# Entry Points Definition
## Reference
### TOML
```toml
defaultEntryPoints = ["http", "https"]
# ...
# ...
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.whitelist]
sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
useXForwardedFor = true
[entryPoints.http.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[[entryPoints.http.tls.certificates]]
certFile = "path/to/my.cert"
keyFile = "path/to/my.key"
[[entryPoints.http.tls.certificates]]
certFile = "path/to/other.cert"
keyFile = "path/to/other.key"
# ...
[entryPoints.http.tls.clientCA]
files = ["path/to/ca1.crt", "path/to/ca2.crt"]
optional = false
[entryPoints.http.redirect]
entryPoint = "https"
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
permanent = true
[entryPoints.http.auth]
headerField = "X-WebAuth-User"
[entryPoints.http.auth.basic]
removeHeader = true
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
usersFile = "/path/to/.htpasswd"
[entryPoints.http.auth.digest]
removeHeader = true
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
usersFile = "/path/to/.htdigest"
[entryPoints.http.auth.forward]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User"]
[entryPoints.http.auth.forward.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
insecureSkipVerify = true
[entryPoints.http.proxyProtocol]
insecure = true
trustedIPs = ["10.10.10.1", "10.10.10.2"]
[entryPoints.http.forwardedHeaders]
trustedIPs = ["10.10.10.1", "10.10.10.2"]
[entryPoints.https]
# ...
```
### CLI
For more information about the CLI, see the documentation about the [Traefik command](/basics/#traefik).
```shell
--entryPoints='Name:http Address::80'
--entryPoints='Name:https Address::443 TLS'
```
!!! note
    Whitespace is used as the option separator and `,` is used as the value separator for lists.
    The names of the options are case-insensitive.
In a compose file, the entrypoint syntax is different:
```yaml
traefik:
  image: traefik
  command:
    - --defaultentrypoints=powpow
    - "--entryPoints=Name:powpow Address::42 Compress:true"
```
or
```yaml
traefik:
  image: traefik
  command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
```
#### All available options:
```ini
Name:foo
Address::80
TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
TLS
TLS.MinVersion:VersionTLS11
TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
TLS.SniStrict:true
TLS.DefaultCertificate.Cert:path/to/foo.cert
TLS.DefaultCertificate.Key:path/to/foo.key
CA:car
CA.Optional:true
Redirect.EntryPoint:https
Redirect.Regex:http://localhost/(.*)
Redirect.Replacement:http://mydomain/$1
Redirect.Permanent:true
Compress:true
WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
WhiteList.UseXForwardedFor:true
ProxyProtocol.TrustedIPs:192.168.0.1
ProxyProtocol.Insecure:true
ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
Auth.Basic.Removeheader:true
Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
Auth.Digest.Removeheader:true
Auth.HeaderField:X-WebAuth-User
Auth.Forward.Address:https://authserver.com/auth
Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret
Auth.Forward.TrustForwardHeader:true
Auth.Forward.TLS.CA:path/to/local.crt
Auth.Forward.TLS.CAOptional:true
Auth.Forward.TLS.Cert:path/to/foo.cert
Auth.Forward.TLS.Key:path/to/foo.key
Auth.Forward.TLS.InsecureSkipVerify:true
```
## Basic
```toml
# Entrypoints definition
#
# Default:
# [entryPoints]
# [entryPoints.http]
# address = ":80"
#
[entryPoints]
[entryPoints.http]
address = ":80"
```
## Redirect HTTP to HTTPS
To redirect an http entrypoint to an https entrypoint (with SNI support).
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.org.cert"
keyFile = "integration/fixtures/https/snitest.org.key"
```
!!! note
    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case).
## Rewriting URL
To redirect an entrypoint while rewriting the URL.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
!!! note
    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an `entrypoint` is defined for the redirection (they will not be used in this case).
    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use the `${1}` syntax.
    Regular expressions and replacements can be tested using online tools such as the [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
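To see the expansion rule above in action, here is an added Go example (not part of the Traefik docs) that applies the page's own redirect rule with the standard `regexp` package; the `rewriteURL` helper is assumed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// rewriteURL applies a redirect rule in the page's style: when rawURL matches
// rule, replacement is expanded with the captured groups (Regexp.Expand rules).
// The boolean reports whether the rule matched at all.
func rewriteURL(rule, replacement, rawURL string) (string, bool) {
	re := regexp.MustCompile(rule)
	if !re.MatchString(rawURL) {
		return rawURL, false
	}
	return re.ReplaceAllString(rawURL, replacement), true
}

func main() {
	const rule = `^http://localhost/(.*)`

	// The rule from the page keeps the path after the host.
	out, _ := rewriteURL(rule, "http://mydomain/$1", "http://localhost/api/v1")
	fmt.Println(out) // http://mydomain/api/v1

	// Pitfall: "$1x" is read as the group named "1x", which does not exist
	// and expands to "", so the captured path is silently dropped.
	out, _ = rewriteURL(rule, "http://mydomain/$1x", "http://localhost/api")
	fmt.Println(out) // http://mydomain/

	// "${1}x" is what was meant: group 1 followed by a literal "x".
	out, _ = rewriteURL(rule, "http://mydomain/${1}x", "http://localhost/api")
	fmt.Println(out) // http://mydomain/apix

	// A URL that does not match is left alone and no redirect is issued.
	out, matched := rewriteURL(rule, "http://mydomain/$1", "https://example.org/")
	fmt.Println(out, matched) // https://example.org/ false
}
```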
## TLS
### Static Certificates
Define an entrypoint with SNI support.
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
```
!!! note
    If an empty TLS configuration is provided, default self-signed certificates are generated.
### Dynamic Certificates
If you need to add or remove TLS certificates while Traefik is running, dynamic TLS certificates are supported using the [file provider](/configuration/backends/file).
## TLS Mutual Authentication
TLS Mutual Authentication can be `optional` or not.
If it's `optional`, Træfik will authorize connections with certificates not signed by a specified Certificate Authority (CA).
Otherwise, Træfik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).
`ClientCAFiles` can be configured with multiple CAs in the same file, or with multiple files each containing one or several CAs.
The CAs have to be in PEM format.
By default, `ClientCAFiles` is not optional: all clients will be required to present a valid certificate.
The requirement will apply to all server certificates in the entrypoint.
In the example below both `snitest.com` and `snitest.org` will require client certificates:
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.tls.ClientCA]
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
optional = false
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.org.cert"
keyFile = "integration/fixtures/https/snitest.org.key"
```
!!! note
    The deprecated argument `ClientCAFiles` allows adding Client CA files which are mandatory.
    If this parameter exists, the new ones are not checked.
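What the `clientCA` block above amounts to in Go's `crypto/tls`, as an added example that is not Traefik's own code: the CA files are loaded into one pool and `optional` selects the client-auth mode (the mapping to `VerifyClientCertIfGiven` / `RequireAndVerifyClientCert` is assumed from the page's description). `selfSignedCAPEM` is a constructed helper that stands in for the CA files on disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// clientCATLSConfig builds the server tls.Config implied by the clientCA block:
// every PEM file's certificates go into one pool and "optional" picks the mode
// (assumed mapping, standard Go semantics): required rejects any client without a
// certificate chaining to a CA; optional admits clients that send none but still
// verifies any certificate they do send.
func clientCATLSConfig(caPEMs [][]byte, optional bool) (*tls.Config, error) {
	pool := x509.NewCertPool()
	for i, p := range caPEMs {
		if !pool.AppendCertsFromPEM(p) {
			return nil, fmt.Errorf("CA file %d contains no PEM certificate", i)
		}
	}
	mode := tls.RequireAndVerifyClientCert
	if optional {
		mode = tls.VerifyClientCertIfGiven
	}
	return &tls.Config{ClientCAs: pool, ClientAuth: mode, MinVersion: tls.VersionTLS12}, nil
}

// selfSignedCAPEM creates a throwaway CA certificate in memory (constructed for
// this example) so the loader can be exercised without files on disk.
func selfSignedCAPEM(name string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```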
## Authentication
### Basic Authentication
Passwords can be hashed with MD5, SHA1 or BCrypt: you can use `htpasswd` to generate them.
Users can be specified directly in the TOML file, or indirectly by referencing an external file;
if both are provided, the two are merged, with external file contents having precedence.
```toml
# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth.basic]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
usersFile = "/path/to/.htpasswd"
```
Optionally, you can:
- pass the authenticated user to the application via headers
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth]
headerField = "X-WebAuth-User" # <-- header for the authenticated user
[entryPoints.http.auth.basic]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
```
- remove the Authorization header
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth]
[entryPoints.http.auth.basic]
removeHeader = true # <-- remove the Authorization header
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
```
### Digest Authentication
Digest credentials can be generated with `htdigest`.
Users can be specified directly in the TOML file, or indirectly by referencing an external file;
if both are provided, the two are merged, with external file contents having precedence.
```toml
# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth.digest]
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
usersFile = "/path/to/.htdigest"
```
Optionally, you can:
- pass the authenticated user to the application via headers.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth]
headerField = "X-WebAuth-User" # <-- header for the authenticated user
[entryPoints.http.auth.digest]
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
```
- remove the Authorization header.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth]
[entryPoints.http.auth.digest]
removeHeader = true # <-- remove the Authorization header
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
```
### Forward Authentication
This configuration will first forward the request to `https://authserver.com/auth`.
If the response code is 2XX, access is granted and the original request is performed.
Otherwise, the response from the authentication server is returned.
```toml
[entryPoints]
[entryPoints.http]
# ...
# To enable forward auth on an entrypoint
[entryPoints.http.auth.forward]
address = "https://authserver.com/auth"
# Trust existing X-Forwarded-* headers.
# Useful with another reverse proxy in front of Traefik.
#
# Optional
# Default: false
#
trustForwardHeader = true
# Copy headers from the authentication server to the request.
#
# Optional
#
authResponseHeaders = ["X-Auth-User", "X-Secret"]
# Enable forward auth TLS connection.
#
# Optional
#
[entryPoints.http.auth.forward.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
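The exchange described above (2XX grants, anything else is relayed, only `authResponseHeaders` reach the backend), as an added Go example that is not Traefik's forward-auth code; the auth server, its fixed token and the `demo` wiring are constructed for the illustration.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
)

// forwardAuth applies the rule above in front of next: a 2XX from authURL lets the
// request through (with the listed auth headers copied onto it), anything else is relayed.
func forwardAuth(authURL string, authResponseHeaders []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authReq, _ := http.NewRequest(http.MethodGet, authURL, nil) // authURL is static config, assumed valid
		authReq.Header = r.Header.Clone()                             // the auth server sees what the client sent
		resp, err := http.DefaultClient.Do(authReq)
		if err != nil {
			http.Error(w, "auth server unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		if resp.StatusCode < 200 || resp.StatusCode > 299 {
			for k, v := range resp.Header { // relay e.g. WWW-Authenticate along with the body
				w.Header()[k] = v
			}
			w.WriteHeader(resp.StatusCode)
			io.Copy(w, resp.Body)
			return
		}
		for _, h := range authResponseHeaders { // only configured headers reach the backend
			if v := resp.Header.Get(h); v != "" {
				r.Header.Set(h, v)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// demo wires a constructed in-process auth server accepting one bearer token in front
// of a backend that echoes X-Auth-User, returning the status and body the client sees.
func demo(token string) (int, string) {
	auth := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer letmein" {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "forbidden", http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-Auth-User", "alice") // picked up via authResponseHeaders
	}))
	defer auth.Close()
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "hello "+r.Header.Get("X-Auth-User")) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/private", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	forwardAuth(auth.URL, []string{"X-Auth-User"}, backend).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}
```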
## Specify Minimum TLS Version
To specify an HTTPS entry point with a minimum TLS version and an array of cipher suites (from [crypto/tls](https://godoc.org/crypto/tls#pkg-constants)).
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.org.cert"
keyFile = "integration/fixtures/https/snitest.org.key"
```
## Strict SNI Checking
To enable strict SNI checking, so that connections cannot be made if a matching certificate does not exist.
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
sniStrict = true
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
```
## Default Certificate
To enable a default certificate to serve, so that connections without SNI or without a matching domain will be served this certificate.
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.tls.defaultCertificate]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
```
!!! note
    There can only be one `defaultCertificate` set per entrypoint.
    Use a single set of square brackets `[ ]`, instead of the two needed for normal certificates.
    If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.
## Compression
To enable compression support using gzip format.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
```
Responses are compressed when:
* The response body is larger than `512` bytes
* And the `Accept-Encoding` request header contains `gzip`
* And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
## White Listing
To enable IP white listing at the entry point level.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.whiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
# useXForwardedFor = true
```
## ProxyProtocol
To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true` ).
!!! danger
    When chaining Træfik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.
    Otherwise, forged requests could introduce a security risk in your system.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
# Enable ProxyProtocol
[entryPoints.http.proxyProtocol]
# List of trusted IPs
#
# Required
# Default: []
#
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
# Insecure mode FOR TESTING ENVIRONMENT ONLY
#
# Optional
# Default: false
#
# insecure = true
```
## Forwarded Header
Only requests coming from IPs in `trustedIPs` will have their forwarded headers (`X-Forwarded-*`) trusted.
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
# Enable Forwarded Headers
[entryPoints.http.forwardedHeaders]
# List of trusted IPs
#
# Required
# Default: []
#
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
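How the White Listing (`sourceRange`, `useXForwardedFor`) and Forwarded Header (`trustedIPs`) settings interact, as an added Go example that is a simplified model rather than Traefik's own middleware: `X-Forwarded-For` only replaces the peer address when the peer itself is a trusted proxy, which is the property that stops a direct client from forging its way onto the whitelist. Function names and the combined `whitelisted` check are assumptions of this illustration.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// ipAllowed reports whether ip is covered by sourceRange, whose entries may be
// CIDRs ("10.42.0.0/16") or single addresses ("192.168.1.7"), as on the page.
func ipAllowed(ip string, sourceRange []string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, entry := range sourceRange {
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(addr) {
				return true
			}
		} else if single := net.ParseIP(entry); single != nil && single.Equal(addr) {
			return true
		}
	}
	return false
}

// clientIP picks the address the whitelist is checked against. The TCP peer is
// used unless useXForwardedFor is set AND the peer is one of the trusted proxies
// (forwardedHeaders.trustedIPs); otherwise anyone could pass the whitelist by
// sending a forged X-Forwarded-For. This is an assumed, simplified model of the
// two settings, not Traefik's implementation.
func clientIP(r *http.Request, useXForwardedFor bool, trustedIPs []string) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr // already a bare address
	}
	xff := r.Header.Get("X-Forwarded-For")
	if !useXForwardedFor || xff == "" || !ipAllowed(peer, trustedIPs) {
		return peer
	}
	// The left-most entry is the original client as recorded by the first proxy.
	return strings.TrimSpace(strings.Split(xff, ",")[0])
}

// whitelisted combines both steps for one request.
func whitelisted(r *http.Request, sourceRange []string, useXForwardedFor bool, trustedIPs []string) bool {
	return ipAllowed(clientIP(r, useXForwardedFor, trustedIPs), sourceRange)
}
```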