---
title: "Routing & Load Balancing Overview | Traefik Docs"
description: "Read the official Traefik documentation to learn more on the Traefik Proxy architecture and the components that enable the routes to be created."
---
# Overview
What's Happening to the Requests?
{: .subtitle }
Let's zoom in on Traefik's architecture and talk about the components that enable the routes to be created.
First, when you start Traefik, you define [entrypoints](../entrypoints) (in their most basic forms, they are port numbers).
Then, connected to these entrypoints, [routers](../routers) analyze the incoming requests to see if they match a set of [rules](../routers#rule).
If they do, the router might transform the request using pieces of [middleware](../middlewares/overview.md) before forwarding it to your [services](./services/index.md).
![Architecture](../assets/img/architecture-overview.png)
## Clear Responsibilities
- [_Providers_](../providers/overview.md) discover the services that live on your infrastructure (their IP, health, ...)
- [_Entrypoints_](./entrypoints.md) listen for incoming traffic (ports, ...)
- [_Routers_](./routers/index.md) analyse the requests (host, path, headers, SSL, ...)
- [_Services_](./services/index.md) forward the request to your services (load balancing, ...)
- [_Middlewares_](../middlewares/overview.md) may update the request or make decisions based on the request (authentication, rate limiting, headers, ...)
## Example with a File Provider
Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://example.com/whoami/` requests to a service reachable on `http://private/whoami-service/`.
In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/http/basicauth.md)).
Static configuration:
```yaml tab="File (YAML)"
entryPoints:
  web:
    # Listen on port 8081 for incoming requests
    address: :8081

providers:
  # Enable the file provider to define routers / middlewares / services in file
  file:
    directory: /path/to/dynamic/conf
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
# Listen on port 8081 for incoming requests
address = ":8081"
[providers]
# Enable the file provider to define routers / middlewares / services in file
[providers.file]
directory = "/path/to/dynamic/conf"
```
```bash tab="CLI"
# Listen on port 8081 for incoming requests
--entryPoints.web.address=:8081

# Enable the file provider to define routers / middlewares / services in file
--providers.file.directory=/path/to/dynamic/conf
```
Dynamic configuration:
```yaml tab="YAML"
# http routing section
http:
  routers:
    # Define a connection between requests and services
    to-whoami:
      rule: "Host(`example.com`) && PathPrefix(`/whoami/`)"
      # If the rule matches, applies the middleware
      middlewares:
        - test-user
      # If the rule matches, forward to the whoami service (declared below)
      service: whoami

  middlewares:
    # Define an authentication mechanism
    test-user:
      basicAuth:
        users:
          - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/

  services:
    # Define how to reach an existing service on our infrastructure
    whoami:
      loadBalancer:
        servers:
          - url: http://private/whoami-service
```
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
```
!!! info ""

    In this example, we use the [file provider](../providers/file.md).
    Even if it is one of the least magical ways of configuring Traefik, it explicitly describes every available notion.

!!! info "HTTP / TCP"

    In this example, we've defined routing rules for HTTP requests only.
    Traefik also supports TCP requests. To add [TCP routers](./routers/index.md) and [TCP services](./services/index.md), declare them in a TCP section like in the following.

??? example "Adding a TCP route for TLS requests on whoami-tcp.example.com"

**Static Configuration**
```yaml tab="File (YAML)"
entryPoints:
  web:
    # Listen on port 8081 for incoming requests
    address: :8081
providers:
  # Enable the file provider to define routers / middlewares / services in file
  file:
    directory: /path/to/dynamic/conf
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
# Listen on port 8081 for incoming requests
address = ":8081"
[providers]
# Enable the file provider to define routers / middlewares / services in file
[providers.file]
directory = "/path/to/dynamic/conf"
```
```bash tab="CLI"
# Listen on port 8081 for incoming requests
--entryPoints.web.address=:8081

# Enable the file provider to define routers / middlewares / services in file
--providers.file.directory=/path/to/dynamic/conf
```
**Dynamic Configuration**
```yaml tab="YAML"
# http routing section
http:

  routers:
    # Define a connection between requests and services
    to-whoami:
      rule: Host(`example.com`) && PathPrefix(`/whoami/`)
      # If the rule matches, applies the middleware
      middlewares:
        - test-user
      # If the rule matches, forward to the whoami service (declared below)
      service: whoami

  middlewares:
    # Define an authentication mechanism
    test-user:
      basicAuth:
        users:
          - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/

  services:
    # Define how to reach an existing service on our infrastructure
    whoami:
      loadBalancer:
        servers:
          - url: http://private/whoami-service
tcp:

  routers:
    to-whoami-tcp:
      service: whoami-tcp
      rule: HostSNI(`whoami-tcp.example.com`)
      tls: {}

  services:
    whoami-tcp:
      loadBalancer:
        servers:
          - address: xx.xx.xx.xx:xx
```
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
[tcp]
[tcp.routers]
[tcp.routers.to-whoami-tcp]
rule = "HostSNI(`whoami-tcp.example.com`)"
service = "whoami-tcp"
[tcp.routers.to-whoami-tcp.tls]
[tcp.services]
[tcp.services.whoami-tcp.loadBalancer]
[[tcp.services.whoami-tcp.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
## Transport configuration
Most of what happens to the connection between the clients and Traefik,
and then between Traefik and the backend servers, is configured through the
[entrypoints ](../entrypoints ) and the [routers ](../routers ).
In addition, a few parameters are dedicated to configuring globally
what happens with the connections between Traefik and the backends.
This is done through the [`serversTransport`](#http-servers-transports) and [`tcpServersTransport`](#tcp-servers-transports)
sections of the configuration, which feature these options:
### HTTP Servers Transports
#### `insecureSkipVerify`
_Optional, Default=false_
`insecureSkipVerify` disables SSL certificate verification.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  insecureSkipVerify: true
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
insecureSkipVerify = true
```
```bash tab="CLI"
## Static configuration
--serversTransport.insecureSkipVerify=true
```
#### `rootCAs`
_Optional_
`rootCAs` is the list of certificates (as file paths, or data bytes)
that will be set as Root Certificate Authorities when using a self-signed TLS certificate.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  rootCAs:
    - foo.crt
    - bar.crt
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
rootCAs = ["foo.crt", "bar.crt"]
```
```bash tab="CLI"
## Static configuration
--serversTransport.rootCAs=foo.crt,bar.crt
```
#### `maxIdleConnsPerHost`
_Optional, Default=2_
If non-zero, `maxIdleConnsPerHost` controls the maximum idle (keep-alive) connections to keep per-host.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  maxIdleConnsPerHost: 7
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
maxIdleConnsPerHost = 7
```
```bash tab="CLI"
## Static configuration
--serversTransport.maxIdleConnsPerHost=7
```
#### `spiffe`
Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration
before using it to secure the connection between Traefik and the backends.
#### `spiffe.ids`
_Optional_
`ids` defines the allowed SPIFFE IDs.
This takes precedence over the SPIFFE TrustDomain.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  spiffe:
    ids:
      - spiffe://trust-domain/id1
      - spiffe://trust-domain/id2
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.spiffe]
ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
```
```bash tab="CLI"
## Static configuration
--serversTransport.spiffe.ids=spiffe://trust-domain/id1,spiffe://trust-domain/id2
```
#### `spiffe.trustDomain`
_Optional_
`trustDomain` defines the allowed SPIFFE trust domain.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  spiffe:
    trustDomain: spiffe://trust-domain
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.spiffe]
trustDomain = "spiffe://trust-domain"
```
```bash tab="CLI"
## Static configuration
--serversTransport.spiffe.trustDomain=spiffe://trust-domain
```
#### `forwardingTimeouts`
`forwardingTimeouts` groups the timeouts that apply when forwarding requests to the backend servers.
#### `forwardingTimeouts.dialTimeout`
_Optional, Default=30s_
`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
Zero means no timeout.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  forwardingTimeouts:
    dialTimeout: 1s
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
dialTimeout = "1s"
```
```bash tab="CLI"
## Static configuration
--serversTransport.forwardingTimeouts.dialTimeout=1s
```
#### `forwardingTimeouts.responseHeaderTimeout`
_Optional, Default=0s_
`responseHeaderTimeout`, if non-zero, specifies the amount of time to wait for a server's response headers
after fully writing the request (including its body, if any).
This time does not include the time to read the response body.
Zero means no timeout.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  forwardingTimeouts:
    responseHeaderTimeout: 1s
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
responseHeaderTimeout = "1s"
```
```bash tab="CLI"
## Static configuration
--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
```
#### `forwardingTimeouts.idleConnTimeout`
_Optional, Default=90s_
`idleConnTimeout` is the maximum amount of time an idle (keep-alive) connection
will remain idle before closing itself.
Zero means no limit.
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
  forwardingTimeouts:
    idleConnTimeout: 1s
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
idleConnTimeout = "1s"
```
```bash tab="CLI"
## Static configuration
--serversTransport.forwardingTimeouts.idleConnTimeout=1s
```
### TCP Servers Transports
#### `dialTimeout`
_Optional, Default="30s"_
`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
Zero means no timeout.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  dialTimeout: 30s
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport]
dialTimeout = "30s"
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.dialTimeout=30s
```
#### `dialKeepAlive`
_Optional, Default="15s"_
`dialKeepAlive` defines the interval between keep-alive probes sent on an active network connection.
If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and
operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  dialKeepAlive: 30s
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport]
dialKeepAlive = "30s"
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.dialKeepAlive=30s
```
#### `tls`
`tls` defines the TLS configuration to connect with TCP backends.
_Optional_
An empty `tls` section enables TLS.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  tls: {}
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.tls]
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.tls=true
```
#### `tls.insecureSkipVerify`
_Optional_
`insecureSkipVerify` disables the server's certificate chain and host name verification.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  tls:
    insecureSkipVerify: true
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.tls.insecureSkipVerify=true
```
#### `tls.rootCAs`
_Optional_
`rootCAs` defines the set of Root Certificate Authorities (as file paths, or data bytes)
to use when verifying self-signed TLS server certificates.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  tls:
    rootCAs:
      - foo.crt
      - bar.crt
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.tls]
rootCAs = ["foo.crt", "bar.crt"]
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.tls.rootCAs=foo.crt,bar.crt
```
#### `spiffe`
Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration
before using it to secure the connection between Traefik and the backends.
#### `spiffe.ids`
_Optional_
`ids` defines the allowed SPIFFE IDs.
This takes precedence over the SPIFFE TrustDomain.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  spiffe:
    ids:
      - spiffe://trust-domain/id1
      - spiffe://trust-domain/id2
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.spiffe]
ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.spiffe.ids=spiffe://trust-domain/id1,spiffe://trust-domain/id2
```
#### `spiffe.trustDomain`
_Optional_
`trustDomain` defines the allowed SPIFFE trust domain.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
  spiffe:
    trustDomain: spiffe://trust-domain
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.spiffe]
trustDomain = "spiffe://trust-domain"
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.spiffe.trustDomain=spiffe://trust-domain
```
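The transport options above can be reviewed mechanically before a deployment. The following Go program is an added example, not Traefik code: it scans the CLI form of a static configuration and reports the settings this page describes as disabling certificate verification or as meaning "no timeout". The `auditTransportFlags` name and the finding texts are assumptions of the example, and it only understands Go duration strings such as `1s`.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// auditTransportFlags is a hypothetical helper (not part of Traefik). It reads
// static-configuration CLI flags and returns one finding per risky setting.
func auditTransportFlags(args []string) []string {
	flags := map[string]string{}
	for _, a := range args {
		k, v, ok := strings.Cut(strings.TrimPrefix(a, "--"), "=")
		if !ok {
			v = "true" // a flag given without a value is read as boolean true
		}
		flags[strings.ToLower(k)] = v // keys compared case-insensitively here
	}
	var findings []string
	// Certificate verification switched off towards HTTP or TCP backends.
	for _, k := range []string{"serversTransport.insecureSkipVerify", "tcpServersTransport.tls.insecureSkipVerify"} {
		if strings.EqualFold(flags[strings.ToLower(k)], "true") {
			findings = append(findings, k+"=true: backend certificates are not verified; list the issuing CA in rootCAs instead")
		}
	}
	// Timeouts for which zero means "no timeout"; defaults are the ones documented above.
	timeouts := []struct{ key, def string }{
		{"serversTransport.forwardingTimeouts.dialTimeout", "30s"},
		{"serversTransport.forwardingTimeouts.responseHeaderTimeout", "0s"},
		{"tcpServersTransport.dialTimeout", "30s"},
	}
	for _, t := range timeouts {
		raw, set := flags[strings.ToLower(t.key)]
		if !set {
			raw = t.def // option absent: the documented default applies
		}
		d, err := time.ParseDuration(raw)
		switch {
		case err != nil:
			findings = append(findings, fmt.Sprintf("%s=%q: not a duration this example can parse", t.key, raw))
		case d == 0:
			findings = append(findings, t.key+" is zero: no timeout is applied")
		}
	}
	return findings
}

func main() {
	// Constructed sample flags, reusing option names from this page.
	sample := []string{"--entryPoints.web.address=:8081", "--serversTransport.insecureSkipVerify=true", "--serversTransport.forwardingTimeouts.dialTimeout=1s"}
	fmt.Println(strings.Join(auditTransportFlags(sample), "\n"))
}
```

Because `responseHeaderTimeout` defaults to `0s`, the check reports it whenever the option is left unset, not only when it is explicitly set to zero.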
{!traefik-for-business-applications.md!}