2016-04-15 14:27:40 +00:00
# Examples
2017-03-31 04:29:03 +00:00
You will find here some configuration examples of Træfik.
2016-04-15 14:27:40 +00:00
## HTTP only
2017-04-30 18:17:57 +00:00
```toml
2016-04-15 14:27:40 +00:00
defaultEntryPoints = ["http"]
2018-01-15 15:04:05 +00:00
2016-04-15 14:27:40 +00:00
[entryPoints]
[entryPoints.http]
address = ":80"
```
## HTTP + HTTPS (with SNI)
2017-04-30 18:17:57 +00:00
```toml
2016-04-15 14:27:40 +00:00
defaultEntryPoints = ["http", "https"]
2018-01-15 15:04:05 +00:00
2016-04-15 14:27:40 +00:00
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
2017-09-11 17:10:04 +00:00
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
2016-04-15 14:27:40 +00:00
[[entryPoints.https.tls.certificates]]
2017-09-11 17:10:04 +00:00
certFile = "integration/fixtures/https/snitest.org.cert"
keyFile = "integration/fixtures/https/snitest.org.key"
2016-04-15 14:27:40 +00:00
```
2016-07-11 15:32:28 +00:00
Note that we can either give path to certificate file or directly the file content itself ([like in this TOML example](/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store)).
2016-04-15 14:27:40 +00:00
## HTTP redirect on HTTPS
2017-04-30 18:17:57 +00:00
```toml
2016-04-15 14:27:40 +00:00
defaultEntryPoints = ["http", "https"]
2018-01-15 15:04:05 +00:00
2016-04-15 14:27:40 +00:00
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
2017-09-11 17:10:04 +00:00
certFile = "examples/traefik.crt"
keyFile = "examples/traefik.key"
2016-04-15 14:27:40 +00:00
```
2017-10-22 07:44:03 +00:00
!!! note
Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case)
2016-04-15 14:27:40 +00:00
## Let's Encrypt support
2018-01-15 15:04:05 +00:00
### Basic example with HTTP challenge
2017-08-25 19:10:03 +00:00
```toml
[entryPoints]
2018-01-15 15:04:05 +00:00
[entryPoints.http]
address = ":80"
2017-08-25 19:10:03 +00:00
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
2018-05-18 16:16:03 +00:00
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
2017-08-25 19:10:03 +00:00
entryPoint = "https"
2018-01-15 15:04:05 +00:00
[acme.httpChallenge]
entryPoint = "http"
2017-08-25 19:10:03 +00:00
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
```
2018-01-15 15:04:05 +00:00
This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com` with described SANs.
2017-09-11 17:10:04 +00:00
2018-02-16 09:32:03 +00:00
Træfik generates these certificates when it starts and it needs to be restart if new domains are added.
2017-08-25 19:10:03 +00:00
2018-04-06 07:38:03 +00:00
### onHostRule option (with HTTP challenge)
2017-08-25 19:10:03 +00:00
```toml
[entryPoints]
2018-01-15 15:04:05 +00:00
[entryPoints.http]
address = ":80"
2017-08-25 19:10:03 +00:00
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
2018-05-18 16:16:03 +00:00
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
2017-08-25 19:10:03 +00:00
entryPoint = "https"
2018-01-15 15:04:05 +00:00
[acme.httpChallenge]
entryPoint = "http"
2017-08-25 19:10:03 +00:00
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
```
2018-01-15 15:04:05 +00:00
This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com` .
2017-09-11 17:10:04 +00:00
2018-02-16 09:32:03 +00:00
Træfik generates these certificates when it starts.
2017-08-25 19:10:03 +00:00
2018-02-16 09:32:03 +00:00
If a backend is added with a `onHost` rule, Træfik will automatically generate the Let's Encrypt certificate for the new domain (for frontends wired on the `acme.entryPoint` ).
2017-08-25 19:10:03 +00:00
2018-01-15 15:04:05 +00:00
### OnDemand option (with HTTP challenge)
2017-08-25 19:10:03 +00:00
```toml
[entryPoints]
2018-01-15 15:04:05 +00:00
[entryPoints.http]
address = ":80"
2017-08-25 19:10:03 +00:00
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
2017-09-11 17:10:04 +00:00
onDemand = true
2018-05-18 16:16:03 +00:00
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
2017-08-25 19:10:03 +00:00
entryPoint = "https"
2018-01-15 15:04:05 +00:00
[acme.httpChallenge]
entryPoint = "http"
2017-08-25 19:10:03 +00:00
```
2018-01-15 15:04:05 +00:00
This configuration allows generating a Let's Encrypt certificate (thanks to `HTTP-01` challenge) during the first HTTPS request on a new domain.
2017-08-25 19:10:03 +00:00
2017-08-28 12:33:07 +00:00
!!! note
This option simplifies the configuration but :
2018-03-12 09:04:03 +00:00
* TLS handshakes will be slow when requesting a hostname certificate for the first time, which can lead to DDoS attacks.
2017-08-28 12:33:07 +00:00
* Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
2017-11-07 10:50:03 +00:00
That's why, it's better to use the `onHostRule` option if possible.
2017-08-25 19:10:03 +00:00
### DNS challenge
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
2018-05-18 16:16:03 +00:00
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
2017-08-25 19:10:03 +00:00
entryPoint = "https"
2018-01-15 15:04:05 +00:00
[acme.dnsChallenge]
provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
delayBeforeCheck = 0
2017-08-25 19:10:03 +00:00
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
```
2017-09-11 17:10:04 +00:00
DNS challenge needs environment variables to be executed.
2018-03-26 12:12:03 +00:00
These variables have to be set on the machine/container that host Træfik.
These variables are described [in this section ](/configuration/acme/#provider ).
### DNS challenge with wildcard domains
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
[acme.dnsChallenge]
provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
delayBeforeCheck = 0
[[acme.domains]]
main = "*.local1.com"
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "*.local3.com"
[[acme.domains]]
main = "*.local4.com"
```
DNS challenge needs environment variables to be executed.
These variables have to be set on the machine/container that host Træfik.
2017-09-11 17:10:04 +00:00
2018-01-15 15:04:05 +00:00
These variables are described [in this section ](/configuration/acme/#provider ).
2017-08-25 19:10:03 +00:00
2018-03-26 12:12:03 +00:00
More information about wildcard certificates are available [in this section ](/configuration/acme/#wildcard-domain ).
2018-04-06 07:38:03 +00:00
### onHostRule option and provided certificates (with HTTP challenge)
2017-08-25 19:10:03 +00:00
2017-04-30 18:17:57 +00:00
```toml
2016-04-15 14:27:40 +00:00
[entryPoints]
2018-01-15 15:04:05 +00:00
[entryPoints.http]
address = ":80"
2016-04-15 14:27:40 +00:00
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
2017-09-11 17:10:04 +00:00
certFile = "examples/traefik.crt"
keyFile = "examples/traefik.key"
2017-08-25 19:10:03 +00:00
2016-04-15 14:27:40 +00:00
[acme]
email = "test@traefik.io"
2017-08-25 19:10:03 +00:00
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
2018-01-15 15:04:05 +00:00
[acme.httpChallenge]
entryPoint = "http"
2017-08-25 19:10:03 +00:00
```
2018-02-16 09:32:03 +00:00
Træfik will only try to generate a Let's encrypt certificate (thanks to `HTTP-01` challenge) if the domain cannot be checked by the provided certificates.
2017-08-25 19:10:03 +00:00
### Cluster mode
#### Prerequisites
2017-11-07 10:50:03 +00:00
Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations ](/user-guide/kv-config ) and more precisely at [this section ](/user-guide/kv-config/#store-configuration-in-key-value-store ), which will describe how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
2017-08-25 19:10:03 +00:00
#### Configuration
```toml
[entryPoints]
2018-01-15 15:04:05 +00:00
[entryPoints.http]
address = ":80"
2017-08-25 19:10:03 +00:00
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "traefik/acme/account"
2016-04-15 14:27:40 +00:00
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
2018-01-15 15:04:05 +00:00
[acme.httpChallenge]
entryPoint = "http"
2016-04-15 14:27:40 +00:00
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
2017-08-25 19:10:03 +00:00
[consul]
endpoint = "127.0.0.1:8500"
watch = true
prefix = "traefik"
2016-04-15 14:27:40 +00:00
```
2017-08-25 19:10:03 +00:00
This configuration allows to use the key `traefik/acme/account` to get/set Let's Encrypt certificates content.
The `consul` provider contains the configuration.
2017-08-28 12:33:07 +00:00
!!! note
It's possible to use others key-value store providers as described [here ](/user-guide/kv-config/#key-value-store-configuration ).
2017-08-25 19:10:03 +00:00
2016-04-15 14:27:40 +00:00
## Override entrypoints in frontends
2017-04-30 18:17:57 +00:00
```toml
2016-04-15 14:27:40 +00:00
[frontends]
2018-01-15 15:04:05 +00:00
2016-04-15 14:27:40 +00:00
[frontends.frontend1]
backend = "backend2"
[frontends.frontend1.routes.test_1]
rule = "Host:test.localhost"
2018-01-15 15:04:05 +00:00
2016-04-15 14:27:40 +00:00
[frontends.frontend2]
backend = "backend1"
passHostHeader = true
2017-04-06 22:10:02 +00:00
passTLSCert = true
2016-04-15 14:27:40 +00:00
entrypoints = ["https"] # overrides defaultEntryPoints
[frontends.frontend2.routes.test_1]
rule = "Host:{subdomain:[a-z]+}.localhost"
2018-01-15 15:04:05 +00:00
2016-04-15 14:27:40 +00:00
[frontends.frontend3]
entrypoints = ["http", "https"] # overrides defaultEntryPoints
backend = "backend2"
2018-01-15 15:04:05 +00:00
rule = "Path:/test"
2016-04-15 14:27:40 +00:00
```
2016-07-21 15:05:58 +00:00
2018-02-16 09:32:03 +00:00
## Enable Basic authentication in an entry point
2016-07-21 15:05:58 +00:00
With two user/pass:
- `test` :`test`
- `test2` :`test2`
2018-02-16 09:32:03 +00:00
Passwords are encoded in MD5: you can use `htpasswd` to generate them.
2016-07-21 15:05:58 +00:00
2017-04-30 18:17:57 +00:00
```toml
2016-07-21 15:05:58 +00:00
defaultEntryPoints = ["http"]
2018-01-15 15:04:05 +00:00
2016-07-21 15:05:58 +00:00
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth.basic]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
2016-12-16 15:42:51 +00:00
```
## Pass Authenticated user to application via headers
Providing an authentication method as described above, it is possible to pass the user to the application
2017-09-11 17:10:04 +00:00
via a configurable header value.
2016-12-16 15:42:51 +00:00
2017-04-30 18:17:57 +00:00
```toml
2016-12-16 15:42:51 +00:00
defaultEntryPoints = ["http"]
2018-01-15 15:04:05 +00:00
2016-12-16 15:42:51 +00:00
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth]
headerField = "X-WebAuth-User"
[entryPoints.http.auth.basic]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
2017-04-04 09:36:23 +00:00
```
2018-04-06 07:38:03 +00:00
## Override the Traefik HTTP server idleTimeout and/or throttle configurations from re-loading too quickly
2017-04-04 09:36:23 +00:00
2017-04-30 18:17:57 +00:00
```toml
2017-09-11 17:10:04 +00:00
providersThrottleDuration = "5s"
[respondingTimeouts]
idleTimeout = "360s"
2017-04-04 09:36:23 +00:00
```