2016-03-22 16:25:57 +00:00
# Global configuration
## Main section
```toml
# traefik.toml
################################################################
# Global configuration
################################################################
2017-03-27 09:51:53 +00:00
# Duration to give active requests a chance to finish during hot-reloads.
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
# values (digits). If no units are provided, the value is parsed assuming
# seconds.
2016-10-27 14:17:02 +00:00
#
# Optional
2017-03-27 09:51:53 +00:00
# Default: "10s"
2016-10-27 14:17:02 +00:00
#
2017-03-27 09:51:53 +00:00
# graceTimeOut = "10s"
2016-10-27 14:17:02 +00:00
# Enable debug mode
#
# Optional
# Default: false
#
# debug = true
# Periodically check if a new version has been released
#
# Optional
# Default: true
#
# checkNewVersion = false
2016-03-22 16:25:57 +00:00
# Traefik logs file
# If not defined, logs to stdout
#
# Optional
#
# traefikLogsFile = "log/traefik.log"
# Access logs file
#
2017-05-25 11:25:53 +00:00
# Deprecated - see [accessLog] lower down
2016-03-22 16:25:57 +00:00
# Optional
#
# accessLogsFile = "log/access.log"
# Log level
#
# Optional
# Default: "ERROR"
2016-09-14 19:03:20 +00:00
# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
# Messages at and above the selected level will be logged.
2016-03-22 16:25:57 +00:00
#
# logLevel = "ERROR"
2016-10-21 14:02:18 +00:00
# Backends throttle duration: minimum duration in seconds between 2 events from providers
2016-03-22 16:25:57 +00:00
# before applying a new configuration. It avoids unnecessary reloads if multiples events
# are sent in a short amount of time.
2017-03-27 09:51:53 +00:00
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
# values (digits). If no units are provided, the value is parsed assuming
# seconds.
2016-03-22 16:25:57 +00:00
#
# Optional
2017-03-27 09:51:53 +00:00
# Default: "2s"
2016-03-22 16:25:57 +00:00
#
2017-03-27 09:51:53 +00:00
# ProvidersThrottleDuration = "2s"
2016-03-22 16:25:57 +00:00
2017-04-04 09:36:23 +00:00
# IdleTimeout: maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
# This is set to enforce closing of stale client connections.
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
# values (digits). If no units are provided, the value is parsed assuming seconds.
#
# Optional
# Default: "180s"
#
# IdleTimeout = "360s"
2017-03-06 12:40:46 +00:00
# Controls the maximum idle (keep-alive) connections to keep per-host. If zero, DefaultMaxIdleConnsPerHost
# from the Go standard library net/http module is used.
# If you encounter 'too many open files' errors, you can either increase this
# value or change the `ulimit`.
2016-03-22 16:25:57 +00:00
#
# Optional
2017-03-06 12:40:46 +00:00
# Default: 200
2016-03-22 16:25:57 +00:00
#
# MaxIdleConnsPerHost = 200
2016-07-31 16:08:33 +00:00
# If set to true invalid SSL certificates are accepted for backends.
# Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
# Optional
# Default: false
#
# InsecureSkipVerify = true
2016-03-22 16:25:57 +00:00
# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
# defaultEntryPoints = ["http", "https"]
```
2016-06-20 23:00:52 +00:00
### Constraints
2017-03-31 04:29:03 +00:00
In a micro-service architecture, with a central service discovery, setting constraints limits Træfik scope to a smaller number of routes.
2016-06-20 23:00:52 +00:00
2017-03-31 04:29:03 +00:00
Træfik filters services according to service attributes/tags set in your configuration backends.
2016-06-20 23:00:52 +00:00
Supported backends:
- Docker
- Consul K/V
- BoltDB
- Zookeeper
- Etcd
- Consul Catalog
2017-05-02 14:51:02 +00:00
- Rancher
2016-06-20 23:00:52 +00:00
Supported filters:
2017-04-30 18:17:57 +00:00
- `tag`
2016-06-20 23:00:52 +00:00
2017-04-30 18:17:57 +00:00
```toml
2016-06-20 23:00:52 +00:00
# Constraints definition
#
# Optional
#
# Simple matching constraint
# constraints = ["tag==api"]
2016-09-20 14:56:29 +00:00
#
2016-06-20 23:00:52 +00:00
# Simple mismatching constraint
# constraints = ["tag!=api"]
2016-09-20 14:56:29 +00:00
#
2016-06-20 23:00:52 +00:00
# Globbing
# constraints = ["tag==us-*"]
2016-09-20 14:56:29 +00:00
#
2016-06-20 23:00:52 +00:00
# Backend-specific constraint
# [consulCatalog]
# endpoint = 127.0.0.1:8500
# constraints = ["tag==api"]
2016-09-20 14:56:29 +00:00
#
2016-06-20 23:00:52 +00:00
# Multiple constraints
# - "tag==" must match with at least one tag
# - "tag!=" must match with none of tags
# constraints = ["tag!=us-*", "tag!=asia-*"]
# [consulCatalog]
# endpoint = 127.0.0.1:8500
# constraints = ["tag==api", "tag!=v*-beta"]
```
2017-05-25 11:25:53 +00:00
## Access log definition
2017-05-30 10:06:49 +00:00
Access logs are written when `[accessLog]` is defined.
By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields.
2017-05-25 11:25:53 +00:00
2017-05-30 10:06:49 +00:00
To enable access logs using the default settings just add the `[accessLog]` entry.
```toml
[accessLog]
```
To write the logs into a logfile specify the `filePath` .
2017-05-25 11:25:53 +00:00
```toml
[accessLog]
filePath = "/path/to/access.log"
```
To write JSON format logs, specify `json` as the format:
```toml
[accessLog]
filePath = "/path/to/access.log"
format = "json"
```
2016-03-22 16:25:57 +00:00
## Entrypoints definition
```toml
# Entrypoints definition
#
# Optional
# Default:
# [entryPoints]
# [entryPoints.http]
# address = ":80"
#
# To redirect an http entrypoint to an https entrypoint (with SNI support):
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.redirect]
# entryPoint = "https"
# [entryPoints.https]
# address = ":443"
# [entryPoints.https.tls]
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.com.cert"
# KeyFile = "integration/fixtures/https/snitest.com.key"
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.org.cert"
# KeyFile = "integration/fixtures/https/snitest.org.key"
#
# To redirect an entrypoint rewriting the URL:
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.redirect]
# regex = "^http://localhost/(.*)"
# replacement = "http://mydomain/$1"
2016-06-15 20:38:40 +00:00
#
# Only accept clients that present a certificate signed by a specified
# Certificate Authority (CA)
# ClientCAFiles can be configured with multiple CA:s in the same file or
# use multiple files containing one or several CA:s. The CA:s has to be in PEM format.
# All clients will be required to present a valid cert.
# The requirement will apply to all server certs in the entrypoint
# In the example below both snitest.com and snitest.org will require client certs
#
# [entryPoints]
# [entryPoints.https]
# address = ":443"
# [entryPoints.https.tls]
# ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.com.cert"
# KeyFile = "integration/fixtures/https/snitest.com.key"
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.org.cert"
# KeyFile = "integration/fixtures/https/snitest.org.key"
#
2016-07-21 15:05:58 +00:00
# To enable basic auth on an entrypoint
# with 2 user/pass: test:test and test2:test2
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
2017-02-24 02:46:50 +00:00
# Users can be specified directly in the toml file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence
2016-07-21 15:05:58 +00:00
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.auth.basic]
# users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
2017-02-24 02:46:50 +00:00
# usersFile = "/path/to/.htpasswd"
2016-07-21 15:05:58 +00:00
#
# To enable digest auth on an entrypoint
# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
# You can use htdigest to generate those ones
2017-02-24 02:46:50 +00:00
# Users can be specified directly in the toml file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence
2016-07-21 15:05:58 +00:00
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.auth.basic]
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
2017-02-24 02:46:50 +00:00
# usersFile = "/path/to/.htdigest"
2016-09-20 06:06:06 +00:00
#
# To specify an https entrypoint with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls):
# [entryPoints]
# [entryPoints.https]
# address = ":443"
# [entryPoints.https.tls]
# MinVersion = "VersionTLS12"
# CipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"]
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.com.cert"
# KeyFile = "integration/fixtures/https/snitest.com.key"
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.org.cert"
# KeyFile = "integration/fixtures/https/snitest.org.key"
2016-04-15 14:27:40 +00:00
2016-09-28 21:36:06 +00:00
# To enable compression support using gzip format:
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# compress = true
2016-04-19 08:00:33 +00:00
[entryPoints]
2016-04-15 14:27:40 +00:00
[entryPoints.http]
address = ":80"
2016-03-22 16:25:57 +00:00
```
## Retry configuration
```toml
# Enable retry sending request if network error
#
# Optional
#
2016-04-15 14:27:40 +00:00
[retry]
2016-03-22 16:25:57 +00:00
# Number of attempts
#
# Optional
# Default: (number servers in backend) -1
#
# attempts = 3
```
2017-03-24 08:36:33 +00:00
## Health check configuration
```toml
# Enable custom health check options.
#
# Optional
#
[healthcheck]
# Set the default health check interval. Will only be effective if health check
# paths are defined. Given provider-specific support, the value may be
# overridden on a per-backend basis.
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
# values (digits). If no units are provided, the value is parsed assuming
# seconds.
#
# Optional
# Default: "30s"
#
# interval = "30s"
```
2016-03-22 16:25:57 +00:00
## ACME (Let's Encrypt) configuration
```toml
2016-04-18 16:31:45 +00:00
# Sample entrypoint configuration when using ACME
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
2016-03-22 16:25:57 +00:00
# Enable ACME (Let's Encrypt): automatic SSL
#
# Optional
#
2016-04-15 14:27:40 +00:00
[acme]
2016-03-22 16:25:57 +00:00
# Email address used for registration
#
# Required
#
2016-04-15 14:27:40 +00:00
email = "test@traefik.io"
2016-03-22 16:25:57 +00:00
2016-09-29 11:49:12 +00:00
# File or key used for certificates storage.
2016-06-08 11:07:31 +00:00
# WARNING, if you use Traefik in Docker, you have 2 options:
2016-08-22 09:03:34 +00:00
# - create a file on your host and mount it as a volume
2016-06-08 11:07:31 +00:00
# storageFile = "acme.json"
# $ docker run -v "/my/host/acme.json:acme.json" traefik
2016-08-22 09:03:34 +00:00
# - mount the folder containing the file as a volume
2016-06-08 11:07:31 +00:00
# storageFile = "/etc/traefik/acme/acme.json"
# $ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
2016-03-22 16:25:57 +00:00
#
# Required
#
2016-09-29 11:49:12 +00:00
storage = "acme.json" # or "traefik/acme/account" if using KV store
2016-03-22 16:25:57 +00:00
2016-10-14 00:33:01 +00:00
# Entrypoint to proxy acme challenge/apply certificates to.
2016-04-13 08:11:36 +00:00
# WARNING, must point to an entrypoint on port 443
2016-03-22 16:25:57 +00:00
#
# Required
#
2016-04-15 14:27:40 +00:00
entryPoint = "https"
2016-03-22 16:25:57 +00:00
2016-10-14 00:33:01 +00:00
# Use a DNS based acme challenge rather than external HTTPS access, e.g. for a firewalled server
# Select the provider that matches the DNS domain that will host the challenge TXT record,
# and provide environment variables with access keys to enable setting it:
# - cloudflare: CLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY
# - digitalocean: DO_AUTH_TOKEN
# - dnsimple: DNSIMPLE_EMAIL, DNSIMPLE_API_KEY
# - dnsmadeeasy: DNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET
# - exoscale: EXOSCALE_API_KEY, EXOSCALE_API_SECRET
# - gandi: GANDI_API_KEY
# - linode: LINODE_API_KEY
# - manual: none, but run traefik interactively & turn on acmeLogging to see instructions & press Enter
# - namecheap: NAMECHEAP_API_USER, NAMECHEAP_API_KEY
# - rfc2136: RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER
# - route53: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, or configured user/instance IAM profile
# - dyn: DYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD
# - vultr: VULTR_API_KEY
# - ovh: OVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY
# - pdns: PDNS_API_KEY, PDNS_API_URL
#
# Optional
#
# dnsProvider = "digitalocean"
# By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify
# If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.
# Useful if internal networks block external DNS queries
#
# Optional
#
# delayDontCheckDNS = 0
# If true, display debug log messages from the acme client library
#
# Optional
#
# acmeLogging = true
2016-03-22 16:25:57 +00:00
# Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
# WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
2016-08-22 09:03:34 +00:00
# WARNING, Take note that Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
2016-03-22 16:25:57 +00:00
#
# Optional
#
# onDemand = true
2016-08-05 18:42:45 +00:00
# Enable certificate generation on frontends Host rules. This will request a certificate from Let's Encrypt for each frontend with a Host rule.
# For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.
#
# Optional
#
# OnHostRule = true
2016-03-22 16:25:57 +00:00
# CA server to use
# Uncomment the line to run on the staging let's encrypt server
# Leave comment to go to prod
#
# Optional
#
# caServer = "https://acme-staging.api.letsencrypt.org/directory"
# Domains list
# You can provide SANs (alternative domains) to each main domain
2016-04-18 16:31:45 +00:00
# All domains must have A/AAAA records pointing to Traefik
2016-08-22 09:03:34 +00:00
# WARNING, Take note that Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
2016-03-22 16:25:57 +00:00
# Each domain & SANs will lead to a certificate request.
#
# [[acme.domains]]
# main = "local1.com"
# sans = ["test1.local1.com", "test2.local1.com"]
# [[acme.domains]]
# main = "local2.com"
# sans = ["test1.local2.com", "test2x.local2.com"]
# [[acme.domains]]
# main = "local3.com"
# [[acme.domains]]
# main = "local4.com"
2016-04-15 14:27:40 +00:00
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
2016-03-22 16:25:57 +00:00
```
# Configuration backends
## File backend
2017-03-31 04:29:03 +00:00
Like any other reverse proxy, Træfik can be configured with a file. You have two choices:
2016-03-22 16:25:57 +00:00
2016-08-22 09:03:34 +00:00
- simply add your configuration at the end of the global configuration file `traefik.toml` :
2016-03-22 16:25:57 +00:00
```toml
# traefik.toml
logLevel = "DEBUG"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.com.cert"
KeyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.org.cert"
KeyFile = "integration/fixtures/https/snitest.org.key"
[file]
# rules
[backends]
[backends.backend1]
[backends.backend1.circuitbreaker]
expression = "NetworkErrorRatio() > 0.5"
[backends.backend1.servers.server1]
url = "http://172.17.0.2:80"
weight = 10
[backends.backend1.servers.server2]
url = "http://172.17.0.3:80"
weight = 1
[backends.backend2]
2017-05-15 22:09:26 +00:00
[backends.backend2.maxconn]
2016-04-13 08:11:36 +00:00
amount = 10
extractorfunc = "request.host"
2016-03-22 16:25:57 +00:00
[backends.backend2.LoadBalancer]
method = "drr"
[backends.backend2.servers.server1]
url = "http://172.17.0.4:80"
weight = 1
[backends.backend2.servers.server2]
url = "http://172.17.0.5:80"
weight = 2
[frontends]
[frontends.frontend1]
backend = "backend2"
[frontends.frontend1.routes.test_1]
rule = "Host:test.localhost"
[frontends.frontend2]
backend = "backend1"
passHostHeader = true
2016-06-06 20:40:42 +00:00
priority = 10
2017-04-30 09:22:07 +00:00
# restrict access to this frontend to the specified list of IPv4/IPv6 CIDR Nets
# an unset or empty list allows all Source-IPs to access
# if one of the Net-Specifications are invalid, the whole list is invalid
# and allows all Source-IPs to access.
whitelistSourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
2016-03-22 16:25:57 +00:00
entrypoints = ["https"] # overrides defaultEntryPoints
[frontends.frontend2.routes.test_1]
rule = "Host:{subdomain:[a-z]+}.localhost"
[frontends.frontend3]
entrypoints = ["http", "https"] # overrides defaultEntryPoints
backend = "backend2"
rule = "Path:/test"
```
2016-04-21 22:38:44 +00:00
- or put your rules in a separate file, for example `rules.toml` :
2016-03-22 16:25:57 +00:00
```toml
# traefik.toml
logLevel = "DEBUG"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.com.cert"
KeyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.org.cert"
KeyFile = "integration/fixtures/https/snitest.org.key"
[file]
filename = "rules.toml"
```
```toml
# rules.toml
[backends]
[backends.backend1]
[backends.backend1.circuitbreaker]
expression = "NetworkErrorRatio() > 0.5"
[backends.backend1.servers.server1]
url = "http://172.17.0.2:80"
weight = 10
[backends.backend1.servers.server2]
url = "http://172.17.0.3:80"
weight = 1
[backends.backend2]
2017-05-15 22:09:26 +00:00
[backends.backend2.maxconn]
2016-04-13 08:11:36 +00:00
amount = 10
extractorfunc = "request.host"
2016-03-22 16:25:57 +00:00
[backends.backend2.LoadBalancer]
method = "drr"
[backends.backend2.servers.server1]
url = "http://172.17.0.4:80"
weight = 1
[backends.backend2.servers.server2]
url = "http://172.17.0.5:80"
weight = 2
[frontends]
[frontends.frontend1]
backend = "backend2"
[frontends.frontend1.routes.test_1]
rule = "Host:test.localhost"
[frontends.frontend2]
backend = "backend1"
passHostHeader = true
2016-06-06 20:40:42 +00:00
priority = 10
2016-03-22 16:25:57 +00:00
entrypoints = ["https"] # overrides defaultEntryPoints
[frontends.frontend2.routes.test_1]
rule = "Host:{subdomain:[a-z]+}.localhost"
[frontends.frontend3]
entrypoints = ["http", "https"] # overrides defaultEntryPoints
backend = "backend2"
rule = "Path:/test"
```
2017-03-31 04:29:03 +00:00
If you want Træfik to watch file changes automatically, just add:
2016-03-22 16:25:57 +00:00
```toml
[file]
watch = true
```
## API backend
2016-08-22 09:03:34 +00:00
Træfik can be configured using a RESTful api.
2016-03-22 16:25:57 +00:00
To enable it:
```toml
[web]
address = ":8080"
2017-03-03 22:09:44 +00:00
# Set the root path for webui and API
#
# Optional
#
# path = "/mypath"
#
2016-03-22 16:25:57 +00:00
# SSL certificate and key used
#
# Optional
#
# CertFile = "traefik.crt"
# KeyFile = "traefik.key"
#
# Set REST API to read-only mode
#
# Optional
# ReadOnly = false
2016-09-15 13:24:22 +00:00
#
2016-10-21 08:36:07 +00:00
# To enable more detailed statistics
# [web.statistics]
# RecentErrors = 10
#
2017-01-17 17:14:13 +00:00
# To enable Traefik to export internal metrics to Prometheus
# [web.metrics.prometheus]
2017-03-31 12:01:56 +00:00
# Buckets=[0.1,0.3,1.2,5.0]
2017-01-17 17:14:13 +00:00
#
2016-09-15 13:24:22 +00:00
# To enable basic auth on the webui
# with 2 user/pass: test:test and test2:test2
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
2017-02-24 02:46:50 +00:00
# Users can be specified directly in the toml file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence
2016-09-20 06:06:06 +00:00
# [web.auth.basic]
2016-09-15 13:24:22 +00:00
# users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
2017-02-24 02:46:50 +00:00
# usersFile = "/path/to/.htpasswd"
2016-09-15 13:24:22 +00:00
# To enable digest auth on the webui
# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
# You can use htdigest to generate those ones
2017-02-24 02:46:50 +00:00
# Users can be specified directly in the toml file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence
2016-11-24 17:17:57 +00:00
# [web.auth.digest]
2016-09-15 13:24:22 +00:00
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
2017-02-24 02:46:50 +00:00
# usersFile = "/path/to/.htdigest"
2016-03-22 16:25:57 +00:00
```
- `/` : provides a simple HTML frontend of Træfik
![Web UI Providers ](img/web.frontend.png )
![Web UI Health ](img/traefik-health.png )
2016-08-19 16:02:26 +00:00
- `/ping` : `GET` simple endpoint to check for Træfik process liveness.
2017-04-30 18:17:57 +00:00
```shell
2016-08-19 16:02:26 +00:00
$ curl -sv "http://localhost:8080/ping"
* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /ping HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP / 1 . 1 200 OK
< Date: Thu , 25 Aug 2016 01:35:36 GMT
< Content-Length: 2
< Content-Type: text / plain ; charset = utf-8
<
* Connection #0 to host localhost left intact
OK
```
2016-03-22 16:25:57 +00:00
- `/health` : `GET` json metrics
2017-04-30 18:17:57 +00:00
```shell
2016-03-22 16:25:57 +00:00
$ curl -s "http://localhost:8080/health" | jq .
{
2017-03-31 04:29:03 +00:00
// Træfik PID
2016-03-22 16:25:57 +00:00
"pid": 2458,
2017-03-31 04:29:03 +00:00
// Træfik server uptime (formated time)
2016-03-22 16:25:57 +00:00
"uptime": "39m6.885931127s",
2017-03-31 04:29:03 +00:00
// Træfik server uptime in seconds
2016-03-22 16:25:57 +00:00
"uptime_sec": 2346.885931127,
// current server date
"time": "2015-10-07 18:32:24.362238909 +0200 CEST",
// current server date in seconds
"unixtime": 1444235544,
// count HTTP response status code in realtime
"status_code_count": {
"502": 1
},
2017-03-31 04:29:03 +00:00
// count HTTP response status code since Træfik started
2016-03-22 16:25:57 +00:00
"total_status_code_count": {
"200": 7,
"404": 21,
"502": 13
},
// count HTTP response
"count": 1,
// count HTTP response
"total_count": 41,
// sum of all response time (formated time)
"total_response_time": "35.456865605s",
// sum of all response time in seconds
"total_response_time_sec": 35.456865605,
// average response time (formated time)
"average_response_time": "864.8016ms",
// average response time in seconds
2016-10-21 08:36:07 +00:00
"average_response_time_sec": 0.8648016000000001,
// request statistics [requires --web.statistics to be set]
// ten most recent requests with 4xx and 5xx status codes
"recent_errors": [
{
// status code
"status_code": 500,
// description of status code
"status": "Internal Server Error",
// request HTTP method
"method": "GET",
// request hostname
"host": "localhost",
// request path
"path": "/path",
// RFC 3339 formatted date/time
"time": "2016-10-21T16:59:15.418495872-07:00"
}
]
2016-03-22 16:25:57 +00:00
}
```
- `/api` : `GET` configuration for all providers
2017-04-30 18:17:57 +00:00
```shell
2016-03-22 16:25:57 +00:00
$ curl -s "http://localhost:8080/api" | jq .
{
"file": {
"frontends": {
"frontend2": {
"routes": {
"test_2": {
"rule": "Path:/test"
}
},
"backend": "backend1"
},
"frontend1": {
"routes": {
"test_1": {
"rule": "Host:test.localhost"
}
},
"backend": "backend2"
}
},
"backends": {
"backend2": {
"loadBalancer": {
"method": "drr"
},
"servers": {
"server2": {
"weight": 2,
"URL": "http://172.17.0.5:80"
},
"server1": {
"weight": 1,
"url": "http://172.17.0.4:80"
}
}
},
"backend1": {
"loadBalancer": {
"method": "wrr"
},
"circuitBreaker": {
"expression": "NetworkErrorRatio() > 0.5"
},
"servers": {
"server2": {
"weight": 1,
"url": "http://172.17.0.3:80"
},
"server1": {
"weight": 10,
"url": "http://172.17.0.2:80"
}
}
}
}
}
}
```
- `/api/providers` : `GET` providers
- `/api/providers/{provider}` : `GET` or `PUT` provider
- `/api/providers/{provider}/backends` : `GET` backends
- `/api/providers/{provider}/backends/{backend}` : `GET` a backend
- `/api/providers/{provider}/backends/{backend}/servers` : `GET` servers in a backend
- `/api/providers/{provider}/backends/{backend}/servers/{server}` : `GET` a server in a backend
- `/api/providers/{provider}/frontends` : `GET` frontends
- `/api/providers/{provider}/frontends/{frontend}` : `GET` a frontend
- `/api/providers/{provider}/frontends/{frontend}/routes` : `GET` routes in a frontend
- `/api/providers/{provider}/frontends/{frontend}/routes/{route}` : `GET` a route in a frontend
2017-01-12 13:34:54 +00:00
- `/metrics` : You can enable Traefik to export internal metrics to different monitoring systems (Only Prometheus is supported at the moment).
```bash
2017-03-31 12:01:56 +00:00
$ traefik --web.metrics.prometheus --web.metrics.prometheus.buckets="0.1,0.3,1.2,5.0"
2017-01-12 13:34:54 +00:00
```
2016-03-22 16:25:57 +00:00
## Docker backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Docker as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# Docker configuration backend
################################################################
# Enable Docker configuration backend
#
# Optional
#
[docker]
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
#
endpoint = "unix:///var/run/docker.sock"
# Default domain used.
# Can be overridden by setting the "traefik.domain" label on a container.
#
# Required
#
domain = "docker.localhost"
# Enable watch docker changes
#
# Optional
#
watch = true
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "docker.tmpl"
2016-07-14 09:32:15 +00:00
# Expose containers by default in traefik
2017-01-25 13:11:00 +00:00
# If set to false, containers that don't have `traefik.enable=true` will be ignored
2016-07-14 09:32:15 +00:00
#
# Optional
# Default: true
#
exposedbydefault = true
2016-09-20 12:52:35 +00:00
# Use the IP address from the binded port instead of the inner network one. For specific use-case :)
2016-08-05 14:02:46 +00:00
2016-09-20 12:52:35 +00:00
#
# Optional
# Default: false
#
usebindportip = true
2016-08-05 14:02:46 +00:00
# Use Swarm Mode services as data provider
#
# Optional
# Default: false
#
swarmmode = false
2016-09-20 12:52:35 +00:00
2016-03-22 16:25:57 +00:00
# Enable docker TLS connection
#
# [docker.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/docker.crt"
# key = "/etc/ssl/docker.key"
# insecureskipverify = true
```
Labels can be used on containers to override default behaviour:
2017-05-15 22:09:26 +00:00
- `traefik.backend=foo` : give the name `foo` to the generated backend for this container.
2016-08-25 04:22:06 +00:00
- `traefik.backend.maxconn.amount=10` : set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.
- `traefik.backend.maxconn.extractorfunc=client.ip` : set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.
- `traefik.backend.loadbalancer.method=drr` : override the default `wrr` load balancer algorithm
2016-09-28 14:29:19 +00:00
- `traefik.backend.loadbalancer.sticky=true` : enable backend sticky sessions
2017-01-07 08:20:52 +00:00
- `traefik.backend.loadbalancer.swarm=true ` : use Swarm's inbuilt load balancer (only relevant under Swarm Mode).
2016-08-25 04:22:06 +00:00
- `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` : create a [circuit breaker ](/basics/#backends ) to be used against the backend
2016-03-22 16:25:57 +00:00
- `traefik.port=80` : register this port. Useful when the container exposes multiples ports.
- `traefik.protocol=https` : override the default `http` protocol
- `traefik.weight=10` : assign this weight to the container
2017-03-31 04:29:03 +00:00
- `traefik.enable=false` : disable this container in Træfik
2017-03-09 21:27:09 +00:00
- `traefik.frontend.rule=Host:test.traefik.io` : override the default frontend rule (Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose` ).
2016-03-22 16:25:57 +00:00
- `traefik.frontend.passHostHeader=true` : forward client `Host` header to the backend.
2016-06-06 20:40:42 +00:00
- `traefik.frontend.priority=10` : override default frontend priority
2016-03-22 16:25:57 +00:00
- `traefik.frontend.entryPoints=http,https` : assign this frontend to entry points `http` and `https` . Overrides `defaultEntryPoints` .
2017-04-19 09:14:05 +00:00
- `traefik.frontend.auth.basic=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` : Sets a Basic Auth for that frontend with the users test:test and test2:test2
2017-04-30 09:22:07 +00:00
- `traefik.frontend.whitelistSourceRange: "1.2.3.0/24, fe80::/16"` : List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.- `traefik.docker.network` : Set the docker network to use for connections to this container. If a container is linked to several networks, be sure to set the proper network name (you can check with docker inspect < container_id > ) otherwise it will randomly pick one (depending on how docker is returning them). For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name.
2016-03-22 16:25:57 +00:00
2017-03-08 14:10:21 +00:00
If several ports need to be exposed from a container, the services labels can be used
- `traefik.<service-name>.port=443` : create a service binding with frontend/backend using this port. Overrides `traefik.port` .
- `traefik.<service-name>.protocol=https` : assign `https` protocol. Overrides `traefik.protocol` .
- `traefik.<service-name>.weight=10` : assign this service weight. Overrides `traefik.weight` .
- `traefik.<service-name>.frontend.backend=fooBackend` : assign this service frontend to `foobackend` . Default is to assign to the service backend.
- `traefik.<service-name>.frontend.entryPoints=http` : assign this service entrypoints. Overrides `traefik.frontend.entrypoints` .
2017-04-19 09:14:05 +00:00
- `traefik.<service-name>.frontend.auth.basic=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` Sets a Basic Auth for that frontend with the users test:test and test2:test2.
2017-03-08 14:10:21 +00:00
- `traefik.<service-name>.frontend.passHostHeader=true` : Forward client `Host` header to the backend. Overrides `traefik.frontend.passHostHeader` .
- `traefik.<service-name>.frontend.priority=10` : assign the service frontend priority. Overrides `traefik.frontend.priority` .
- `traefik.<service-name>.frontend.rule=Path:/foo` : assign the service frontend rule. Overrides `traefik.frontend.rule` .
2017-03-31 04:29:03 +00:00
NB: when running inside a container, Træfik will need network access through `docker network connect <network> <traefik-container>`
2016-03-22 16:25:57 +00:00
## Marathon backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Marathon as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# Mesos/Marathon configuration backend
################################################################
# Enable Marathon configuration backend
#
# Optional
#
[marathon]
# Marathon server endpoint.
# You can also specify multiple endpoint for Marathon:
# endpoint := "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
#
# Required
#
endpoint = "http://127.0.0.1:8080"
# Enable watch Marathon changes
#
# Optional
#
watch = true
# Default domain used.
#
# Required
#
domain = "marathon.localhost"
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "marathon.tmpl"
# Expose Marathon apps by default in traefik
#
# Optional
2016-11-08 13:20:50 +00:00
# Default: true
2016-03-22 16:25:57 +00:00
#
2016-06-01 14:47:39 +00:00
# exposedByDefault = true
# Convert Marathon groups to subdomains
# Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
# with groupsAsSubDomains enabled: /foo/bar/myapp => myapp.bar.foo.{defaultDomain}
#
# Optional
# Default: false
#
# groupsAsSubDomains = true
2016-03-22 16:25:57 +00:00
2016-10-06 15:42:19 +00:00
# Enable compatibility with marathon-lb labels
#
# Optional
# Default: false
#
# marathonLBCompatibility = true
2016-03-22 16:25:57 +00:00
# Enable Marathon basic authentication
#
# Optional
#
# [marathon.basic]
# httpBasicAuthUser = "foo"
# httpBasicPassword = "bar"
# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
#
# Optional
#
# [marathon.TLS]
2016-10-31 05:37:06 +00:00
# CA = "/etc/ssl/ca.crt"
# Cert = "/etc/ssl/marathon.cert"
# Key = "/etc/ssl/marathon.key"
2016-03-22 16:25:57 +00:00
# InsecureSkipVerify = true
2016-06-18 12:51:52 +00:00
# DCOSToken for DCOS environment, This will override the Authorization header
#
# Optional
#
# dcosToken = "xxxxxx"
2016-10-05 15:42:58 +00:00
# Override DialerTimeout
2017-03-27 09:51:53 +00:00
# Amount of time to allow the Marathon provider to wait to open a TCP connection
# to a Marathon master.
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
# values (digits). If no units are provided, the value is parsed assuming
# seconds.
2016-10-05 15:42:58 +00:00
#
# Optional
2017-03-27 09:51:53 +00:00
# Default: "60s"
# dialerTimeout = "60s"
2016-10-05 15:42:58 +00:00
2017-03-27 09:51:53 +00:00
# Set the TCP Keep Alive interval for the Marathon HTTP Client.
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
# values (digits). If no units are provided, the value is parsed assuming
# seconds.
2016-11-22 15:11:28 +00:00
#
# Optional
2017-03-27 09:51:53 +00:00
# Default: "10s"
2016-11-22 15:11:28 +00:00
#
2017-03-27 09:51:53 +00:00
# keepAlive = "10s"
2017-03-26 19:59:08 +00:00
# By default, a task's IP address (as returned by the Marathon API) is used as
# backend server if an IP-per-task configuration can be found; otherwise, the
# name of the host running the task is used.
# The latter behavior can be enforced by enabling this switch.
#
# Optional
# Default: false
#
# forceTaskHostname: false
2016-03-22 16:25:57 +00:00
```
Labels can be used on containers to override default behaviour:
- `traefik.backend=foo` : assign the application to `foo` backend
2016-08-13 16:55:15 +00:00
- `traefik.backend.maxconn.amount=10` : set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.
- `traefik.backend.maxconn.extractorfunc=client.ip` : set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.
- `traefik.backend.loadbalancer.method=drr` : override the default `wrr` load balancer algorithm
2016-09-28 14:29:19 +00:00
- `traefik.backend.loadbalancer.sticky=true` : enable backend sticky sessions
2016-08-13 16:55:15 +00:00
- `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` : create a [circuit breaker ](/basics/#backends ) to be used against the backend
2017-03-15 18:16:06 +00:00
- `traefik.backend.healthcheck.path=/health` : set the Traefik health check path [default: no health checks]
- `traefik.backend.healthcheck.interval=5s` : sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s]
2016-03-22 16:25:57 +00:00
- `traefik.portIndex=1` : register port by index in the application's ports array. Useful when the application exposes multiple ports.
- `traefik.port=80` : register the explicit application port value. Cannot be used alongside `traefik.portIndex` .
- `traefik.protocol=https` : override the default `http` protocol
- `traefik.weight=10` : assign this weight to the application
2017-03-31 04:29:03 +00:00
- `traefik.enable=false` : disable this application in Træfik
2016-04-13 19:12:49 +00:00
- `traefik.frontend.rule=Host:test.traefik.io` : override the default frontend rule (Default: `Host:{containerName}.{domain}` ).
2016-03-22 16:25:57 +00:00
- `traefik.frontend.passHostHeader=true` : forward client `Host` header to the backend.
2016-06-06 20:40:42 +00:00
- `traefik.frontend.priority=10` : override default frontend priority
2016-03-22 16:25:57 +00:00
- `traefik.frontend.entryPoints=http,https` : assign this frontend to entry points `http` and `https` . Overrides `defaultEntryPoints` .
2016-04-20 11:43:37 +00:00
2016-09-30 13:37:52 +00:00
## Mesos generic backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Mesos as a backend configuration:
2016-09-30 13:37:52 +00:00
```toml
################################################################
# Mesos configuration backend
################################################################
# Enable Mesos configuration backend
#
# Optional
#
[mesos]
# Mesos server endpoint.
# You can also specify multiple endpoint for Mesos:
# endpoint = "192.168.35.40:5050,192.168.35.41:5050,192.168.35.42:5050"
# endpoint = "zk://192.168.35.20:2181,192.168.35.21:2181,192.168.35.22:2181/mesos"
#
# Required
#
endpoint = "http://127.0.0.1:8080"
# Enable watch Mesos changes
#
# Optional
#
watch = true
# Default domain used.
# Can be overridden by setting the "traefik.domain" label on an application.
#
# Required
#
domain = "mesos.localhost"
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "mesos.tmpl"
# Expose Mesos apps by default in traefik
#
# Optional
# Default: false
#
# ExposedByDefault = true
# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
#
# Optional
#
# [mesos.TLS]
# InsecureSkipVerify = true
# Zookeeper timeout (in seconds)
#
# Optional
2017-03-14 14:57:49 +00:00
# Default: 30
2016-09-30 13:37:52 +00:00
#
# ZkDetectionTimeout = 30
# Polling interval (in seconds)
#
# Optional
2017-03-14 14:57:49 +00:00
# Default: 30
2016-09-30 13:37:52 +00:00
#
# RefreshSeconds = 30
# IP sources (e.g. host, docker, mesos, rkt)
#
# Optional
#
# IPSources = "host"
# HTTP Timeout (in seconds)
#
# Optional
2017-03-14 14:57:49 +00:00
# Default: 30
2016-09-30 13:37:52 +00:00
#
2017-03-14 14:57:49 +00:00
# StateTimeoutSecond = "30"
2016-09-30 13:37:52 +00:00
```
2016-04-20 11:43:37 +00:00
## Kubernetes Ingress backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Kubernetes Ingress as a backend configuration:
2016-04-20 11:43:37 +00:00
```toml
################################################################
# Kubernetes Ingress configuration backend
################################################################
# Enable Kubernetes Ingress configuration backend
#
# Optional
#
[kubernetes]
# Kubernetes server endpoint
#
2017-03-07 12:09:11 +00:00
# When deployed as a replication controller in Kubernetes, Traefik will use
# the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT
# to construct the endpoint.
2016-04-20 11:43:37 +00:00
# Secure token will be found in /var/run/secrets/kubernetes.io/serviceaccount/token
# and SSL CA cert in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
2016-06-01 05:11:17 +00:00
#
2017-03-07 12:09:11 +00:00
# The endpoint may be given to override the environment variable values.
#
# When the environment variables are not found, Traefik will try to connect to
# the Kubernetes API server with an external-cluster client. In this case, the
# endpoint is required. Specifically, it may be set to the URL used by
# `kubectl proxy` to connect to a Kubernetes cluster from localhost.
#
# Optional for in-cluster configuration, required otherwise
# Default: empty
2016-04-20 11:43:37 +00:00
#
# endpoint = "http://localhost:8080"
2017-03-07 12:09:11 +00:00
# Bearer token used for the Kubernetes client configuration.
#
# Optional
# Default: empty
#
# token = "my token"
# Path to the certificate authority file used for the Kubernetes client
# configuration.
2016-07-12 05:25:01 +00:00
#
2017-03-07 12:09:11 +00:00
# Optional
# Default: empty
#
# certAuthFilePath = "/my/ca.crt"
# Array of namespaces to watch.
#
# Optional
# Default: ["default"].
#
# namespaces = ["default", "production"]
2016-07-12 05:25:01 +00:00
# See: http://kubernetes.io/docs/user-guide/labels/#list-and-watch-filtering
# labelselector = "A and not B"
#
2016-04-20 11:43:37 +00:00
```
2016-05-17 10:50:06 +00:00
Annotations can be used on containers to override default behaviour for the whole Ingress resource:
2016-05-18 22:09:32 +00:00
- `traefik.frontend.rule.type: PathPrefixStrip` : override the default frontend rule type (Default: `PathPrefix` ).
2016-05-17 10:50:06 +00:00
2017-01-25 13:11:00 +00:00
Annotations can be used on the Kubernetes service to override default behaviour:
- `traefik.backend.loadbalancer.method=drr` : override the default `wrr` load balancer algorithm
- `traefik.backend.loadbalancer.sticky=true` : enable backend sticky sessions
2016-10-17 16:36:32 +00:00
You can find here an example [ingress ](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml ) and [replication controller ](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik.yaml ).
2016-04-20 11:43:37 +00:00
2017-02-03 16:47:48 +00:00
Additionally, an annotation can be used on Kubernetes services to set the [circuit breaker expression ](https://docs.traefik.io/basics/#backends ) for a backend.
- `traefik.backend.circuitbreaker: <expression>` : set the circuit breaker expression for the backend (Default: nil).
2017-04-30 09:22:07 +00:00
As known from nginx when used as Kubernetes Ingress Controller, a List of IP-Ranges which are allowed to access can be configured by using an ingress annotation:
- `ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"`
An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.
2017-05-02 13:08:18 +00:00
### Authentication
Is possible to add additional authentication annotations in the Ingress rule.
The source of the authentication is a secret that contains usernames and passwords inside the the key auth.
- `ingress.kubernetes.io/auth-type` : `basic`
- `ingress.kubernetes.io/auth-secret` : contains the usernames and passwords with access to the paths defined in the Ingress Rule.
The secret must be created in the same namespace as the Ingress rule.
Limitations:
- Basic authentication only.
- Realm not configurable; only `traefik` default.
- Secret must contain only single file.
2016-03-22 16:25:57 +00:00
## Consul backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Consul as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# Consul KV configuration backend
################################################################
# Enable Consul KV configuration backend
#
# Optional
#
[consul]
# Consul server endpoint
#
# Required
#
endpoint = "127.0.0.1:8500"
# Enable watch Consul changes
#
# Optional
#
watch = true
# Prefix used for KV store.
#
# Optional
#
prefix = "traefik"
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "consul.tmpl"
# Enable consul TLS connection
#
# Optional
#
# [consul.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/consul.crt"
# key = "/etc/ssl/consul.key"
# insecureskipverify = true
```
2016-07-11 15:32:28 +00:00
Please refer to the [Key Value storage structure ](/user-guide/kv-config/#key-value-storage-structure ) section to get documentation on traefik KV structure.
2016-03-22 16:25:57 +00:00
## Consul catalog backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use service discovery catalog of Consul as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# Consul Catalog configuration backend
################################################################
# Enable Consul Catalog configuration backend
#
# Optional
#
[consulCatalog]
# Consul server endpoint
#
# Required
#
endpoint = "127.0.0.1:8500"
# Default domain used.
#
# Optional
#
domain = "consul.localhost"
2016-04-12 07:49:37 +00:00
# Prefix for Consul catalog tags
#
# Optional
#
prefix = "traefik"
2017-05-08 17:46:53 +00:00
# Default frontEnd Rule for Consul services
# The format is a Go Template with ".ServiceName", ".Domain" and ".Attributes" available
# "getTag(name, tags, defaultValue)", "hasTag(name, tags)" and "getAttribute(name, tags, defaultValue)" functions are available
# "getAttribute(...)" function uses prefixed tag names based on "prefix" value
#
# Optional
#
frontEndRule = "Host:{{.ServiceName}}.{{Domain}}"
2016-03-22 16:25:57 +00:00
```
This backend will create routes matching on hostname based on the service name
used in consul.
2016-04-12 07:49:37 +00:00
Additional settings can be defined using Consul Catalog tags:
2016-04-13 19:12:49 +00:00
2017-03-31 04:29:03 +00:00
- `traefik.enable=false` : disable this container in Træfik
2016-06-06 20:40:42 +00:00
- `traefik.protocol=https` : override the default `http` protocol
- `traefik.backend.weight=10` : assign this weight to the container
- `traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5`
- `traefik.backend.loadbalancer=drr` : override the default load balancing mode
2016-08-25 03:46:47 +00:00
- `traefik.backend.maxconn.amount=10` : set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.
- `traefik.backend.maxconn.extractorfunc=client.ip` : set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.
2017-05-08 17:46:53 +00:00
- `traefik.frontend.rule=Host:test.traefik.io` : override the default frontend rule (Default: `Host:{{.ServiceName}}.{{.Domain}}` ).
2016-06-06 20:40:42 +00:00
- `traefik.frontend.passHostHeader=true` : forward client `Host` header to the backend.
- `traefik.frontend.priority=10` : override default frontend priority
- `traefik.frontend.entryPoints=http,https` : assign this frontend to entry points `http` and `https` . Overrides `defaultEntryPoints` .
2016-03-22 16:25:57 +00:00
## Etcd backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Etcd as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# Etcd configuration backend
################################################################
# Enable Etcd configuration backend
#
# Optional
#
2016-04-15 14:27:40 +00:00
[etcd]
2016-03-22 16:25:57 +00:00
# Etcd server endpoint
#
# Required
#
2016-07-11 11:36:35 +00:00
endpoint = "127.0.0.1:2379"
2016-03-22 16:25:57 +00:00
# Enable watch Etcd changes
#
# Optional
#
2016-04-15 14:27:40 +00:00
watch = true
2016-03-22 16:25:57 +00:00
# Prefix used for KV store.
#
# Optional
#
2016-04-15 14:27:40 +00:00
prefix = "/traefik"
2016-03-22 16:25:57 +00:00
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "etcd.tmpl"
2017-03-28 15:54:48 +00:00
# Use etcd user/pass authentication
#
# Optional
#
# username = foo
# password = bar
2016-03-22 16:25:57 +00:00
# Enable etcd TLS connection
#
# Optional
#
# [etcd.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/etcd.crt"
# key = "/etc/ssl/etcd.key"
# insecureskipverify = true
```
2016-07-11 15:32:28 +00:00
Please refer to the [Key Value storage structure ](/user-guide/kv-config/#key-value-storage-structure ) section to get documentation on traefik KV structure.
2016-03-22 16:25:57 +00:00
## Zookeeper backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Zookeeper as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# Zookeeper configuration backend
################################################################
# Enable Zookeeperconfiguration backend
#
# Optional
#
2016-04-15 14:27:40 +00:00
[zookeeper]
2016-03-22 16:25:57 +00:00
# Zookeeper server endpoint
#
# Required
#
2016-04-15 14:27:40 +00:00
endpoint = "127.0.0.1:2181"
2016-03-22 16:25:57 +00:00
# Enable watch Zookeeper changes
#
# Optional
#
2016-04-15 14:27:40 +00:00
watch = true
2016-03-22 16:25:57 +00:00
# Prefix used for KV store.
#
# Optional
#
2016-12-20 21:25:50 +00:00
prefix = "traefik"
2016-03-22 16:25:57 +00:00
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "zookeeper.tmpl"
```
2016-07-11 15:32:28 +00:00
Please refer to the [Key Value storage structure ](/user-guide/kv-config/#key-value-storage-structure ) section to get documentation on traefik KV structure.
2016-03-22 16:25:57 +00:00
## BoltDB backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use BoltDB as a backend configuration:
2016-03-22 16:25:57 +00:00
```toml
################################################################
# BoltDB configuration backend
################################################################
# Enable BoltDB configuration backend
#
# Optional
#
2016-04-15 14:27:40 +00:00
[boltdb]
2016-03-22 16:25:57 +00:00
# BoltDB file
#
# Required
#
2016-04-15 14:27:40 +00:00
endpoint = "/my.db"
2016-03-22 16:25:57 +00:00
# Enable watch BoltDB changes
#
# Optional
#
2016-04-15 14:27:40 +00:00
watch = true
2016-03-22 16:25:57 +00:00
# Prefix used for KV store.
#
# Optional
#
2016-04-15 14:27:40 +00:00
prefix = "/traefik"
2016-03-22 16:25:57 +00:00
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "boltdb.tmpl"
```
2016-08-31 20:43:05 +00:00
## Eureka backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Eureka as a backend configuration:
2016-08-31 20:43:05 +00:00
```toml
################################################################
# Eureka configuration backend
################################################################
# Enable Eureka configuration backend
#
# Optional
#
[eureka]
# Eureka server endpoint.
# endpoint := "http://my.eureka.server/eureka"
#
# Required
#
endpoint = "http://my.eureka.server/eureka"
# Override default configuration time between refresh
#
# Optional
# default 30s
delay = "1m"
# Override default configuration template. For advanced users :)
#
# Optional
#
# filename = "eureka.tmpl"
```
2016-07-11 15:32:28 +00:00
Please refer to the [Key Value storage structure ](/user-guide/kv-config/#key-value-storage-structure ) section to get documentation on traefik KV structure.
2017-01-05 14:24:17 +00:00
## ECS backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Amazon ECS as a backend configuration:
2017-01-05 14:24:17 +00:00
```toml
################################################################
# ECS configuration backend
################################################################
# Enable ECS configuration backend
#
# Optional
#
[ecs]
# ECS Cluster Name
#
# Optional
# Default: "default"
#
Cluster = "default"
# Enable watch ECS changes
#
# Optional
# Default: true
#
Watch = true
# Polling interval (in seconds)
#
# Optional
# Default: 15
#
RefreshSeconds = 15
# Expose ECS services by default in traefik
#
# Optional
# Default: true
#
ExposedByDefault = false
# Region to use when connecting to AWS
#
# Optional
#
# Region = "us-east-1"
# AccessKeyID to use when connecting to AWS
#
# Optional
#
# AccessKeyID = "abc"
# SecretAccessKey to use when connecting to AWS
#
# Optional
#
# SecretAccessKey = "123"
```
Labels can be used on task containers to override default behaviour:
- `traefik.protocol=https` : override the default `http` protocol
- `traefik.weight=10` : assign this weight to the container
2017-03-31 04:29:03 +00:00
- `traefik.enable=false` : disable this container in Træfik
2017-01-05 14:24:17 +00:00
- `traefik.frontend.rule=Host:test.traefik.io` : override the default frontend rule (Default: `Host:{containerName}.{domain}` ).
- `traefik.frontend.passHostHeader=true` : forward client `Host` header to the backend.
- `traefik.frontend.priority=10` : override default frontend priority
- `traefik.frontend.entryPoints=http,https` : assign this frontend to entry points `http` and `https` . Overrides `defaultEntryPoints` .
2017-02-08 14:08:16 +00:00
If `AccessKeyID` /`SecretAccessKey` is not given credentials will be resolved in the following order:
- From environment variables; `AWS_ACCESS_KEY_ID` , `AWS_SECRET_ACCESS_KEY` , and `AWS_SESSION_TOKEN` .
- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE` , defaults to `default` and `~/.aws/credentials` .
- EC2 instance role or ECS task role
2017-03-31 04:29:03 +00:00
Træfik needs the following policy to read ECS information:
2017-02-08 14:08:16 +00:00
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Traefik ECS read access",
"Effect": "Allow",
"Action": [
"ecs:ListTasks",
"ecs:DescribeTasks",
"ecs:DescribeContainerInstances",
"ecs:DescribeTaskDefinition",
"ec2:DescribeInstances"
],
"Resource": [
"*"
]
}
]
}
```
2017-02-20 19:41:28 +00:00
# Rancher backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Rancher as a backend configuration:
2017-02-20 19:41:28 +00:00
```toml
################################################################
# Rancher configuration backend
################################################################
# Enable Rancher configuration backend
#
# Optional
#
[rancher]
# Default domain used.
# Can be overridden by setting the "traefik.domain" label on an service.
#
# Required
#
domain = "rancher.localhost"
# Enable watch Rancher changes
#
# Optional
# Default: true
#
Watch = true
2017-04-29 19:37:54 +00:00
# Polling interval (in seconds)
#
# Optional
#
RefreshSeconds = 15
2017-02-20 19:41:28 +00:00
# Expose Rancher services by default in traefik
#
# Optional
# Default: true
#
ExposedByDefault = false
2017-04-29 19:37:54 +00:00
# Filter services with unhealthy states and health states
#
# Optional
# Default: false
#
EnableServiceHealthFilter = false
2017-02-20 19:41:28 +00:00
# Endpoint to use when connecting to Rancher
#
2017-03-24 09:13:12 +00:00
# Required
# Endpoint = "http://rancherserver.example.com/v1"
2017-02-20 19:41:28 +00:00
# AccessKey to use when connecting to Rancher
#
2017-03-24 09:13:12 +00:00
# Required
# AccessKey = "XXXXXXXXXXXXXXXXXXXX"
2017-02-20 19:41:28 +00:00
# SecretKey to use when connecting to Rancher
#
2017-03-24 09:13:12 +00:00
# Required
# SecretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
2017-02-20 19:41:28 +00:00
```
2017-03-24 09:13:12 +00:00
As traefik needs access to the rancher API, you need to set the `endpoint` , `accesskey` and `secretkey` parameters.
2017-02-20 19:41:28 +00:00
2017-03-24 09:13:12 +00:00
To enable traefik to fetch information about the Environment it's deployed in only, you need to create an `Environment API Key` . This can be found within the API Key advanced options.
2017-02-20 19:41:28 +00:00
Labels can be used on task containers to override default behaviour:
- `traefik.protocol=https` : override the default `http` protocol
- `traefik.weight=10` : assign this weight to the container
2017-03-31 04:29:03 +00:00
- `traefik.enable=false` : disable this container in Træfik
2017-02-20 19:41:28 +00:00
- `traefik.frontend.rule=Host:test.traefik.io` : override the default frontend rule (Default: `Host:{containerName}.{domain}` ).
- `traefik.frontend.passHostHeader=true` : forward client `Host` header to the backend.
- `traefik.frontend.priority=10` : override default frontend priority
- `traefik.frontend.entryPoints=http,https` : assign this frontend to entry points `http` and `https` . Overrides `defaultEntryPoints` .
2017-04-19 09:14:05 +00:00
- `traefik.frontend.auth.basic=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` : Sets a Basic Auth for that frontend with the users test:test and test2:test2
2017-03-09 01:53:34 +00:00
## DynamoDB backend
2017-03-31 04:29:03 +00:00
Træfik can be configured to use Amazon DynamoDB as a backend configuration:
2017-03-09 01:53:34 +00:00
```toml
################################################################
# DynamoDB configuration backend
################################################################
# Enable DynamoDB configuration backend
#
# Optional
#
[dynamodb]
# DyanmoDB Table Name
#
# Optional
#
TableName = "traefik"
# Enable watch DynamoDB changes
#
# Optional
#
Watch = true
# Polling interval (in seconds)
#
# Optional
#
RefreshSeconds = 15
# Region to use when connecting to AWS
#
# Required
#
# Region = "us-west-1"
# AccessKeyID to use when connecting to AWS
#
# Optional
#
# AccessKeyID = "abc"
# SecretAccessKey to use when connecting to AWS
#
# Optional
#
# SecretAccessKey = "123"
# Endpoint of local dynamodb instance for testing
#
# Optional
#
# Endpoint = "http://localhost:8080"
```
2017-04-30 18:17:57 +00:00
Items in the `dynamodb` table must have three attributes:
2017-03-09 01:53:34 +00:00
2017-04-30 18:17:57 +00:00
- `id` : string
2017-03-09 01:53:34 +00:00
- The id is the primary key.
2017-04-30 18:17:57 +00:00
- `name` : string
2017-03-09 01:53:34 +00:00
- The name is used as the name of the frontend or backend.
2017-04-30 18:17:57 +00:00
- `frontend` or `backend` : map
- This attribute's structure matches exactly the structure of a Frontend or Backend type in traefik. See `types/types.go` for details. The presence or absence of this attribute determines its type. So an item should never have both a `frontend` and a `backend` attribute.