Merge branch 'v2.0' into master

Fernandez Ludovic 2019-07-02 13:35:09 +02:00
commit 06df6017df
457 changed files with 30741 additions and 16993 deletions


@ -4,7 +4,6 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
- the Traefik community forum: https://community.containo.us/
-->


@ -10,7 +10,6 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
- the Traefik community forum: https://community.containo.us/
-->


@ -10,7 +10,6 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
- the Traefik community forum: https://community.containo.us/
-->


@ -1,5 +1,28 @@
# Change Log
## [v2.0.0-alpha8](https://github.com/containous/traefik/tree/v2.0.0-alpha8) (2019-07-01)
[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha7...v2.0.0-alpha8)
**Enhancements:**
- **[api]** Adding content-header to api endpoints ([#5019](https://github.com/containous/traefik/pull/5019) by [dalanmiller](https://github.com/dalanmiller))
- **[file]** Support YAML for the dynamic configuration. ([#5024](https://github.com/containous/traefik/pull/5024) by [ldez](https://github.com/ldez))
- **[logs]** Drop headers by default in access logs. ([#5034](https://github.com/containous/traefik/pull/5034) by [ldez](https://github.com/ldez))
- **[middleware,k8s/crd]** Handle cross-provider middleware in kubernetes CRD ([#5009](https://github.com/containous/traefik/pull/5009) by [mpl](https://github.com/mpl))
- **[server]** Use h2c from x/net to handle h2c requests ([#5045](https://github.com/containous/traefik/pull/5045) by [juliens](https://github.com/juliens))
- **[server]** Make HTTP Keep-Alive timeout configurable for backend connections ([#4983](https://github.com/containous/traefik/pull/4983) by [mszabo-wikia](https://github.com/mszabo-wikia))
- **[tls]** Define a TLS section to group TLS, TLSOptions, and TLSStores. ([#5031](https://github.com/containous/traefik/pull/5031) by [ldez](https://github.com/ldez))
- **[tracing]** Improve tracing ([#5010](https://github.com/containous/traefik/pull/5010) by [mmatur](https://github.com/mmatur))
**Bug fixes:**
- **[cli]** Change the loading resource order ([#5007](https://github.com/containous/traefik/pull/5007) by [ldez](https://github.com/ldez))
- **[logs]** fix: error log message. ([#5020](https://github.com/containous/traefik/pull/5020) by [ldez](https://github.com/ldez))
**Documentation:**
- **[acme]** doc/crd-acme: specify required kubectl version ([#5015](https://github.com/containous/traefik/pull/5015) by [mpl](https://github.com/mpl))
- **[middleware]** Improve middleware documentation. ([#5003](https://github.com/containous/traefik/pull/5003) by [ldez](https://github.com/ldez))
- **[server]** Add gRPC user guide ([#5042](https://github.com/containous/traefik/pull/5042) by [ldez](https://github.com/ldez))
- Use the same case everywhere ([#5043](https://github.com/containous/traefik/pull/5043) by [ldez](https://github.com/ldez))
## [v2.0.0-alpha7](https://github.com/containous/traefik/tree/v2.0.0-alpha7) (2019-06-21)
[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha6...v2.0.0-alpha7)

8
Gopkg.lock generated

@ -1677,7 +1677,7 @@
[[projects]]
branch = "master"
digest = "1:62afa19ba5d4c75369a1d6446688e33ef3c04a40aeedd819cf044a509747b563"
digest = "1:4d0fb9f19b2af3461e900a526395330403b39d839f126b66312215f153892ccc"
name = "golang.org/x/net"
packages = [
"bpf",
@ -1685,6 +1685,7 @@
"context/ctxhttp",
"http/httpguts",
"http2",
"http2/h2c",
"http2/hpack",
"idna",
"internal/iana",
@ -1699,7 +1700,7 @@
"websocket",
]
pruneopts = "NUT"
revision = "e514e69ffb8bc3c76a71ae40de0118d794855992"
revision = "da137c7871d730100384dbcf36e6f8fa493aef5b"
[[projects]]
branch = "master"
@ -2301,9 +2302,8 @@
"github.com/vulcand/oxy/roundrobin",
"github.com/vulcand/oxy/utils",
"github.com/vulcand/predicate",
"golang.org/x/net/http/httpguts",
"golang.org/x/net/http2",
"golang.org/x/net/http2/hpack",
"golang.org/x/net/http2/h2c",
"golang.org/x/net/websocket",
"google.golang.org/grpc",
"google.golang.org/grpc/credentials",


@ -104,7 +104,6 @@ A collection of contributions around Traefik can be found at [https://awesome.tr
To get community support, you can:
- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.


@ -3,6 +3,7 @@
"MD007": { "indent": 4 },
"MD009": false,
"MD013": false,
"MD024": false,
"MD026": false,
"MD033": false,
"MD034": false,

File diff suppressed because one or more lines are too long


File diff suppressed because one or more lines are too long


@ -14,9 +14,9 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
??? example "Enabling Data Collection with TOML"
```toml
[Global]
# Send anonymous usage data
sendAnonymousUsage = true
[global]
# Send anonymous usage data
sendAnonymousUsage = true
```
??? example "Enabling Data Collection with the CLI"
@ -51,24 +51,23 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web]
address = ":80"
[api]
[Docker]
[providers.docker]
endpoint = "tcp://10.10.10.10:2375"
domain = "foo.bir"
exposedByDefault = true
swarmMode = true
[Docker.TLS]
[providers.docker.TLS]
ca = "dockerCA"
cert = "dockerCert"
key = "dockerKey"
insecureSkipVerify = true
[ECS]
[providers.ecs]
domain = "foo.bar"
exposedByDefault = true
clusters = ["foo-bar"]
@ -81,24 +80,24 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web]
address = ":80"
[api]
[Docker]
[providers.docker]
endpoint = "xxxx"
domain = "xxxx"
exposedByDefault = true
swarmMode = true
[Docker.TLS]
[providers.docker.TLS]
ca = "xxxx"
cert = "xxxx"
key = "xxxx"
insecureSkipVerify = false
[ECS]
[providers.ecs]
domain = "xxxx"
exposedByDefault = true
clusters = []


@ -15,7 +15,6 @@ To save us some time and get quicker feedback, be sure to follow the guide lines
For end-user related support questions, try using first:
- the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
## Issue Title


@ -49,7 +49,12 @@ Once positioned, this option sets (and resets) all the default values of the sub
### Configuration File
At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$XDG_CONFIG_HOME/`, `$HOME/.config/`, and `.` (_the working directory_).
At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
- `/etc/traefik/`
- `$XDG_CONFIG_HOME/`
- `$HOME/.config/`
- `.` (_the working directory_).
You can override this using the `configFile` argument.


@ -14,13 +14,18 @@ version: '3'
services:
reverse-proxy:
image: traefik:v2.0 # The official v2.0 Traefik docker image
command: --api --providers.docker # Enables the web UI and tells Traefik to listen to docker
# The official v2.0 Traefik docker image
image: traefik:v2.0
# Enables the web UI and tells Traefik to listen to docker
command: --api --providers.docker
ports:
- "80:80" # The HTTP port
- "8080:8080" # The Web UI (enabled by --api)
# The HTTP port
- "80:80"
# The Web UI (enabled by --api)
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
```
**That's it. Now you can launch Traefik!**
@ -42,7 +47,8 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
```yaml
# ...
whoami:
image: containous/whoami # A container that exposes an API to show its IP address
# A container that exposes an API to show its IP address
image: containous/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
```


@ -12,25 +12,47 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
??? example "Enabling ACME"
```toml
```toml tab="TOML"
[entryPoints]
[entryPoints.web]
address = ":80"
address = ":80"
[entryPoints.http-tls]
address = ":443"
address = ":443"
[acme] # every router with TLS enabled will now be able to use ACME for its certificates
email = "your-email@your-domain.org"
storage = "acme.json"
onHostRule = true # dynamic generation based on the Host() & HostSNI() matchers
[acme.httpChallenge]
entryPoint = "web" # used during the challenge
# every router with TLS enabled will now be able to use ACME for its certificates
[acme]
email = "your-email@your-domain.org"
storage = "acme.json"
# dynamic generation based on the Host() & HostSNI() matchers
onHostRule = true
[acme.httpChallenge]
# used during the challenge
entryPoint = "web"
```
```yaml tab="YAML"
entryPoints:
web:
address: ":80"
http-tls:
address: ":443"
# every router with TLS enabled will now be able to use ACME for its certificates
acme:
email: your-email@your-domain.org
storage: acme.json
# dynamic generation based on the Host() & HostSNI() matchers
onHostRule: true
httpChallenge:
# used during the challenge
entryPoint: web
```
??? example "Configuring Wildcard Certificates"
```toml
```toml tab="TOML"
[entryPoints]
[entryPoints.web]
address = ":80"
@ -49,19 +71,44 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
sans = ["mydomain.com"]
```
```yaml tab="YAML"
entryPoints:
web:
address: ":80"
http-tls:
address: ":443"
acme:
email: your-email@your-domain.org
storage: acme.json
dnsChallenge:
provide: xxx
domains:
- main: "*.mydomain.com"
sans:
- mydomain.com
```
??? note "Configuration Reference"
There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:
There are many available options for ACME.
For a quick glance at what's possible, browse the configuration reference:
```toml
```toml tab="TOML"
--8<-- "content/https/ref-acme.toml"
```
```yaml tab="YAML"
--8<-- "content/https/ref-acme.yaml"
```
## Automatic Renewals
Traefik automatically tracks the expiry date of ACME certificates it generates.
If there are less than 30 days remaining before the certificate expires, Traefik will attempt to rewnew it automatically.
If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
!!! note
Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
@ -77,9 +124,14 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
??? example "Configuring the `tlsChallenge`"
```toml
```toml tab="TOML"
[acme]
[acme.tlsChallenge]
[acme.tlsChallenge]
```
```yaml tab="YAML"
acme:
tlsChallenge: {}
```
### `httpChallenge`
@ -91,11 +143,18 @@ when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reac
??? example "Using an EntryPoint Called http for the `httpChallenge`"
```toml
```toml tab="TOML"
[acme]
# ...
[acme.httpChallenge]
entryPoint = "http"
# ...
[acme.httpChallenge]
entryPoint = "http"
```
```yaml tab="YAML"
acme:
# ...
httpChallenge:
entryPoint: http
```
!!! note
@ -107,12 +166,21 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
```toml
```toml tab="TOML"
[acme]
# ...
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
# ...
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
# ...
```
```yaml tab="YAML"
acme:
# ...
dnsChallenge:
provider: digitalocean
delayBeforeCheck: 0
# ...
```
@ -200,12 +268,22 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
Use custom DNS servers to resolve the FQDN authority.
```toml
```toml tab="TOML"
[acme]
# ...
[acme.dnsChallenge]
# ...
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
# ...
[acme.dnsChallenge]
# ...
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
```
```yaml tab="YAML"
acme:
# ...
dnsChallenge:
# ...
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
```
#### Wildcard Domains
@ -213,12 +291,23 @@ Use custom DNS servers to resolve the FQDN authority.
[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
```toml
```toml tab="TOML"
[acme]
# ...
[[acme.domains]]
main = "*.local1.com"
sans = ["local1.com"]
# ...
[[acme.domains]]
main = "*.local1.com"
sans = ["local1.com"]
# ...
```
```yaml tab="YAML"
acme:
# ...
domains:
- main: "*.local1.com"
sans:
- local1.com
# ...
```
@ -240,17 +329,33 @@ You can set SANs (alternative domains) for each main domain.
Every domain must have A/AAAA records pointing to Traefik.
Each domain & SAN will lead to a certificate request.
```toml
```toml tab="TOML"
[acme]
# ...
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
[[acme.domains]]
main = "*.local3.com"
sans = ["local3.com", "test1.test1.local3.com"]
# ...
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
[[acme.domains]]
main = "*.local3.com"
sans = ["local3.com", "test1.test1.local3.com"]
# ...
```
```yaml tab="YAML"
acme:
# ...
domains:
- main: "local1.com"
sans:
- "test1.local1.com"
- "test2.local1.com"
- main: "local2.com"
- main: "*.local3.com"
sans:
- "local3.com"
- "test1.test1.local3.com"
# ...
```
@ -264,11 +369,18 @@ Each domain & SAN will lead to a certificate request.
??? example "Using the Let's Encrypt staging server"
```toml
```toml tab="TOML"
[acme]
# ...
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ...
# ...
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ...
```
```yaml tab="YAML"
acme:
# ...
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
# ...
```
## `onHostRule`
@ -277,11 +389,18 @@ Enable certificate generation on [routers](../routing/routers/index.md) `Host` &
This will request a certificate from Let's Encrypt for each router with a Host rule.
```toml
```toml tab="TOML"
[acme]
# ...
onHostRule = true
# ...
# ...
onHostRule = true
# ...
```
```yaml tab="YAML"
acme:
# ...
onHostRule: true
# ...
```
!!! note "Multiple Hosts in a Rule"
@ -294,17 +413,23 @@ This will request a certificate from Let's Encrypt for each router with a Host r
The `storage` option sets the location where your ACME certificates are saved to.
```toml
```toml tab="TOML"
[acme]
# ...
storage = "acme.json"
# ...
# ...
storage = "acme.json"
# ...
```
The value can refer to two kinds of storage:
```yaml tab="YAML"
acme
# ...
storage: acme.json
# ...
```
The value can refer to some kinds of storage:
- a JSON file
- a KV store entry
### In a File
@ -323,19 +448,6 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
!!! warning
For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
### In a a Key Value Store Entry
ACME certificates can be stored in a key-value store entry.
```toml
storage = "traefik/acme/account"
```
!!! note "Storage Size"
Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved.
For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul.
## Fallback
If Let's Encrypt is not reachable, the following certificates will apply:
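Review bot: Two of the new YAML tabs do not match their TOML tabs. In the wildcard-certificate example the key under `dnsChallenge` is written `provide: xxx`, while every other example on the page spells it `provider`, and in the `storage` example the top-level key is a bare `acme` with no colon, so that snippet is not a YAML mapping; the lines should read `provider: xxx` and `acme:`. A reader who copies either tab would presumably end up with a configuration that fails to load or has no DNS provider set, so no certificate is issued. Separately, the last hunk removes the key-value store section while the unchanged warning above it still says "Use a key value store entry instead", which now points at nothing on the page.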


@ -7,31 +7,11 @@
#
email = "test@traefik.io"
# File used for certificates storage.
#
# Optional (Deprecated)
#
#storageFile = "acme.json"
# File or key used for certificates storage.
#
# Required
#
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
# Deprecated, replaced by [acme.dnsChallenge].
#
# Optional.
#
# dnsProvider = "digitalocean"
# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
#
# Optional
# Default: 0
#
# delayDontCheckDNS = 0
# If true, display debug log messages from the acme client library.
#
@ -47,14 +27,7 @@ storage = "acme.json"
#
# overrideCertificates = true
# Deprecated. Enable on demand certificate generation.
#
# Optional
# Default: false
#
# onDemand = true
# Enable certificate generation on frontends host rules.
# Enable certificate generation on routers host rules.
#
# Optional
# Default: false
@ -95,7 +68,7 @@ storage = "acme.json"
#
# Required
#
# entryPoint = "http"
# entryPoint = "web"
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.


@ -0,0 +1,127 @@
# Enable ACME (Let's Encrypt): automatic SSL.
acme:
# Email address used for registration.
#
# Required
#
email: "test@traefik.io"
# File or key used for certificates storage.
#
# Required
#
storage: "acme.json"
# If true, display debug log messages from the acme client library.
#
# Optional
# Default: false
#
# acmeLogging: true
# If true, override certificates in key-value store when using storeconfig.
#
# Optional
# Default: false
#
# overrideCertificates: true
# Enable certificate generation on routers host rules.
#
# Optional
# Default: false
#
# onHostRule: true
# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
# caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
# KeyType: RSA4096
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
tlsChallenge:
# Use a HTTP-01 ACME challenge.
#
# Optional
#
# httpChallenge:
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
# entryPoint: web
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
# dnsChallenge:
# DNS provider used.
#
# Required
#
# provider: digitalocean
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
# delayBeforeCheck: 0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
# resolvers
# - "1.1.1.1:53"
# - "8.8.8.8:53"
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
# disablePropagationCheck: true
# Domains list.
# Only domains defined here can generate wildcard certificates.
# The certificates for these domains are negotiated at traefik startup only.
#
# domains:
# - main: "local1.com"
# sans:
# - "test1.local1.com"
# - "test2.local1.com"
# - main: "local2.com"
# - main: "*.local3.com"
# sans:
# - "local3.com"
# - "test1.test1.local3.com"
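Review bot: The commented `# resolvers` line under `dnsChallenge` has no trailing colon, so uncommenting that block as written gives invalid YAML; it should read `# resolvers:`. `tlsChallenge:` is also left as a bare key, which YAML parses as null, whereas the ACME page's example for the same option writes `tlsChallenge: {}`; if the loader treats a null section as absent, the challenge marked "recommended" here would not be enabled, so `tlsChallenge: {}` looks like the safer spelling, to be confirmed against the loader. `KeyType: RSA4096` is the only capitalised key in the file and presumably should follow the camelCase of its neighbours. Indentation is not visible in this rendering, so the nesting of the commented blocks could not be checked.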


@ -11,18 +11,25 @@ See the [Let's Encrypt](./acme.md) page.
### User defined
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls]]` section:
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
```toml
[[tls]]
[tls.certificate]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
```toml tab="TOML"
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls]]
[tls.certificate]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
```yaml tab="YAML"
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
```
!!! important "File Provider Only"
@ -34,9 +41,15 @@ To add / remove TLS certificates, even when Traefik is already running, their de
In Traefik, certificates are grouped together in certificates stores, which are defined as such:
```toml
[tlsStores]
[tlsStores.default]
```toml tab="TOML"
[tls.stores]
[tls.stores.default]
```
```yaml tab="YAML"
tls:
stores:
default: {}
```
!!! important "Alpha restriction"
@ -44,21 +57,32 @@ In Traefik, certificates are grouped together in certificates stores, which are
During the alpha version, any store definition other than the default one (named `default`) will be ignored,
and there is thefore only one globally available TLS store.
In the `[[tls]]` section, a list of stores can then be specified to indicate where the certificates should be stored:
In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
```toml
[[tls]]
```toml tab="TOML"
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
stores = ["default"]
[tls.certificate]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls]]
[[tls.certificates]]
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
[tls.certificate]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
```yaml tab="YAML"
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
stores:
- default
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
- certFile: /path/to/other-domain.cert
keyFile: /path/to/other-domain.key
```
!!! important "Alpha restriction"
@ -70,14 +94,23 @@ In the `[[tls]]` section, a list of stores can then be specified to indicate whe
Traefik can use a default certificate for connections without a SNI, or without a matching domain.
This default certificate should be defined in a TLS store:
```toml
[tlsStores]
[tlsStores.default]
[tlsStores.default.defaultCertificate]
```toml tab="TOML"
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
```yaml tab="YAML"
tls:
stores:
default:
defaultCertificate:
certFile: path/to/cert.crt
keyFile: path/to/cert.key
```
If no default certificate is provided, Traefik generates and uses a self-signed certificate.
## TLS Options
@ -86,16 +119,26 @@ The TLS options allow one to configure some parameters of the TLS connection.
### Minimum TLS Version
```toml
[tlsOptions]
```toml tab="TOML"
[tls.options]
[tlsOptions.default]
[tls.options.default]
minVersion = "VersionTLS12"
[tlsOptions.mintls13]
[tls.options.mintls13]
minVersion = "VersionTLS13"
```
```yaml tab="YAML"
tls:
options:
default:
minVersion: VersionTLS12
mintls13:
minVersion: VersionTLS13
```
### Mutual Authentication
Traefik supports both optional and strict (which is the default) mutual authentication, though the `ClientCA.files` section.
@ -106,35 +149,63 @@ For clients with a certificate, the `optional` option governs the behaviour as f
- When `optional = false`, Traefik accepts connections only from clients presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.
```toml
[tlsOptions]
[tlsOptions.default]
[tlsOptions.default.ClientCA]
```toml tab="TOML"
[tls.options]
[tls.options.default]
[tls.options.default.clientCA]
# in PEM format. each file can contain multiple CAs.
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
optional = false
```
```yaml tab="YAML"
tls:
options:
default:
clientCA:
# in PEM format. each file can contain multiple CAs.
files:
- tests/clientca1.crt
- tests/clientca2.crt
optional: false
```
### Cipher Suites
See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
```toml
[tlsOptions]
[tlsOptions.default]
```toml tab="TOML"
[tls.options]
[tls.options.default]
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
```
```yaml tab="YAML"
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
```
### Strict SNI Checking
With strict SNI checking, Traefik won't allow connections from clients connections
that do not specify a server_name extension.
```toml
[tlsOptions]
[tlsOptions.default]
```toml tab="TOML"
[tls.options]
[tls.options.default]
sniStrict = true
```
```yaml tab="YAML"
tls:
options:
default:
sniStrict: true
```
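Review bot: The Cipher Suites example, which this change copies into a new YAML tab, lists `TLS_RSA_WITH_AES_256_GCM_SHA384`, a suite that uses static RSA key exchange and therefore gives no forward secrecy. Lists like this tend to be copied into production configuration as they stand, so the example should either drop that entry from both tabs or carry a comment above the list, for instance `# TLS_RSA_* suites lack forward secrecy; prefer ECDHE suites unless legacy clients require them`. The existing link to the Go `crypto/tls` constants does not tell the reader which of the listed suites are advisable.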


@ -41,8 +41,8 @@ labels:
```toml tab="File"
# Prefixing with /foo
[http.middlewares]
[http.middlewares.add-foo.AddPrefix]
prefix = "/foo"
[http.middlewares.add-foo.addPrefix]
prefix = "/foo"
```
## Configuration Options


@ -47,7 +47,7 @@ labels:
```toml tab="File"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicauth]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
@ -120,7 +120,7 @@ spec:
```
```toml tab="File"
[http.middlewares.my-auth.basicauth]
[http.middlewares.my-auth.basicAuth]
# ...
headerField = "X-WebAuth-User"
```


@ -46,7 +46,7 @@ labels:
# Sets the maximum request body to 2Mb
[http.middlewares]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 250000
maxRequestBodyBytes = 250000
```
## Configuration Options


@ -111,27 +111,27 @@ labels:
```toml tab="File"
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host(`mydomain`)"
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host(`mydomain`)"
[http.middlewares]
[http.middlewares.secured.Chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.secured.chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.auth-users.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```


@ -55,8 +55,8 @@ labels:
```toml tab="File"
# Latency Check
[http.middlewares]
[http.middlewares.latency-check.circuitBreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
[http.middlewares.latency-check.circuitBreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
```
## Possible States


@ -40,7 +40,7 @@ labels:
```toml tab="File"
# Enable gzip compression
[http.middlewares]
[http.middlewares.test-compress.Compress]
[http.middlewares.test-compress.compress]
```
## Notes


@ -53,7 +53,7 @@ labels:
## Configuration Options
### `Users`
### `users`
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
@ -61,7 +61,7 @@ The `users` option is an array of authorized users. Each user will be declared u
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### `UsersFile`
### `usersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -78,11 +78,11 @@ The file content is a list of `name:realm:encoded-password`.
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### `Realm`
### `realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### `HeaderField`
### `headerField`
You can customize the header field for the authenticated user using the `headerField`option.
@ -121,6 +121,6 @@ labels:
headerField = "X-WebAuth-User"
```
### `RemoveHeader`
### `removeHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)


@ -52,7 +52,7 @@ labels:
```toml tab="File"
# Custom Error Page for 5XX
[http.middlewares]
[http.middlewares.test-errorpage.Errors]
[http.middlewares.test-errorpage.errors]
status = ["500-599"]
service = "serviceError"
query = "/{status}.html"


@ -14,14 +14,14 @@ Otherwise, the response from the authentication server is returned.
```yaml tab="Docker"
# Forward authentication to authserver.com
labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
```
```yaml tab="Kubernetes"
@ -45,28 +45,28 @@ spec:
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-auth.ForwardAuth.Address": "https://authserver.com/auth",
"traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders": "X-Auth-User,X-Secret",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA": "path/to/local.crt",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional": "true",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert": "path/to/foo.cert",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify": "true",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key": "path/to/foo.key",
"traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader": "true"
"traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth",
"traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret",
"traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt",
"traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true",
"traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
"traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true",
"traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key",
"traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
}
```
```yaml tab="Rancher"
# Forward authentication to authserver.com
labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.forwardauth.tls.InisecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
```
```toml tab="File"
@ -77,7 +77,7 @@ labels:
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User", "X-Secret"]
[http.middlewares.test-auth.forwardauth.tls]
[http.middlewares.test-auth.forwardAuth.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
@ -92,7 +92,7 @@ The `address` option defines the authentication server address.
### `trustForwardHeader`
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
### `authResponseHeaders`
@ -100,4 +100,4 @@ The `authResponseHeaders` option is the list of the headers to copy from the aut
### `tls`
The `tls` option is the tls configuration from Traefik to the authentication server.
The `tls` option is the TLS configuration from Traefik to the authentication server.


@ -15,8 +15,8 @@ Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
- "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=True"
```
```yaml tab="Kubernetes"
@ -34,23 +34,23 @@ spec:
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
"traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header": "True"
"traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
"traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "True"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=True"
```
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.CustomRequestHeaders]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test"
[http.middlewares.testHeader.headers.CustomResponseHeaders]
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "True"
```
@ -77,22 +77,22 @@ spec:
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
"traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
}
```
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.CustomRequestHeaders]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test" # Adds
X-Custom-Request-Header = "" # Removes
[http.middlewares.testHeader.headers.CustomResponseHeaders]
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "" # Removes
```
@ -103,8 +103,8 @@ This functionality allows for some easy security features to quickly be set.
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
- "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
- "traefik.http.middlewares.testHeader.headers.framedeny=true"
- "traefik.http.middlewares.testHeader.headers.sslredirect=true"
```
```yaml tab="Kubernetes"
@ -120,14 +120,14 @@ spec:
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
- "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
- "traefik.http.middlewares.testheader.headers.framedeny=true"
- "traefik.http.middlewares.testheader.headers.sslredirect=true"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testHeader.Headers.FrameDeny": "true",
"traefik.http.middlewares.testHeader.Headers.SSLRedirect": "true"
"traefik.http.middlewares.testheader.headers.framedeny": "true",
"traefik.http.middlewares.testheader.headers.sslredirect": "true"
}
```
@ -145,10 +145,10 @@ This functionality allows for more advanced security features to quickly be set.
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
- "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
- "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
```
```yaml tab="Kubernetes"
@ -158,39 +158,39 @@ metadata:
name: testHeader
spec:
headers:
AccessControlAllowMethods:
accessControlAllowMethods:
- "GET"
- "OPTIONS"
- "PUT"
AccessControlAllowOrigin: "origin-list-or-null"
AccessControlMaxAge: 100
AddVaryHeader: "true"
accessControlAllowOrigin: "origin-list-or-null"
accessControlMaxAge: 100
addVaryHeader: "true"
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
- "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
- "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods": "GET,OPTIONS,PUT",
"traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin": "origin-list-or-null",
"traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge": "100",
"traefik.http.middlewares.testHeader.Headers.AddVaryHeader": "true"
"traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
"traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
"traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
"traefik.http.middlewares.testheader.headers.addvaryheader": "true"
}
```
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
AccessControlAllowOrigin = "origin-list-or-null"
AccessControlMaxAge = 100
AddVaryHeader = true
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlAllowOrigin = "origin-list-or-null"
accessControlMaxAge = 100
addVaryHeader = true
```
## Configuration Options
@ -225,7 +225,8 @@ The `accessControlAllowMethods` indicates which methods can be used during requ
### `accessControlAllowOrigin`
The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
The three options for this value are:
- `origin-list-or-null`
- `*`
@ -261,11 +262,12 @@ Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302
### `sslHost`
The `SSLHost` option is the host name that is used to redirect http requests to https.
The `sslHost` option is the host name that is used to redirect http requests to https.
### `sslProxyHeaders`
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
### `sslForceHost`
@ -273,7 +275,8 @@ Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` e
### `stsSeconds`
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
The `stsSeconds` is the max-age of the Strict-Transport-Security header.
If set to 0, would NOT include the header.
### `stsIncludeSubdomains`
@ -281,11 +284,11 @@ The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appen
### `stsPreload`
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
### `forceSTSHeader`
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.
### `frameDeny`
@ -293,7 +296,8 @@ Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `D
### `customFrameOptionsValue`
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
This overrides the FrameDeny option.
### `contentTypeNosniff`
@ -301,11 +305,12 @@ Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with
### `browserXssFilter`
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
### `customBrowserXSSValue`
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
This overrides the BrowserXssFilter option.
### `contentSecurityPolicy`
@ -321,5 +326,7 @@ The `referrerPolicy` allows sites to control when browsers will pass the Referer
### `isDevelopment`
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
Set `isDevelopment` to true when developing.
The AllowedHosts, SSL, and STS options can cause some unwanted effects.
Usually testing happens on http, not https, and on localhost, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.


@ -12,7 +12,7 @@ IPWhitelist accepts / refuses requests based on the client IP.
```yaml tab="Docker"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
@ -29,14 +29,14 @@ spec:
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange": "127.0.0.1/32,192.168.1.7"
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File"
@ -75,7 +75,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
@ -87,23 +87,23 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
name: testIPwhitelist
spec:
ipWhiteList:
SourceRange:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
ipstrategy:
ipStrategy:
depth: 2
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
}
```
@ -114,7 +114,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
depth = 2
depth = 2
```
!!! note
@ -142,7 +142,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
@ -153,7 +153,7 @@ metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
ipstrategy:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
@ -162,12 +162,12 @@ spec:
```yaml tab="Rancher"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs": "127.0.0.1/32, 192.168.1.7"
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
```


@ -40,8 +40,8 @@ labels:
```toml tab="File"
# Limiting to 10 simultaneous connections
[http.middlewares]
[http.middlewares.test-maxconn.maxconn]
amount = 10
[http.middlewares.test-maxconn.maxConn]
amount = 10
```
## Configuration Options


@ -22,7 +22,7 @@ whoami:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.router.router1.Middlewares=foo-add-prefix@docker"
- "traefik.http.router.router1.middlewares=foo-add-prefix@docker"
```
```yaml tab="Kubernetes"
@ -46,7 +46,7 @@ kind: Middleware
metadata:
name: stripprefix
spec:
stripprefix:
stripPrefix:
prefixes:
- /stripit
@ -66,7 +66,7 @@ spec:
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
"traefik.http.router.router1.Middlewares": "foo-add-prefix@marathon"
"traefik.http.router.router1.middlewares": "foo-add-prefix@marathon"
}
```
@ -76,56 +76,30 @@ labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.router.router1.Middlewares=foo-add-prefix@rancher"
```
```yaml tab="Kubernetes"
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: mytlsoption
namespace: default
spec:
minversion: VersionTLS12
- "traefik.http.router.router1.middlewares=foo-add-prefix@rancher"
```
```toml tab="File"
# As Toml Configuration File
[providers]
[providers.file]
[providers.file]
[http.routers]
[http.routers.router1]
Service = "myService"
Middlewares = ["foo-add-prefix"]
Rule = "Host(`example.com`)"
service = "myService"
middlewares = ["foo-add-prefix"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.foo-add-prefix.AddPrefix]
[http.middlewares.foo-add-prefix.addPrefix]
prefix = "/foo"
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[http.services.service1.loadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```
## Provider Namespace
@ -133,35 +107,66 @@ spec:
When you declare a middleware, it lives in its provider namespace.
For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
If you use multiple providers and wish to reference a middleware declared in another provider,
then you'll have to prefix the middleware name with the provider name.
If you use multiple providers and wish to reference a middleware declared in another provider
(aka referencing a cross-provider middleware),
then you'll have to append to the middleware name, the `@` separator, followed by the provider name.
```text
<resource-name>@<provider-name>
```
!!! important "Kubernetes Namespace"
As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
In this case, since the definition of the middleware is not in kubernetes,
specifying a "kubernetes namespace" when referring to the resource does not make any sense,
and therefore this specification would be ignored even if present.
!!! abstract "Referencing a Middleware from Another Provider"
Declaring the add-foo-prefix in the file provider.
```toml
[providers]
[providers.file]
[providers.file]
[http.middlewares]
[http.middlewares.add-foo-prefix.AddPrefix]
[http.middlewares.add-foo-prefix.addPrefix]
prefix = "/foo"
```
Using the add-foo-prefix middleware from docker.
Using the add-foo-prefix middleware from other providers:
```yaml
```yaml tab="Docker"
your-container: #
image: your-docker-image
image: your-docker-image
labels:
# Attach add-foo-prefix@file middleware (declared in file)
- "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
labels:
# Attach add-foo-prefix@file middleware (declared in file)
- "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutestripprefix
spec:
entryPoints:
- web
routes:
- match: Host(`bar.com`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: add-foo-prefix@file
# namespace: bar
# A namespace specification such as above is ignored
# when the cross-provider syntax is used.
```
## Available Middlewares


@ -23,7 +23,7 @@ kind: Middleware
metadata:
name: addprefix
spec:
passtlsclientcert:
passTLSClientCert:
pem: true
```
@ -42,7 +42,7 @@ labels:
```toml tab="File"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
[http.middlewares]
[http.middlewares.test-passtlsclientcert.passtlsclientcert]
[http.middlewares.test-passtlsclientcert.passTLSClientCert]
pem = true
```
@ -77,7 +77,7 @@ labels:
metadata:
name: test-passtlsclientcert
spec:
passtlsclientcert:
passTLSClientCert:
info:
notAfter: true
notBefore: true
@ -147,12 +147,12 @@ labels:
```toml tab="File"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
[http.middlewares.test-passtlsclientcert.passtlsclientcert]
[http.middlewares.test-passtlsclientcert.passtlsclientcert.info]
[http.middlewares.test-passtlsclientcert.passTLSClientCert]
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
notAfter = true
notBefore = true
sans = true
[http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject]
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
country = true
province = true
locality = true
@ -160,7 +160,7 @@ labels:
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer]
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
country = true
province = true
locality = true
@ -360,9 +360,9 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
If there are more than one certificate, they are separated by a `;`.
#### `info.notafter`
#### `info.notAfter`
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.
The data are taken from the following certificate part:
@ -371,15 +371,15 @@ The data are taken from the following certificate part:
Not After : Dec 5 11:10:16 2020 GMT
```
The escape `notafter` info part will be like:
The escape `notAfter` info part will be like:
```text
NA=1607166616
```
#### `info.notbefore`
#### `info.notBefore`
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.
The data are taken from the following certificate part:
@ -388,7 +388,7 @@ Validity
Not Before: Dec 6 11:10:16 2018 GMT
```
The escape `notafter` info part will be like:
The escape `notBefore` info part will be like:
```text
NB=1544094616
@ -471,9 +471,9 @@ The escape organization info in the subject part will be like :
O=Cheese,O=Cheese 2
```
##### `info.subject.commonname`
##### `info.subject.commonName`
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
The data are taken from the subject part with the `CN` key.
@ -483,9 +483,9 @@ The escape common name info in the subject part will be like :
CN=*.cheese.com
```
##### `info.subject.serialnumber`
##### `info.subject.serialNumber`
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
The data are taken from the subject part with the `SN` key.
@ -495,9 +495,9 @@ The escape serial number info in the subject part will be like :
SN=1234567890
```
##### `info.subject.domaincomponent`
##### `info.subject.domainComponent`
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
The data are taken from the subject part with the `DC` key.
@ -563,9 +563,9 @@ The escape organization info in the issuer part will be like :
O=Cheese,O=Cheese 2
```
##### `info.issuer.commonname`
##### `info.issuer.commonName`
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
The data are taken from the issuer part with the `CN` key.
@ -575,9 +575,9 @@ The escape common name info in the issuer part will be like :
CN=Simple Signing CA 2
```
##### `info.issuer.serialnumber`
##### `info.issuer.serialNumber`
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
The data are taken from the issuer part with the `SN` key.
@ -587,9 +587,9 @@ The escape serial number info in the issuer part will be like :
SN=1234567890
```
##### `info.issuer.domaincomponent`
##### `info.issuer.domainComponent`
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
The data are taken from the issuer part with the `DC` key.


@ -33,7 +33,7 @@ metadata:
spec:
rateLimit:
extractorFunc: client.ip
rateset:
rateSet:
rate0:
period: 10s
average: 100
@ -74,15 +74,15 @@ labels:
# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
# These can "burst" up to 10 and 200 in each period, respectively.
[http.middlewares]
[http.middlewares.test-ratelimit.ratelimit]
[http.middlewares.test-ratelimit.rateLimit]
extractorfunc = "client.ip"
[http.middlewares.test-ratelimit.ratelimit.rateset.rate0]
[http.middlewares.test-ratelimit.rateLimit.rateSet.rate0]
period = "10s"
average = 100
burst = 200
[http.middlewares.test-ratelimit.ratelimit.rateset.rate1]
[http.middlewares.test-ratelimit.rateLimit.rateSet.rate1]
period = "3s"
average = 5
burst = 10
@ -100,7 +100,7 @@ The possible values are:
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
### `ratelimit`
### `rateSet`
You can combine multiple rate limits.
The rate limit will trigger with the first reached limit.


@ -45,7 +45,7 @@ labels:
```toml tab="File"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-redirectregex.redirectregex]
[http.middlewares.test-redirectregex.redirectRegex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
@ -58,7 +58,7 @@ Set the `permanent` option to `true` to apply a permanent redirection.
### `regex`
The `Regex` option is the regular expression to match and capture elements from the request URL.
The `regex` option is the regular expression to match and capture elements from the request URL.
!!! warning


@ -41,7 +41,7 @@ labels:
```toml tab="File"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectscheme]
[http.middlewares.test-redirectscheme.redirectScheme]
scheme = "https"
```


@ -41,8 +41,8 @@ labels:
```toml tab="File"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-replacepath.ReplacePath]
path = "/foo"
[http.middlewares.test-replacepath.replacePath]
path = "/foo"
```
## Configuration Options


@ -61,7 +61,7 @@ The ReplacePathRegex middleware will:
### `regex`
The `Regex` option is the regular expression to match and capture the path from the request URL.
The `regex` option is the regular expression to match and capture the path from the request URL.
!!! warning


@ -41,7 +41,7 @@ labels:
```toml tab="File"
# Retry to send request 4 times
[http.middlewares]
[http.middlewares.test-retry.Retry]
[http.middlewares.test-retry.retry]
attempts = 4
```


@ -43,8 +43,8 @@ labels:
```toml tab="File"
# Strip prefix /foobar and /fiibar
[http.middlewares]
[http.middlewares.test-stripprefix.StripPrefix]
prefixes = ["/foobar", "/fiibar"]
[http.middlewares.test-stripprefix.stripPrefix]
prefixes = ["/foobar", "/fiibar"]
```
## Configuration Options


@ -41,7 +41,7 @@ labels:
```toml tab="File"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-stripprefixregex.StripPrefixRegex]
[http.middlewares.test-stripprefixregex.stripPrefixRegex]
regex: "^/foo/(.*)"
```
@ -56,7 +56,7 @@ The StripPrefixRegex middleware will:
!!! tip
Use a `StripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
### `regex`


@ -5,51 +5,57 @@ Who Calls Whom?
By default, logs are written to stdout, in text format.
## Configuration Examples
## Configuration
??? example "Enabling Access Logs"
To enable the access logs:
```toml
[accessLog]
```
```toml tab="File"
[accessLog]
```
## Configuration Options
```bash tab="CLI"
--accesslog
```
### filePath
### `filePath`
By default access logs are written to the standard output.
To write the logs into a log file, use the `filePath` option.
in the Common Log Format (CLF), extended with additional fields.
### format
### `format`
By default, logs are written using the Common Log Format (CLF).
To write logs in JSON, use `json` in the `format` option.
!!! note "Common Log Format"
#### CLF - Common Log Format
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
```
#### bufferingSize
### `bufferingSize`
To write the logs in an asynchronous fashion, specify a `bufferingSize` option.
This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
In some cases, this option can greatly help performances.
??? example "Configuring a buffer of 100 lines"
```toml tab="File"
# Configuring a buffer of 100 lines
[accessLog]
filePath = "/path/to/access.log"
bufferingSize = 100
```
```toml
[accessLog]
filePath = "/path/to/access.log"
bufferingSize = 100
```
```bash tab="CLI"
# Configuring a buffer of 100 lines
--accesslog
--accesslog.filepath="/path/to/access.log"
--accesslog.bufferingsize=100
```
#### Filtering
### Filtering
To filter logs, you can specify a set of filters which are logically "OR-connected".
Thus, specifying multiple filters will keep more access logs than specifying only one.
@ -60,20 +66,29 @@ The available filters are:
- `retryAttempts`, to keep the access logs when at least one retry has happened
- `minDuration`, to keep access logs when requests take longer than the specified duration
??? example "Configuring Multiple Filters"
```toml tab="File"
# Configuring Multiple Filters
[accessLog]
filePath = "/path/to/access.log"
format = "json"
```toml
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
```
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
```
```bash tab="CLI"
# Configuring Multiple Filters
--accesslog
--accesslog.filepath="/path/to/access.log"
--accesslog.format="json"
--accesslog.filters.statuscodes="200, 300-302"
--accesslog.filters.retryattempts
--accesslog.filters.minduration="10ms"
```
#### Limiting the Fields
### Limiting the Fields
You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
@ -83,30 +98,41 @@ Each field can be set to:
- `drop` to drop the value
- `redact` to replace the value with "redacted"
??? example "Limiting the Logs to Specific Fields"
The `defaultMode` for `fields.header` is `drop`.
```toml
[accessLog]
filePath = "/path/to/access.log"
format = "json"
```toml tab="File"
# Limiting the Logs to Specific Fields
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
```
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
```
```bash tab="CLI"
# Limiting the Logs to Specific Fields
--accesslog
--accesslog.filepath="/path/to/access.log"
--accesslog.format="json"
--accesslog.fields.defaultmode="keep"
--accesslog.fields.names.ClientUsername="drop"
--accesslog.fields.headers.defaultmode="keep"
--accesslog.fields.headers.names.User-Agent="redact"
--accesslog.fields.headers.names.Authorization="drop"
--accesslog.fields.headers.names.Content-Type="keep"
```
??? list "Available Fields"

@ -1,234 +0,0 @@
# Tracing
Visualize the Requests Flow
{: .subtitle }
The tracing system allows developers to visualize call flows in their infrastructure.
Traefik uses OpenTracing, an open standard designed for distributed tracing.
Traefik supports four tracing backends: Jaeger, Zipkin, DataDog, and Instana.
## Configuration Reference
??? example "With Jaeger"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "jaeger"
# Service name used in Jaeger backend
#
# Default: "traefik"
#
serviceName = "traefik"
# Span name limit allows for name truncation in case of very long Frontend/Backend names
# This can prevent certain tracing providers to drop traces that exceed their length limits
#
# Default: 0 - no truncation will occur
#
spanNameLimit = 0
[tracing.jaeger]
# Sampling Server URL is the address of jaeger-agent's HTTP sampling server
#
# Default: "http://localhost:5778/sampling"
#
samplingServerURL = "http://localhost:5778/sampling"
# Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting
#
# Default: "const"
#
samplingType = "const"
# Sampling Param is a value passed to the sampler.
# Valid values for Param field are:
# - for "const" sampler, 0 or 1 for always false/true respectively
# - for "probabilistic" sampler, a probability between 0 and 1
# - for "rateLimiting" sampler, the number of spans per second
#
# Default: 1.0
#
samplingParam = 1.0
# Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address
#
# Default: "127.0.0.1:6831"
#
localAgentHostPort = "127.0.0.1:6831"
# Generate 128-bit trace IDs, compatible with OpenCensus
#
# Default: false
gen128Bit = true
# Set the propagation header type. This can be either:
# - "jaeger", jaeger's default trace header.
# - "b3", compatible with OpenZipkin
#
# Default: "jaeger"
propagation = "jaeger"
# Trace Context Header Name is the http header name used to propagate tracing context.
# This must be in lower-case to avoid mismatches when decoding incoming headers.
#
# Default: "uber-trace-id"
#
traceContextHeaderName = "uber-trace-id"
```
!!! warning
Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
??? example "With Zipkin"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "zipkin"
# Service name used in Zipkin backend
#
# Default: "traefik"
#
serviceName = "traefik"
# Span name limit allows for name truncation in case of very long Frontend/Backend names
# This can prevent certain tracing providers to drop traces that exceed their length limits
#
# Default: 0 - no truncation will occur
#
spanNameLimit = 150
[tracing.zipkin]
# Zipkin HTTP endpoint used to send data
#
# Default: "http://localhost:9411/api/v1/spans"
#
httpEndpoint = "http://localhost:9411/api/v1/spans"
# Enable Zipkin debug
#
# Default: false
#
debug = false
# Use Zipkin SameSpan RPC style traces
#
# Default: false
#
sameSpan = false
# Use Zipkin 128 bit root span IDs
#
# Default: true
#
id128Bit = true
# The rate between 0.0 and 1.0 of requests to trace.
#
# Default: 1.0
#
sampleRate = 0.2
```
??? example "With DataDog"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "datadog"
# Service name used in DataDog backend
#
# Default: "traefik"
#
serviceName = "traefik"
# Span name limit allows for name truncation in case of very long Frontend/Backend names
# This can prevent certain tracing providers to drop traces that exceed their length limits
#
# Default: 0 - no truncation will occur
#
spanNameLimit = 100
[tracing.datadog]
# Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address
#
# Default: "127.0.0.1:8126"
#
localAgentHostPort = "127.0.0.1:8126"
# Enable DataDog debug
#
# Default: false
#
debug = false
# Apply shared tag in a form of Key:Value to all the traces
#
# Default: ""
#
globalTag = ""
# Enable priority sampling. When using distributed tracing, this option must be enabled in order
# to get all the parts of a distributed trace sampled.
#
# Default: false
#
prioritySampling = false
```
??? example "With Instana"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "instana"
# Service name used in Instana backend
#
# Default: "traefik"
#
serviceName = "traefik"
[tracing.instana]
# Local Agent Host instructs reporter to send spans to instana-agent at this address
#
# Default: "127.0.0.1"
#
localAgentHost = "127.0.0.1"
# Local Agent port instructs reporter to send spans to the instana-agent at this port
#
# Default: 42699
#
localAgentPort = 42699
# Set Instana tracer log level
#
# Default: info
# Valid values for logLevel field are:
# - error
# - warn
# - debug
# - info
#
logLevel = "info"
```

@ -0,0 +1,82 @@
# DataDog
To enable the DataDog:
```toml tab="File"
[tracing]
[tracing.dataDog]
```
```bash tab="CLI"
--tracing
--tracing.datadog
```
#### `localAgentHostPort`
_Required, Default="127.0.0.1:8126"_
Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.
```toml tab="File"
[tracing]
[tracing.dataDog]
localAgentHostPort = "127.0.0.1:8126"
```
```bash tab="CLI"
--tracing
--tracing.datadog.localAgentHostPort="127.0.0.1:8126"
```
#### `debug`
_Optional, Default=false_
Enable DataDog debug.
```toml tab="File"
[tracing]
[tracing.dataDog]
debug = true
```
```bash tab="CLI"
--tracing
--tracing.datadog.debug=true
```
#### `globalTag`
_Optional, Default=empty_
Apply shared tag in a form of Key:Value to all the traces.
```toml tab="File"
[tracing]
[tracing.dataDog]
globalTag = "sample"
```
```bash tab="CLI"
--tracing
--tracing.datadog.globalTag="sample"
```
#### `prioritySampling`
_Optional, Default=false_
Enable priority sampling. When using distributed tracing,
this option must be enabled in order to get all the parts of a distributed trace sampled.
```toml tab="File"
[tracing]
[tracing.dataDog]
prioritySampling = true
```
```bash tab="CLI"
--tracing
--tracing.datadog.prioritySampling=true
```

@ -0,0 +1,132 @@
# Haystack
To enable the Haystack:
```toml tab="File"
[tracing]
[tracing.haystack]
```
```bash tab="CLI"
--tracing
--tracing.haystack
```
#### `localAgentHost`
_Require, Default="127.0.0.1"_
Local Agent Host instructs reporter to send spans to haystack-agent at this address.
```toml tab="File"
[tracing]
[tracing.haystack]
localAgentHost = "127.0.0.1"
```
```bash tab="CLI"
--tracing
--tracing.haystack.localAgentHost="127.0.0.1"
```
#### `localAgentPort`
_Require, Default=42699_
Local Agent port instructs reporter to send spans to the haystack-agent at this port.
```toml tab="File"
[tracing]
[tracing.haystack]
localAgentPort = 42699
```
```bash tab="CLI"
--tracing
--tracing.haystack.localAgentPort=42699
```
#### `globalTag`
_Optional, Default=empty_
Apply shared tag in a form of Key:Value to all the traces.
```toml tab="File"
[tracing]
[tracing.haystack]
globalTag = "sample:test"
```
```bash tab="CLI"
--tracing
--tracing.haystack.globalTag="sample:test"
```
#### `traceIDHeaderName`
_Optional, Default=empty_
Specifies the header name that will be used to store the trace ID.
```toml tab="File"
[tracing]
[tracing.haystack]
traceIDHeaderName = "sample"
```
```bash tab="CLI"
--tracing
--tracing.haystack.traceIDHeaderName="sample"
```
#### `parentIDHeaderName`
_Optional, Default=empty_
Specifies the header name that will be used to store the span ID.
```toml tab="File"
[tracing]
[tracing.haystack]
parentIDHeaderName = "sample"
```
```bash tab="CLI"
--tracing
--tracing.haystack.parentIDHeaderName="sample"
```
#### `spanIDHeaderName`
_Optional, Default=empty_
Apply shared tag in a form of Key:Value to all the traces.
```toml tab="File"
[tracing]
[tracing.haystack]
spanIDHeaderName = "sample:test"
```
```bash tab="CLI"
--tracing
--tracing.haystack.spanIDHeaderName="sample:test"
```
#### `baggagePrefixHeaderName`
_Optional, Default=empty_
Specifies the header name prefix that will be used to store baggage items in a map.
```toml tab="File"
[tracing]
[tracing.haystack]
baggagePrefixHeaderName = "sample"
```
```bash tab="CLI"
--tracing
--tracing.haystack.baggagePrefixHeaderName="sample"
```

@ -0,0 +1,71 @@
# Instana
To enable the Instana:
```toml tab="File"
[tracing]
[tracing.instana]
```
```bash tab="CLI"
--tracing
--tracing.instana
```
#### `localAgentHost`
_Require, Default="127.0.0.1"_
Local Agent Host instructs reporter to send spans to instana-agent at this address.
```toml tab="File"
[tracing]
[tracing.instana]
localAgentHost = "127.0.0.1"
```
```bash tab="CLI"
--tracing
--tracing.instana.localAgentHost="127.0.0.1"
```
#### `localAgentPort`
_Require, Default=42699_
Local Agent port instructs reporter to send spans to the instana-agent at this port.
```toml tab="File"
[tracing]
[tracing.instana]
localAgentPort = 42699
```
```bash tab="CLI"
--tracing
--tracing.instana.localAgentPort=42699
```
#### `logLevel`
_Require, Default="info"_
Set Instana tracer log level.
Valid values for logLevel field are:
- `error`
- `warn`
- `debug`
- `info`
```toml tab="File"
[tracing]
[tracing.instana]
logLevel = "info"
```
```bash tab="CLI"
--tracing
--tracing.instana.logLevel="info"
```

@ -0,0 +1,146 @@
# Jaeger
To enable the Jaeger:
```toml tab="File"
[tracing]
[tracing.jaeger]
```
```bash tab="CLI"
--tracing
--tracing.jaeger
```
!!! warning
Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
#### `samplingServerURL`
_Required, Default="http://localhost:5778/sampling"_
Sampling Server URL is the address of jaeger-agent's HTTP sampling server.
```toml tab="File"
[tracing]
[tracing.jaeger]
samplingServerURL = "http://localhost:5778/sampling"
```
```bash tab="CLI"
--tracing
--tracing.jaeger.samplingServerURL="http://localhost:5778/sampling"
```
#### `samplingType`
_Required, Default="const"_
Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.
```toml tab="File"
[tracing]
[tracing.jaeger]
samplingType = "const"
```
```bash tab="CLI"
--tracing
--tracing.jaeger.samplingType="const"
```
#### `samplingParam`
_Required, Default=1.0_
Sampling Param is a value passed to the sampler.
Valid values for Param field are:
- for `const` sampler, 0 or 1 for always false/true respectively
- for `probabilistic` sampler, a probability between 0 and 1
- for `rateLimiting` sampler, the number of spans per second
```toml tab="File"
[tracing]
[tracing.jaeger]
samplingParam = 1.0
```
```bash tab="CLI"
--tracing
--tracing.jaeger.samplingParam="1.0"
```
#### `localAgentHostPort`
_Required, Default="127.0.0.1:6831"_
Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.
```toml tab="File"
[tracing]
[tracing.jaeger]
localAgentHostPort = "127.0.0.1:6831"
```
```bash tab="CLI"
--tracing
--tracing.jaeger.localAgentHostPort="127.0.0.1:6831"
```
#### `gen128Bit`
_Optional, Default=false_
Generate 128-bit trace IDs, compatible with OpenCensus.
```toml tab="File"
[tracing]
[tracing.jaeger]
gen128Bit = true
```
```bash tab="CLI"
--tracing
--tracing.jaeger.gen128Bit
```
#### `propagation`
_Required, Default="jaeger"_
Set the propagation header type.
This can be either:
- `jaeger`, jaeger's default trace header.
- `b3`, compatible with OpenZipkin
```toml tab="File"
[tracing]
[tracing.jaeger]
propagation = "jaeger"
```
```bash tab="CLI"
--tracing
--tracing.jaeger.propagation="jaeger"
```
#### `traceContextHeaderName`
_Required, Default="uber-trace-id"_
Trace Context Header Name is the http header name used to propagate tracing context.
This must be in lower-case to avoid mismatches when decoding incoming headers.
```toml tab="File"
[tracing]
[tracing.jaeger]
traceContextHeaderName = "uber-trace-id"
```
```bash tab="CLI"
--tracing
--tracing.jaeger.traceContextHeaderName="uber-trace-id"
```

@ -0,0 +1,67 @@
# Tracing
Visualize the Requests Flow
{: .subtitle }
The tracing system allows developers to visualize call flows in their infrastructure.
Traefik uses OpenTracing, an open standard designed for distributed tracing.
Traefik supports five tracing backends:
- [Jaeger](./jaeger.md)
- [Zipkin](./zipkin.md)
- [DataDog](./datadog.md)
- [Instana](./instana.md)
- [Haystack](./haystack.md)
## Configuration
By default, Traefik uses Jaeger as tracing backend.
To enable the tracing:
```toml tab="File"
[tracing]
```
```bash tab="CLI"
--tracing
```
### Common Options
#### `serviceName`
_Required, Default="traefik"_
Service name used in selected backend.
```toml tab="File"
[tracing]
serviceName = "traefik"
```
```bash tab="CLI"
--tracing
--tracing.serviceName="traefik"
```
#### `spanNameLimit`
_Required, Default=0_
Span name limit allows for name truncation in case of very long names.
This can prevent certain tracing providers to drop traces that exceed their length limits.
`0` means no truncation will occur.
```toml tab="File"
[tracing]
spanNameLimit = 150
```
```bash tab="CLI"
--tracing
--tracing.spanNameLimit=150
```

@ -0,0 +1,98 @@
# Zipkin
To enable the Zipkin:
```toml tab="File"
[tracing]
[tracing.zipkin]
```
```bash tab="CLI"
--tracing
--tracing.zipkin
```
#### `httpEndpoint`
_Required, Default="http://localhost:9411/api/v1/spans"_
Zipkin HTTP endpoint used to send data.
```toml tab="File"
[tracing]
[tracing.zipkin]
httpEndpoint = "http://localhost:9411/api/v1/spans"
```
```bash tab="CLI"
--tracing
--tracing.zipkin.httpEndpoint="http://localhost:9411/api/v1/spans"
```
#### `debug`
_Optional, Default=false_
Enable Zipkin debug.
```toml tab="File"
[tracing]
[tracing.zipkin]
debug = true
```
```bash tab="CLI"
--tracing
--tracing.zipkin.debug=true
```
#### `sameSpan`
_Optional, Default=false_
Use Zipkin SameSpan RPC style traces.
```toml tab="File"
[tracing]
[tracing.zipkin]
sameSpan = true
```
```bash tab="CLI"
--tracing
--tracing.zipkin.sameSpan=true
```
#### `id128Bit`
_Optional, Default=true_
Use Zipkin 128 bit root span IDs.
```toml tab="File"
[tracing]
[tracing.zipkin]
id128Bit = false
```
```bash tab="CLI"
--tracing
--tracing.zipkin.id128Bit=false
```
#### `sampleRate`
_Required, Default=1.0_
The rate between 0.0 and 1.0 of requests to trace.
```toml tab="File"
[tracing]
[tracing.zipkin]
sampleRate = 0.2
```
```bash tab="CLI"
--tracing
--tracing.zipkin.sampleRate="0.2"
```

@ -128,19 +128,19 @@ You can define a custom address/port like this:
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
address = ":80"
[entryPoints.foo]
address = ":8082"
address = ":8082"
[entryPoints.bar]
address = ":8083"
address = ":8083"
[ping]
entryPoint = "foo"
entryPoint = "foo"
[api]
entryPoint = "bar"
entryPoint = "bar"
```
In the above example, you would access a service at /foo, an api endpoint, or the health-check as follows:
@ -160,9 +160,9 @@ To restrict access to the API handler, one can add authentication with the [basi
```toml
[http.middlewares]
[http.middlewares.api-auth.basicauth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
[http.middlewares.api-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```

@ -10,13 +10,13 @@ The dashboard is the central place that shows you the current active routes hand
Therefore, the dashboard is currently not working.
<figure>
<img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
<figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
<img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
<figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
</figure>
<figure>
<img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
<figcaption>The dashboard shows the health of the system.</figcaption>
<img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
<figcaption>The dashboard shows the health of the system.</figcaption>
</figure>
By default, the dashboard is available on `/` on port `:8080`.

@ -22,7 +22,7 @@ Checking the Health of Your Traefik Instances
address = ":8082"
[ping]
entryPoint = "ping"
entryPoint = "ping"
```
| Path | Method | Description |

@ -18,7 +18,7 @@ Attach labels to your containers and let Traefik do the rest!
```toml
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
endpoint = "unix:///var/run/docker.sock"
```
Attaching labels to containers (in your docker compose file)
@ -136,8 +136,8 @@ Traefik requires access to the docker socket to get its dynamic configuration.
```toml
# ...
[providers]
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
```
### `usebindportip`
@ -194,8 +194,8 @@ and the template has access to all the labels defined on this container.
```toml tab="File"
[providers.docker]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```txt tab="CLI"

@ -3,10 +3,10 @@
Good Old Configuration File
{: .subtitle }
The file provider lets you define the [dynamic configuration](./overview.md) in a `toml` file.
The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
You can write these configuration elements:
* At the end of the main Traefik configuration file (by default: `traefik.toml`).
* At the end of the main Traefik configuration file (by default: `traefik.toml`/`traefik.yml`/`traefik.yaml`).
* In [a dedicated file](#filename)
* In [several dedicated files](#directory)
@ -20,10 +20,20 @@ You can write these configuration elements:
??? example "Declaring Routers, Middlewares & Services"
``` toml
# Enabling the file provider
[providers.file]
Enabling the file provider:
```toml tab="TOML"
[providers.file]
```
```yaml tab="YAML"
providers:
file: {}
```
Declaring Routers, Middlewares & Services:
```toml tab="TOML"
[http]
# Add the router
[http.routers]
@ -35,7 +45,7 @@ You can write these configuration elements:
# Add the middleware
[http.middlewares]
[http.middlewares.my-basic-auth.BasicAuth]
[http.middlewares.my-basic-auth.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
usersFile = "etc/traefik/.htpasswd"
@ -43,13 +53,44 @@ You can write these configuration elements:
# Add the service
[http.services]
[http.services.service-foo]
[http.services.service-foo.LoadBalancer]
[[http.services.service-foo.LoadBalancer.Servers]]
[http.services.service-foo.loadBalancer]
[[http.services.service-foo.loadBalancer.servers]]
url = "http://foo/"
[[http.services.service-foo.LoadBalancer.Servers]]
[[http.services.service-foo.loadBalancer.servers]]
url = "http://bar/"
```
```yaml tab="YAML"
http:
# Add the router
routers:
router0:
entryPoints:
- web
middlewares:
- my-basic-auth
service: service-foo
rule: Path(`foo`)
# Add the middleware
middlewares:
my-basic-auth:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
usersFile: etc/traefik/.htpasswd
# Add the service
services:
service-foo:
loadBalancer:
servers:
- url: http://foo/
- url: http://bar/
passHostHeader: false
```
## Provider Configuration Options
!!! tip "Browse the Reference"
@ -61,24 +102,36 @@ _Optional_
Defines the path of the configuration file.
```toml
```toml tab="TOML"
[providers]
[providers.file]
filename = "rules.toml"
```
```yaml tab="YAML"
providers:
file:
filename: rules.yaml
```
### `directory`
_Optional_
Defines the directory that contains the configuration files.
```toml
```toml tab="TOML"
[providers]
[providers.file]
directory = "/path/to/config"
```
```yaml tab="YAML"
providers:
file:
directory: /path/to/config
```
### `watch`
_Optional_
@ -86,24 +139,32 @@ _Optional_
Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.
It works with both the `filename` and the `directory` options.
```toml
```toml tab="TOML"
[providers]
[providers.file]
filename = "rules.toml"
watch = true
```
### TOML Templating
```yaml tab="YAML"
providers:
file:
filename: rules.yml
watch: true
```
### Go Templating
!!! warning
TOML templating only works along with dedicated configuration files. Templating does not work in the Traefik main configuration file.
Go Templating only works along with dedicated configuration files.
Templating does not work in the Traefik main configuration file.
Traefik allows using TOML templating.
Traefik allows using Go templating.
Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` :
??? example "Configuring Using Templating"
```toml
```toml tab="TOML"
# template-rules.toml
[http]
@ -114,7 +175,7 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
{{ end }}
[http.Services]
[http.services]
{{ range $i, $e := until 100 }}
[http.services.service{{ $e }}]
# ...
@ -129,23 +190,62 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
{{ end }}
[tcp.Services]
[tcp.services]
{{ range $i, $e := until 100 }}
[http.services.service{{ $e }}]
# ...
{{ end }}
{{ range $i, $e := until 10 }}
[[TLS]]
Store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
[TLS.Certificate]
CertFile = "/etc/traefik/cert-{{ $e }}.pem"
KeyFile = "/etc/traefik/cert-{{ $e }}.key"
[[tls.certificates]]
certFile = "/etc/traefik/cert-{{ $e }}.pem"
keyFile = "/etc/traefik/cert-{{ $e }}.key"
store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
{{ end }}
[TLSConfig]
[tls.config]
{{ range $i, $e := until 10 }}
[TLSConfig.TLS{{ $e }}]
[tls.config.TLS{{ $e }}]
# ...
{{ end }}
```
```yaml tab="YAML"
http:
{{range $i, $e := until 100 }}
routers:
router{{ $e }:
# ...
{{end}}
{{range $i, $e := until 100 }}
services:
application{{ $e }}:
# ...
{{end}}
tcp:
{{range $i, $e := until 100 }}
routers:
router{{ $e }:
# ...
{{end}}
{{range $i, $e := until 100 }}
services:
service{{ $e }}:
# ...
{{end}}
{{ range $i, $e := until 10 }}
tls:
certificates:
- certFile: "/etc/traefik/cert-{{ $e }}.pem"
keyFile: "/etc/traefik/cert-{{ $e }}.key"
store:
- "my-store-foo-{{ $e }}"
- "my-store-bar-{{ $e }}"
{{end}}
```

@ -33,7 +33,7 @@ In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
```toml tab="File"
[Providers.KubernetesCRD]
[providers.kubernetesCRD]
endpoint = "http://localhost:8080"
# ...
```
@ -50,7 +50,7 @@ _Optional, Default=empty_
Bearer token used for the Kubernetes client configuration.
```toml tab="File"
[Providers.KubernetesCRD]
[providers.kubernetesCRD]
token = "mytoken"
# ...
```
@ -68,7 +68,7 @@ Path to the certificate authority file.
Used for the Kubernetes client configuration.
```toml tab="File"
[Providers.KubernetesCRD]
[providers.kubernetesCRD]
certAuthFilePath = "/my/ca.crt"
# ...
```
@ -85,7 +85,7 @@ _Optional, Default: all namespaces (empty array)_
Array of namespaces to watch.
```toml tab="File"
[Providers.KubernetesCRD]
[providers.kubernetesCRD]
namespaces = ["default", "production"]
# ...
```
@ -105,7 +105,7 @@ A label selector can be defined to filter on specific Ingress objects only.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
```toml tab="File"
[Providers.KubernetesCRD]
[providers.kubernetesCRD]
labelselector = "A and not B"
# ...
```
@ -125,7 +125,7 @@ If the parameter is non-empty, only Ingresses containing an annotation with the
Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
```toml tab="File"
[Providers.KubernetesCRD]
[providers.kubernetesCRD]
ingressClass = "traefik-internal"
# ...
```
@ -203,6 +203,7 @@ apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stripprefix
namespace: foo
spec:
stripPrefix:
@ -226,13 +227,21 @@ spec:
port: 80
middlewares:
- name: stripprefix
namespace: foo
```
!!! important "Cross-provider namespace"
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
(in the reference to the middleware) with the [provider namespace](../middlewares/overview.md#provider-namespace),
when the definition of the middleware is from another provider.
In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
### Traefik TLS Option Definition
### TLS Option
Additionally, to allow for the use of tls options in an IngressRoute, we defined the CRD below for the TLSOption kind.
Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind.
More information about TLS Options is available in the dedicated [TLS Configuration Options](../../https/tls/#tls-options).
```yaml
@ -272,9 +281,15 @@ spec:
namespace: default
```
!!! note "TLS Option reference and namespace"
!!! important "References and namespaces"
If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
Additionally, when the definition of the TLS option is from another provider,
the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option,
just as in the [middleware case](../middlewares/overview.md#provider-namespace).
Specifying a namespace attribute in this case would not make any sense, and will be ignored.
### TLS
To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:

@ -13,7 +13,7 @@ See also [Marathon user guide](../user-guides/marathon.md).
```toml tab="File"
[providers.marathon]
endpoint = "http://127.0.0.1:8080"
endpoint = "http://127.0.0.1:8080"
```
```txt tab="CLI"
@ -58,9 +58,9 @@ _Optional_
Enables Marathon basic authentication.
```toml tab="File"
[marathon.basic]
httpBasicAuthUser = "foo"
httpBasicPassword = "bar"
[providers.marathon.basic]
httpBasicAuthUser = "foo"
httpBasicPassword = "bar"
```
```txt tab="CLI"
@ -79,8 +79,8 @@ If set, it overrides the Authorization header.
```toml tab="File"
[providers.marathon]
dcosToken = "xxxxxx"
# ...
dcosToken = "xxxxxx"
# ...
```
```txt tab="CLI"
@ -102,8 +102,8 @@ and the template has access to all the labels defined on this Marathon applicati
```toml tab="File"
[providers.marathon]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```txt tab="CLI"
@ -133,8 +133,8 @@ You can optionally specify multiple endpoints:
```toml tab="File"
[providers.marathon]
endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
# ...
endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
# ...
```
```txt tab="CLI"
@ -247,11 +247,11 @@ _Optional_
TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
```toml tab="File"
[marathon.TLS]
CA = "/etc/ssl/ca.crt"
Cert = "/etc/ssl/marathon.cert"
Key = "/etc/ssl/marathon.key"
insecureSkipVerify = true
[providers.marathon.tls]
ca = "/etc/ssl/ca.crt"
cert = "/etc/ssl/marathon.cert"
key = "/etc/ssl/marathon.key"
insecureSkipVerify = true
```
```txt tab="CLI"
@ -296,23 +296,23 @@ and the router automatically gets a rule defined by defaultRule (if no rule for
### Routers
To update the configuration of the Router automatically attached to the application,
add labels starting with `traefik.HTTP.Routers.{router-name-of-your-choice}.` and followed by the option you want to change.
For example, to change the routing rule, you could add the label ```traefik.HTTP.Routers.Routername.Rule=Host(`my-domain`)```.
add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change.
For example, to change the routing rule, you could add the label ```traefik.http.routers.routername.rule=Host(`my-domain`)```.
Every [Router](../routing/routers/index.md) parameter can be updated this way.
### Services
To update the configuration of the Service automatically attached to the container,
add labels starting with `traefik.HTTP.Services.{service-name-of-your-choice}.`, followed by the option you want to change.
For example, to change the passhostheader behavior, you'd add the label `traefik.HTTP.Services.Servicename.LoadBalancer.PassHostHeader=false`.
add labels starting with `traefik.http.services.{service-name-of-your-choice}.`, followed by the option you want to change.
For example, to change the passHostHeader behavior, you'd add the label `traefik.http.services.servicename.loadbalancer.passhostheader=false`.
Every [Service](../routing/services/index.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.HTTP.Middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.HTTP.Middlewares.my-redirect.RedirectScheme.Scheme: https`.
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
??? example "Declaring and Referencing a Middleware"
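Review bot: The rewritten TLS example still sets `insecureSkipVerify = true` next to `ca = "/etc/ssl/ca.crt"` in the `[providers.marathon.tls]` block. With verification skipped the client does not check Marathon's certificate, so the CA line does nothing to authenticate the server, and a copied example leaves the provider connection open to interception. I would show `insecureSkipVerify = false` there, or drop the line and describe the option in prose as a test-only switch. The basic-auth and `dcosToken` examples in the same file sit beside `http://` endpoints, one of them non-loopback (`http://10.241.1.71:8080,...`), so a sentence saying those credentials should only be sent to an HTTPS endpoint would also help.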


@ -19,7 +19,7 @@ Attach labels to your services and let Traefik do the rest!
Enabling the rancher provider
```toml
[Providers.Rancher]
[providers.rancher]
```
Attaching labels to services
@ -58,9 +58,9 @@ The service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.
```toml tab="File"
[Providers.Rancher]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
[providers.rancher]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```txt tab="CLI"


@ -1,20 +1,20 @@
# Enable Rancher Provider.
[Providers.Rancher]
[providers.rancher]
# Expose Rancher services by default in Traefik.
ExposedByDefault = true
exposedByDefault = true
# Enable watch Rancher changes.
Watch = true
watch = true
# Filter services with unhealthy states and inactive states.
EnableServiceHealthFilter = true
enableServiceHealthFilter = true
# Defines the polling interval (in seconds).
RefreshSeconds = true
refreshSeconds = true
# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
IntervalPoll = false
intervalPoll = false
# Prefix used for accessing the Rancher metadata service
Prefix = "/latest"
prefix = "/latest"
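Review bot: `refreshSeconds = true` is a boolean, but the comment directly above it says the key defines the polling interval in seconds, so the sample documents the wrong type. The commit only lower-cases the key and carries the value over from `RefreshSeconds = true`. An integer such as `refreshSeconds = 15` would match the comment; 15 is a constructed sample, and the real default has to come from the provider code, which is not visible here. The `intervalPoll` comment still refers to `rancher.refreshSeconds`, while the table is now `[providers.rancher]`, so `providers.rancher.refreshSeconds` would be the consistent spelling.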


@ -3,6 +3,8 @@
Dynamic configuration with Docker Labels
{: .subtitle }
The labels are case insensitive.
```yaml
--8<-- "content/reference/dynamic-configuration/labels.yml"
```


@ -1,8 +1,12 @@
# File Configuration Reference
Dynamic configuration with toml files
Dynamic configuration with files
{: .subtitle }
```toml
```toml tab="TOML"
--8<-- "content/reference/dynamic-configuration/file.toml"
```
```yml tab="YAML"
--8<-- "content/reference/dynamic-configuration/file.yaml"
```


@ -1,261 +1,248 @@
[HTTP]
[HTTP.Routers]
[HTTP.Routers.Router0]
EntryPoints = ["foobar", "foobar"]
Middlewares = ["foobar", "foobar"]
Service = "foobar"
Rule = "foobar"
[http]
[http.routers]
[http.routers.Router0]
entryPoints = ["foobar", "foobar"]
middlewares = ["foobar", "foobar"]
service = "foobar"
rule = "foobar"
priority = 42
[HTTP.Routers.Router0.tls]
[http.routers.Router0.tls]
options = "TLS0"
[HTTP.Middlewares]
[HTTP.Middlewares.Middleware0.AddPrefix]
Prefix = "foobar"
[HTTP.Middlewares.Middleware1.StripPrefix]
Prefixes = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware2.StripPrefixRegex]
Regex = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware3.ReplacePath]
Path = "foobar"
[HTTP.Middlewares.Middleware4.ReplacePathRegex]
Regex = "foobar"
Replacement = "foobar"
[HTTP.Middlewares.Middleware5.Chain]
Middlewares = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware6.IPWhiteList]
SourceRange = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware7.IPWhiteList.IPStrategy]
Depth = 42
ExcludedIPs = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware8.Headers]
AccessControlAllowCredentials = true
AccessControlAllowHeaders = ["foobar", "foobar"]
AccessControlAllowMethods = ["foobar", "foobar"]
AccessControlAllowOrigin = "foobar"
AccessControlExposeHeaders = ["foobar", "foobar"]
AccessControlMaxAge = 42
AddVaryHeader = true
AllowedHosts = ["foobar", "foobar"]
HostsProxyHeaders = ["foobar", "foobar"]
SSLRedirect = true
SSLTemporaryRedirect = true
SSLHost = "foobar"
SSLForceHost = true
STSSeconds = 42
STSIncludeSubdomains = true
STSPreload = true
ForceSTSHeader = true
FrameDeny = true
CustomFrameOptionsValue = "foobar"
ContentTypeNosniff = true
BrowserXSSFilter = true
CustomBrowserXSSValue = "foobar"
ContentSecurityPolicy = "foobar"
PublicKey = "foobar"
ReferrerPolicy = "foobar"
IsDevelopment = true
[HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders]
[http.middlewares]
[http.middlewares.Middleware0]
[http.middlewares.Middleware0.addPrefix]
prefix = "foobar"
[http.middlewares.Middleware1]
[http.middlewares.Middleware1.stripPrefix]
prefixes = ["foobar", "foobar"]
[http.middlewares.Middleware10]
[http.middlewares.Middleware10.rateLimit]
extractorFunc = "foobar"
[http.middlewares.Middleware10.rateLimit.rateSet]
[http.middlewares.Middleware10.rateLimit.rateSet.Rate0]
period = 42
average = 42
burst = 42
[http.middlewares.Middleware10.rateLimit.rateSet.Rate1]
period = 42
average = 42
burst = 42
[http.middlewares.Middleware11]
[http.middlewares.Middleware11.redirectRegex]
regex = "foobar"
replacement = "foobar"
permanent = true
[http.middlewares.Middleware12]
[http.middlewares.Middleware12.redirectScheme]
scheme = "foobar"
port = "foobar"
permanent = true
[http.middlewares.Middleware13]
[http.middlewares.Middleware13.basicAuth]
users = ["foobar", "foobar"]
usersFile = "foobar"
realm = "foobar"
removeHeader = true
headerField = "foobar"
[http.middlewares.Middleware14]
[http.middlewares.Middleware14.digestAuth]
users = ["foobar", "foobar"]
usersFile = "foobar"
removeHeader = true
realm = "foobar"
headerField = "foobar"
[http.middlewares.Middleware15]
[http.middlewares.Middleware15.forwardAuth]
address = "foobar"
trustForwardHeader = true
authResponseHeaders = ["foobar", "foobar"]
[http.middlewares.Middleware15.forwardAuth.tls]
ca = "foobar"
caOptional = true
cert = "foobar"
key = "foobar"
insecureSkipVerify = true
[http.middlewares.Middleware16]
[http.middlewares.Middleware16.maxConn]
amount = 42
extractorFunc = "foobar"
[http.middlewares.Middleware17]
[http.middlewares.Middleware17.buffering]
maxRequestBodyBytes = 42
memRequestBodyBytes = 42
maxResponseBodyBytes = 42
memResponseBodyBytes = 42
retryExpression = "foobar"
[http.middlewares.Middleware18]
[http.middlewares.Middleware18.circuitBreaker]
expression = "foobar"
[http.middlewares.Middleware19]
[http.middlewares.Middleware19.compress]
[http.middlewares.Middleware2]
[http.middlewares.Middleware2.stripPrefixRegex]
regex = ["foobar", "foobar"]
[http.middlewares.Middleware20]
[http.middlewares.Middleware20.passTLSClientCert]
pem = true
[http.middlewares.Middleware20.passTLSClientCert.info]
notAfter = true
notBefore = true
sans = true
[http.middlewares.Middleware20.passTLSClientCert.info.subject]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.Middleware20.passTLSClientCert.info.issuer]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.Middleware21]
[http.middlewares.Middleware21.retry]
attemps = 42
[http.middlewares.Middleware3]
[http.middlewares.Middleware3.replacePath]
path = "foobar"
[http.middlewares.Middleware4]
[http.middlewares.Middleware4.replacePathRegex]
regex = "foobar"
replacement = "foobar"
[http.middlewares.Middleware5]
[http.middlewares.Middleware5.chain]
middlewares = ["foobar", "foobar"]
[http.middlewares.Middleware6]
[http.middlewares.Middleware6.ipWhiteList]
sourceRange = ["foobar", "foobar"]
[http.middlewares.Middleware7]
[http.middlewares.Middleware7.ipWhiteList]
[http.middlewares.Middleware7.ipWhiteList.ipStrategy]
depth = 42
excludedIPs = ["foobar", "foobar"]
[http.middlewares.Middleware8]
[http.middlewares.Middleware8.headers]
accessControlAllowCredentials = true
accessControlAllowHeaders = ["foobar", "foobar"]
accessControlAllowMethods = ["foobar", "foobar"]
accessControlAllowOrigin = "foobar"
accessControlExposeHeaders = ["foobar", "foobar"]
accessControlMaxAge = 42
addVaryHeader = true
allowedHosts = ["foobar", "foobar"]
hostsProxyHeaders = ["foobar", "foobar"]
sslRedirect = true
sslTemporaryRedirect = true
sslHost = "foobar"
sslForceHost = true
stsSeconds = 42
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true
frameDeny = true
customFrameOptionsValue = "foobar"
contentTypeNosniff = true
browserXssFilter = true
customBrowserXSSValue = "foobar"
contentSecurityPolicy = "foobar"
publicKey = "foobar"
referrerPolicy = "foobar"
isDevelopment = true
[http.middlewares.Middleware8.headers.customRequestHeaders]
name0 = "foobar"
name1 = "foobar"
[HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders]
[http.middlewares.Middleware8.headers.customResponseHeaders]
name0 = "foobar"
name1 = "foobar"
[HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders]
[http.middlewares.Middleware8.headers.sslProxyHeaders]
name0 = "foobar"
name1 = "foobar"
[http.middlewares.Middleware9]
[http.middlewares.Middleware9.errors]
status = ["foobar", "foobar"]
service = "foobar"
query = "foobar"
[http.services]
[http.services.Service0]
[http.services.Service0.loadBalancer]
passHostHeader = true
[http.services.Service0.loadBalancer.stickiness]
cookieName = "foobar"
[HTTP.Middlewares.Middleware9.Errors]
Status = ["foobar", "foobar"]
Service = "foobar"
Query = "foobar"
[[http.services.Service0.loadBalancer.servers]]
url = "foobar"
[HTTP.Middlewares.Middleware10.RateLimit]
ExtractorFunc = "foobar"
[HTTP.Middlewares.Middleware10.RateLimit.RateSet]
[HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate0]
Period = 42
Average = 42
Burst = 42
[HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate1]
Period = 42
Average = 42
Burst = 42
[HTTP.Middlewares.Middleware11.RedirectRegex]
Regex = "foobar"
Replacement = "foobar"
Permanent = true
[HTTP.Middlewares.Middleware12.RedirectScheme]
Scheme = "foobar"
Port = "foobar"
Permanent = true
[HTTP.Middlewares.Middleware13.BasicAuth]
Users = ["foobar", "foobar"]
UsersFile = "foobar"
Realm = "foobar"
RemoveHeader = true
HeaderField = "foobar"
[HTTP.Middlewares.Middleware14.DigestAuth]
Users = ["foobar", "foobar"]
UsersFile = "foobar"
RemoveHeader = true
Realm = "foobar"
HeaderField = "foobar"
[HTTP.Middlewares.Middleware15.ForwardAuth]
Address = "foobar"
TrustForwardHeader = true
AuthResponseHeaders = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware15.ForwardAuth.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
[HTTP.Middlewares.Middleware16.MaxConn]
Amount = 42
ExtractorFunc = "foobar"
[HTTP.Middlewares.Middleware17.Buffering]
MaxRequestBodyBytes = 42
MemRequestBodyBytes = 42
MaxResponseBodyBytes = 42
MemResponseBodyBytes = 42
RetryExpression = "foobar"
[HTTP.Middlewares.Middleware18.CircuitBreaker]
Expression = "foobar"
[HTTP.Middlewares.Middleware19.Compress]
[HTTP.Middlewares.Middleware20.PassTLSClientCert]
PEM = true
[HTTP.Middlewares.Middleware20.PassTLSClientCert.Info]
NotAfter = true
NotBefore = true
Sans = true
[HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Subject]
Country = true
Province = true
Locality = true
Organization = true
CommonName = true
SerialNumber = true
DomainComponent = true
[HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Issuer]
Country = true
Province = true
Locality = true
Organization = true
CommonName = true
SerialNumber = true
DomainComponent = true
[HTTP.Middlewares.Middleware21.Retry]
Attempts = 42
[HTTP.Services]
[HTTP.Services.Service0]
[HTTP.Services.Service0.LoadBalancer]
PassHostHeader = true
[[HTTP.Services.Service0.LoadBalancer.Servers]]
URL = "foobar"
[HTTP.Services.Service0.LoadBalancer.Stickiness]
CookieName = "foobar"
[[HTTP.Services.Service0.LoadBalancer.Servers]]
URL = "foobar"
[HTTP.Services.Service0.LoadBalancer.HealthCheck]
Scheme = "foobar"
Path = "foobar"
Port = 42
Interval = "foobar"
Timeout = "foobar"
Hostname = "foobar"
[HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers]
[[http.services.Service0.loadBalancer.servers]]
url = "foobar"
[http.services.Service0.loadBalancer.healthCheck]
scheme = "foobar"
path = "foobar"
port = 42
interval = "foobar"
timeout = "foobar"
hostname = "foobar"
[http.services.Service0.loadBalancer.healthCheck.headers]
name0 = "foobar"
name1 = "foobar"
[HTTP.Services.Service0.LoadBalancer.ResponseForwarding]
FlushInterval = "foobar"
[http.services.Service0.loadBalancer.responseForwarding]
flushInterval = "foobar"
[TCP]
[TCP.Routers]
[TCP.Routers.TCPRouter0]
EntryPoints = ["foobar", "foobar"]
Service = "foobar"
Rule = "foobar"
[TCP.Routers.TCPRouter0.tls]
[tcp]
[tcp.routers]
[tcp.routers.TCPRouter0]
entryPoints = ["foobar", "foobar"]
service = "foobar"
rule = "foobar"
[tcp.routers.TCPRouter0.tls]
passthrough = true
options = "TLS1"
[tcp.services]
[tcp.services.TCPService0]
[tcp.services.TCPService0.loadBalancer]
[TCP.Services]
[[tcp.services.TCPService0.loadBalancer.servers]]
address = "foobar"
[TCP.Services.TCPService0]
[TCP.Services.TCPService0.LoadBalancer]
[[tcp.services.TCPService0.loadBalancer.servers]]
address = "foobar"
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
[tls]
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
[[tls.certificates]]
certFile = "foobar"
keyFile = "foobar"
stores = ["foobar", "foobar"]
[[TLS]]
Stores = ["foobar", "foobar"]
[TLS.Certificate]
CertFile = "foobar"
KeyFile = "foobar"
[[TLS]]
Stores = ["foobar", "foobar"]
[TLS.Certificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLSOptions]
[TLSOptions.TLS0]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLSOptions.TLS0.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSOptions.TLS1]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLSOptions.TLS1.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSStores]
[TLSStores.Store0]
[TLSStores.Store0.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLSStores.Store1]
[TLSStores.Store1.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"
[[tls.certificates]]
certFile = "foobar"
keyFile = "foobar"
stores = ["foobar", "foobar"]
[tls.options]
[tls.options.TLS0]
minVersion = "foobar"
cipherSuites = ["foobar", "foobar"]
sniStrict = true
[tls.options.TLS0.clientCA]
files = ["foobar", "foobar"]
optional = true
[tls.options.TLS1]
minVersion = "foobar"
cipherSuites = ["foobar", "foobar"]
sniStrict = true
[tls.options.TLS1.clientCA]
files = ["foobar", "foobar"]
optional = true
[tls.stores]
[tls.stores.Store0]
[tls.stores.Store0.defaultCertificate]
certFile = "foobar"
keyFile = "foobar"
[tls.stores.Store1]
[tls.stores.Store1.defaultCertificate]
certFile = "foobar"
keyFile = "foobar"
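Review bot: The retry middleware key is spelled `attemps = 42` under `[http.middlewares.Middleware21.retry]`, whereas the removed side had `Attempts = 42` and the labels reference on this page uses `Retry.Attempts`. The same spelling appears in the added YAML reference as `attemps: 42`. Someone copying either sample would get a key the decoder presumably rejects or ignores, leaving the retry count unset. The line should read `attempts = 42` (and `attempts: 42` in the YAML). If these reference files are generated, the misspelling likely comes from the field tag and should be fixed there; the generator is not visible from here.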


@ -0,0 +1,281 @@
http:
routers:
Router0:
entryPoints:
- foobar
- foobar
middlewares:
- foobar
- foobar
service: foobar
rule: foobar
priority: 42
tls: {}
middlewares:
Middleware0:
addPrefix:
prefix: foobar
Middleware1:
stripPrefix:
prefixes:
- foobar
- foobar
Middleware2:
stripPrefixRegex:
regex:
- foobar
- foobar
Middleware3:
replacePath:
path: foobar
Middleware4:
replacePathRegex:
regex: foobar
replacement: foobar
Middleware5:
chain:
middlewares:
- foobar
- foobar
Middleware6:
ipWhiteList:
sourceRange:
- foobar
- foobar
Middleware7:
ipWhiteList:
ipStrategy:
depth: 42
excludedIPs:
- foobar
- foobar
Middleware8:
headers:
customRequestHeaders:
name0: foobar
name1: foobar
customResponseHeaders:
name0: foobar
name1: foobar
accessControlAllowCredentials: true
accessControlAllowHeaders:
- foobar
- foobar
accessControlAllowMethods:
- foobar
- foobar
accessControlAllowOrigin: foobar
accessControlExposeHeaders:
- foobar
- foobar
accessControlMaxAge: 42
addVaryHeader: true
allowedHosts:
- foobar
- foobar
hostsProxyHeaders:
- foobar
- foobar
sslRedirect: true
sslTemporaryRedirect: true
sslHost: foobar
sslProxyHeaders:
name0: foobar
name1: foobar
sslForceHost: true
stsSeconds: 42
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true
frameDeny: true
customFrameOptionsValue: foobar
contentTypeNosniff: true
browserXssFilter: true
customBrowserXSSValue: foobar
contentSecurityPolicy: foobar
publicKey: foobar
referrerPolicy: foobar
isDevelopment: true
Middleware9:
errors:
status:
- foobar
- foobar
service: foobar
query: foobar
Middleware10:
rateLimit:
rateSet:
Rate0:
period: 42000000000
average: 42
burst: 42
Rate1:
period: 42000000000
average: 42
burst: 42
extractorFunc: foobar
Middleware11:
redirectRegex:
regex: foobar
replacement: foobar
permanent: true
Middleware12:
redirectScheme:
scheme: foobar
port: foobar
permanent: true
Middleware13:
basicAuth:
users:
- foobar
- foobar
usersFile: foobar
realm: foobar
removeHeader: true
headerField: foobar
Middleware14:
digestAuth:
users:
- foobar
- foobar
usersFile: foobar
removeHeader: true
realm: foobar
headerField: foobar
Middleware15:
forwardAuth:
address: foobar
tls:
ca: foobar
caOptional: true
cert: foobar
key: foobar
insecureSkipVerify: true
trustForwardHeader: true
authResponseHeaders:
- foobar
- foobar
Middleware16:
maxConn:
amount: 42
extractorFunc: foobar
Middleware17:
buffering:
maxRequestBodyBytes: 42
memRequestBodyBytes: 42
maxResponseBodyBytes: 42
memResponseBodyBytes: 42
retryExpression: foobar
Middleware18:
circuitBreaker:
expression: foobar
Middleware19:
compress: {}
Middleware20:
passTLSClientCert:
pem: true
info:
notAfter: true
notBefore: true
sans: true
subject:
country: true
province: true
locality: true
organization: true
commonName: true
serialNumber: true
domainComponent: true
issuer:
country: true
province: true
locality: true
organization: true
commonName: true
serialNumber: true
domainComponent: true
Middleware21:
retry:
attemps: 42
services:
Service0:
loadBalancer:
stickiness:
cookieName: foobar
servers:
- url: foobar
- url: foobar
healthCheck:
scheme: foobar
path: foobar
port: 42
interval: foobar
timeout: foobar
hostname: foobar
headers:
name0: foobar
name1: foobar
passHostHeader: true
responseForwarding:
flushInterval: foobar
tcp:
routers:
TCPRouter0:
entryPoints:
- foobar
- foobar
service: foobar
rule: foobar
tls:
passthrough: true
services:
TCPService0:
loadBalancer:
servers:
- address: foobar
- address: foobar
tls:
certificates:
- certFile: foobar
keyFile: foobar
stores:
- foobar
- foobar
- certFile: foobar
keyFile: foobar
stores:
- foobar
- foobar
options:
TLS0:
minVersion: foobar
cipherSuites:
- foobar
- foobar
clientCA:
files:
- foobar
- foobar
optional: true
sniStrict: true
TLS1:
minVersion: foobar
cipherSuites:
- foobar
- foobar
clientCA:
files:
- foobar
- foobar
optional: true
sniStrict: true
stores:
Store0:
defaultCertificate:
certFile: foobar
keyFile: foobar
Store1:
defaultCertificate:
certFile: foobar
keyFile: foobar
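Review bot: The YAML reference omits the router-to-TLS-options binding that the TOML reference in this commit shows. `Router0` has `tls: {}` and `TCPRouter0` has only `passthrough: true`, while the TOML side has `options = "TLS0"` and `options = "TLS1"`. That key is what ties a router to the `minVersion`, `cipherSuites`, `clientCA` and `sniStrict` sets defined under `tls.options` further down, so leaving it out of the reference hides how those settings get applied. I would add `options: TLS0` under the HTTP router's `tls` and `options: TLS1` under the TCP router's `tls`. The rate-limit `period` also differs between the two files (`42000000000` here, `42` in TOML); it would help to make them agree or add a comment stating the unit.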


@ -1,154 +1,154 @@
labels:
- "traefik.HTTP.Middlewares.Middleware0.AddPrefix.Prefix=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.HeaderField=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Realm=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.RemoveHeader=true"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Users=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.UsersFile=foobar"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxRequestBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxResponseBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MemRequestBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MemResponseBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.RetryExpression=foobar"
- "traefik.HTTP.Middlewares.Middleware3.Chain.Middlewares=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.Expression=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.HeaderField=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Realm=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.RemoveHeader=true"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Users=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.UsersFile=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Query=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Service=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Status=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.Address=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional=true"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TrustForwardHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowCredentials=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowHeaders=X-foobar, X-fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowMethods=GET, PUT"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowOrigin=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlExposeHeaders=X-foobar, X-fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlMaxAge=200"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AddVaryHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AllowedHosts=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.BrowserXSSFilter=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicy=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ContentTypeNosniff=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomBrowserXSSValue=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomFrameOptionsValue=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ForceSTSHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.FrameDeny=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.HostsProxyHeaders=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds=42"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth=42"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware10.MaxConn.Amount=42"
- "traefik.HTTP.Middlewares.Middleware10.MaxConn.ExtractorFunc=foobar"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Sans=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Organization=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.CommonName=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.SerialNumber=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.DomainComponent=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Country=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Province=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Locality=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Organization=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.CommonName=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.SerialNumber=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.DomainComponent=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.PEM=true"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.ExtractorFunc=foobar"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Average=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Burst=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Period=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Average=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Burst=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Period=42"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Regex=foobar"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Replacement=foobar"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Permanent=true"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Scheme=https"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Port=80"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Permanent=true"
- "traefik.HTTP.Middlewares.Middleware14.ReplacePath.Path=foobar"
- "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Regex=foobar"
- "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Replacement=foobar"
- "traefik.HTTP.Middlewares.Middleware16.Retry.Attempts=42"
- "traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware19.Compress=true"
- "traefik.HTTP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router0.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router0.Priority=42"
- "traefik.HTTP.Routers.Router0.Rule=foobar"
- "traefik.HTTP.Routers.Router0.Service=foobar"
- "traefik.HTTP.Routers.Router0.TLS=true"
- "traefik.HTTP.Routers.Router0.TLS.options=foo"
- "traefik.HTTP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Priority=42"
- "traefik.HTTP.Routers.Router1.Rule=foobar"
- "traefik.HTTP.Routers.Router1.Service=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Interval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Path=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Timeout=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service0.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.Stickiness.CookieName=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Interval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Path=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Timeout=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service1.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme=foobar"
- "traefik.TCP.Routers.Router0.Rule=foobar"
- "traefik.TCP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router0.Service=foobar"
- "traefik.TCP.Routers.Router0.TLS.Passthrough=false"
- "traefik.TCP.Routers.Router0.TLS.options=bar"
- "traefik.TCP.Routers.Router1.Rule=foobar"
- "traefik.TCP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router1.Service=foobar"
- "traefik.TCP.Routers.Router1.TLS.Passthrough=false"
- "traefik.TCP.Routers.Router1.TLS.options=foobar"
- "traefik.TCP.Services.Service0.LoadBalancer.server.Port=42"
- "traefik.TCP.Services.Service1.LoadBalancer.server.Port=42"
- "traefik.http.middlewares.Middleware0.addprefix.prefix=foobar"
- "traefik.http.middlewares.Middleware1.basicauth.headerfield=foobar"
- "traefik.http.middlewares.Middleware1.basicauth.realm=foobar"
- "traefik.http.middlewares.Middleware1.basicauth.removeheader=true"
- "traefik.http.middlewares.Middleware1.basicauth.users=foobar, fiibar"
- "traefik.http.middlewares.Middleware1.basicauth.usersfile=foobar"
- "traefik.http.middlewares.Middleware2.buffering.maxrequestbodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.maxresponsebodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.memrequestbodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.memresponsebodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.retryexpression=foobar"
- "traefik.http.middlewares.Middleware3.chain.middlewares=foobar, fiibar"
- "traefik.http.middlewares.Middleware4.circuitbreaker.expression=foobar"
- "traefik.http.middlewares.Middleware5.digestauth.headerfield=foobar"
- "traefik.http.middlewares.Middleware5.digestauth.realm=foobar"
- "traefik.http.middlewares.Middleware5.digestauth.removeheader=true"
- "traefik.http.middlewares.Middleware5.digestauth.users=foobar, fiibar"
- "traefik.http.middlewares.Middleware5.digestauth.usersfile=foobar"
- "traefik.http.middlewares.Middleware6.errors.query=foobar"
- "traefik.http.middlewares.Middleware6.errors.service=foobar"
- "traefik.http.middlewares.Middleware6.errors.status=foobar, fiibar"
- "traefik.http.middlewares.Middleware7.forwardauth.address=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.authresponseheaders=foobar, fiibar"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.ca=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.caoptional=true"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.cert=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.insecureskipverify=true"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.key=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.trustforwardheader=true"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolallowheaders=x-foobar, x-fiibar"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolallowmethods=get, put"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolalloworigin=foobar"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolexposeheaders=x-foobar, x-fiibar"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolmaxage=200"
- "traefik.http.middlewares.Middleware8.headers.addvaryheader=true"
- "traefik.http.middlewares.Middleware8.headers.allowedhosts=foobar, fiibar"
- "traefik.http.middlewares.Middleware8.headers.browserxssfilter=true"
- "traefik.http.middlewares.Middleware8.headers.contentsecuritypolicy=foobar"
- "traefik.http.middlewares.Middleware8.headers.contenttypenosniff=true"
- "traefik.http.middlewares.Middleware8.headers.custombrowserxssvalue=foobar"
- "traefik.http.middlewares.Middleware8.headers.customframeoptionsvalue=foobar"
- "traefik.http.middlewares.Middleware8.headers.customrequestheaders.name0=foobar"
- "traefik.http.middlewares.Middleware8.headers.customrequestheaders.name1=foobar"
- "traefik.http.middlewares.Middleware8.headers.customresponseheaders.name0=foobar"
- "traefik.http.middlewares.Middleware8.headers.customresponseheaders.name1=foobar"
- "traefik.http.middlewares.Middleware8.headers.forcestsheader=true"
- "traefik.http.middlewares.Middleware8.headers.framedeny=true"
- "traefik.http.middlewares.Middleware8.headers.hostsproxyheaders=foobar, fiibar"
- "traefik.http.middlewares.Middleware8.headers.isdevelopment=true"
- "traefik.http.middlewares.Middleware8.headers.publickey=foobar"
- "traefik.http.middlewares.Middleware8.headers.referrerpolicy=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslforcehost=true"
- "traefik.http.middlewares.Middleware8.headers.sslhost=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name1=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslredirect=true"
- "traefik.http.middlewares.Middleware8.headers.ssltemporaryredirect=true"
- "traefik.http.middlewares.Middleware8.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.Middleware8.headers.stspreload=true"
- "traefik.http.middlewares.Middleware8.headers.stsseconds=42"
- "traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.depth=42"
- "traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.excludedips=foobar, fiibar"
- "traefik.http.middlewares.Middleware9.ipwhitelist.sourcerange=foobar, fiibar"
- "traefik.http.middlewares.Middleware10.maxconn.amount=42"
- "traefik.http.middlewares.Middleware10.maxconn.extractorfunc=foobar"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.notafter=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.notbefore=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.sans=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.country=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.province=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.locality=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.organization=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.commonname=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.serialnumber=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.domaincomponent=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.country=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.locality=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.organization=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.commonname=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.serialnumber=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.domaincomponent=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
- "traefik.http.middlewares.Middleware12.ratelimit.extractorfunc=foobar"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate0.average=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate0.burst=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate0.period=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate1.average=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate1.burst=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate1.period=42"
- "traefik.http.middlewares.Middleware13.redirectregex.regex=foobar"
- "traefik.http.middlewares.Middleware13.redirectregex.replacement=foobar"
- "traefik.http.middlewares.Middleware13.redirectregex.permanent=true"
- "traefik.http.middlewares.Middleware13b.redirectscheme.scheme=https"
- "traefik.http.middlewares.Middleware13b.redirectscheme.port=80"
- "traefik.http.middlewares.Middleware13b.redirectscheme.permanent=true"
- "traefik.http.middlewares.Middleware14.replacepath.path=foobar"
- "traefik.http.middlewares.Middleware15.replacepathregex.regex=foobar"
- "traefik.http.middlewares.Middleware15.replacepathregex.replacement=foobar"
- "traefik.http.middlewares.Middleware16.retry.attempts=42"
- "traefik.http.middlewares.Middleware17.stripprefix.prefixes=foobar, fiibar"
- "traefik.http.middlewares.Middleware18.stripprefixregex.regex=foobar, fiibar"
- "traefik.http.middlewares.Middleware19.compress=true"
- "traefik.http.routers.Router0.entrypoints=foobar, fiibar"
- "traefik.http.routers.Router0.middlewares=foobar, fiibar"
- "traefik.http.routers.Router0.priority=42"
- "traefik.http.routers.Router0.rule=foobar"
- "traefik.http.routers.Router0.service=foobar"
- "traefik.http.routers.Router0.tls=true"
- "traefik.http.routers.Router0.tls.options=foo"
- "traefik.http.routers.Router1.entrypoints=foobar, fiibar"
- "traefik.http.routers.Router1.middlewares=foobar, fiibar"
- "traefik.http.routers.Router1.priority=42"
- "traefik.http.routers.Router1.rule=foobar"
- "traefik.http.routers.Router1.service=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.headers.name0=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.headers.name1=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.hostname=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.interval=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.path=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.port=42"
- "traefik.http.services.Service0.loadbalancer.healthcheck.scheme=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.timeout=foobar"
- "traefik.http.services.Service0.loadbalancer.passhostheader=true"
- "traefik.http.services.Service0.loadbalancer.responseforwarding.flushinterval=foobar"
- "traefik.http.services.Service0.loadbalancer.server.port=8080"
- "traefik.http.services.Service0.loadbalancer.server.scheme=foobar"
- "traefik.http.services.Service0.loadbalancer.stickiness.cookiename=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.headers.name0=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.headers.name1=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.hostname=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.interval=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.path=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.port=42"
- "traefik.http.services.Service1.loadbalancer.healthcheck.scheme=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.timeout=foobar"
- "traefik.http.services.Service1.loadbalancer.passhostheader=true"
- "traefik.http.services.Service1.loadbalancer.responseforwarding.flushinterval=foobar"
- "traefik.http.services.Service1.loadbalancer.server.port=8080"
- "traefik.http.services.Service1.loadbalancer.server.scheme=foobar"
- "traefik.tcp.routers.Router0.rule=foobar"
- "traefik.tcp.routers.Router0.entrypoints=foobar, fiibar"
- "traefik.tcp.routers.Router0.service=foobar"
- "traefik.tcp.routers.Router0.tls.passthrough=false"
- "traefik.tcp.routers.Router0.tls.options=bar"
- "traefik.tcp.routers.Router1.rule=foobar"
- "traefik.tcp.routers.Router1.entrypoints=foobar, fiibar"
- "traefik.tcp.routers.Router1.service=foobar"
- "traefik.tcp.routers.Router1.tls.passthrough=false"
- "traefik.tcp.routers.Router1.tls.options=foobar"
- "traefik.tcp.services.Service0.loadbalancer.server.port=42"
- "traefik.tcp.services.Service1.loadbalancer.server.port=42"


@ -477,6 +477,10 @@
The amount of time to wait for a server's response headers after fully writing
the request (including its body, if any). If zero, no timeout exists.
--serverstransport.forwardingtimeouts.idleconntimeout (Default: "90s")
The maximum period for which an idle HTTP keep-alive connection to a backend
server will remain open before closing itself.
--serverstransport.insecureskipverify (Default: "false")
Disable SSL certificate verification.
@ -490,9 +494,6 @@
--tracing (Default: "false")
OpenTracing configuration.
--tracing.backend (Default: "jaeger")
Selects the tracking backend ('jaeger','zipkin','datadog','instana').
--tracing.datadog (Default: "false")
Settings for DataDog.
@ -526,7 +527,7 @@
Settings for Haystack.
--tracing.haystack.baggageprefixheadername (Default: "")
specifies the header name prefix that will be used to store baggage items in a
Specifies the header name prefix that will be used to store baggage items in a
map.
--tracing.haystack.globaltag (Default: "")


@ -462,6 +462,10 @@ The amount of time to wait until a connection to a backend server can be establi
`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_RESPONSEHEADERTIMEOUT`:
The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_IDLECONNTIMEOUT`:
The maximum period for which an idle HTTP keep-alive connection to a backend
server will remain open before closing itself. (Default: ```90s```)
`TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY`:
Disable SSL certificate verification. (Default: ```false```)
@ -474,9 +478,6 @@ Add cert file for self-signed certificate.
`TRAEFIK_TRACING`:
OpenTracing configuration. (Default: ```false```)
`TRAEFIK_TRACING_BACKEND`:
Selects the tracking backend ('jaeger','zipkin','datadog','instana'). (Default: ```jaeger```)
`TRAEFIK_TRACING_DATADOG`:
Settings for DataDog. (Default: ```false```)


@ -1,7 +1,9 @@
# Static Configuration: File
## TOML
```toml
```toml tab="TOML"
--8<-- "content/reference/static-configuration/file.toml"
```
```yml tab="YAML"
--8<-- "content/reference/static-configuration/file.yaml"
```


@ -1,246 +1,232 @@
[Global]
CheckNewVersion = true
SendAnonymousUsage = true
[global]
checkNewVersion = true
sendAnonymousUsage = true
[ServersTransport]
InsecureSkipVerify = true
RootCAs = ["foobar", "foobar"]
MaxIdleConnsPerHost = 42
[ServersTransport.ForwardingTimeouts]
DialTimeout = 42
ResponseHeaderTimeout = 42
[serversTransport]
insecureSkipVerify = true
rootCAs = ["foobar", "foobar"]
maxIdleConnsPerHost = 42
[serversTransport.forwardingTimeouts]
dialTimeout = 42
responseHeaderTimeout = 42
idleConnTimeout = 42
[EntryPoints]
[entryPoints]
[entryPoints.EntryPoint0]
address = "foobar"
[entryPoints.EntryPoint0.transport]
[entryPoints.EntryPoint0.transport.lifeCycle]
requestAcceptGraceTimeout = 42
graceTimeOut = 42
[entryPoints.EntryPoint0.transport.respondingTimeouts]
readTimeout = 42
writeTimeout = 42
idleTimeout = 42
[entryPoints.EntryPoint0.proxyProtocol]
insecure = true
trustedIPs = ["foobar", "foobar"]
[entryPoints.EntryPoint0.forwardedHeaders]
insecure = true
trustedIPs = ["foobar", "foobar"]
[EntryPoints.EntryPoint0]
Address = "foobar"
[EntryPoints.EntryPoint0.Transport]
[EntryPoints.EntryPoint0.Transport.LifeCycle]
RequestAcceptGraceTimeout = 42
GraceTimeOut = 42
[EntryPoints.EntryPoint0.Transport.RespondingTimeouts]
ReadTimeout = 42
WriteTimeout = 42
IdleTimeout = 42
[EntryPoints.EntryPoint0.ProxyProtocol]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
[EntryPoints.EntryPoint0.ForwardedHeaders]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
[providers]
providersThrottleDuration = 42
[providers.docker]
constraints = "foobar"
watch = true
endpoint = "foobar"
defaultRule = "foobar"
exposedByDefault = true
useBindPortIP = true
swarmMode = true
network = "foobar"
swarmModeRefreshSeconds = 42
[providers.docker.tls]
ca = "foobar"
caOptional = true
cert = "foobar"
key = "foobar"
insecureSkipVerify = true
[providers.file]
directory = "foobar"
watch = true
filename = "foobar"
debugLogGeneratedTemplate = true
traefikFile = "foobar"
[providers.marathon]
constraints = "foobar"
trace = true
watch = true
endpoint = "foobar"
defaultRule = "foobar"
exposedByDefault = true
dcosToken = "foobar"
dialerTimeout = 42
responseHeaderTimeout = 42
tlsHandshakeTimeout = 42
keepAlive = 42
forceTaskHostname = true
respectReadinessChecks = true
[providers.marathon.tls]
ca = "foobar"
caOptional = true
cert = "foobar"
key = "foobar"
insecureSkipVerify = true
[providers.marathon.basic]
httpBasicAuthUser = "foobar"
httpBasicPassword = "foobar"
[providers.kubernetes]
endpoint = "foobar"
token = "foobar"
certAuthFilePath = "foobar"
disablePassHostHeaders = true
namespaces = ["foobar", "foobar"]
labelSelector = "foobar"
ingressClass = "foobar"
[providers.kubernetes.ingressEndpoint]
ip = "foobar"
hostname = "foobar"
publishedService = "foobar"
[providers.kubernetesCRD]
endpoint = "foobar"
token = "foobar"
certAuthFilePath = "foobar"
disablePassHostHeaders = true
namespaces = ["foobar", "foobar"]
labelSelector = "foobar"
ingressClass = "foobar"
[providers.rest]
entryPoint = "foobar"
[providers.rancher]
constraints = "foobar"
watch = true
defaultRule = "foobar"
exposedByDefault = true
enableServiceHealthFilter = true
refreshSeconds = 42
intervalPoll = true
prefix = "foobar"
[Providers]
ProvidersThrottleDuration = 42
[api]
entryPoint = "foobar"
dashboard = true
middlewares = ["foobar", "foobar"]
[api.statistics]
recentErrors = 42
[Providers.Docker]
Watch = true
Endpoint = "foobar"
DefaultRule = "foobar"
ExposedByDefault = true
UseBindPortIP = true
SwarmMode = true
Network = "foobar"
SwarmModeRefreshSeconds = 42
Constraints = "foobar"
[metrics]
[metrics.prometheus]
buckets = [42.0, 42.0]
entryPoint = "foobar"
middlewares = ["foobar", "foobar"]
[metrics.dataDog]
address = "foobar"
pushInterval = "10s"
[metrics.statsD]
address = "foobar"
pushInterval = "10s"
[metrics.influxDB]
address = "foobar"
protocol = "foobar"
pushInterval = "10s"
database = "foobar"
retentionPolicy = "foobar"
username = "foobar"
password = "foobar"
[Providers.Docker.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
[ping]
entryPoint = "foobar"
middlewares = ["foobar", "foobar"]
[Providers.File]
Directory = "foobar"
Watch = true
Filename = "foobar"
DebugLogGeneratedTemplate = true
TraefikFile = "foobar"
[log]
level = "foobar"
filePath = "foobar"
format = "foobar"
[Providers.Marathon]
Trace = true
Watch = true
Endpoint = "foobar"
DefaultRule = "foobar"
ExposedByDefault = true
DCOSToken = "foobar"
DialerTimeout = 42
ResponseHeaderTimeout = 42
TLSHandshakeTimeout = 42
KeepAlive = 42
ForceTaskHostname = true
RespectReadinessChecks = true
Constraints = "foobar"
[Providers.Marathon.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
[Providers.Marathon.Basic]
HTTPBasicAuthUser = "foobar"
HTTPBasicPassword = "foobar"
[Providers.Kubernetes]
Endpoint = "foobar"
Token = "foobar"
CertAuthFilePath = "foobar"
DisablePassHostHeaders = true
Namespaces = ["foobar", "foobar"]
LabelSelector = "foobar"
IngressClass = "foobar"
[Providers.Kubernetes.IngressEndpoint]
IP = "foobar"
Hostname = "foobar"
PublishedService = "foobar"
[Providers.KubernetesCRD]
Endpoint = "foobar"
Token = "foobar"
CertAuthFilePath = "foobar"
DisablePassHostHeaders = true
Namespaces = ["foobar", "foobar"]
LabelSelector = "foobar"
IngressClass = "foobar"
[Providers.Rest]
EntryPoint = "foobar"
[Providers.Rancher]
Watch = true
DefaultRule = "foobar"
ExposedByDefault = true
EnableServiceHealthFilter = true
RefreshSeconds = 42
IntervalPoll = true
Prefix = "foobar"
Constraints = "foobar"
[API]
EntryPoint = "foobar"
Dashboard = true
Middlewares = ["foobar", "foobar"]
[API.Statistics]
RecentErrors = 42
[Metrics]
[Metrics.Prometheus]
Buckets = [42.0, 42.0]
EntryPoint = "foobar"
Middlewares = ["foobar", "foobar"]
[Metrics.Datadog]
Address = "foobar"
PushInterval = "foobar"
[Metrics.StatsD]
Address = "foobar"
PushInterval = "foobar"
[Metrics.InfluxDB]
Address = "foobar"
Protocol = "foobar"
PushInterval = "foobar"
Database = "foobar"
RetentionPolicy = "foobar"
Username = "foobar"
Password = "foobar"
[Ping]
EntryPoint = "foobar"
Middlewares = ["foobar", "foobar"]
[Log]
Level = "foobar"
FilePath = "foobar"
Format = "foobar"
[AccessLog]
FilePath = "foobar"
Format = "foobar"
BufferingSize = 42
[AccessLog.Filters]
StatusCodes = ["foobar", "foobar"]
RetryAttempts = true
MinDuration = 42
[AccessLog.Fields]
DefaultMode = "foobar"
[AccessLog.Fields.Names]
[accessLog]
filePath = "foobar"
format = "foobar"
bufferingSize = 42
[accessLog.filters]
statusCodes = ["foobar", "foobar"]
retryAttempts = true
minDuration = 42
[accessLog.fields]
defaultMode = "foobar"
[accessLog.fields.names]
name0 = "foobar"
name1 = "foobar"
[AccessLog.Fields.Headers]
DefaultMode = "foobar"
[AccessLog.Fields.Headers.Names]
[accessLog.fields.headers]
defaultMode = "foobar"
[accessLog.fields.headers.names]
name0 = "foobar"
name1 = "foobar"
[Tracing]
Backend = "foobar"
ServiceName = "foobar"
SpanNameLimit = 42
[tracing]
serviceName = "foobar"
spanNameLimit = 42
[tracing.jaeger]
samplingServerURL = "foobar"
samplingType = "foobar"
samplingParam = 42.0
localAgentHostPort = "foobar"
gen128Bit = true
propagation = "foobar"
traceContextHeaderName = "foobar"
[tracing.zipkin]
httpEndpoint = "foobar"
sameSpan = true
id128Bit = true
debug = true
sampleRate = 42.0
[tracing.dataDog]
localAgentHostPort = "foobar"
globalTag = "foobar"
debug = true
prioritySampling = true
traceIDHeaderName = "foobar"
parentIDHeaderName = "foobar"
samplingPriorityHeaderName = "foobar"
bagagePrefixHeaderName = "foobar"
[tracing.instana]
localAgentHost = "foobar"
localAgentPort = 42
logLevel = "foobar"
[tracing.haystack]
localAgentHost = "foobar"
localAgentPort = 42
globalTag = "foobar"
traceIDHeaderName = "foobar"
parentIDHeaderName = "foobar"
spanIDHeaderName = "foobar"
[Tracing.Jaeger]
SamplingServerURL = "foobar"
SamplingType = "foobar"
SamplingParam = 42.0
LocalAgentHostPort = "foobar"
Gen128Bit = true
Propagation = "foobar"
TraceContextHeaderName = "foobar"
[hostResolver]
cnameFlattening = true
resolvConfig = "foobar"
resolvDepth = 42
[Tracing.Zipkin]
HTTPEndpoint = "foobar"
SameSpan = true
ID128Bit = true
Debug = true
SampleRate = 42.0
[acme]
email = "foobar"
acmeLogging = true
caServer = "foobar"
storage = "foobar"
entryPoint = "foobar"
keyType = "foobar"
onHostRule = true
[acme.dnsChallenge]
provider = "foobar"
delayBeforeCheck = 42
resolvers = ["foobar", "foobar"]
disablePropagationCheck = true
[acme.httpChallenge]
entryPoint = "foobar"
[acme.tlsChallenge]
[Tracing.DataDog]
LocalAgentHostPort = "foobar"
GlobalTag = "foobar"
Debug = true
PrioritySampling = true
TraceIDHeaderName = "foobar"
ParentIDHeaderName = "foobar"
SamplingPriorityHeaderName = "foobar"
BagagePrefixHeaderName = "foobar"
[[acme.domains]]
main = "foobar"
sans = ["foobar", "foobar"]
[Tracing.Instana]
LocalAgentHost = "foobar"
LocalAgentPort = 42
LogLevel = "foobar"
[HostResolver]
CnameFlattening = true
ResolvConfig = "foobar"
ResolvDepth = 42
[ACME]
Email = "foobar"
ACMELogging = true
CAServer = "foobar"
Storage = "foobar"
EntryPoint = "foobar"
KeyType = "foobar"
OnHostRule = true
[ACME.DNSChallenge]
Provider = "foobar"
DelayBeforeCheck = 42
Resolvers = ["foobar", "foobar"]
DisablePropagationCheck = true
[ACME.HTTPChallenge]
EntryPoint = "foobar"
[ACME.TLSChallenge]
[[ACME.Domains]]
Main = "foobar"
SANs = ["foobar", "foobar"]
[[ACME.Domains]]
Main = "foobar"
SANs = ["foobar", "foobar"]
[[acme.domains]]
main = "foobar"
sans = ["foobar", "foobar"]
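Review bot: The lower-cased reference keeps every boolean at `true`, which includes `insecureSkipVerify = true` under `[serversTransport]`, `[providers.docker.tls]` and `[providers.marathon.tls]`, and `insecure = true` under the entry point's `proxyProtocol` and `forwardedHeaders` tables. file.md includes this file verbatim, so a reader who copies a table also copies settings that disable certificate verification or trust client-address information from any peer. A leading comment such as `# Placeholder values that enumerate every option; not a recommended configuration.` would make that explicit. Separately, the `[tracing.haystack]` table has no baggage-prefix key, although the CLI reference in this commit lists `--tracing.haystack.baggageprefixheadername`.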


@ -0,0 +1,244 @@
global:
checkNewVersion: true
sendAnonymousUsage: true
serversTransport:
insecureSkipVerify: true
rootCAs:
- foobar
- foobar
maxIdleConnsPerHost: 42
forwardingTimeouts:
dialTimeout: 42000000000
responseHeaderTimeout: 42000000000
idleConnTimeout: 42000000000
entryPoints:
EntryPoint0:
address: foobar
transport:
lifeCycle:
requestAcceptGraceTimeout: 42000000000
graceTimeOut: 42000000000
respondingTimeouts:
readTimeout: 42000000000
writeTimeout: 42000000000
idleTimeout: 42000000000
proxyProtocol:
insecure: true
trustedIPs:
- foobar
- foobar
forwardedHeaders:
insecure: true
trustedIPs:
- foobar
- foobar
providers:
providersThrottleDuration: 42000000000
docker:
constraints: foobar
watch: true
endpoint: foobar
defaultRule: foobar
tls:
ca: foobar
caOptional: true
cert: foobar
key: foobar
insecureSkipVerify: true
exposedByDefault: true
useBindPortIP: true
swarmMode: true
network: foobar
swarmModeRefreshSeconds: 42000000000
file:
directory: foobar
watch: true
filename: foobar
debugLogGeneratedTemplate: true
traefikFile: foobar
marathon:
constraints: foobar
trace: true
watch: true
endpoint: foobar
defaultRule: foobar
exposedByDefault: true
dcosToken: foobar
tls:
ca: foobar
caOptional: true
cert: foobar
key: foobar
insecureSkipVerify: true
dialerTimeout: 42000000000
responseHeaderTimeout: 42000000000
tlsHandshakeTimeout: 42000000000
keepAlive: 42000000000
forceTaskHostname: true
basic:
httpBasicAuthUser: foobar
httpBasicPassword: foobar
respectReadinessChecks: true
kubernetes:
endpoint: foobar
token: foobar
certAuthFilePath: foobar
disablePassHostHeaders: true
namespaces:
- foobar
- foobar
labelSelector: foobar
ingressClass: foobar
ingressEndpoint:
ip: foobar
hostname: foobar
publishedService: foobar
kubernetesCRD:
endpoint: foobar
token: foobar
certAuthFilePath: foobar
disablePassHostHeaders: true
namespaces:
- foobar
- foobar
labelSelector: foobar
ingressClass: foobar
rest:
entryPoint: foobar
rancher:
constraints: foobar
watch: true
defaultRule: foobar
exposedByDefault: true
enableServiceHealthFilter: true
refreshSeconds: 42
intervalPoll: true
prefix: foobar
api:
entryPoint: foobar
dashboard: true
statistics:
recentErrors: 42
middlewares:
- foobar
- foobar
metrics:
prometheus:
buckets:
- 42
- 42
entryPoint: foobar
middlewares:
- foobar
- foobar
dataDog:
address: foobar
pushInterval: 10000000000
statsD:
address: foobar
pushInterval: 10000000000
influxDB:
address: foobar
protocol: foobar
pushInterval: 10000000000
database: foobar
retentionPolicy: foobar
username: foobar
password: foobar
ping:
entryPoint: foobar
middlewares:
- foobar
- foobar
log:
level: foobar
filePath: foobar
format: foobar
accessLog:
filePath: foobar
format: foobar
filters:
statusCodes:
- foobar
- foobar
retryAttempts: true
minDuration: 42000000000
fields:
defaultMode: foobar
names:
name0: foobar
name1: foobar
headers:
defaultMode: foobar
names:
name0: foobar
name1: foobar
bufferingSize: 42
tracing:
serviceName: foobar
spanNameLimit: 42
jaeger:
samplingServerURL: foobar
samplingType: foobar
samplingParam: 42
localAgentHostPort: foobar
gen128Bit: true
propagation: foobar
traceContextHeaderName: foobar
zipkin:
httpEndpoint: foobar
sameSpan: true
id128Bit: true
debug: true
sampleRate: 42
dataDog:
localAgentHostPort: foobar
globalTag: foobar
debug: true
prioritySampling: true
traceIDHeaderName: foobar
parentIDHeaderName: foobar
samplingPriorityHeaderName: foobar
bagagePrefixHeaderName: foobar
instana:
localAgentHost: foobar
localAgentPort: 42
logLevel: foobar
haystack:
localAgentHost: foobar
localAgentPort: 42
globalTag: foobar
traceIDHeaderName: foobar
parentIDHeaderName: foobar
spanIDHeaderName: foobar
hostResolver:
cnameFlattening: true
resolvConfig: foobar
resolvDepth: 42
acme:
email: foobar
acmeLogging: true
caServer: foobar
storage: foobar
entryPoint: foobar
keyType: foobar
onHostRule: true
dnsChallenge:
provider: foobar
delayBeforeCheck: 42000000000
resolvers:
- foobar
- foobar
disablePropagationCheck: true
httpChallenge:
entryPoint: foobar
tlsChallenge: {}
domains:
- main: foobar
sans:
- foobar
- foobar
- main: foobar
sans:
- foobar
- foobar
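Review bot: Duration options in this new file are raw integers such as `dialTimeout: 42000000000` and `pushInterval: 10000000000`, while the TOML reference in the same commit shows `dialTimeout = 42` and `pushInterval = "10s"` for the same keys. The page does not say which unit the YAML loader applies, and a value that is off by nine orders of magnitude on `forwardingTimeouts` or `respondingTimeouts` would in practice leave those limits unenforced. If the loader accepts duration strings, writing `dialTimeout: 42s` in both files removes the ambiguity. Otherwise a comment line naming the unit, for example `# durations are in nanoseconds`, is needed next to the first such key.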


@ -3,7 +3,7 @@
Opening Connections for Incoming Requests
{: .subtitle }
![EntryPoints](../assets/img/entrypoints.png)
![entryPoints](../assets/img/entrypoints.png)
EntryPoints are the network entry points into Traefik.
They define the port which will receive the requests (whether HTTP or TCP).
@ -12,17 +12,27 @@ They define the port which will receive the requests (whether HTTP or TCP).
??? example "Port 80 only"
```toml
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
address = ":80"
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
```
```ini tab="CLI"
--entryPoints.web.address=:80
```
We define an `entrypoint` called `web` that will listen on port `80`.
??? example "Port 80 & 443"
```toml
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
@ -31,6 +41,20 @@ They define the port which will receive the requests (whether HTTP or TCP).
address = ":443"
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
```
```ini tab="CLI"
--entryPoints.web.address=:80
--entryPoints.web-secure.address=:443
```
- Two entrypoints are defined: one called `web`, and the other called `web-secure`.
- `web` listens on port `80`, and `web-secure` on port `443`.
@ -43,38 +67,63 @@ You can define them using a toml file, CLI arguments, or a key-value store.
See the complete reference for the list of available options:
```toml tab="File"
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.EntryPoint0]
Address = ":8888"
[entryPoints.EntryPoint0.Transport]
[entryPoints.EntryPoint0.Transport.LifeCycle]
RequestAcceptGraceTimeout = 42
GraceTimeOut = 42
[entryPoints.EntryPoint0.Transport.RespondingTimeouts]
ReadTimeout = 42
WriteTimeout = 42
IdleTimeout = 42
[entryPoints.EntryPoint0.ProxyProtocol]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
[entryPoints.EntryPoint0.ForwardedHeaders]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
address = ":8888"
[entryPoints.EntryPoint0.transport]
[entryPoints.EntryPoint0.transport.lifeCycle]
requestAcceptGraceTimeout = 42
graceTimeOut = 42
[entryPoints.EntryPoint0.transport.respondingTimeouts]
readTimeout = 42
writeTimeout = 42
idleTimeout = 42
[entryPoints.EntryPoint0.proxyProtocol]
insecure = true
trustedIPs = ["foobar", "foobar"]
[entryPoints.EntryPoint0.forwardedHeaders]
insecure = true
trustedIPs = ["foobar", "foobar"]
```
```yaml tab="File (YAML)"
entryPoints:
EntryPoint0:
address: ":8888"
transport:
lifeCycle:
requestAcceptGraceTimeout: 42
graceTimeOut: 42
respondingTimeouts:
readTimeout: 42
writeTimeout: 42
idleTimeout: 42
proxyProtocol:
insecure: true
trustedIPs:
- "foobar"
- "foobar"
forwardedHeaders:
insecure: true
trustedIPs:
- "foobar"
- "foobar"
```
```ini tab="CLI"
--entryPoints.EntryPoint0.Address=:8888
--entryPoints.EntryPoint0.Transport.LifeCycle.RequestAcceptGraceTimeout=42
--entryPoints.EntryPoint0.Transport.LifeCycle.GraceTimeOut=42
--entryPoints.EntryPoint0.Transport.RespondingTimeouts.ReadTimeout=42
--entryPoints.EntryPoint0.Transport.RespondingTimeouts.WriteTimeout=42
--entryPoints.EntryPoint0.Transport.RespondingTimeouts.IdleTimeout=42
--entryPoints.EntryPoint0.ProxyProtocol.Insecure=true
--entryPoints.EntryPoint0.ProxyProtocol.TrustedIPs=foobar,foobar
--entryPoints.EntryPoint0.ForwardedHeaders.Insecure=true
--entryPoints.EntryPoint0.ForwardedHeaders.TrustedIPs=foobar,foobar
--entryPoints.EntryPoint0.address=:8888
--entryPoints.EntryPoint0.transport.lifeCycle.requestAcceptGraceTimeout=42
--entryPoints.EntryPoint0.transport.lifeCycle.graceTimeOut=42
--entryPoints.EntryPoint0.transport.respondingTimeouts.readTimeout=42
--entryPoints.EntryPoint0.transport.respondingTimeouts.writeTimeout=42
--entryPoints.EntryPoint0.transport.respondingTimeouts.idleTimeout=42
--entryPoints.EntryPoint0.proxyProtocol.insecure=true
--entryPoints.EntryPoint0.proxyProtocol.trustedIPs=foobar,foobar
--entryPoints.EntryPoint0.forwardedHeaders.insecure=true
--entryPoints.EntryPoint0.forwardedHeaders.trustedIPs=foobar,foobar
```
## ProxyProtocol
@ -83,7 +132,7 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
??? example "Enabling Proxy Protocol with Trusted IPs"
```toml
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
@ -92,6 +141,21 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
proxyProtocol
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
```
```ini tab="CLI"
--entryPoints.web.address=:80
--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.1.7
```
IPs in `trustedIPs` only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.
??? example "Insecure Mode -- Testing Environment Only"
@ -99,7 +163,7 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
In a test environments, you can configure Traefik to trust every incoming connection.
Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
```toml
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
@ -108,6 +172,19 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
insecure = true
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
proxyProtocol:
insecure: true
```
```ini tab="CLI"
--entryPoints.web.address=:80
--entryPoints.web.proxyProtocol.insecure
```
!!! warning "Queuing Traefik behind Another Load Balancer"
When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.
@ -119,7 +196,7 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
??? example "Trusting Forwarded Headers from specific IPs"
```toml
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
@ -128,13 +205,41 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
forwardedHeaders
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
```
```ini tab="CLI"
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
```
??? example "Insecure Mode -- Always Trusting Forwarded Headers"
```toml
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
insecure = true
insecure = true
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
forwardedHeaders:
insecure: true
```
```ini tab="CLI"
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.insecure
```


@ -24,29 +24,82 @@ If they do, the router might transform the request using pieces of [middleware](
Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`.
In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)).
```toml
Static configuration:
```toml tab="TOML"
[entryPoints]
[entryPoints.web]
address = ":8081" # Listen on port 8081 for incoming requests
[entryPoints.web]
# Listen on port 8081 for incoming requests
address = ":8081"
[providers]
[providers.file] # Enable the file provider to define routers / middlewares / services in a file
# Enable the file provider to define routers / middlewares / services in a file
[providers.file]
```
[http] # http routing section
[http.routers]
[http.routers.to-whoami] # Define a connection between requests and services
rule = "Host(domain) && PathPrefix(/whoami/)"
middlewares = ["test-user"] # If the rule matches, applies the middleware
service = "whoami" # If the rule matches, forward to the whoami service (declared below)
```yaml tab="YAML"
entryPoints:
web:
# Listen on port 8081 for incoming requests
address: :8081
[http.middlewares]
[http.middlewares.test-user.basicauth] # Define an authentication mechanism
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
providers:
# Enable the file provider to define routers / middlewares / services in a file
file: {}
```
[http.services]
[http.services.whoami.loadbalancer] # Define how to reach an existing service on our infrastructure
[[http.services.whoami.loadbalancer.servers]]
url = "http://private/whoami-service"
Dynamic configuration:
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`domain`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
```
```yaml tab="YAML"
# http routing section
http:
routers:
# Define a connection between requests and services
to-whoami:
rule: "Host(`domain`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares:
- test-user
# If the rule matches, forward to the whoami service (declared below)
service: whoami
middlewares:
# Define an authentication mechanism
test-user:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
services:
# Define how to reach an existing service on our infrastructure
whoami:
loadBalancer:
servers:
- url: http://private/whoami-service
```
!!! note "The File Provider"
@ -61,39 +114,104 @@ In the process, Traefik will make sure that the user is authenticated (using the
??? example "Adding a TCP route for TLS requests on whoami.traefik.io"
```toml
Static configuration:
```toml tab="TOML"
[entryPoints]
[entryPoints.web]
address = ":8081" # Listen on port 8081 for incoming requests
[entryPoints.web]
# Listen on port 8081 for incoming requests
address = ":8081"
[providers]
[providers.file] # Enable the file provider to define routers / middlewares / services in a file
[http] # http routing section
[http.routers]
[http.routers.to-whoami] # Define a connection between requests and services
rule = "Host(`domain`) && PathPrefix(/whoami/)"
middlewares = ["test-user"] # If the rule matches, applies the middleware
service = "whoami" # If the rule matches, forward to the whoami service (declared below)
[http.middlewares]
[http.middlewares.test-user.basicauth] # Define an authentication mechanism
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
[http.services.whoami.loadbalancer] # Define how to reach an existing service on our infrastructure
[[http.services.whoami.loadbalancer.servers]]
url = "http://private/whoami-service"
[tcp]
[tcp.routers]
[tcp.routers.to-whoami-tcp]
rule = "HostSNI(`whoami-tcp.traefik.io`)"
service = "whoami-tcp"
[tcp.routers.to-whoami-tcp.tls]
[tcp.services]
[tcp.services.whoami-tcp.loadbalancer]
[[tcp.services.whoami-tcp.loadbalancer.servers]]
address = "xx.xx.xx.xx:xx"
# Enable the file provider to define routers / middlewares / services in a file
[providers.file]
```
```yaml tab="YAML"
entryPoints:
web:
# Listen on port 8081 for incoming requests
address: :8081
providers:
# Enable the file provider to define routers / middlewares / services in a file
file: {}
```
Dynamic configuration:
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`domain`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
[tcp]
[tcp.routers]
[tcp.routers.to-whoami-tcp]
rule = "HostSNI(`whoami-tcp.traefik.io`)"
service = "whoami-tcp"
[tcp.routers.to-whoami-tcp.tls]
[tcp.services]
[tcp.services.whoami-tcp.loadBalancer]
[[tcp.services.whoami-tcp.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
```yaml tab="YAML"
# http routing section
http:
routers:
# Define a connection between requests and services
to-whoami:
rule: Host(`domain`) && PathPrefix(`/whoami/`)
# If the rule matches, applies the middleware
middlewares:
- test-user
# If the rule matches, forward to the whoami service (declared below)
service: whoami
middlewares:
# Define an authentication mechanism
test-user:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
services:
# Define how to reach an existing service on our infrastructure
whoami:
loadBalancer:
servers:
- url: http://private/whoami-service
tcp:
routers:
to-whoami-tcp:
service: whoami-tcp
rule: HostSNI(`whoami-tcp.traefik.io`)
services:
whoami-tcp:
loadBalancer:
servers:
- address: xx.xx.xx.xx:xx
```
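Review bot: The YAML tab of the "Adding a TCP route for TLS requests" example defines `to-whoami-tcp` without a TLS section, while the TOML tab beside it declares `[tcp.routers.to-whoami-tcp.tls]`. The routers page changed in this same commit says a catch-all HostSNI is the only rule available to non-TLS routers, so the YAML variant would presumably not match on the SNI host it names. Adding `tls: {}` under `to-whoami-tcp` in the YAML tab would make the two tabs equivalent.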


@ -12,40 +12,84 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie
??? example "Requests /foo are Handled by service-foo -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.routers]
[http.routers.my-router]
rule = "Path(`/foo`)"
service = "service-foo"
rule = "Path(`/foo`)"
service = "service-foo"
```
```yaml tab="YAML"
http:
routers:
my-router:
rule: "Path(`/foo`)"
service: service-foo
```
??? example "With a [middleware](../../middlewares/overview.md) -- using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.routers]
[http.routers.my-router]
rule = "Path(`/foo`)"
middlewares = ["authentication"] # declared elsewhere
service = "service-foo"
rule = "Path(`/foo`)"
# declared elsewhere
middlewares = ["authentication"]
service = "service-foo"
```
```yaml tab="YAML"
http:
routers:
my-router:
rule: "Path(`/foo`)"
# declared elsewhere
middlewares:
- authentication
service: service-foo
```
??? example "Forwarding all (non-tls) requests on port 3306 to a database service"
```toml
[entryPoints]
[entryPoints.mysql-default]
address = ":80"
[entryPoints.mysql-default]
address = ":3306"
```toml tab="TOML"
## Static configuration ##
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.mysql-default]
address = ":3306"
## Dynamic configuration ##
[tcp]
[tcp.routers]
[tcp.routers.to-database]
entryPoints = ["mysql-default"]
# Catch every request (only available rule for non-tls routers. See below.)
rule = "HostSNI(`*`)"
service = "database"
```
```toml
[tcp]
[tcp.routers]
[tcp.routers.to-database]
entryPoints = ["mysql-default"]
rule = "HostSNI(`*`)" # Catch every request (only available rule for non-tls routers. See below.)
service = "database"
```yaml tab="YAML"
## Static configuration ##
entryPoints:
web:
address: ":80"
mysql-default:
address: ":3306"
## Dynamic configuration ##
tcp:
routers:
to-database:
entryPoints:
- "mysql-default"
# Catch every request (only available rule for non-tls routers. See below.)
rule: "HostSNI(`*`)"
service: database
```
## Configuring HTTP Routers
@ -57,42 +101,93 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
??? example "Listens to Every EntryPoint"
```toml
```toml tab="TOML"
## Static configuration ##
[entryPoints]
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
## Dynamic configuration ##
[http.routers]
[http.routers.Router-1]
# By default, routers listen to every entry points
rule = "Host(`traefik.io`)"
service = "service-1"
```
```toml
[http.routers]
[http.routers.Router-1]
# By default, routers listen to every entrypoints
rule = "Host(`traefik.io`)"
service = "service-1"
```yaml tab="YAML"
## Static configuration ##
entryPoints:
web:
# ...
web-secure:
# ...
other:
# ...
## Dynamic configuration ##
http:
routers:
Router-1:
# By default, routers listen to every entry points
rule: "Host(`traefik.io`)"
service: "service-1"
```
??? example "Listens to Specific EntryPoints"
```toml
```toml tab="TOML"
## Static configuration ##
[entryPoints]
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
## Dynamic configuration ##
[http.routers]
[http.routers.Router-1]
# won't listen to entry point web
entryPoints = ["web-secure", "other"]
rule = "Host(`traefik.io`)"
service = "service-1"
```
```toml
[http.routers]
[http.routers.Router-1]
entryPoints = ["web-secure", "other"] # won't listen to entrypoint web
rule = "Host(`traefik.io`)"
service = "service-1"
```yaml tab="YAML"
## Static configuration ##
entryPoints:
web:
# ...
web-secure:
# ...
other:
# ...
## Dynamic configuration ##
http:
routers:
Router-1:
# won't listen to entry point web
entryPoints:
- "web-secure"
- "other"
rule: "Host(`traefik.io`)"
service: "service-1"
```
### Rule
@ -170,12 +265,23 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
??? example "Configuring the router to accept HTTPS requests only"
```toml
```toml tab="TOML"
[http.routers]
[http.routers.Router-1]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
[http.routers.Router-1.tls] # will terminate the TLS request
[http.routers.Router-1]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
# will terminate the TLS request
[http.routers.Router-1.tls]
```
```yaml tab="YAML"
http:
routers:
Router-1:
rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
service: service-id
# will terminate the TLS request
tls: {}
```
!!! note "HTTPS & ACME"
@ -192,40 +298,75 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
??? example "HTTP & HTTPS routes"
```toml
```toml tab="TOML"
[http.routers]
[http.routers.my-https-router]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
[http.routers.my-https-router.tls] # will terminate the TLS request
[http.routers.my-https-router]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
# will terminate the TLS request
[http.routers.my-https-router.tls]
[http.routers.my-http-router]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
[http.routers.my-http-router]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
```
```yaml tab="YAML"
http:
routers:
my-https-router:
rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
service: service-id
# will terminate the TLS request
tls: {}
my-http-router:
rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
service: service-id
```
#### `Options`
The `Options` field enables fine-grained control of the TLS parameters.
It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
??? example "Configuring the tls options"
??? example "Configuring the TLS options"
```toml
```toml tab="TOML"
[http.routers]
[http.routers.Router-1]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
[http.routers.Router-1.tls] # will terminate the TLS request
options = "foo"
[http.routers.Router-1]
rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
service = "service-id"
# will terminate the TLS request
[http.routers.Router-1.tls]
options = "foo"
[tlsOptions]
[tlsOptions.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[tls.options]
[tls.options.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
```
```yaml tab="YAML"
http:
routers:
Router-1:
rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
service: service-id
# will terminate the TLS request
tls:
options: foo
tls:
options:
foo:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
```
## Configuring TCP Routers
@ -242,44 +383,100 @@ If you want to limit the router scope to a set of entry points, set the entry po
??? example "Listens to Every Entry Point"
```toml
```toml tab="TOML"
## Static configuration ##
[entryPoints]
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
## Dynamic configuration ##
[tcp.routers]
[tcp.routers.Router-1]
# By default, routers listen to every entrypoints
rule = "HostSNI(`traefik.io`)"
service = "service-1"
# will route TLS requests (and ignore non tls requests)
[tcp.routers.Router-1.tls]
```
```toml
[tcp.routers]
[tcp.routers.Router-1]
```yaml tab="YAML"
## Static configuration ##
entryPoints:
web:
# ...
web-secure:
# ...
other:
# ...
## Dynamic configuration ##
tcp:
routers:
Router-1:
# By default, routers listen to every entrypoints
rule = "HostSNI(`traefik.io`)"
service = "service-1"
[tcp.routers.Router-1.tls] # will route TLS requests (and ignore non tls requests)
rule: "HostSNI(`traefik.io`)"
service: "service-1"
# will route TLS requests (and ignore non tls requests)
tls: {}
```
??? example "Listens to Specific Entry Points"
```toml
```toml tab="TOML"
## Static configuration ##
[entryPoints]
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
[entryPoints.web]
# ...
[entryPoints.web-secure]
# ...
[entryPoints.other]
# ...
## Dynamic configuration ##
[tcp.routers]
[tcp.routers.Router-1]
# won't listen to entry point web
entryPoints = ["web-secure", "other"]
rule = "HostSNI(`traefik.io`)"
service = "service-1"
# will route TLS requests (and ignore non tls requests)
[tcp.routers.Router-1.tls]
```
```toml
[tcp.routers]
[tcp.routers.Router-1]
entryPoints = ["web-secure", "other"] # won't listen to entrypoint web
rule = "HostSNI(`traefik.io`)"
service = "service-1"
[tcp.routers.Router-1.tls] # will route TLS requests (and ignore non tls requests)
```yaml tab="YAML"
## Static configuration ##
entryPoints:
web:
# ...
web-secure:
# ...
other:
# ...
## Dynamic configuration ##
tcp:
routers:
Router-1:
# won't listen to entry point web
entryPoints:
- "web-secure"
- "other"
rule: "HostSNI(`traefik.io`)"
service: "service-1"
# will route TLS requests (and ignore non tls requests)
tls: {}
```
### Rule
@ -312,23 +509,44 @@ Services are the target for the router.
??? example "Configuring TLS Termination"
```toml
```toml tab="TOML"
[tcp.routers]
[tcp.routers.Router-1]
rule = "HostSNI(`foo-domain`)"
service = "service-id"
[tcp.routers.Router-1.tls] # will terminate the TLS request by default
[tcp.routers.Router-1]
rule = "HostSNI(`foo-domain`)"
service = "service-id"
# will terminate the TLS request by default
[tcp.routers.Router-1.tls]
```
```yaml tab="YAML"
tcp:
routers:
Router-1:
rule: "HostSNI(`foo-domain`)"
service: service-id
# will terminate the TLS request by default
tld: {}
```
??? example "Configuring passthrough"
```toml
```toml tab="TOML"
[tcp.routers]
[tcp.routers.Router-1]
rule = "HostSNI(`foo-domain`)"
service = "service-id"
[tcp.routers.Router-1.tls]
passthrough=true
[tcp.routers.Router-1]
rule = "HostSNI(`foo-domain`)"
service = "service-id"
[tcp.routers.Router-1.tls]
passthrough = true
```
```yaml tab="YAML"
tcp:
routers:
Router-1:
rule: "HostSNI(`foo-domain`)"
service: service-id
tls:
passthrough: true
```
!!! note "TLS & ACME"
@ -338,23 +556,43 @@ Services are the target for the router.
#### `Options`
The `Options` field enables fine-grained control of the TLS parameters.
It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
??? example "Configuring the tls options"
```toml
```toml tab="TOML"
[tcp.routers]
[tcp.routers.Router-1]
rule = "HostSNI(`foo-domain`)"
service = "service-id"
[tcp.routers.Router-1.tls] # will terminate the TLS request
options = "foo"
[tcp.routers.Router-1]
rule = "HostSNI(`foo-domain`)"
service = "service-id"
# will terminate the TLS request
[tcp.routers.Router-1.tls]
options = "foo"
[tlsOptions]
[tlsOptions.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[tls.options]
[tls.options.foo]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
```
```yaml tab="YAML"
tcp:
routers:
Router-1:
rule: "HostSNI(`foo-domain`)"
service: service-id
# will terminate the TLS request
tls:
options: foo
tls:
options:
foo:
minVersion: VersionTLS12
cipherSuites:
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_RSA_WITH_AES_256_GCM_SHA384"
```
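Review bot: In the YAML tab of "Configuring TLS Termination" the router carries `tld: {}`, which looks like a typo for `tls: {}`; the TOML tab beside it uses `[tcp.routers.Router-1.tls]`. A reader copying the YAML gets a router with no TLS section, so depending on how unknown keys are handled, the file is either rejected or the router is created without TLS termination. Separately, both `tls.options.foo` examples list `TLS_RSA_WITH_AES_256_GCM_SHA384`, a suite without forward secrecy. Since these blocks read as hardening examples, consider dropping that suite or adding a comment such as `# RSA key exchange has no forward secrecy; keep only for legacy clients`.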


@ -11,25 +11,45 @@ The `Services` are responsible for configuring how to reach the actual services
??? example "Declaring an HTTP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.services]
[http.services.my-service.LoadBalancer]
[http.services.my-service.loadBalancer]
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-2/"
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-1/"
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-2/"
```
```yaml tab="YAML"
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://private-ip-server-1/"
- url: "http://private-ip-server-2/"
```
??? example "Declaring a TCP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[tcp.services]
[tcp.services.my-service.LoadBalancer]
[[tcp.services.my-service.LoadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[[tcp.services.my-service.LoadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[tcp.services.my-service.loadBalancer]
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
```yaml tab="YAML"
tcp:
services:
my-service:
loadBalancer:
servers:
- address: "xx.xx.xx.xx:xx"
- address: "xx.xx.xx.xx:xx"
```
## Configuring HTTP Services
@ -46,14 +66,24 @@ The load balancers are able to load balance the requests between multiple instan
??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.services]
[http.services.my-service.LoadBalancer]
[http.services.my-service.loadBalancer]
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-2/"
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-1/"
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-2/"
```
```yaml tab="YAML"
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://private-ip-server-1/"
- url: "http://private-ip-server-2/"
```
#### Servers
@ -68,11 +98,20 @@ The `url` option point to a specific instance.
??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.services]
[http.services.my-service.LoadBalancer]
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
[http.services.my-service.loadBalancer]
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-1/"
```
```yaml tab="YAML"
http:
services:
my-service:
loadBalancer:
servers:
url: "http://private-ip-server-1/"
```
#### Load-balancing
@ -81,13 +120,23 @@ For now, only round robin load balancing is supported:
??? example "Load Balancing -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.services]
[http.services.my-service.LoadBalancer]
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
[[http.services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
[http.services.my-service.loadBalancer]
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-1/"
[[http.services.my-service.loadBalancer.servers]]
url = "http://private-ip-server-2/"
```
```yaml tab="YAML"
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://private-ip-server-1/"
- url: "http://private-ip-server-2/"
```
#### Sticky sessions
@ -109,39 +158,56 @@ On subsequent requests, the client is forwarded to the same server.
??? example "Adding Stickiness"
```toml
```toml tab="TOML"
[http.services]
[http.services.my-service]
[http.services.my-service.LoadBalancer.stickiness]
secureCookie = true
httpOnlyCookie = true
[http.services.my-service.loadBalancer.stickiness]
```
```yaml tab="YAML"
http:
services:
my-service:
loadBalancer:
stickiness: {}
```
??? example "Adding Stickiness with a Custom Cookie Name"
```toml
```toml tab="TOML"
[http.services]
[http.services.my-service]
[http.services.my-service.LoadBalancer.stickiness]
cookieName = "my_stickiness_cookie_name"
secureCookie = true
httpOnlyCookie = true
[http.services.my-service.loadBalancer.stickiness]
cookieName = "my_stickiness_cookie_name"
secureCookie = true
httpOnlyCookie = true
```
```yaml tab="YAML"
http:
services:
my-service:
loadBalancer:
stickiness:
cookieName: my_stickiness_cookie_name
secureCookie: true
httpOnlyCookie: true
```
#### Health Check
Configure healthcheck to remove unhealthy servers from the load balancing rotation.
Configure health check to remove unhealthy servers from the load balancing rotation.
Traefik will consider your servers healthy as long as they return status codes between `2XX` and `3XX` to the health check requests (carried out every `interval`).
Below are the available options for the health check mechanism:
- `path` is appended to the server URL to set the healcheck endpoint.
- `scheme`, if defined, will replace the server URL `scheme` for the healthcheck endpoint
- `hostname`, if defined, will replace the server URL `hostname` for the healthcheck endpoint.
- `port`, if defined, will replace the server URL `port` for the healthcheck endpoint.
- `interval` defines the frequency of the healthcheck calls.
- `timeout` defines the maximum duration Traefik will wait for a healthcheck request before considering the server failed (unhealthy).
- `headers` defines custom headers to be sent to the healthcheck endpoint.
- `path` is appended to the server URL to set the health check endpoint.
- `scheme`, if defined, will replace the server URL `scheme` for the health check endpoint
- `hostname`, if defined, will replace the server URL `hostname` for the health check endpoint.
- `port`, if defined, will replace the server URL `port` for the health check endpoint.
- `interval` defines the frequency of the health check calls.
- `timeout` defines the maximum duration Traefik will wait for a health check request before considering the server failed (unhealthy).
- `headers` defines custom headers to be sent to the health check endpoint.
!!! note "Interval & Timeout Format"
@ -153,48 +219,91 @@ Below are the available options for the health check mechanism:
Traefik keeps monitoring the health of unhealthy servers.
If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balacer rotation pool.
??? example "Custom Interval & Timeout -- Using the File Provider"
??? example "Custom Interval & Timeout -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[http.services]
[http.servicess.Service-1]
[http.services.Service-1.healthcheck]
path = "/health"
interval = "10s"
timeout = "3s"
[http.services.Service-1.loadBalancer.healthCheck]
path = "/health"
interval = "10s"
timeout = "3s"
```
??? example "Custom Port -- Using the File Provider"
```yaml tab="YAML"
http:
servicess:
Service-1:
loadBalancer:
healthCheck:
path: /health
interval: "10s"
timeout: "3s"
```
```toml
??? example "Custom Port -- Using the [File Provider](../../providers/file.md)"
```toml tab="TOML"
[http.services]
[http.services.Service-1]
[http.services.Service-1.healthcheck]
path = "/health"
port = 8080
[http.services.Service-1.loadBalancer.healthCheck]
path = "/health"
port = 8080
```
??? example "Custom Scheme -- Using the File Provider"
```yaml tab="YAML"
http:
services:
Service-1:
loadBalancer:
healthCheck:
path: /health
port: 8080
```
```toml
??? example "Custom Scheme -- Using the [File Provider](../../providers/file.md)"
```toml tab="TOML"
[http.services]
[http.services.Service-1]
[http.services.Service-1.healthcheck]
path = "/health"
scheme = "http"
[http.services.Service-1.loadBalancer.healthCheck]
path = "/health"
scheme = "http"
```
??? example "Additional HTTP Headers -- Using the File Provider"
```yaml tab="YAML"
http:
services:
Service-1:
loadBalancer:
healthCheck:
path: /health
scheme: http
```
```toml
??? example "Additional HTTP Headers -- Using the [File Provider](../../providers/file.md)"
```toml tab="TOML"
[http.services]
[http.services.Service-1]
[http.servicess.Service-1.healthcheck]
path = "/health"
[http.services.Service-1]
[http.services.Service-1.loadBalancer.healthCheck]
path = "/health"
[Service.Service-1.healthcheck.headers]
My-Custom-Header = "foo"
My-Header = "bar"
[http.services.Service-1.loadBalancer.healthCheck.headers]
My-Custom-Header = "foo"
My-Header = "bar"
```
```yaml tab="YAML"
http:
services:
Service-1:
loadBalancer:
healthCheck:
path: /health
headers:
My-Custom-Header: foo
My-Header: bar
```
## Configuring TCP Services
@ -211,13 +320,23 @@ The load balancers are able to load balance the requests between multiple instan
??? example "Declaring a Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[tcp.services]
[tcp.services.my-service.LoadBalancer]
[[tcp.services.my-service.LoadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[[tcp.services.my-service.LoadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[tcp.services.my-service.loadBalancer]
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
```yaml tab="YAML"
tcp:
services:
my-service:
loadBalancer:
servers:
- address: "xx.xx.xx.xx:xx"
- address: "xx.xx.xx.xx:xx"
```
#### Servers
@ -227,9 +346,18 @@ The `address` option (IP:Port) point to a specific instance.
??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"
```toml
```toml tab="TOML"
[tcp.services]
[tcp.services.my-service.LoadBalancer]
[[tcp.services.my-service.LoadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[tcp.services.my-service.loadBalancer]
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
```yaml tab="YAML"
tcp:
services:
my-service:
loadBalancer:
servers:
address: "xx.xx.xx.xx:xx"
```
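Review bot: Three YAML examples in this file do not describe the same structure as their TOML tabs. The "Custom Interval & Timeout" tab uses the key `servicess:` instead of `services:`, and both "A Service with One Server" tabs (HTTP and TCP) put `url:` / `address:` directly under `servers:`, where every other example uses a list item, i.e. `- url: "http://private-ip-server-1/"` and `- address: "xx.xx.xx.xx:xx"`. Also, the first stickiness example appears to lose `secureCookie = true` and `httpOnlyCookie = true` (its YAML tab is `stickiness: {}`). If those flags are off by default, a line saying so next to the example would keep readers from deploying the affinity cookie without them.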


@ -0,0 +1,252 @@
# gRPC Examples
## With HTTP (h2c)
This section explains how to use Traefik as reverse proxy for gRPC application.
### Traefik Configuration
```toml tab="TOML"
## static configuration ##
[entryPoints]
[entryPoints.http]
address = ":80"
[api]
[providers.file]
## dynamic configuration ##
[http]
[http.routers]
[http.routers.routerTest]
service = "srv-grpc"
rule = "Host(`frontend.local`)"
[http.services]
[http.services.srv-grpc]
[http.services.srv-grpc.loadBalancer]
[[http.services.srv-grpc.loadBalancer.servers]]
url = "h2c://backend.local:8080"
```
```yaml tab="YAML"
## static configuration ##
entryPoints:
http:
address: :80
providers:
file: {}
api: {}
## dynamic configuration ##
http:
routers:
routerTest:
service: srv-grpc
rule: Host(`frontend.local`)
services:
srv-grpc:
loadBalancer:
servers:
- url: h2c://backend.local:8080
```
!!! warning
For providers with labels, you will have to specify the `traefik.http.services.<my-service-name>.loadbalancer.server.scheme=h2c`
### Conclusion
We don't need specific configuration to use gRPC in Traefik, we just need to use `h2c` protocol, or use HTTPS communications to have HTTP2 with the backend.
## With HTTPS
This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.
![gRPC architecture](../assets/img/user-guides/grpc.svg)
### gRPC Server Certificate
In order to secure the gRPC server, we generate a self-signed certificate for service url:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.cert
```
That will prompt for information, the important answer is:
```txt
Common Name (e.g. server FQDN or YOUR name) []: backend.local
```
### gRPC Client Certificate
Generate your self-signed certificate for router url:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.cert
```
with
```txt
Common Name (e.g. server FQDN or YOUR name) []: frontend.local
```
### Traefik Configuration
At last, we configure our Traefik instance to use both self-signed certificates.
```toml tab="TOML"
## static configuration ##
[entryPoints]
[entryPoints.https]
address = ":4443"
[serversTransport]
# For secure connection on backend.local
rootCAs = [ "./backend.cert" ]
[api]
[provider.file]
## dynamic configuration ##
[http]
[http.routers]
[http.routers.routerTest]
service = "srv-grpc"
rule = "Host(`frontend.local`)"
[http.services]
[http.services.srv-grpc]
[http.services.srv-grpc.loadBalancer]
[[http.services.srv-grpc.loadBalancer.servers]]
# Access on backend with HTTPS
url = "https://backend.local:8080"
[tls]
# For secure connection on frontend.local
[[tls.certificates]]
certFile = "./frontend.cert"
keyFile = "./frontend.key"
```
```yaml tab="YAML"
## static configuration ##
entryPoints:
https:
address: :4443
serversTransport:
# For secure connection on backend.local
rootCAs:
- ./backend.cert
providers:
file: {}
api: {}
## dynamic configuration ##
http:
routers:
routerTest:
service: srv-grpc
rule: Host(`frontend.local`)
services:
srv-grpc:
loadBalancer:
servers:
# Access on backend with HTTPS
- url: https://backend.local:8080
tls:
# For secure connection on frontend.local
certificates:
- certfile: ./frontend.cert
keyfile: ./frontend.key
```
!!! warning
With some services, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAs` to activate HTTPS without hostname verification.
### A gRPC example in go (modify for https)
We use the gRPC greeter example in [grpc-go](https://github.com/grpc/grpc-go/tree/master/examples/helloworld)
!!! warning
In order to use this gRPC example, we need to modify it to use HTTPS
So we modify the "gRPC server example" to use our own self-signed certificate:
```go
// ...
// Read cert and key file
backendCert, _ := ioutil.ReadFile("./backend.cert")
backendKey, _ := ioutil.ReadFile("./backend.key")
// Generate Certificate struct
cert, err := tls.X509KeyPair(backendCert, backendKey)
if err != nil {
log.Fatalf("failed to parse certificate: %v", err)
}
// Create credentials
creds := credentials.NewServerTLSFromCert(&cert)
// Use Credentials in gRPC server options
serverOption := grpc.Creds(creds)
var s *grpc.Server = grpc.NewServer(serverOption)
defer s.Stop()
pb.RegisterGreeterServer(s, &server{})
err := s.Serve(lis)
// ...
```
Next we will modify gRPC Client to use our Traefik self-signed certificate:
```go
// ...
// Read cert file
frontendCert, _ := ioutil.ReadFile("./frontend.cert")
// Create CertPool
roots := x509.NewCertPool()
roots.AppendCertsFromPEM(frontendCert)
// Create credentials
credsClient := credentials.NewClientTLSFromCert(roots, "")
// Dial with specific Transport (with credentials)
conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient))
if err != nil {
log.Fatalf("did not connect: %v", err)
}
defer conn.Close()
client := pb.NewGreeterClient(conn)
name := "World"
r, err := client.SayHello(context.Background(), &pb.HelloRequest{Name: name})
// ...
```


@ -17,10 +17,10 @@ Traefik tries to detect the configured mode and route traffic to the right IP ad
Traefik also attempts to determine the right port (which is a [non-trivial matter in Marathon](https://mesosphere.github.io/marathon/docs/ports.html)).
Following is the order by which Traefik tries to identify the port (the first one that yields a positive result will be used):
1. A arbitrary port specified through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=8080`
1. The task port (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
1. The port from the application's `portDefinitions` field (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
1. The port from the application's `ipAddressPerTask` field (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
1. A arbitrary port specified through the `traefik.http.services.serviceName.loadbalancer.server.port=8080`
1. The task port (possibly indexed through the `traefik.http.services.serviceName.loadbalancer.server.port=index:0` label, otherwise the first one).
1. The port from the application's `portDefinitions` field (possibly indexed through the `traefik.http.services.serviceName.loadbalancer.server.port=index:0` label, otherwise the first one).
1. The port from the application's `ipAddressPerTask` field (possibly indexed through the `traefik.http.services.serviceName.loadbalancer.server.port=index:0` label, otherwise the first one).
## Achieving high availability
@ -47,7 +47,7 @@ Beginning with version 1.4, Traefik respects readiness check results if the Trae
!!! note
Due to the way readiness check results are currently exposed by the Marathon API, ready tasks may be taken into rotation with a small delay.
It is on the order of one readiness check timeout interval (as configured on the application specifiation) and guarantees that non-ready tasks do not receive traffic prematurely.
It is on the order of one readiness check timeout interval (as configured on the application specification) and guarantees that non-ready tasks do not receive traffic prematurely.
If readiness checks are not possible, a current mitigation strategy is to enable [retries](../middlewares/retry.md) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
Apart from its probabilistic nature, the workaround comes at the price of increased latency.
@ -80,7 +80,7 @@ Failure reasons vary broadly and could stretch from unacceptable slowness, a tas
There are two mitigaton efforts:
1. Configure [Marathon health checks](https://mesosphere.github.io/marathon/docs/health-checks.html) on each application.
2. Configure Traefik health checks (possibly via the `traefik.HTTP.Services.YourServiceName.LoadBalancer.HealthCheck.*` labels) and make sure they probe with proper frequency.
2. Configure Traefik health checks (possibly via the `traefik.http.services.yourServiceName.loadbalancer.healthcheck.*` labels) and make sure they probe with proper frequency.
The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves.
However, they might take a while to get triggered and the follow-up processes to complete.


@ -119,9 +119,16 @@ nav:
- 'Observability':
- 'Logs': 'observability/logs.md'
- 'Access Logs': 'observability/access-logs.md'
- 'Tracing': 'observability/tracing.md'
- 'Tracing':
- 'Overview': 'observability/tracing/overview.md'
- 'Jaeger': 'observability/tracing/jaeger.md'
- 'Zipkin': 'observability/tracing/zipkin.md'
- 'DataDog': 'observability/tracing/datadog.md'
- 'Instana': 'observability/tracing/instana.md'
- 'Haystack': 'observability/tracing/haystack.md'
- 'User Guides':
- 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md'
- 'gRPC Examples': 'user-guides/grpc.md'
- 'Marathon': 'user-guides/marathon.md'
- 'Contributing':
- 'Thank You!': 'contributing/thank-you.md'


@ -1,10 +1,10 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "ERROR"
filePath = "traefik.log"
level = "ERROR"
filePath = "traefik.log"
[accessLog]
filePath = "access.log"
@ -24,7 +24,7 @@ filePath = "traefik.log"
[api]
[providers]
[providers.docker]
exposedByDefault = false
defaultRule = "Host(`{{ normalize .Name }}.docker.local`)"
watch = true
[providers.docker]
exposedByDefault = false
defaultRule = "Host(`{{ normalize .Name }}.docker.local`)"
watch = true


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -40,11 +40,13 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.services]
[http.services.test.loadbalancer]
[[http.services.test.loadbalancer.servers]]
[http.services.test.loadBalancer]
[[http.services.test.loadBalancer.servers]]
url = "http://127.0.0.1:9010"
[http.routers]


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -40,20 +40,23 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.services]
[http.services.test.loadbalancer]
[[http.services.test.loadbalancer.servers]]
url = "http://127.0.0.1:9010"
[http.services.test.loadBalancer]
[[http.services.test.loadBalancer.servers]]
url = "http://127.0.0.1:9010"
[http.routers]
[http.routers.test]
entryPoints = ["web-secure"]
rule = "Host(`traefik.acme.wtf`)"
service = "test"
[http.routers.test.tls]
entryPoints = ["web-secure"]
rule = "Host(`traefik.acme.wtf`)"
service = "test"
[http.routers.test.tls]
[tlsStores.default.defaultCertificate]
certFile = "fixtures/acme/ssl/wildcard.crt"
keyFile = "fixtures/acme/ssl/wildcard.key"
[tls.stores]
[tls.stores.default.defaultCertificate]
certFile = "fixtures/acme/ssl/wildcard.crt"
keyFile = "fixtures/acme/ssl/wildcard.key"


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -36,6 +36,6 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
filename = "fixtures/acme/certificates.toml"
watch = true
[providers.file]
filename = "fixtures/acme/certificates.toml"
watch = true


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -16,7 +16,7 @@ level = "DEBUG"
address = ":9000"
# FIXME
# [entryPoints.traefik.tls]
# [entryPoints.traefik.tls.DefaultCertificate]
# [entryPoints.traefik.tls.defaultCertificate]
# certFile = "fixtures/acme/ssl/wildcard.crt"
# keyFile = "fixtures/acme/ssl/wildcard.key"
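Review bot: The commented-out TLS block under `# FIXME` is only re-cased here, and the marker still does not say what is broken or when the block can be re-enabled. A one-line reason after the marker would help, e.g. `# FIXME: TLS on the traefik entry point is disabled until <issue reference>`. As the fixture stands, the entry point on `:9000` (presumably `entryPoints.traefik`, whose header is outside the hunk) is served without TLS, which is worth stating explicitly if it is intended.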


@ -1,17 +1,16 @@
[http.services]
[http.services.test.loadbalancer]
[[http.services.test.loadbalancer.servers]]
url = "http://127.0.0.1:9010"
[http.services.test.loadBalancer]
[[http.services.test.loadBalancer.servers]]
url = "http://127.0.0.1:9010"
[http.routers]
[http.routers.test]
entryPoints = ["web-secure"]
rule = "Host(`traefik.acme.wtf`)"
service = "test"
[http.routers.test.tls]
entryPoints = ["web-secure"]
rule = "Host(`traefik.acme.wtf`)"
service = "test"
[http.routers.test.tls]
[[tls]]
[[tls.certificates]]
store = ["default"]
[tls.certificate]
certFile = "fixtures/acme/ssl/wildcard.crt"
keyFile = "fixtures/acme/ssl/wildcard.key"


@ -1,18 +1,18 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
address = ":8000"
[api]
[providers]
[providers.docker]
endpoint = "{{ .DockerHost }}"
defaultRule = "{{ .DefaultRule }}"
exposedByDefault = false
[providers.docker]
endpoint = "{{ .DockerHost }}"
defaultRule = "{{ .DefaultRule }}"
exposedByDefault = false


@ -1,18 +1,18 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
address = ":8000"
[api]
[providers]
[providers.docker]
endpoint = "{{ .DockerHost }}"
defaultRule = "{{ .DefaultRule }}"
exposedByDefault = true
[providers.docker]
endpoint = "{{ .DockerHost }}"
defaultRule = "{{ .DefaultRule }}"
exposedByDefault = true


@ -1,35 +1,37 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8080"
address = ":8080"
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
Rule = "Host(`test.local`)"
rule = "Host(`test.local`)"
service = "service1"
middlewares = ["error"]
[http.middlewares]
[http.middlewares.error.errors]
status = ["500-502", "503-599"]
service = "error"
query = "/50x.html"
[http.middlewares.error.errors]
status = ["500-502", "503-599"]
service = "error"
query = "/50x.html"
[http.services]
[http.services.service1.loadbalancer]
[http.services.service1.loadBalancer]
passHostHeader = true
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:8989474"
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server1}}:8989474"
[http.services.error.loadbalancer]
[[http.services.error.loadbalancer.servers]]
url = "http://{{.Server2}}:80"
[http.services.error.loadBalancer]
[[http.services.error.loadBalancer.servers]]
url = "http://{{.Server2}}:80"
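Review bot: The server entry `url = "http://{{.Server1}}:8989474"` under `[[http.services.service1.loadBalancer.servers]]` uses a port above 65535, so the backend can never be dialled. If that is deliberate (presumably to make the `error` middleware fall through to the `error` service), a comment on the line above should say so, e.g. `# deliberately invalid port: the backend must be unreachable so the error page is served`. Without it the value reads like a typo next to the `:80` used by the sibling fixture.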


@ -1,35 +1,37 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8080"
address = ":8080"
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
Rule = "Host(`test.local`)"
service = "service1"
middlewares = ["error"]
rule = "Host(`test.local`)"
service = "service1"
middlewares = ["error"]
[http.middlewares]
[http.middlewares.error.errors]
status = ["500-502", "503-599"]
service = "error"
query = "/50x.html"
[http.middlewares.error.errors]
status = ["500-502", "503-599"]
service = "error"
query = "/50x.html"
[http.services]
[http.services.service1.loadbalancer]
[http.services.service1.loadBalancer]
passHostHeader = true
[[http.services.service1.loadbalancer.servers]]
url = "http://{{.Server1}}:80"
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server1}}:80"
[http.services.error.loadbalancer]
[[http.services.error.loadbalancer.servers]]
url = "http://{{.Server2}}:80"
[http.services.error.loadBalancer]
[[http.services.error.loadBalancer.servers]]
url = "http://{{.Server2}}:80"


@ -1,14 +1,13 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
address = ":8000"
[providers]
[providers.file]
[providers.file]


@ -4,6 +4,6 @@
service = "service1"
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://172.17.0.2:80"


@ -4,6 +4,6 @@
service = "service2"
[http.services]
[http.services.service2.loadbalancer]
[[http.services.service2.loadbalancer.servers]]
[http.services.service2.loadBalancer]
[[http.services.service2.loadBalancer.servers]]
url = "http://172.17.0.123:80"


@ -1,14 +1,14 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
address = ":8000"
[providers]
[providers.file]
directory = "fixtures/file/dir/"
[providers.file]
directory = "fixtures/file/dir/"


@ -1,16 +1,18 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -22,6 +24,6 @@ level = "DEBUG"
service = "service1"
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
URL = "{{.Server}}"
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "{{.Server}}"


@ -1,16 +1,18 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -23,19 +25,19 @@ level = "DEBUG"
service = "service1"
[http.middlewares]
[http.middlewares.circuitbreaker.circuitbreaker]
[http.middlewares.circuitbreaker.circuitBreaker]
expression = "NetworkErrorRatio() > 0.5"
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://172.17.0.2:80"
[[http.services.service1.loadbalancer.servers]]
[[http.services.service1.loadBalancer.servers]]
url = "http://172.17.0.3:80"
[http.services.service2]
[http.services.service2.loadbalancer]
[[http.services.service2.loadbalancer.servers]]
[http.services.service2.loadBalancer]
[[http.services.service2.loadBalancer.servers]]
url = "http://172.17.0.4:80"
[[http.services.service2.loadbalancer.servers]]
[[http.services.service2.loadBalancer.servers]]
url = "http://172.17.0.5:80"


@ -1,12 +1,12 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[serversTransport]
rootCAs = [ """{{ .CertContent }}""" ]
rootCAs = [ """{{ .CertContent }}""" ]
[entryPoints]
[entryPoints.web-secure]
@ -15,7 +15,9 @@ rootCAs = [ """{{ .CertContent }}""" ]
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -24,10 +26,11 @@ rootCAs = [ """{{ .CertContent }}""" ]
[http.routers.router1.tls]
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "https://127.0.0.1:{{ .GRPCServerPort }}"
[tlsStores.default.DefaultCertificate]
[tls.stores]
[tls.stores.default.defaultCertificate]
certFile = """{{ .CertContent }}"""
keyFile = """{{ .KeyContent }}"""


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -12,7 +12,9 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -20,6 +22,6 @@ level = "DEBUG"
service = "service1"
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "h2c://127.0.0.1:{{ .GRPCServerPort }}"


@ -1,19 +1,20 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -22,10 +23,11 @@ level = "DEBUG"
[http.routers.router1.tls]
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "h2c://127.0.0.1:{{ .GRPCServerPort }}"
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "h2c://127.0.0.1:{{ .GRPCServerPort }}"
[tlsStores.default.DefaultCertificate]
[tls.stores]
[tls.stores.default.defaultCertificate]
certFile = """{{ .CertContent }}"""
keyFile = """{{ .KeyContent }}"""


@ -1,12 +1,12 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[serversTransport]
insecureSkipVerify = true
insecureSkipVerify = true
[entryPoints]
[entryPoints.web-secure]
@ -15,7 +15,9 @@ insecureSkipVerify = true
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -24,10 +26,11 @@ insecureSkipVerify = true
[http.routers.router1.tls]
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "https://127.0.0.1:{{ .GRPCServerPort }}"
[tlsStores.default.DefaultCertificate]
[tls.stores]
[tls.stores.default.defaultCertificate]
certFile = """{{ .CertContent }}"""
keyFile = """{{ .KeyContent }}"""
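Review bot: `insecureSkipVerify = true` under `[serversTransport]` turns off verification of the backend certificate for every service this instance proxies, and nothing in the file marks it as a test-only setting. A comment above the key would keep the fixture from being copied into a real deployment as-is, e.g. `# test fixture only: backend certificate is not verified; use rootCAs outside tests`. The sibling gRPC fixture already shows the verified variant with `rootCAs = [ """{{ .CertContent }}""" ]`.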


@ -1,21 +1,23 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[serversTransport]
rootCAs = [ """{{ .CertContent }}""" ]
rootCAs = [ """{{ .CertContent }}""" ]
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
address = ":4443"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -26,15 +28,16 @@ rootCAs = [ """{{ .CertContent }}""" ]
[http.middlewares]
[http.middlewares.retryer.retry]
Attempts = 2
attempts = 2
[http.services]
[http.services.service1.loadbalancer]
[http.services.service1.loadbalancer.responseForwarding]
flushInterval="1ms"
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[http.services.service1.loadBalancer.responseForwarding]
flushInterval = "1ms"
[[http.services.service1.loadBalancer.servers]]
url = "https://127.0.0.1:{{ .GRPCServerPort }}"
[tlsStores.default.DefaultCertificate]
[tls.stores]
[tls.stores.default.defaultCertificate]
certFile = """{{ .CertContent }}"""
keyFile = """{{ .KeyContent }}"""


@ -1,16 +1,18 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -18,6 +20,6 @@ level = "DEBUG"
service = "service1"
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://172.17.0.2:80"


@ -1,16 +1,18 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
@ -18,13 +20,13 @@ level = "DEBUG"
service = "service1"
[http.middlewares]
[http.middlewares.cors.Headers]
AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
AccessControlAllowOrigin = "origin-list-or-null"
AccessControlMaxAge = 100
AddVaryHeader = true
[http.middlewares.cors.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlAllowOrigin = "origin-list-or-null"
accessControlMaxAge = 100
addVaryHeader = true
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://172.17.0.2:80"


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.http1]
@ -14,20 +14,22 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
service = "service1"
Rule = "Host(`test.localhost`)"
rule = "Host(`test.localhost`)"
[http.services]
[http.services.service1.loadbalancer]
[http.services.service1.loadbalancer.healthcheck]
[http.services.service1.loadBalancer]
[http.services.service1.loadBalancer.healthcheck]
path = "/health"
interval = "1s"
timeout = "0.9s"
[[http.services.service1.loadbalancer.servers]]
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server1}}:80"
[[http.services.service1.loadbalancer.servers]]
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server2}}:80"
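Review bot: The health-check sub-table is still spelled `[http.services.service1.loadBalancer.healthcheck]` although this commit moves the other keys to lower camel case (`loadBalancer`, `rule`); for consistency it should read `[http.services.service1.loadBalancer.healthCheck]`. The same header is left as-is in the next two health-check fixtures, and the HTTPS SNI fixture keeps `[tls.options.default.ClientCA]` where `clientCA` would match the new convention. Presumably the loader matches keys case-insensitively, so this is cosmetic, but that is worth confirming because TOML itself treats keys as case-sensitive.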


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -12,19 +12,21 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
service = "service1"
Rule = "Host(`test.localhost`)"
rule = "Host(`test.localhost`)"
[http.services]
[http.services.service1.loadbalancer]
[http.services.service1.loadbalancer.healthcheck]
[http.services.service1.loadBalancer]
[http.services.service1.loadBalancer.healthcheck]
path = "/health"
port = 80
interval = "1s"
timeout = "0.9s"
[[http.services.service1.loadbalancer.servers]]
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server1}}:81"


@ -1,9 +1,9 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
@ -12,20 +12,22 @@ level = "DEBUG"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
service = "service1"
Rule = "Host(`test.localhost`)"
rule = "Host(`test.localhost`)"
[http.services]
[http.services.service1.loadbalancer]
[http.services.service1.loadbalancer.healthcheck]
[http.services.service1.loadBalancer]
[http.services.service1.loadBalancer.healthcheck]
path = "/health"
interval = "1s"
timeout = "0.9s"
[[http.services.service1.loadbalancer.servers]]
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server1}}:80"
[[http.services.service1.loadbalancer.servers]]
[[http.services.service1.loadBalancer.servers]]
url = "http://{{.Server2}}:80"


@ -1,51 +1,52 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
address = ":4443"
[api]
[providers]
[providers.file]
[providers.file]
## dynamic configuration ##
[http.routers]
[http.routers.router1]
Service = "service1"
Rule = "Host(`snitest.com`)"
service = "service1"
rule = "Host(`snitest.com`)"
[http.routers.router1.tls]
[http.routers.router2]
Service = "service2"
Rule = "Host(`snitest.org`)"
service = "service2"
rule = "Host(`snitest.org`)"
[http.routers.router2.tls]
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9010"
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:9010"
[http.services.service2]
[http.services.service2.LoadBalancer]
[[http.services.service2.LoadBalancer.Servers]]
URL = "http://127.0.0.1:9020"
[http.services.service2.loadBalancer]
[[http.services.service2.loadBalancer.servers]]
url = "http://127.0.0.1:9020"
[[tls]]
[tls.certificate]
certFile = "fixtures/https/snitest.com.cert"
keyFile = "fixtures/https/snitest.com.key"
[[tls.certificates]]
certFile = "fixtures/https/snitest.com.cert"
keyFile = "fixtures/https/snitest.com.key"
[[tls]]
[tls.certificate]
certFile = "fixtures/https/snitest.org.cert"
keyFile = "fixtures/https/snitest.org.key"
[[tls.certificates]]
certFile = "fixtures/https/snitest.org.cert"
keyFile = "fixtures/https/snitest.org.key"
[tlsOptions.default.ClientCA]
[tls.options]
[tls.options.default.ClientCA]
files = ["fixtures/https/clientca/ca1.crt"]
optional = true
