baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch v2.0 to master.

Browse source
This commit is contained in:
Fernandez Ludovic 2019-04-17 13:49:49 +02:00
commit 11f04a453e
752 changed files with 13542 additions and 265800 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/ISSUE_TEMPLATE.md vendored
View file

@ -76,7 +76,7 @@ Add more configuration information here.
-->
### If applicable, please paste the log output at DEBUG level (`--logLevel=DEBUG` switch)
### If applicable, please paste the log output at DEBUG level (`--log.level=DEBUG` switch)
```
(paste your output here)

2
.github/ISSUE_TEMPLATE/Bug_report.md vendored
View file

@ -81,7 +81,7 @@ Add more configuration information here.
-->
### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
```
(paste your output here)

35
.golangci.toml
View file

@ -1,8 +1,6 @@
[run]
deadline = "10m"
skip-files = [
"^old/.*",
]
skip-files = []
[linters-settings]
@ -52,12 +50,6 @@
[[issues.exclude-rules]]
path = ".+_test.go"
linters = ["goconst"]
[[issues.exclude-rules]]
path = "provider/label/internal/.+_test.go"
text = "U1000: field `(foo|fuu)` is unused"
[[issues.exclude-rules]]
path = "middlewares/recovery/recovery.go"
text = "`logger` can be `github.com/containous/traefik/vendor/github.com/stretchr/testify/assert.TestingT`"
[[issues.exclude-rules]]
path = "integration/.+_test.go"
text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@ -68,23 +60,26 @@
path = "integration/grpc_test.go"
text = "Error return value of `closer` is not checked"
[[issues.exclude-rules]]
path = "provider/kubernetes/builder_(endpoint|service)_test.go"
path = "pkg/h2c/h2c.go"
text = "Error return value of `rw.Write` is not checked"
[[issues.exclude-rules]]
path = "pkg/middlewares/recovery/recovery.go"
text = "`logger` can be `github.com/containous/traefik/vendor/github.com/stretchr/testify/assert.TestingT`"
[[issues.exclude-rules]]
path = "pkg/provider/docker/builder_test.go"
text = "(U1000: func )?`(.+)` is unused"
[[issues.exclude-rules]]
path = "provider/docker/builder_test.go"
path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
text = "(U1000: func )?`(.+)` is unused"
[[issues.exclude-rules]]
path = "pkg/provider/label/internal/.+_test.go"
text = "U1000: field `(foo|fuu)` is unused"
[[issues.exclude-rules]]
path = "pkg/server/service/bufferpool.go"
text = "SA6002: argument should be pointer-like to avoid allocations"
[[issues.exclude-rules]]
path = "cmd/configuration.go"
text = "string `traefik` has (\\d) occurrences, make it a constant"
[[issues.exclude-rules]]
path = "h2c/h2c.go"
text = "Error return value of `rw.Write` is not checked"
[[issues.exclude-rules]]
path = "server/service/bufferpool.go"
text = "SA6002: argument should be pointer-like to avoid allocations"
[[issues.exclude-rules]] # FIXME must be fixed
path = "acme/.+.go"
text = "(assignment copies lock value to domainsCerts|literal copies lock value from)"
[[issues.exclude-rules]] # FIXME must be fixed
path = "cmd/context.go"
text = "S1000: should use a simple channel send/receive instead of `select` with a single case"

3
.goreleaser.yml
View file

@ -51,5 +51,8 @@ archive:
- LICENSE.md
- CHANGELOG.md
checksum:
name_template: "{{ .ProjectName }}_v{{ .Version }}_checksums.txt"
release:
disable: true

2
.travis.yml
View file

@ -28,7 +28,7 @@ before_deploy:
if [ "$TRAVIS_TAG" ]; then
make release-packages;
fi;
curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" v1.7.0
curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
fi

61
CHANGELOG.md
View file

@ -1,5 +1,41 @@
# Change Log
## [v2.0.0-alpha4](https://github.com/containous/traefik/tree/v2.0.0-alpha4) (2019-04-17)
[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha3...v2.0.0-alpha4)
**Enhancements:**
- **[logs]** log.loglevel becomes log.level in configuration ([#4775](https://github.com/containous/traefik/pull/4775) by [juliens](https://github.com/juliens))
- **[marathon,tcp]** Handle TCP in the marathon provider ([#4728](https://github.com/containous/traefik/pull/4728) by [juliens](https://github.com/juliens))
- **[middleware]** Enable CORS configuration ([#3809](https://github.com/containous/traefik/pull/3809) by [dtomcej](https://github.com/dtomcej))
- **[rancher]** Add Rancher provider ([#4647](https://github.com/containous/traefik/pull/4647) by [SantoDE](https://github.com/SantoDE))
- **[tracing]** Update tracing dependencies ([#4721](https://github.com/containous/traefik/pull/4721) by [ldez](https://github.com/ldez))
**Bug fixes:**
- **[docker]** Insensitive case for allow-empty value. ([#4745](https://github.com/containous/traefik/pull/4745) by [ldez](https://github.com/ldez))
- **[middleware]** Fix response modifier initial building ([#4719](https://github.com/containous/traefik/pull/4719) by [mpl](https://github.com/mpl))
- **[middleware]** Set X-Forwarded-* headers ([#4707](https://github.com/containous/traefik/pull/4707) by [mpl](https://github.com/mpl))
- **[tcp]** Fix EOF error ([#4733](https://github.com/containous/traefik/pull/4733) by [juliens](https://github.com/juliens))
**Documentation:**
- **[acme]** Use the same case every where for entryPoints. ([#4764](https://github.com/containous/traefik/pull/4764) by [ldez](https://github.com/ldez))
- **[docker]** Fix two minor nits in Traefik 2.0 docs ([#4692](https://github.com/containous/traefik/pull/4692) by [cfra](https://github.com/cfra))
- **[k8s,k8s/crd]** k8s static configuration explanation ([#4767](https://github.com/containous/traefik/pull/4767) by [ldez](https://github.com/ldez))
- **[marathon]** Enhance Marathon documentation ([#4776](https://github.com/containous/traefik/pull/4776) by [ldez](https://github.com/ldez))
- **[middleware,k8s,k8s/crd]** Fix typo: middleware -> middlewares. ([#4781](https://github.com/containous/traefik/pull/4781) by [ldez](https://github.com/ldez))
- **[middleware]** Adds middlewares examples for k8s. ([#4713](https://github.com/containous/traefik/pull/4713) by [ldez](https://github.com/ldez))
- **[middleware]** Remove invalid commas. ([#4706](https://github.com/containous/traefik/pull/4706) by [ldez](https://github.com/ldez))
- **[middleware]** Fix doc about removing headers ([#4708](https://github.com/containous/traefik/pull/4708) by [mpl](https://github.com/mpl))
- **[middleware]** Update the middleware documentation ([#4729](https://github.com/containous/traefik/pull/4729) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[tracing]** Fix typo in tracing docs ([#4737](https://github.com/containous/traefik/pull/4737) by [timoschwarzer](https://github.com/timoschwarzer))
- Improve the Documentation with a Reference Section ([#4714](https://github.com/containous/traefik/pull/4714) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Adds a note in traefik.sample.toml ([#4757](https://github.com/containous/traefik/pull/4757) by [ldez](https://github.com/ldez))
- Update to v2.0 readme links ([#4700](https://github.com/containous/traefik/pull/4700) by [karnthis](https://github.com/karnthis))
- Remove dumpcerts.sh ([#4783](https://github.com/containous/traefik/pull/4783) by [ldez](https://github.com/ldez))
**Misc:**
- Cherry pick v1.7 into v2.0 ([#4787](https://github.com/containous/traefik/pull/4787) by [ldez](https://github.com/ldez))
- Cherry pick v1.7 into v2.0 ([#4695](https://github.com/containous/traefik/pull/4695) by [jbdoumenjou](https://github.com/jbdoumenjou))
## [v2.0.0-alpha3](https://github.com/containous/traefik/tree/v2.0.0-alpha3) (2019-03-29)
[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha2...v2.0.0-alpha3)
@ -129,6 +165,23 @@
- Merge v1.7.0-rc4 into master ([#3867](https://github.com/containous/traefik/pull/3867) by [ldez](https://github.com/ldez))
- Merge v1.7.0-rc2 into master ([#3634](https://github.com/containous/traefik/pull/3634) by [ldez](https://github.com/ldez))
## [v1.7.10](https://github.com/containous/traefik/tree/v1.7.10) (2019-03-28)
[All Commits](https://github.com/containous/traefik/compare/v1.7.9...v1.7.10)
**Bug fixes:**
- **[acme]** fix: update lego. ([#4670](https://github.com/containous/traefik/pull/4670) by [ldez](https://github.com/ldez))
- **[acme]** Migrate to go-acme/lego. ([#4577](https://github.com/containous/traefik/pull/4577) by [ldez](https://github.com/ldez))
- **[authentication,middleware]** Reorder Auth and TLSClientHeaders middleware ([#4557](https://github.com/containous/traefik/pull/4557) by [tomberek](https://github.com/tomberek))
- **[k8s/ingress]** Support external name service on global default backend ([#4564](https://github.com/containous/traefik/pull/4564) by [kippandrew](https://github.com/kippandrew))
- **[k8s/ingress]** Loop through service ports for global backend ([#4486](https://github.com/containous/traefik/pull/4486) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Add entrypoints prefix in kubernetes frontend/backend id ([#4679](https://github.com/containous/traefik/pull/4679) by [juliens](https://github.com/juliens))
- **[websocket]** Exclude websocket connections from Average Response Time ([#4313](https://github.com/containous/traefik/pull/4313) by [siyu6974](https://github.com/siyu6974))
- **[middleware]** Added support for configuring trace headers for DataDog tracing ([#4516](https://github.com/containous/traefik/pull/4516) by [aantono](https://github.com/aantono))
**Documentation:**
- **[acme]** Add _FILE Environment Variable Documentation ([#4643](https://github.com/containous/traefik/pull/4643) by [dargmuesli](https://github.com/dargmuesli))
- **[docker]** Add TraefikEE as security workaround ([#4606](https://github.com/containous/traefik/pull/4606) by [emilevauge](https://github.com/emilevauge))
## [v1.7.9](https://github.com/containous/traefik/tree/v1.7.9) (2019-02-11)
[All Commits](https://github.com/containous/traefik/compare/v1.7.8...v1.7.9)
@ -154,7 +207,7 @@
- **[acme]** Updates lego. ([#4376](https://github.com/containous/traefik/pull/4376) by [ldez](https://github.com/ldez))
- **[docker]** Fixes docker swarm mode refresh second for KV. ([#4420](https://github.com/containous/traefik/pull/4420) by [ldez](https://github.com/ldez))
- **[ecs]** Generic awsvpc support, not just Fargate ([#4360](https://github.com/containous/traefik/pull/4360) by [maartenvanderhoef](https://github.com/maartenvanderhoef))
- **[ecs]** Cache exising task definitions to avoid rate limiting ([#4177](https://github.com/containous/traefik/pull/4177) by [hwhelan-CB](https://github.com/hwhelan-CB))
- **[ecs]** Cache existing task definitions to avoid rate limiting ([#4177](https://github.com/containous/traefik/pull/4177) by [hwhelan-CB](https://github.com/hwhelan-CB))
- **[tls]** Check for dynamic tls updates on configuration preload ([#4022](https://github.com/containous/traefik/pull/4022) by [ffilippopoulos](https://github.com/ffilippopoulos))
- **[tracing]** Support Datadog tracer priority sampling ([#4359](https://github.com/containous/traefik/pull/4359) by [jcassee](https://github.com/jcassee))
- Update to Go 1.11.5 [CVE-2019-6486](https://nvd.nist.gov/vuln/detail/CVE-2019-6486)
@ -279,7 +332,7 @@
**Bug fixes:**
- **[acme]** DNS challenge Cloudflare auth zone ([#4042](https://github.com/containous/traefik/pull/4042) by [ldez](https://github.com/ldez))
- **[acme]** ACME DNS challenges ([#3998](https://github.com/containous/traefik/pull/3998) by [ldez](https://github.com/ldez))
- **[acme]** Don't initalize ACME provider if storage is empty ([#3988](https://github.com/containous/traefik/pull/3988) by [nmengin](https://github.com/nmengin))
- **[acme]** Don't initialize ACME provider if storage is empty ([#3988](https://github.com/containous/traefik/pull/3988) by [nmengin](https://github.com/nmengin))
- **[acme]** Fix: acme DNS providers ([#4021](https://github.com/containous/traefik/pull/4021) by [ldez](https://github.com/ldez))
- **[acme]** Prevent some malformed errors in LE. ([#4015](https://github.com/containous/traefik/pull/4015) by [ldez](https://github.com/ldez))
- **[authentication,consulcatalog,docker,ecs,etcd,kv,marathon,mesos,rancher]** Add the AuthResponseHeaders to the labels ([#3973](https://github.com/containous/traefik/pull/3973) by [Crypto89](https://github.com/Crypto89))
@ -354,7 +407,7 @@
- **[healthcheck]** Support all 2xx HTTP status code for health check. ([#3362](https://github.com/containous/traefik/pull/3362) by [ldez](https://github.com/ldez))
- **[healthcheck]** Add HTTP headers to healthcheck. ([#3047](https://github.com/containous/traefik/pull/3047) by [zetaab](https://github.com/zetaab))
- **[k8s]** Add more k8s tests ([#3491](https://github.com/containous/traefik/pull/3491) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Substitude hardcoded "<namespace>/<name>" with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
- **[k8s]** Substitute hardcoded "<namespace>/<name>" with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
- **[k8s]** Custom frontend name for test helper ([#3444](https://github.com/containous/traefik/pull/3444) by [ldez](https://github.com/ldez))
- **[k8s]** Add annotation to allow modifiers to be used properly in kubernetes ([#3481](https://github.com/containous/traefik/pull/3481) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Create Global Backend Ingress ([#3404](https://github.com/containous/traefik/pull/3404) by [dtomcej](https://github.com/dtomcej))
@ -651,7 +704,7 @@
- **[healthcheck]** Support all 2xx HTTP status code for health check. ([#3362](https://github.com/containous/traefik/pull/3362) by [ldez](https://github.com/ldez))
- **[healthcheck]** Add HTTP headers to healthcheck. ([#3047](https://github.com/containous/traefik/pull/3047) by [zetaab](https://github.com/zetaab))
- **[k8s]** Add more k8s tests ([#3491](https://github.com/containous/traefik/pull/3491) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Substitude hardcoded "<namespace>/<name>" with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
- **[k8s]** Substitute hardcoded "<namespace>/<name>" with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
- **[k8s]** Custom frontend name for test helper ([#3444](https://github.com/containous/traefik/pull/3444) by [ldez](https://github.com/ldez))
- **[k8s]** Add annotation to allow modifiers to be used properly in kubernetes ([#3481](https://github.com/containous/traefik/pull/3481) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Create Global Backend Ingress ([#3404](https://github.com/containous/traefik/pull/3404) by [dtomcej](https://github.com/dtomcej))

304
Gopkg.lock generated
View file

@ -9,22 +9,6 @@
revision = "056a55f54a6cc77b440b31a56a5e7c3982d32811"
version = "v0.22.0"
[[projects]]
branch = "master"
digest = "1:24afd6a7be85997c981693ddcc5f7b37fd3ed5cb119901e14737b9635b944cfb"
name = "github.com/ArthurHlt/go-eureka-client"
packages = ["eureka"]
pruneopts = "NUT"
revision = "9d0a49cbd39aa3634ae1977e9f519a262b10adaf"
[[projects]]
branch = "master"
digest = "1:922aa650254d0678003e182aeb75f6b094a0bfc40a87d198859d511cdafcfa8a"
name = "github.com/ArthurHlt/gominlog"
packages = ["."]
pruneopts = "NUT"
revision = "72eebf980f467d3ab3a8b4ddf660f664911ce519"
[[projects]]
digest = "1:59f6c2fd10ad014d2907eaa48a19070d5e7af35624328a4fbbf93b7b1c4a19e8"
name = "github.com/Azure/azure-sdk-for-go"
@ -70,17 +54,6 @@
pruneopts = "NUT"
revision = "a368813c5e648fee92e5f6c30e3944ff9d5e8895"
[[projects]]
branch = "master"
digest = "1:28e560d27a06cbebacd86531439aafa31c6da990607ca5a085d0005af325697f"
name = "github.com/BurntSushi/ty"
packages = [
".",
"fun",
]
pruneopts = "NUT"
revision = "6add9cd6ad42d389d6ead1dde60b4ad71e46fd74"
[[projects]]
digest = "1:ab7fee312bbdc8070d0325d841de8704cc78bf032b076200f1458659b74b8ed6"
name = "github.com/JamesClonk/vultr"
@ -88,6 +61,14 @@
pruneopts = "NUT"
revision = "2fd0705ce648e602e6c9c57329a174270a4f6688"
[[projects]]
digest = "1:25870183293a3fb61cc9afd060a61d63a486f091db72af01a8ea3449f5ca530d"
name = "github.com/Masterminds/goutils"
packages = ["."]
pruneopts = "NUT"
revision = "41ac8693c5c10a92ea1ff5ac3a7f95646f6123b0"
version = "v1.1.0"
[[projects]]
digest = "1:0ce2a409217f52078c6b8642993deb1025940cded6d5054047c1d5c7379f753c"
name = "github.com/Masterminds/semver"
@ -97,11 +78,12 @@
version = "v1.2.2"
[[projects]]
digest = "1:a49472e7d73071005f436b7da85567220f24bb26fbfccbec45d2cd1359d4c67d"
digest = "1:876a1121171c083c4e3a4789683d02a40c0f644c8190da521d15b59799f556d6"
name = "github.com/Masterminds/sprig"
packages = ["."]
pruneopts = "NUT"
revision = "e039e20e500c2c025d9145be375e27cf42a94174"
revision = "9f8fceff796fb9f4e992cd2bece016be0121ab74"
version = "2.19.0"
[[projects]]
digest = "1:915c86626dfd65f8105c48b2972d29f34fd77ff16b31157147cb8ebbddeebbe3"
@ -161,15 +143,11 @@
[[projects]]
branch = "master"
digest = "1:d4ad87edcd6f6b6cfd1bfe8da6dd090e00901601c9270aa2928842402a361475"
digest = "1:28be1959f81e9a6dec3058768a4c4535cf73fcd6e171d21688ad0a7fdf49d43a"
name = "github.com/abronan/valkeyrie"
packages = [
".",
"store",
"store/boltdb",
"store/consul",
"store/etcd/v3",
"store/zookeeper",
]
pruneopts = "NUT"
revision = "063d875e3c5fd734fa2aa12fac83829f62acfc70"
@ -207,20 +185,12 @@
version = "1.27.7"
[[projects]]
digest = "1:975108e8d4f5dab096fc991326e96a5716ee8d02e5e7386bb4796171afc4ab9a"
name = "github.com/aokoli/goutils"
packages = ["."]
pruneopts = "NUT"
revision = "3391d3790d23d03408670993e957e8f408993c34"
version = "v1.0.1"
[[projects]]
digest = "1:9752dad5e89cd779096bf2477a4ded16bea7ac62de453c8d6b4bf841d51a8512"
digest = "1:b39cf81d5f440b9c0757a25058432d33af867e5201109bf53621356d9dab4b73"
name = "github.com/apache/thrift"
packages = ["lib/go/thrift"]
pruneopts = "NUT"
revision = "b2a4d4ae21c789b689dd162deb819665567f481c"
version = "0.10.0"
revision = "384647d290e2e4a55a14b1b7ef1b7e66293a2c33"
version = "v0.12.0"
[[projects]]
branch = "master"
@ -231,7 +201,7 @@
revision = "48572f11356f1843b694f21a290d4f1006bc5e47"
[[projects]]
digest = "1:bfb036834a43e76abd318f0db39b0bbec6f7865680c1e443475c0297250a89ed"
digest = "1:9991a3fc14d9de52a55cdb5a5f1f237140684eab050251ecfaaafa239a8ab5c9"
name = "github.com/aws/aws-sdk-go"
packages = [
"aws",
@ -254,7 +224,6 @@
"internal/sdkrand",
"internal/shareddefaults",
"private/protocol",
"private/protocol/ec2query",
"private/protocol/json/jsonutil",
"private/protocol/jsonrpc",
"private/protocol/query",
@ -262,11 +231,6 @@
"private/protocol/rest",
"private/protocol/restxml",
"private/protocol/xml/xmlutil",
"service/dynamodb",
"service/dynamodb/dynamodbattribute",
"service/dynamodb/dynamodbiface",
"service/ec2",
"service/ecs",
"service/lightsail",
"service/route53",
"service/sts",
@ -350,29 +314,6 @@
revision = "7a9987c3a6d46be84e141a5c3191347ec10af17d"
version = "v3.1.2"
[[projects]]
digest = "1:4e9c9d51ef5c98f2a71d6fa56a22f0bb8a4463656f9591ba24ebff2c21bcbd1f"
name = "github.com/coreos/bbolt"
packages = ["."]
pruneopts = "NUT"
revision = "32c383e75ce054674c53b5a07e55de85332aee14"
[[projects]]
digest = "1:f07fcc19d52f5d9f559573c6b625142bc4b018fd275029c020d06d2bad6f6c8c"
name = "github.com/coreos/etcd"
packages = [
"auth/authpb",
"clientv3",
"clientv3/concurrency",
"etcdserver/api/v3rpc/rpctypes",
"etcdserver/etcdserverpb",
"mvcc/mvccpb",
"pkg/types",
]
pruneopts = "NUT"
revision = "70c8726202dd91e482fb4029fd14af1d4ed1d5af"
version = "v3.3.5"
[[projects]]
digest = "1:fa91847d50d3f656fc2d2d608b9749b97d77528e8988ad8001f957640545e91e"
name = "github.com/coreos/go-systemd"
@ -543,15 +484,6 @@
pruneopts = "NUT"
revision = "9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1"
[[projects]]
branch = "master"
digest = "1:2de676f0b5c5d051ae4343503760069de753c995a3cb3b01544a4924c65a93aa"
name = "github.com/docker/leadership"
packages = ["."]
pruneopts = "NUT"
revision = "a2e096d9fe0af5b4c37dd37aea719bc9c2e5eec6"
source = "github.com/containous/leadership"
[[projects]]
branch = "master"
digest = "1:9b26bdc6b9952f728f61f510a48875c38974591c69b0afa77dcfe466c6162e9e"
@ -635,13 +567,6 @@
revision = "0a91ac8209d6a805f259ff881d0c2654221d0346"
version = "v0.14.3"
[[projects]]
digest = "1:b0d5e98ac0f0a509eb320f542e748582d637aae09e74538212e9712d1e71064b"
name = "github.com/fatih/color"
packages = ["."]
pruneopts = "NUT"
revision = "62e9147c64a1ed519147b62a56a14e83e2be02c1"
[[projects]]
digest = "1:aa3ed0a71c4e66e4ae6486bf97a3f4cab28edc78df2e50c5ad01dc7d91604b88"
name = "github.com/fatih/structs"
@ -673,8 +598,7 @@
revision = "73d445a93680fa1a78ae23a5839bad48f32ba1ee"
[[projects]]
branch = "master"
digest = "1:7dcfb91047873eb70b3a20ed5c400c4d05d9c1e73c9dac0e71ec0d44589d208a"
digest = "1:a04af13190b67ff69cf8fcd79ee133a24c4a7a900cacbc296261dd43f3fbde5c"
name = "github.com/go-acme/lego"
packages = [
"acme",
@ -712,6 +636,7 @@
"providers/dns/dnsmadeeasy",
"providers/dns/dnsmadeeasy/internal",
"providers/dns/dnspod",
"providers/dns/dode",
"providers/dns/dreamhost",
"providers/dns/duckdns",
"providers/dns/dyn",
@ -758,7 +683,8 @@
"registration",
]
pruneopts = "NUT"
revision = "0c87df143e630a1c50b4c36c8fbdda6cd993ebba"
revision = "aaecc1ca7254190b71c5f01f57ee3bb6701bc937"
version = "v2.4.0"
[[projects]]
branch = "fork-containous"
@ -821,12 +747,10 @@
version = "v1.5.4"
[[projects]]
digest = "1:b518b9be1fc76244e246afe09113e3dd6246073b444787d30883877b82a0b90d"
digest = "1:6689652ec1f6e30455551da19c707f2bfac75e4df5c7bbe3f0ad7b49b9aa2cfc"
name = "github.com/gogo/protobuf"
packages = [
"gogoproto",
"proto",
"protoc-gen-gogo/descriptor",
"sortkeys",
]
pruneopts = "NUT"
@ -971,29 +895,6 @@
pruneopts = "NUT"
revision = "2bcd89a1743fd4b373f7370ce8ddc14dfbd18229"
[[projects]]
digest = "1:c3f14b698c0f5c5729896489f4b526f519d1d2522e697d63f532901d0e183dff"
name = "github.com/hashicorp/consul"
packages = ["api"]
pruneopts = "NUT"
revision = "9a494b5fb9c86180a5702e29c485df1507a47198"
version = "v1.0.6"
[[projects]]
digest = "1:7b699584752575e81e3f4e8b00cfb3e5d6fa5419d5d212ef925e02c798847464"
name = "github.com/hashicorp/go-cleanhttp"
packages = ["."]
pruneopts = "NUT"
revision = "3573b8b52aa7b37b9358d966a898feb387f62437"
[[projects]]
branch = "master"
digest = "1:cdb5ce76cd7af19e3d2d5ba9b6458a2ee804f0d376711215dd3df5f51100d423"
name = "github.com/hashicorp/go-rootcerts"
packages = ["."]
pruneopts = "NUT"
revision = "6bb64b370b90e7ef1fa532be9e591a81c3493e00"
[[projects]]
digest = "1:f7b3db9cb74d13f6a7cf84b3801e68585745eacaf7d40cc10ecc4734c30503d3"
name = "github.com/hashicorp/go-version"
@ -1013,18 +914,12 @@
revision = "0fb14efe8c47ae851c0034ed7a448854d3d34cf3"
[[projects]]
digest = "1:c6552ffc71f7586a9ea624c6b2bdab87a47d9bd52889e3baf5fbf200425a85e2"
name = "github.com/hashicorp/serf"
packages = ["coordinate"]
pruneopts = "NUT"
revision = "19f2c401e122352c047a84d6584dd51e2fb8fcc4"
[[projects]]
digest = "1:45e66b20393507035c6a7d15bef5ffe8faf5b083621c1284d9824cc052776de5"
digest = "1:dc54242755f5b6721dd880843de6e45fe234838ea9149ec8249951880fd5802f"
name = "github.com/huandu/xstrings"
packages = ["."]
pruneopts = "NUT"
revision = "3959339b333561bf62a38b424fd41517c2c90f40"
revision = "f02667b379e2fb5916c3cda2cf31e0eb885d79f8"
version = "v1.2.0"
[[projects]]
branch = "master"
@ -1192,20 +1087,6 @@
pruneopts = "NUT"
revision = "c1c17f74874f2a5ea48bfb06b5459d4ef2689749"
[[projects]]
digest = "1:4953945f4fdc12cb7aa0263710534fb64b35a85e4047570fdf1cb03284055f0d"
name = "github.com/mattn/go-colorable"
packages = ["."]
pruneopts = "NUT"
revision = "5411d3eea5978e6cdc258b30de592b60df6aba96"
[[projects]]
digest = "1:89e4861dccb76fd84b7de2d88791cc8d23e125805397db27195b4dd83c459713"
name = "github.com/mattn/go-isatty"
packages = ["."]
pruneopts = "NUT"
revision = "57fdcb988a5c543893cc61bce354a6e24ab70022"
[[projects]]
branch = "master"
digest = "1:5985ef4caf91ece5d54817c11ea25f182697534f8ae6521eadcd628c142ac4b6"
@ -1214,37 +1095,6 @@
pruneopts = "NUT"
revision = "c12348ce28de40eed0136aa2b644d0ee0650e56c"
[[projects]]
digest = "1:337c4007f8ecd8092927c3f9d3c7e391a9e7222aa579dd07a6008379d92d61f6"
name = "github.com/mesos/mesos-go"
packages = [
"detector",
"detector/zoo",
"mesosproto",
"mesosutil",
"upid",
]
pruneopts = "NUT"
revision = "068d5470506e3780189fe607af40892814197c5e"
[[projects]]
branch = "master"
digest = "1:940a93ac88a908ef0908939181ab048c4172ba7babd32d896ac8b1ef5c1f9036"
name = "github.com/mesosphere/mesos-dns"
packages = [
"detect",
"errorutil",
"logging",
"models",
"records",
"records/labels",
"records/state",
"util",
]
pruneopts = "NUT"
revision = "b47dc4c19f215e98da687b15b4c64e70f629bea5"
source = "https://github.com/containous/mesos-dns.git"
[[projects]]
digest = "1:b83995756f9b1a24c518d40052d80f524f0a9024ee0479d8a8e91ec2548074d1"
name = "github.com/miekg/dns"
@ -1395,7 +1245,7 @@
version = "v1.0.0"
[[projects]]
digest = "1:7da29c22bcc5c2ffb308324377dc00b5084650348c2799e573ed226d8cc9faf0"
digest = "1:6846140b3f116579680eefdc17145f2bcf064b68deb9febf86b4419a454049af"
name = "github.com/opentracing/opentracing-go"
packages = [
".",
@ -1403,12 +1253,12 @@
"log",
]
pruneopts = "NUT"
revision = "1949ddbfd147afd4d964a9f00b24eb291e0e7c38"
version = "v1.0.2"
revision = "659c90643e714681897ec2521c60567dd21da733"
version = "v1.1.0"
[[projects]]
digest = "1:07c44a0ce6012eafd2f05b715d30852d576aeda7798b8760a2ff51b1e90eb753"
name = "github.com/openzipkin/zipkin-go-opentracing"
digest = "1:0f4793617dc898d3ee99fe1abab076d3976a9d17d14f8327af2dc3f1ec0fd92c"
name = "github.com/openzipkin-contrib/zipkin-go-opentracing"
packages = [
".",
"flag",
@ -1418,7 +1268,8 @@
"wire",
]
pruneopts = "NUT"
revision = "1f5c07e90700ae93ddcba0c7af7d9c7201646ccc"
revision = "f0f479ad013a498e4cbfb369414e5d3880903779"
version = "v0.3.5"
[[projects]]
digest = "1:b52f6b7059f06a11ab6ab039714dda0d93878d9227f84c84ca9b6f046bfb5fef"
@ -1540,20 +1391,13 @@
pruneopts = "NUT"
revision = "a1dba9ce8baed984a2495b658c82687f8157b98f"
[[projects]]
digest = "1:f140e414b284a500b812b26bda8b9a5110aa110f0473ec97e79f3245000c730a"
name = "github.com/rancher/go-rancher"
packages = ["v2"]
pruneopts = "NUT"
revision = "52e2f489534007ae843065468c5a1920d542afa4"
[[projects]]
branch = "containous-fork"
digest = "1:4e63da6276e18c5e12eadef1ec3cabd437698bef5e60ffdce7a75b492cd1c14e"
digest = "1:f103263e55945772fcb058736a03dfc2796c6a14b99b1684b8e88327c0fa0f75"
name = "github.com/rancher/go-rancher-metadata"
packages = ["metadata"]
pruneopts = "NUT"
revision = "e937e8308985dfd3bc157cc8a284454f0cbf4fef"
revision = "c6a65f8b7a28edc424e85732df4cd1c215843a99"
source = "github.com/containous/go-rancher-metadata"
[[projects]]
@ -1584,13 +1428,6 @@
pruneopts = "NUT"
revision = "306ea89b6ef19334614f7b0fc5aa19595022bb8c"
[[projects]]
digest = "1:142520cf3c9bb85449dd0000f820b8c604531587ee654793c54909be7dabadac"
name = "github.com/samuel/go-zookeeper"
packages = ["zk"]
pruneopts = "NUT"
revision = "1d7be4effb13d2d908342d349d71a284a7542693"
[[projects]]
digest = "1:6bc0652ea6e39e22ccd522458b8bdd8665bf23bdc5a20eec90056e4dc7e273ca"
name = "github.com/satori/go.uuid"
@ -1600,12 +1437,12 @@
version = "v1.2.0"
[[projects]]
digest = "1:01252cd79aac70f16cac02a72a1067dd136e0ad6d5b597d0129cf74c739fd8d1"
digest = "1:bb9033d47c116ea3b981ff159bdef73df8351b0b9700da2066339b97211b1bf0"
name = "github.com/sirupsen/logrus"
packages = ["."]
pruneopts = "NUT"
revision = "a67f783a3814b8729bd2dac5780b5f78f8dbd64d"
version = "v1.1.0"
revision = "dae0fa8d5b0c810a8ab733fbd5510c7cae84eca4"
version = "v1.4.0"
[[projects]]
digest = "1:9d8420bbf131d1618bde6530af37c3799340d3762cc47210c1d9532a4c3a2779"
@ -1644,11 +1481,11 @@
revision = "c4434f09ec131ecf30f986d5dcb1636508bfa49a"
[[projects]]
digest = "1:c269070c7f286c941392076d6c42a4a7a062356f7083a48bd202397e877a965e"
digest = "1:84b9a5318d8ce3b8a9b1509bf15734f4f9dcd4decf9d9e9c7346a16c7b64d49e"
name = "github.com/thoas/stats"
packages = ["."]
pruneopts = "NUT"
revision = "152b5d051953fdb6e45f14b6826962aadc032324"
revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
[[projects]]
branch = "master"
@ -1682,14 +1519,7 @@
revision = "1dc93a7db3567a5ccf865106afac88278ba940cf"
[[projects]]
digest = "1:9b2996458a2f7d1f3e0ebf08152acfe8c1106f3fe855d08121c5ee7d801a063f"
name = "github.com/tv42/zbase32"
packages = ["."]
pruneopts = "NUT"
revision = "03389da7e0bf9844767f82690f4d68fc097a1306"
[[projects]]
digest = "1:7d3a890e525da3b7014d26dd1d4a0e4d31a479995007cd11989ad31db132e66c"
digest = "1:dc5b63bdf6fd3b22c970e06ad4fb686f6d08104f50f414644d5ac5e267a7934a"
name = "github.com/uber/jaeger-client-go"
packages = [
".",
@ -1712,16 +1542,18 @@
"zipkin",
]
pruneopts = "NUT"
revision = "1a782e2da844727691fef1757c72eb190c2909f0"
version = "v2.15.0"
revision = "2f47546e3facd43297739439600bcf43f44cce5d"
source = "github.com/jaegertracing/jaeger-client-go"
version = "v2.16.0"
[[projects]]
digest = "1:0f09db8429e19d57c8346ad76fbbc679341fa86073d3b8fb5ac919f0357d8f4c"
digest = "1:c9d69a04f7fa171f50360bbcc32196b4de8ab8837ef772f6302d0140a1e3e7f6"
name = "github.com/uber/jaeger-lib"
packages = ["metrics"]
pruneopts = "NUT"
revision = "ed3a127ec5fef7ae9ea95b01b542c47fbd999ce5"
version = "v1.5.0"
revision = "0e30338a695636fe5bcf7301e8030ce8dd2a8530"
source = "github.com/jaegertracing/jaeger-lib"
version = "v2.0.0"
[[projects]]
digest = "1:fb6d90081ae53fdb35d0fffa7d82a555df936bbc6db9a93126795655b2317604"
@ -1738,13 +1570,6 @@
pruneopts = "NUT"
revision = "a1cf62cc2159fff407728f118c41aece76c397fa"
[[projects]]
digest = "1:e84e99d5f369afaa9a5c41f55b57fa03047ecd3bac2a65861607882693ceea81"
name = "github.com/urfave/negroni"
packages = ["."]
pruneopts = "NUT"
revision = "490e6a555d47ca891a89a150d0c1ef3922dfffe9"
[[projects]]
digest = "1:a68c3f55d44d225da4f22ffbed2d8572d267cb19aaa1d60537769034ac66bc01"
name = "github.com/vdemeester/shakers"
@ -1956,7 +1781,7 @@
revision = "09f6ed296fc66555a25fe4ce95173148778dfa85"
[[projects]]
digest = "1:a893d24a604ae6f45f2d6e00ae9e817476e110e2dd5455152b35bb720ca2f626"
digest = "1:a840929a3a2d91282dc853cbd5f586069c14ae373247fb7d4cb4fa02b285326e"
name = "google.golang.org/grpc"
packages = [
".",
@ -1971,7 +1796,6 @@
"encoding/proto",
"grpclb/grpc_lb_v1/messages",
"grpclog",
"health/grpc_health_v1",
"internal",
"keepalive",
"metadata",
@ -2348,29 +2172,12 @@
analyzer-name = "dep"
analyzer-version = 1
input-imports = [
"github.com/ArthurHlt/go-eureka-client/eureka",
"github.com/BurntSushi/toml",
"github.com/BurntSushi/ty/fun",
"github.com/Masterminds/sprig",
"github.com/NYTimes/gziphandler",
"github.com/abbot/go-http-auth",
"github.com/abronan/valkeyrie",
"github.com/abronan/valkeyrie/store",
"github.com/abronan/valkeyrie/store/boltdb",
"github.com/abronan/valkeyrie/store/consul",
"github.com/abronan/valkeyrie/store/etcd/v3",
"github.com/abronan/valkeyrie/store/zookeeper",
"github.com/armon/go-proxyproto",
"github.com/aws/aws-sdk-go/aws",
"github.com/aws/aws-sdk-go/aws/credentials",
"github.com/aws/aws-sdk-go/aws/defaults",
"github.com/aws/aws-sdk-go/aws/ec2metadata",
"github.com/aws/aws-sdk-go/aws/session",
"github.com/aws/aws-sdk-go/service/dynamodb",
"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute",
"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbiface",
"github.com/aws/aws-sdk-go/service/ec2",
"github.com/aws/aws-sdk-go/service/ecs",
"github.com/cenkalti/backoff",
"github.com/containous/alice",
"github.com/containous/flaeg",
@ -2390,7 +2197,6 @@
"github.com/docker/docker/pkg/namesgenerator",
"github.com/docker/go-connections/nat",
"github.com/docker/go-connections/sockets",
"github.com/docker/leadership",
"github.com/eapache/channels",
"github.com/elazarl/go-bindata-assetfs",
"github.com/gambol99/go-marathon",
@ -2414,40 +2220,27 @@
"github.com/golang/protobuf/proto",
"github.com/google/go-github/github",
"github.com/gorilla/websocket",
"github.com/hashicorp/consul/api",
"github.com/hashicorp/go-version",
"github.com/influxdata/influxdb/client/v2",
"github.com/instana/go-sensor",
"github.com/libkermit/compose/check",
"github.com/libkermit/docker",
"github.com/libkermit/docker-check",
"github.com/mesos/mesos-go/detector",
"github.com/mesos/mesos-go/detector/zoo",
"github.com/mesos/mesos-go/upid",
"github.com/mesosphere/mesos-dns/detect",
"github.com/mesosphere/mesos-dns/logging",
"github.com/mesosphere/mesos-dns/records",
"github.com/mesosphere/mesos-dns/records/state",
"github.com/mesosphere/mesos-dns/util",
"github.com/miekg/dns",
"github.com/mitchellh/copystructure",
"github.com/mitchellh/hashstructure",
"github.com/mitchellh/mapstructure",
"github.com/mvdan/xurls",
"github.com/ogier/pflag",
"github.com/opentracing/opentracing-go",
"github.com/opentracing/opentracing-go/ext",
"github.com/opentracing/opentracing-go/log",
"github.com/openzipkin/zipkin-go-opentracing",
"github.com/openzipkin-contrib/zipkin-go-opentracing",
"github.com/patrickmn/go-cache",
"github.com/pkg/errors",
"github.com/prometheus/client_golang/prometheus",
"github.com/prometheus/client_golang/prometheus/promhttp",
"github.com/prometheus/client_model/go",
"github.com/rancher/go-rancher-metadata/metadata",
"github.com/rancher/go-rancher/v2",
"github.com/ryanuber/go-glob",
"github.com/satori/go.uuid",
"github.com/sirupsen/logrus",
"github.com/stretchr/testify/assert",
"github.com/stretchr/testify/mock",
@ -2460,7 +2253,6 @@
"github.com/uber/jaeger-lib/metrics",
"github.com/unrolled/render",
"github.com/unrolled/secure",
"github.com/urfave/negroni",
"github.com/vdemeester/shakers",
"github.com/vulcand/oxy/buffer",
"github.com/vulcand/oxy/cbreaker",

59
Gopkg.toml
View file

@ -36,17 +36,17 @@ required = [
non-go = false
unused-packages = false
[[constraint]]
branch = "master"
name = "github.com/ArthurHlt/go-eureka-client"
#[[constraint]]
# branch = "master"
# name = "github.com/ArthurHlt/go-eureka-client"
[[constraint]]
branch = "master"
name = "github.com/BurntSushi/toml"
[[constraint]]
branch = "master"
name = "github.com/BurntSushi/ty"
#[[constraint]]
# branch = "master"
# name = "github.com/BurntSushi/ty"
[[constraint]]
branch = "master"
@ -61,9 +61,9 @@ required = [
branch = "master"
name = "github.com/armon/go-proxyproto"
[[constraint]]
name = "github.com/aws/aws-sdk-go"
version = "1.13.11"
#[[constraint]]
# name = "github.com/aws/aws-sdk-go"
# version = "1.13.11"
[[constraint]]
name = "github.com/cenkalti/backoff"
@ -85,18 +85,19 @@ required = [
name = "github.com/containous/staert"
version = "3.1.2"
#[[constraint]]
# name = "github.com/containous/traefik-extra-service-fabric"
# version = "1.3.0"
[[constraint]]
name = "github.com/thoas/stats"
# related to https://github.com/thoas/stats/pull/32
revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
[[constraint]]
name = "github.com/coreos/go-systemd"
version = "14.0.0"
[[constraint]]
branch = "master"
name = "github.com/docker/leadership"
source = "github.com/containous/leadership"
#[[constraint]]
# branch = "master"
# name = "github.com/docker/leadership"
# source = "github.com/containous/leadership"
[[constraint]]
name = "github.com/eapache/channels"
@ -124,9 +125,9 @@ required = [
branch = "master"
name = "github.com/gorilla/websocket"
[[constraint]]
name = "github.com/hashicorp/consul"
version = "1.0.6"
#[[constraint]]
# name = "github.com/hashicorp/consul"
# version = "1.0.6"
[[constraint]]
name = "github.com/influxdata/influxdb"
@ -140,9 +141,9 @@ required = [
branch = "master"
name = "github.com/abronan/valkeyrie"
[[constraint]]
name = "github.com/mesosphere/mesos-dns"
source = "https://github.com/containous/mesos-dns.git"
#[[constraint]]
# name = "github.com/mesosphere/mesos-dns"
# source = "https://github.com/containous/mesos-dns.git"
[[constraint]]
name = "github.com/opentracing/opentracing-go"
@ -158,8 +159,8 @@ required = [
name = "github.com/ryanuber/go-glob"
[[constraint]]
name = "github.com/satori/go.uuid"
version = "1.1.0"
name = "github.com/Masterminds/sprig"
version = "2.19.0"
[[constraint]]
branch = "master"
@ -171,11 +172,13 @@ required = [
[[constraint]]
name = "github.com/uber/jaeger-client-go"
version = "2.15.0"
source = "github.com/jaegertracing/jaeger-client-go"
version = "2.16.0"
[[constraint]]
name = "github.com/uber/jaeger-lib"
version = "1.3.0"
source = "github.com/jaegertracing/jaeger-lib"
version = "2.0.0"
[[constraint]]
branch = "v1"
@ -190,9 +193,9 @@ required = [
name = "github.com/vulcand/oxy"
[[constraint]]
branch = "master"
# branch = "master"
name = "github.com/go-acme/lego"
# version = "2.4.0"
version = "2.4.0"
[[constraint]]
name = "google.golang.org/grpc"

6
Makefile
View file

@ -93,7 +93,11 @@ test-integration: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
TEST_HOST=1 ./script/make.sh test-integration
## Validate code, vendor
## Validate code and docs
validate-files: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
## Validate code, docs, and vendor
validate: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor

4
README.md
View file

@ -98,6 +98,8 @@ You can access the simple HTML frontend of Traefik.
You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/v2.0/).
## Support
To get community support, you can:
@ -128,6 +130,8 @@ git clone https://github.com/containous/traefik
## Introductory Videos
:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
You will learn Traefik basics in less than 10 minutes.

5
build.Dockerfile
View file

@ -1,8 +1,9 @@
FROM golang:1.12-alpine
RUN apk --update upgrade \
&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
&& rm -rf /var/cache/apk/*
&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
&& update-ca-certificates \
&& rm -rf /var/cache/apk/*
# Download golangci-lint and misspell binary to bin folder in $GOPATH
RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.15.0 \

11
cmd/configuration.go
View file

@ -11,6 +11,7 @@ import (
"github.com/containous/traefik/pkg/provider/file"
"github.com/containous/traefik/pkg/provider/kubernetes/ingress"
"github.com/containous/traefik/pkg/provider/marathon"
"github.com/containous/traefik/pkg/provider/rancher"
"github.com/containous/traefik/pkg/provider/rest"
"github.com/containous/traefik/pkg/tracing/datadog"
"github.com/containous/traefik/pkg/tracing/instana"
@ -172,12 +173,22 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
// default Kubernetes
var defaultKubernetes ingress.Provider
// default Rancher
var defaultRancher rancher.Provider
defaultRancher.Watch = true
defaultRancher.ExposedByDefault = true
defaultRancher.EnableServiceHealthFilter = true
defaultRancher.RefreshSeconds = 15
defaultRancher.DefaultRule = rancher.DefaultTemplateRule
defaultRancher.Prefix = "latest"
defaultProviders := static.Providers{
File: &defaultFile,
Docker: &defaultDocker,
Rest: &defaultRest,
Marathon: &defaultMarathon,
Kubernetes: &defaultKubernetes,
Rancher: &defaultRancher,
}
return &TraefikConfiguration{

4
cmd/traefik/traefik.go
View file

@ -94,7 +94,7 @@ func main() {
// traefik Command init
traefikCmd := &flaeg.Command{
Name: "traefik",
Description: `traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
Description: `Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
Complete documentation is available at https://traefik.io`,
Config: traefikConfiguration,
DefaultPointersConfig: traefikPointersConfiguration,
@ -317,7 +317,7 @@ func configureLogging(staticConfiguration *static.Configuration) {
// otherwise.
var levelStr string
if staticConfiguration.Log != nil {
levelStr = strings.ToLower(staticConfiguration.Log.LogLevel)
levelStr = strings.ToLower(staticConfiguration.Log.Level)
}
if levelStr == "" {
levelStr = "error"

171
contrib/scripts/dumpcerts.sh
View file

@ -1,171 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) 2017 Brian 'redbeard' Harrington <redbeard@dead-city.org>
#
# dumpcerts.sh - A simple utility to explode a Traefik acme.json file into a
# directory of certificates and a private key
#
# Usage - dumpcerts.sh /etc/traefik/acme.json /etc/ssl/
#
# Dependencies -
# util-linux
# openssl
# jq
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# Exit codes:
# 1 - A component is missing or could not be read
# 2 - There was a problem reading acme.json
# 4 - The destination certificate directory does not exist
# 8 - Missing private key
set -o errexit
set -o pipefail
set -o nounset
USAGE="$(basename "$0") <path to acme> <destination cert directory>"
# Platform variations
case "$(uname)" in
'Linux')
# On Linux, -d should always work. --decode does not work with Alpine's busybox-binary
CMD_DECODE_BASE64="base64 -d"
;;
*)
# Max OS-X supports --decode and -D, but --decode may be supported by other platforms as well.
CMD_DECODE_BASE64="base64 --decode"
;;
esac
# Allow us to exit on a missing jq binary
exit_jq() {
echo "
You must have the binary 'jq' to use this.
jq is available at: https://stedolan.github.io/jq/download/
${USAGE}" >&2
exit 1
}
bad_acme() {
echo "
There was a problem parsing your acme.json file.
${USAGE}" >&2
exit 2
}
if [ $# -ne 2 ]; then
echo "
Insufficient number of parameters.
${USAGE}" >&2
exit 1
fi
readonly acmefile="${1}"
readonly certdir="${2%/}"
if [ ! -r "${acmefile}" ]; then
echo "
There was a problem reading from '${acmefile}'
We need to read this file to explode the JSON bundle... exiting.
${USAGE}" >&2
exit 2
fi
if [ ! -d "${certdir}" ]; then
echo "
Path ${certdir} does not seem to be a directory
We need a directory in which to explode the JSON bundle... exiting.
${USAGE}" >&2
exit 4
fi
jq=$(command -v jq) || exit_jq
priv=$(${jq} -e -r '.Account.PrivateKey' "${acmefile}") || bad_acme
if [ ! -n "${priv}" ]; then
echo "
There didn't seem to be a private key in ${acmefile}.
Please ensure that there is a key in this file and try again." >&2
exit 8
fi
# If they do not exist, create the needed subdirectories for our assets
# and place each in a variable for later use, normalizing the path
mkdir -p "${certdir}"/{certs,private}
pdir="${certdir}/private/"
cdir="${certdir}/certs/"
# Save the existing umask, change the default mode to 600, then
# after writing the private key switch it back to the default
oldumask=$(umask)
umask 177
trap 'umask ${oldumask}' EXIT
# traefik stores the private key in stripped base64 format but the certificates
# bundled as a base64 object without stripping headers. This normalizes the
# headers and formatting.
#
# In testing this out it was a balance between the following mechanisms:
# gawk:
# echo ${priv} | awk 'BEGIN {print "-----BEGIN RSA PRIVATE KEY-----"}
# {gsub(/.{64}/,"&\n")}1
# END {print "-----END RSA PRIVATE KEY-----"}' > "${pdir}/letsencrypt.key"
#
# openssl:
# echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
# | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
#
# and sed:
# echo "-----BEGIN RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
# echo ${priv} | sed -E 's/(.{64})/\1\n/g' >> "${pdir}/letsencrypt.key"
# sed -i '$ d' "${pdir}/letsencrypt.key"
# echo "-----END RSA PRIVATE KEY-----" >> "${pdir}/letsencrypt.key"
# openssl rsa -noout -in "${pdir}/letsencrypt.key" -check # To check if the key is valid
# In the end, openssl was chosen because most users will need this script
# *because* of openssl combined with the fact that it will refuse to write the
# key if it does not parse out correctly. The other mechanisms were left as
# comments so that the user can choose the mechanism most appropriate to them.
echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
| openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
# Process the certificates for each of the domains in acme.json
domains=$(jq -r '.Certificates[].Domain.Main' ${acmefile}) || bad_acme
for domain in $domains; do
# Traefik stores a cert bundle for each domain. Within this cert
# bundle there is both proper the certificate and the Let's Encrypt CA
echo "Extracting cert bundle for ${domain}"
cert=$(jq -e -r --arg domain "$domain" '.Certificates[] |
select (.Domain.Main == $domain )| .Certificate' ${acmefile}) || bad_acme
echo "${cert}" | ${CMD_DECODE_BASE64} > "${cdir}/${domain}.crt"
echo "Extracting private key for ${domain}"
key=$(jq -e -r --arg domain "$domain" '.Certificates[] |
select (.Domain.Main == $domain )| .Key' ${acmefile}) || bad_acme
echo "${key}" | ${CMD_DECODE_BASE64} > "${pdir}/${domain}.key"
done

3
docs/.markdownlint.json
View file

@ -5,5 +5,6 @@
"MD013": false,
"MD026": false,
"MD033": false,
"MD034": false
"MD034": false,
"MD036": false
}

BIN
docs/content/assets/img/providers/rancher.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 2.2 KiB

2
docs/content/contributing/building-testing.md
View file

@ -58,7 +58,7 @@ PRE_TARGET= make test-unit
### Method 2: Using `go`
You need `go` v1.9+.
You need `go` v1.12+.
!!! tip "Source Directory"

8
docs/content/contributing/data-collection.md
View file

@ -50,8 +50,8 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
??? example "Original configuration"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[api]
@ -80,8 +80,8 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
??? example "Resulting Obfuscated Configuration"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[api]

5
docs/content/getting-started/concepts.md
View file

@ -5,7 +5,8 @@ Everything You Need to Know
## Edge Router
Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the [path](../../routing/routers/#rule), the [host](../../routing/routers/#rule), [headers](../../routing/routers/#rule), [and so on](../../routing/routers/#rule) ...).
Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).
![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
@ -18,7 +19,7 @@ Deploying your services, you attach information that tell Traefik the characteri
![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
The opposite is true: when you remove a service from your infrastructure, the route will disapear accordingly.
The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.

2
docs/content/getting-started/configuration-overview.md
View file

@ -21,7 +21,7 @@ This configuration can change and is seamlessly hot-reloaded, without any reques
## The Dynamic Configuration
Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): wether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
!!! Note

4
docs/content/glossary.md
View file

@ -9,8 +9,8 @@ Where Every Technical Word finds its Definition`
- [ ] Routers
- [ ] Middleware
- [ ] Service
- [ ] Static Configuration
- [ ] Dynamic Configuration
- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
- [ ] ACME
- [ ] TraefikEE
- [ ] Tracing

35
docs/content/https-tls/acme.md
View file

@ -13,11 +13,11 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
??? example "Enabling ACME"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.http-tls]
[entryPoints.http-tls]
address = ":443"
[acme] # every router with TLS enabled will now be able to use ACME for its certificates
@ -31,11 +31,11 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
??? example "Configuring Wildcard Certificates"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.http-tls]
[entryPoints.http-tls]
address = ":443"
[acme]
@ -49,9 +49,13 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
sans = ["mydomain.com"]
```
!!! note "Configuration Reference"
There are many available options for ACME. For a quick glance at what's possible, browse the [configuration reference](../reference/acme.md).
??? note "Configuration Reference"
There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:
```toml
--8<-- "content/https-tls/ref-acme.toml"
```
## The Different ACME Challenges
@ -110,7 +114,10 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
Here is a list of supported `providers`, that can automate the DNS verification,
along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
Do not hesitate to complete it.
Do not hesitate to complete it.
Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
| Provider Name | Provider Code | Environment Variables | Wildcard & Root Domain Support |
|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
@ -127,6 +134,7 @@ Do not hesitate to complete it.
| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | YES |
| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | Not tested yet |
| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | Not tested yet |
| [Domain Offensive (do.de)](https://www.do.de/) | `dode` | `DODE_TOKEN` | YES |
| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | YES |
| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | YES |
| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | Not tested yet |
@ -138,7 +146,7 @@ Do not hesitate to complete it.
| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | Not tested yet |
| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | Not tested yet |
| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`] | YES |
| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | Not tested yet |
| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | YES |
| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1] | YES |
| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | Not tested yet |
| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | YES |
@ -209,9 +217,6 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
!!! note "Double Wildcard Certificates"
It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
Due to an ACME limitation it is not possible to define wildcards in SANs (alternative domains).
Thus, the wildcard domain has to be defined as a main domain.
Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
In this case the generated DNS TXT record for both domains is the same.
Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
@ -322,7 +327,7 @@ storage = "traefik/acme/account"
Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved.
For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul.
## Fallbacks
## Fallback
If Let's Encrypt is not reachable, the following certificates will apply:

150
docs/content/https-tls/ref-acme.toml Normal file
View file

@ -0,0 +1,150 @@
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]
# Email address used for registration.
#
# Required
#
email = "test@traefik.io"
# File used for certificates storage.
#
# Optional (Deprecated)
#
#storageFile = "acme.json"
# File or key used for certificates storage.
#
# Required
#
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
# Deprecated, replaced by [acme.dnsChallenge].
#
# Optional.
#
# dnsProvider = "digitalocean"
# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
#
# Optional
# Default: 0
#
# delayDontCheckDNS = 0
# If true, display debug log messages from the acme client library.
#
# Optional
# Default: false
#
# acmeLogging = true
# If true, override certificates in key-value store when using storeconfig.
#
# Optional
# Default: false
#
# overrideCertificates = true
# Deprecated. Enable on demand certificate generation.
#
# Optional
# Default: false
#
# onDemand = true
# Enable certificate generation on frontends host rules.
#
# Optional
# Default: false
#
# onHostRule = true
# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
# KeyType = "RSA4096"
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
[acme.tlsChallenge]
# Use a HTTP-01 ACME challenge.
#
# Optional
#
# [acme.httpChallenge]
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
# entryPoint = "http"
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
# [acme.dnsChallenge]
# DNS provider used.
#
# Required
#
# provider = "digitalocean"
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
# delayBeforeCheck = 0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
# resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
# disablePropagationCheck = true
# Domains list.
# Only domains defined here can generate wildcard certificates.
# The certificates for these domains are negotiated at traefik startup only.
#
# [[acme.domains]]
# main = "local1.com"
# sans = ["test1.local1.com", "test2.local1.com"]
# [[acme.domains]]
# main = "local2.com"
# [[acme.domains]]
# main = "*.local3.com"
# sans = ["local3.com", "test1.test1.local3.com"]

23
docs/content/middlewares/addprefix.md
View file

@ -12,17 +12,30 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
```yaml tab="Docker"
# Prefixing with /foo
labels:
- "traefik.http.middlewares.add-bar.addprefix.prefix=/foo"
- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
```
```yaml tab="Kubernetes"
# Prefixing with /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: addprefix
name: add-foo
spec:
addprefix:
prefix: /bar
addPrefix:
prefix: /foo
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
}
```
```yaml tab="Rancher"
# Prefixing with /foo
labels:
- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
```
```toml tab="File"
@ -34,6 +47,6 @@ spec:
## Configuration Options
### prefix
### `prefix`
`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).

69
docs/content/middlewares/basicauth.md
View file

@ -12,15 +12,42 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
```yaml tab="Docker"
# Declaring the user list
labels:
- "traefik.http.middlewares.declared-users-only.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="Kubernetes"
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
}
```
```yaml tab="Rancher"
# Declaring the user list
labels:
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicauth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
## Configuration Options
@ -33,7 +60,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
Use `htpasswd` to generate the passwords.
### users
### `users`
The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
@ -41,7 +68,7 @@ The `users` option is an array of authorized users. Each user will be declared u
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### usersFile
### `usersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -58,22 +85,36 @@ The file content is a list of `name:encoded-password`.
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### realm
### `realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### headerField
### `headerField`
You can customize the header field for the authenticated user using the `headerField`option.
??? example "File -- Passing Authenticated Users to Services Via Headers"
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
```
```toml
[http.middlewares.my-auth.basicauth]
usersFile = "path-to-file.ext"
headerField = "X-WebAuth-User" # header for the authenticated user
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
basicAuth:
# ...
headerField: X-WebAuth-User
```
### removeHeader
```toml tab="File"
[http.middlewares.my-auth.basicauth]
# ...
headerField = "X-WebAuth-User"
```
### `removeHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

37
docs/content/middlewares/buffering.md
View file

@ -16,39 +16,62 @@ This can help services deal with large data (multipart/form-data for example), a
```yaml tab="Docker"
# Sets the maximum request body to 2Mb
labels:
- "traefik.http.middlewares.2Mb-memory.buffering.maxRequestBodyBytes=250000",
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
```
```yaml tab="Kubernetes"
# Sets the maximum request body to 2Mb
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: limit
spec:
buffering:
maxRequestBodyBytes: 250000
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "250000"
}
```
```yaml tab="Rancher"
# Sets the maximum request body to 2Mb
labels:
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
```
```toml tab="File"
# Sets the maximum request body to 2Mb
[http.middlewares]
[http.middlewares.2Mb-limit.buffering]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 250000
```
## Configuration Options
### maxRequestBodyBytes
### `maxRequestBodyBytes`
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
### memRequestBodyBytes
### `memRequestBodyBytes`
You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
### maxResponseBodyBytes
### `maxResponseBodyBytes`
With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
### memResponseBodyBytes
### `memResponseBodyBytes`
You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
### retryExpression
### `retryExpression`
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.

156
docs/content/middlewares/chain.md
View file

@ -1,6 +1,6 @@
# Chain
When One Isn't Enougth
When One Isn't Enough
{: .subtitle }
![Chain](../assets/img/middleware/chain.png)
@ -10,31 +10,129 @@ It makes reusing the same groups easier.
## Configuration Example
??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
```toml
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host: mydomain"
[http.middlewares]
[http.middlewares.secured.Chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.SchemeRedirect]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
Weight = 1
```
Example "A Chain for WhiteList, BasicAuth, and HTTPS"
```yaml tab="Docker"
labels:
- "traefik.http.routers.router1.service=service1"
- "traefik.http.routers.router1.middlewares=secured"
- "traefik.http.routers.router1.rule=Host(`mydomain`)"
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: test
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`mydomain`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: secured
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: secured
spec:
chain:
middlewares:
- https-only
- known-ips
- auth-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: auth-users
spec:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https-only
spec:
schemeRedirect:
scheme: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: known-ips
spec:
ipWhiteList:
sourceRange:
- 192.168.1.7
- 127.0.0.1/32
```
```json tab="Marathon"
"labels": {
"traefik.http.routers.router1.service": "service1",
"traefik.http.routers.router1.middlewares": "secured",
"traefik.http.routers.router1.rule": "Host(`mydomain`)",
"traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"traefik.http.middlewares.https-only.schemeredirect.scheme": "https",
"traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
"http.services.service1.loadbalancer.server.port": "80"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.routers.router1.service=service1"
- "traefik.http.routers.router1.middlewares=secured"
- "traefik.http.routers.router1.rule=Host(`mydomain`)"
- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
```
```toml tab="File"
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host(`mydomain`)"
[http.middlewares]
[http.middlewares.secured.Chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.SchemeRedirect]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]
[http.services.service1]
[http.services.service1.LoadBalancer]
[[http.services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
Weight = 1
```

48
docs/content/middlewares/circuitbreaker.md
View file

@ -29,10 +29,33 @@ labels:
- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
```
```yaml tab="Kubernetes"
# Latency Check
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: latency-check
spec:
circuitBreaker:
expression: LatencyAtQuantileMS(50.0) > 100
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
}
```
```yaml tab="Rancher"
# Latency Check
labels:
- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
```
```toml tab="File"
# Latency Check
[http.middlewares]
[http.middlewares.latency-check.circuitbreaker]
[http.middlewares.latency-check.circuitBreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
```
@ -52,11 +75,14 @@ At specified intervals (`checkPeriod`), it will evaluate `expression` to decide
### Open
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
After this duration, it will enter the recovering state.
### Recovering
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
If your service fails during recovery, the circuit breaker becomes open again.
If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
## Configuration Options
@ -70,11 +96,11 @@ The `expression` can check three different metrics:
- The status code ratio (`ResponseCodeRatio`)
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
#### NetworkErrorRatio
#### `NetworkErrorRatio`
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
#### ResponseCodeRatio
#### `ResponseCodeRatio`
You can trigger the circuit breaker based on the ratio of a given range of status codes.
@ -89,11 +115,11 @@ The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
#### LatencyAtQuantileMS
#### `LatencyAtQuantileMS`
You can trigger the circuit breaker when a given proportion of your requests become too slow.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
!!! Note
@ -106,7 +132,7 @@ You can combine multiple metrics using operators in your expression.
Supported operators are:
- AND (`&&`)
- OR (`||)
- OR (`||`)
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
@ -126,15 +152,15 @@ Here is the list of supported operators:
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured.
### CheckPeriod
### `CheckPeriod`
The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
### FallbackDuration
### `FallbackDuration`
By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
### RecoveringDuration
### `RecoveringDuration`
The duration of the recovering mode (recovering state).

14
docs/content/middlewares/compress.md
View file

@ -12,7 +12,19 @@ The Compress middleware enables the gzip compression.
```yaml tab="Docker"
# Enable gzip compression
labels:
- "traefik.http.middlewares.test-compress.compress=true",
- "traefik.http.middlewares.test-compress.compress=true"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-compress.compress": "true"
}
```
```yaml tab="Rancher"
# Enable gzip compression
labels:
- "traefik.http.middlewares.test-compress.compress=true"
```
```toml tab="File"

77
docs/content/middlewares/digestauth.md
View file

@ -11,14 +11,40 @@ The DigestAuth middleware is a quick way to restrict access to your services to
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext",
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```yaml tab="Kubernetes"
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
users:
- test:traefik:a2688e031edb4be6a3797f3882655c05
- test2:traefik:518845800f9e2bfb1f1f740ec24f074e
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```toml tab="File"
[http.middlewares]
[http.middlewares.test-auth.digestauth]
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
```
!!! tip
@ -27,7 +53,7 @@ labels:
## Configuration Options
### Users
### `Users`
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
@ -35,7 +61,7 @@ The `users` option is an array of authorized users. Each user will be declared u
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### UsersFile
### `UsersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -52,22 +78,43 @@ The file content is a list of `name:realm:encoded-password`.
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### Realm
### `Realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### HeaderField
### `HeaderField`
You can customize the header field for the authenticated user using the `headerField`option.
??? example "File -- Passing Authenticated Users to Services Via Headers"
Example "File -- Passing Authenticated User to Services Via Headers"
```toml
[http.middlewares.my-auth.digestauth]
usersFile = "path-to-file.ext"
headerField = "X-WebAuth-User" # header for the authenticated user
```
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
```
### RemoveHeader
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
digestAuth:
# ...
headerField: X-WebAuth-User
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
```
```toml tab="File"
[http.middlewares.my-auth.digestAuth]
# ...
headerField = "X-WebAuth-User"
```
### `RemoveHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

54
docs/content/middlewares/errorpages.md
View file

@ -15,24 +15,48 @@ The ErrorPage middleware returns a custom page in lieu of the default, according
```yaml tab="Docker"
# Dynamic Custom Error Page for 5XX Status Code
labels:
- "traefik.http.middlewares.test-errorpage.errors.status=500-599",
- "traefik.http.middlewares.test-errorpage.errors.service=serviceError",
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html",
- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-errorpage
spec:
errors:
status:
- 500-599
service: serviceError
query: /{status}.html
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-errorpage.errors.status": "500-599",
"traefik.http.middlewares.test-errorpage.errors.service": "serviceError",
"traefik.http.middlewares.test-errorpage.errors.query": "/{status}.html"
}
```
```yaml tab="Rancher"
# Dynamic Custom Error Page for 5XX Status Code
labels:
- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
```
```toml tab="File"
# Custom Error Page for 5XX
[http.routers]
[http.routers.router1]
Service = "my-service"
Rule = Host(`my-domain`)
[http.middlewares]
[http.middlewares.5XX-errors.Errors]
[http.middlewares.test-errorpage.Errors]
status = ["500-599"]
service = "error-handler-service"
query = "/error.html"
service = "serviceError"
query = "/{status}.html"
[http.services]
# ... definition of error-handler-service and my-service
```
@ -42,7 +66,7 @@ labels:
## Configuration Options
### status
### `status`
The `status` that will trigger the error page.
@ -52,10 +76,10 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet
You can define either a status code like `500` or ranges with a syntax like `500-599`.
### service
### `service`
The service that will serve the new requested error page.
### query
### `query`
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.

83
docs/content/middlewares/forwardauth.md
View file

@ -11,21 +11,6 @@ Otherwise, the response from the authentication server is returned.
## Configuration Examples
```toml tab="File"
# Forward authentication to authserver.com
[http.middlewares]
[http.middlewares.test-auth.forwardauth]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User", "X-Secret"]
[http.middlewares.test-auth.forwardauth.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```yaml tab="Docker"
# Forward authentication to authserver.com
labels:
@ -39,20 +24,80 @@ labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
address: https://authserver.com/auth
trustForwardHeader: true
authResponseHeaders:
- X-Auth-User
- X-Secret
tls:
ca: path/to/local.crt
caOptional: true
cert: path/to/foo.cert
key: path/to/foo.key
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-auth.ForwardAuth.Address": "https://authserver.com/auth",
"traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders": "X-Auth-User,X-Secret",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA": "path/to/local.crt",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional": "true",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert": "path/to/foo.cert",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify": "true",
"traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key": "path/to/foo.key",
"traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader": "true"
}
```
```yaml tab="Rancher"
# Forward authentication to authserver.com
labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
```
```toml tab="File"
# Forward authentication to authserver.com
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User", "X-Secret"]
[http.middlewares.test-auth.forwardauth.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
## Configuration Options
### address
### `address`
The `address` option defines the authentication server address.
### trustForwardHeader
### `trustForwardHeader`
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
### authResponseHeaders
### `authResponseHeaders`
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
### tls
### `tls`
The `tls` option is the tls configuration from Traefik to the authentication server.

247
docs/content/middlewares/headers.md
View file

@ -14,11 +14,35 @@ The Headers middleware can manage the requests/responses headers.
Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
```yaml tab="Docker"
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
spec:
headers:
CustomRequestHeaders:
X-Script-Name: "test"
CustomResponseHeaders:
X-Custom-Response-Header: "True"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
"traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header": "True"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
```
```toml tab="File"
@ -32,53 +56,122 @@ labels:
### Adding and Removing Headers
`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
and the `X-Custom-Response-Header` header removed from the response.
??? example "File"
Please note that is not possible to remove headers through the use of Docker labels for now.
```toml
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.CustomRequestHeaders]
X-Script-Name = "test"
[http.middlewares.testHeader.headers.CustomResponseHeaders]
X-Custom-Response-Header = "True"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
spec:
headers:
CustomRequestHeaders:
X-Script-Name: "test" # Adds
X-Custom-Request-Header: "" # Removes
CustomResponseHeaders:
X-Custom-Response-Header: "" # Removes
```
??? example "Docker"
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
```
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
```
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.CustomRequestHeaders]
X-Script-Name = "test" # Adds
X-Custom-Request-Header = "" # Removes
[http.middlewares.testHeader.headers.CustomResponseHeaders]
X-Custom-Response-Header = "" # Removes
```
### Using Security Headers
Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
This functionality allows for some easy security features to quickly be set.
??? example "File"
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
- "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
```
```toml
[http.middlewares]
[http.middlewares.testHeader.headers]
FrameDeny = true
SSLRedirect = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
spec:
headers:
FrameDeny: "true"
SSLRedirect: "true"
```
??? example "Docker"
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
- "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
```
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
FrameDeny = true
SSLRedirect = true
```
### CORS Headers
CORS (Cross-Origin Resource Sharing) headers can be added and configured per frontend in a similar manner to the custom headers above.
This functionality allows for more advanced security features to quickly be set.
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
- "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
- "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
spec:
headers:
AccessControlAllowMethods:
- "GET"
- "OPTIONS"
- "PUT"
AccessControlAllowOrigin: "origin-list-or-null"
AccessControlMaxAge: 100
AddVaryHeader: "true"
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
- "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
- "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
```
```toml tab="File"
[http.middlewares]
[http.middlewares.testHeader.headers]
AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
AccessControlAllowOrigin = "origin-list-or-null"
AccessControlMaxAge = 100
AddVaryHeader = true
```
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testHeader.Headers.FrameDeny=true",
- "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true",
```
## Configuration Options
### General
@ -89,87 +182,123 @@ This functionality allows for some easy security features to quickly be set.
!!! note
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
### customRequestHeaders
### `customRequestHeaders`
The `customRequestHeaders` option lists the Header names and values to apply to the request.
### allowedHosts
### `customResponseHeaders`
The `customResponseHeaders` option lists the Header names and values to apply to the response.
### `accessControlAllowCredentials`
The `accessControlAllowCredentials` indicates whether the request can include user credentials.
### `accessControlAllowHeaders`
The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
### `accessControlAllowMethods`
The `accessControlAllowMethods` indicates which methods can be used during requests.
### `accessControlAllowOrigin`
The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
- `origin-list-or-null`
- `*`
- `null`
### `accessControlExposeHeaders`
The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
### `accessControlMaxAge`
The `accessControlMaxAge` indicates how long a preflight request can be cached.
### `addVaryHeader`
The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
### `allowedHosts`
The `allowedHosts` option lists fully qualified domain names that are allowed.
### hostsProxyHeaders
### `hostsProxyHeaders`
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
### sslRedirect
### `sslRedirect`
The `sslRedirect` is set to true, then only allow https requests.
### sslTemporaryRedirect
### `sslTemporaryRedirect`
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
### sslHost
### `sslHost`
The `SSLHost` option is the host name that is used to redirect http requests to https.
### sslProxyHeaders
### `sslProxyHeaders`
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
### sslForceHost
### `sslForceHost`
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
### stsSeconds
### `stsSeconds`
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
### stsIncludeSubdomains
### `stsIncludeSubdomains`
The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
### stsPreload
### `stsPreload`
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
### forceSTSHeader
### `forceSTSHeader`
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
### frameDeny
### `frameDeny`
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
### customFrameOptionsValue
### `customFrameOptionsValue`
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
### contentTypeNosniff
### `contentTypeNosniff`
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
### browserXssFilter
### `browserXssFilter`
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
### customBrowserXSSValue
### `customBrowserXSSValue`
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
### contentSecurityPolicy
### `contentSecurityPolicy`
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
### publicKey
### `publicKey`
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
### referrerPolicy
### `referrerPolicy`
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
### isDevelopment
### `isDevelopment`
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.

128
docs/content/middlewares/ipwhitelist.md
View file

@ -12,7 +12,31 @@ IPWhitelist accepts / refuses requests based on the client IP.
```yaml tab="Docker"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File"
@ -24,19 +48,19 @@ labels:
## Configuration Options
### sourceRange
### `sourceRange`
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
### ipStrategy
### `ipStrategy`
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
#### ipStrategy.depth
#### `ipStrategy.depth`
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
!!! note "Examples of Depth & X-Forwaded-For"
!!! note "Examples of Depth & X-Forwarded-For"
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
@ -47,10 +71,38 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
```toml
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testIPwhitelist
spec:
ipWhiteList:
SourceRange:
- 127.0.0.1/32
- 192.168.1.7
ipstrategy:
depth: 2
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```toml tab="File"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
@ -58,26 +110,16 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
depth = 2
```
??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
!!! note
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is is lesser than or equal to 0.
#### ipStrategy.excludedIPs
#### `ipStrategy.excludedIPs`
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
!!! note "Examples of ExcludedIPs & X-Forwaded-For"
!!! note "Examples of ExcludedIPs & X-Forwarded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
@ -90,20 +132,36 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
!!! important
If `depth` is specified, `excludedIPs` is ignored.
??? example "File -- Exclude from `X-Forwarded-For`"
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```
```toml
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="Kubernetes"
# Exclude from `X-Forwarded-For`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
ipstrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
```
??? example "Docker -- Exclude from `X-Forwarded-For`"
```yaml tab="Rancher"
# Exclude from `X-Forwarded-For`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

24
docs/content/middlewares/maxconnection.md
View file

@ -15,6 +15,28 @@ labels:
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: addprefix
spec:
addPrefix:
prefix: /bar
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-maxconn.maxconn.amount": "10"
}
```
```yaml tab="Rancher"
# Limiting to 10 simultaneous connections
labels:
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
```
```toml tab="File"
# Limiting to 10 simultaneous connections
[http.middlewares]
@ -24,7 +46,7 @@ labels:
## Configuration Options
### amount
### `amount`
The `amount` option defines the maximum amount of allowed simultaneous connections.
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).

18
docs/content/middlewares/overview.md
View file

@ -18,7 +18,7 @@ Pieces of middleware can be combined in chains to fit every scenario.
whoami:
image: containous/whoami # A container that exposes an API to show its IP address
labels:
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo",
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
```
```yaml tab="Kubernetes"
@ -55,10 +55,22 @@ spec:
# more fields...
routes:
# more fields...
middleware:
middlewares:
- name: stripprefix
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
```
```toml tab="File"
# As Toml Configuration File
[providers]
@ -111,7 +123,7 @@ If you use multiple `providers` and wish to reference a middleware declared in a
labels:
# Attach file.add-foo-prefix middleware (declared in file)
- "traefik.http.routers.middlewares=file.add-foo-prefix",
- "traefik.http.routers.middlewares=file.add-foo-prefix"
```
## Available Middlewares

143
docs/content/middlewares/passtlsclientcert.md
View file

@ -1,4 +1,4 @@
# TODO - PassTLSClientCert
# PassTLSClientCert
Adding Client Certificates in a Header
{: .subtitle }
@ -14,7 +14,29 @@ Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
```yaml tab="Docker"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
labels:
- "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: addprefix
spec:
passtlsclientcert:
pem: true
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
}
```
```yaml tab="Rancher"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
labels:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
```
```toml tab="File"
@ -48,6 +70,58 @@ labels:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
```yaml tab="Kubernetes"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-passtlsclientcert
spec:
passtlsclientcert:
info:
notAfter: true
notBefore: true
sans: true
subject:
country: true
province: true
locality: true
organization: true
commonName: true
serialNumber: true
domainComponent: true
issuer:
country: true
province: true
locality: true
organization: true
commonName: true
serialNumber: true
domainComponent: true
```
```yaml tab="Rancher"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
labels:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
```toml tab="File"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
@ -80,8 +154,8 @@ labels:
PassTLSClientCert can add two headers to the request:
* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
!!! note
The headers are filled with escaped string so it can be safely placed inside a URL query.
@ -192,9 +266,10 @@ In the following example, you can see a complete certificate. We will use each p
-----END CERTIFICATE-----
```
### pem
### `pem`
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
??? example "The data used by the pem option"
@ -243,10 +318,16 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
The delimiters and `\n` will be removed.
If there are more than one certificate, they are separated by a "`;`".
### info
!!! note "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
The header size limit of web servers is commonly between 4kb and 8kb.
You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
### `info`
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The value of the header will be an escaped concatenation of all the selected certificate details.
The following example shows an unescaped result that uses all the available fields:
```text
@ -257,9 +338,10 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
If there are more than one certificate, they are separated by a `;`.
#### info.notafter
#### `info.notafter`
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
The data are taken from the following certificate part:
```text
@ -273,7 +355,7 @@ The escape `notafter` info part will be like:
NA=1607166616
```
#### info.notbefore
#### `info.notbefore`
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
@ -290,9 +372,10 @@ The escape `notafter` info part will be like:
NB=1544094616
```
#### info.sans
#### `info.sans`
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
The data are taken from the following certificate part:
```text
@ -310,7 +393,7 @@ SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.
All the SANs data are separated by a `,`.
#### info.subject
#### `info.subject`
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@ -320,7 +403,7 @@ The data are taken from the following certificate part :
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
```
##### info.subject.country
##### `info.subject.country`
Set the `info.subject.country` option to true to add the `country` information into the subject.
The data are taken from the subject part with the `C` key.
@ -330,7 +413,7 @@ The escape country info in the subject part will be like :
C=FR,C=US
```
##### info.subject.province
##### `info.subject.province`
Set the `info.subject.province` option to true to add the `province` information into the subject.
@ -342,7 +425,7 @@ The escape province info in the subject part will be like :
ST=Cheese org state,ST=Cheese com state
```
##### info.subject.locality
##### `info.subject.locality`
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
@ -354,7 +437,7 @@ The escape locality info in the subject part will be like :
L=TOULOUSE,L=LYON
```
##### info.subject.organization
##### `info.subject.organization`
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
@ -366,31 +449,31 @@ The escape organization info in the subject part will be like :
O=Cheese,O=Cheese 2
```
##### info.subject.commonname
##### `info.subject.commonname`
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
The data are taken from the subject part with the `CN` key.
The escape commonname info in the subject part will be like :
The escape common name info in the subject part will be like :
```text
CN=*.cheese.com
```
##### info.subject.serialnumber
##### `info.subject.serialnumber`
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
The data are taken from the subject part with the `SN` key.
The escape serialnumber info in the subject part will be like :
The escape serial number info in the subject part will be like :
```text
SN=1234567890
```
##### info.subject.domaincomponent
##### `info.subject.domaincomponent`
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
@ -402,7 +485,7 @@ The escape domaincomponent info in the subject part will be like :
DC=org,DC=cheese
```
#### info.issuer
#### `info.issuer`
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@ -412,7 +495,7 @@ The data are taken from the following certificate part :
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
```
##### info.issuer.country
##### `info.issuer.country`
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
The data are taken from the issuer part with the `C` key.
@ -422,7 +505,7 @@ The escape country info in the issuer part will be like :
C=FR,C=US
```
##### info.issuer.province
##### `info.issuer.province`
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
@ -434,7 +517,7 @@ The escape province info in the issuer part will be like :
ST=Signing State,ST=Signing State 2
```
##### info.issuer.locality
##### `info.issuer.locality`
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
@ -446,7 +529,7 @@ The escape locality info in the issuer part will be like :
L=TOULOUSE,L=LYON
```
##### info.issuer.organization
##### `info.issuer.organization`
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
@ -458,37 +541,37 @@ The escape organization info in the issuer part will be like :
O=Cheese,O=Cheese 2
```
##### info.issuer.commonname
##### `info.issuer.commonname`
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
The data are taken from the issuer part with the `CN` key.
The escape commonname info in the issuer part will be like :
The escape common name info in the issuer part will be like :
```text
CN=Simple Signing CA 2
```
##### info.issuer.serialnumber
##### `info.issuer.serialnumber`
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
The data are taken from the issuer part with the `SN` key.
The escape serialnumber info in the issuer part will be like :
The escape serial number info in the issuer part will be like :
```text
SN=1234567890
```
##### info.issuer.domaincomponent
##### `info.issuer.domaincomponent`
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
The data are taken from the issuer part with the `DC` key.
The escape domaincomponent info in the issuer part will be like :
The escape domain component info in the issuer part will be like :
```text
DC=org,DC=cheese

115
docs/content/middlewares/ratelimit.md
View file

@ -1,4 +1,4 @@
# TODO -- RateLimit
# RateLimit
Protection from Too Many Calls
{: .subtitle }
@ -9,42 +9,87 @@ The RateLimit middleware ensures that services will receive a _fair_ number of r
## Configuration Example
??? example "Limit to 100 requests every 10 seconds (with a possible burst of 200)"
```toml
[http.middlewares]
[http.middlewares.fair-ratelimit.ratelimit]
extractorfunc = "client.ip"
[http.middlewares.fair-ratelimit.ratelimit.rateset1]
period = "10s"
average = 100
burst = 200
```
```yaml tab="Docker"
# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
# These can "burst" up to 10 and 200 in each period, respectively.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc=client.ip"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period=10s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst=200"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period=3s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average=5"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst=10"
```
??? example "Combine multiple limits"
```yaml tab="Kubernetes"
# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
# These can "burst" up to 10 and 200 in each period, respectively.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
extractorfunc = "client.ip"
rate0:
period = "10s"
average = 100
burst = 200
rate1:
period = "3s"
average = 5
burst = 10
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc": "client.ip",
"traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period": "10s",
"traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average": "100",
"traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst": "200",
"traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period": "3s",
"traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average": "5",
"traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst": "10"
}
```
```yaml tab="Rancher"
# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
# These can "burst" up to 10 and 200 in each period, respectively.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc=client.ip"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period=10s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst=200"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period=3s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average=5"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst=10"
```
```toml tab="File"
# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
# These can "burst" up to 10 and 200 in each period, respectively.
[http.middlewares]
[http.middlewares.test-ratelimit.ratelimit]
extractorfunc = "client.ip"
```toml
[http.middlewares]
[http.middlewares.fair-ratelimit.ratelimit]
extractorfunc = "client.ip"
[http.middlewares.test-ratelimit.ratelimit.rate0]
period = "10s"
average = 100
burst = 200
[http.middlewares.fair-ratelimit.ratelimit.rateset1]
period = "10s"
average = 100
burst = 200
[http.middlewares.fair-ratelimit.ratelimit.rateset2]
period = "3s"
average = 5
burst = 10
```
Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can "burst" up to 10 and 200 in each period, respectively.
[http.middlewares.test-ratelimit.ratelimit.rate1]
period = "3s"
average = 5
burst = 10
```
## Configuration Options
### extractorfunc
### `extractorfunc`
The `extractorfunc` option defines the strategy used to categorize requests.
@ -54,12 +99,12 @@ The possible values are:
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
### ratelimit (multiple values)
### `ratelimit`
You can combine multiple ratelimit.
The ratelimit will trigger with the first reached limit.
You can combine multiple rate limits.
The rate limit will trigger with the first reached limit.
Each ratelimit has 3 options, `period`, `average`, and `burst`.
Each rate limit has 3 options, `period`, `average`, and `burst`.
The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.

62
docs/content/middlewares/redirectregex.md
View file

@ -1,4 +1,4 @@
# TODO - RedirectRegex
# RedirectRegex
Redirecting the Client to a Different Location
{: .subtitle }
@ -9,34 +9,56 @@ RegexRedirect redirect a request from an url to another with regex matching and
## Configuration Examples
??? example "File -- Redirect with domain replacement"
```yaml tab="Docker"
# Redirect with domain replacement
labels:
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
```
```toml
[http.middlewares]
[http.middlewares.test-redirectregex.redirectregex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
```yaml tab="Kubernetes"
# Redirect with domain replacement
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-redirectregex
spec:
redirectRegex:
regex: ^http://localhost/(.*)
replacement: http://mydomain/$1
```
??? example "Docker -- Redirect with domain replacement"
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
"traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/$1"
}
```
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
```
```yaml tab="Rancher"
# Redirect with domain replacement
labels:
- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
```
```toml tab="File"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-redirectregex.redirectregex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
## Configuration Options
### permanent
### `permanent`
Set the `permanent` option to `true` to apply a permanent redirection.
### regex
### `regex`
The `Regex` option is the regular expression to match and capture elements form the request URL.
The `Regex` option is the regular expression to match and capture elements from the request URL.
!!! warning
@ -46,7 +68,7 @@ The `Regex` option is the regular expression to match and capture elements form
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### replacement
### `replacement`
The `replacement` option defines how to modify the URl to have the new target URL.

53
docs/content/middlewares/redirectscheme.md
View file

@ -1,4 +1,4 @@
# TODO - RedirectScheme
# RedirectScheme
Redirecting the Client to a Different Scheme/Port
{: .subtitle }
@ -9,33 +9,52 @@ RegexRedirect redirect request from a scheme to another.
## Configuration Examples
??? example "File -- Redirect to https"
```yaml tab="Docker"
# Redirect to https
labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
```toml
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectscheme]
scheme = "https"
```
```yaml tab="Kubernetes"
# Redirect to https
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-redirectscheme
spec:
redirectScheme:
scheme: https
```
??? example "Docker -- Redirect to https"
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
}
```
```yml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
```yaml tab="Rancher"
# Redirect to https
labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
```toml tab="File"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectscheme]
scheme = "https"
```
## Configuration Options
### permanent
### `permanent`
Set the `permanent` option to `true` to apply a permanent redirection.
### scheme
### `scheme`
The `scheme` option defines the scheme of the new url.
### port
### `port`
The `port` option defines the port of the new url.

55
docs/content/middlewares/replacepath.md
View file

@ -1,4 +1,4 @@
# TODO -- ReplacePath
# ReplacePath
Updating the Path Before Forwarding the Request
{: .subtitle }
@ -9,32 +9,51 @@ Replace the path of the request url.
## Configuration Examples
??? example "File -- Replace the path by /foo"
```yaml tab="Docker"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
```toml
[http.middlewares]
[http.middlewares.test-replacepath.ReplacePath]
path = "/foo"
```
```yaml tab="Kubernetes"
# Replace the path by /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-replacepath
spec:
replacePath:
path: /foo
```
??? example "Docker --Replace the path by /foo"
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
}
```
```yaml tab="Rancher"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
```toml tab="File"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-replacepath.ReplacePath]
path = "/foo"
```
```yaml
a-container:
image: a-container-image
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
## Configuration Options
### General
The ReplacePath middleware will:
* replace the actual path by the specified one.
* store the original path in a `X-Replaced-Path` header.
- replace the actual path by the specified one.
- store the original path in a `X-Replaced-Path` header.
### path
### `path`
The `path` option defines the path to use as replacement in the request url.

76
docs/content/middlewares/replacepathregex.md
View file

@ -1,4 +1,76 @@
# TODO -- ReplacePathRegex
# ReplacePathRegex
Updating the Path Before Forwarding the Request (Using a Regex)
{: .subtitle }
{: .subtitle }
`TODO: add schema`
The ReplaceRegex replace a path from an url to another with regex matching and replacement.
## Configuration Examples
```yaml tab="Docker"
# Replace path with regex
labels:
- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
```
```yaml tab="Kubernetes"
# Replace path with regex
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-replacepathregex
spec:
replacePathRegex:
regex: ^/foo/(.*)
replacement: /bar/$1
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
"traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
}
```
```yaml tab="Rancher"
# Replace path with regex
labels:
- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
```
```toml tab="File"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-replacepathregex.replacePathRegex]
regex = "^/foo/(.*)"
replacement = "/bar/$1"
```
## Configuration Options
### General
The ReplacePathRegex middleware will:
- replace the matching path by the specified one.
- store the original path in a `X-Replaced-Path` header.
### `regex`
The `Regex` option is the regular expression to match and capture the path from the request URL.
!!! warning
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
!!! tip
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### `replacement`
The `replacement` option defines how to modify the path to have the new target path.

58
docs/content/middlewares/retry.md
View file

@ -1,20 +1,54 @@
# TODO -- Retry
# Retry
Retrying until it Succeeds
{: .subtitle }
## Old Content
`TODO: add schema`
## Retry Configuration
Retry to send request on attempt failure.
```toml
# Enable retry sending request if network error
[retry]
## Configuration Examples
# Number of attempts
#
# Optional
# Default: (number servers in backend) -1
#
# attempts = 3
```yaml tab="Docker"
# Retry to send request 4 times
labels:
- "traefik.http.middlewares.test-retry.retry.attempts=4"
```
```yaml tab="Kubernetes"
# Retry to send request 4 times
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-retry
spec:
retry:
attempts: 4
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-retry.retry.attempts": "4"
}
```
```yaml tab="Rancher"
# Retry to send request 4 times
labels:
- "traefik.http.middlewares.test-retry.retry.attempts=4"
```
```toml tab="File"
# Retry to send request 4 times
[http.middlewares]
[http.middlewares.test-retry.Retry]
attempts = 4
```
## Configuration Options
### `attempts`
_mandatory_
The `attempts` option defines how many times to try sending the request.

73
docs/content/middlewares/stripprefix.md
View file

@ -1,13 +1,72 @@
# TODO -- StripPrefix
# StripPrefix
Removing Prefixes From the Path Before Forwarding the Request
{: .subtitle }
## OldContent
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
`TODO: add schema`
Remove the specified prefixes from the URL path.
## Configuration Examples
```yaml tab="Docker"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=foobar, fiibar"
```
```yaml tab="Kubernetes"
# Replace the path by /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-stripprefix
spec:
StripPrefix:
prefixes: "foobar, fiibar"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "foobar, fiibar"
}
```
```yaml tab="Rancher"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=foobar, fiibar"
```
```toml tab="File"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-stripprefix.StripPrefix]
prefixes: "foobar, fiibar"
```
## Configuration Options
### General
The StripPrefix middleware will:
- strip the matching path prefix.
- store the matching path prefix in a `X-Forwarded-Prefix` header.
!!! tip
Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
### `prefixes`
The `prefixes` option defines the prefixes to strip from the request URL.
For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.

74
docs/content/middlewares/stripprefixregex.md
View file

@ -1,13 +1,77 @@
# TODO -- StripPrefix
# StripPrefix
Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
{: .subtitle }
## OldContent
`TODO: add schema`
Remove the matching prefixes from the URL path.
## Configuration Examples
```yaml tab="Docker"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=^/foo/(.*)",
```
```yaml tab="Kubernetes"
# Replace the path by /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-stripprefixregex
spec:
StripPrefixRegex:
regex: "^/foo/(.*)"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "^/foo/(.*)"
}
```
```yaml tab="Rancher"
# Replace the path by /foo
labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=^/foo/(.*)",
```
```toml tab="File"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-stripprefixregex.StripPrefixRegex]
regex: "^/foo/(.*)"
```
## Configuration Options
### General
The StripPrefixRegex middleware will:
- strip the matching path prefix.
- store the matching path prefix in a `X-Forwarded-Prefix` header.
!!! tip
Use a `StripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
### `regex`
The `regex` option is the regular expression to match the path prefix from the request URL.
!!! tip
Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.

4
docs/content/observability/logs.md
View file

@ -37,9 +37,9 @@ You can configure a file path instead using the `filePath` option.
By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
#### logLevel
#### log level
By default, the `logLevel` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`.
By default, the `level` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`.
## Log Rotation

2
docs/content/observability/tracing.md
View file

@ -7,7 +7,7 @@ The tracing system allows developers to visualize call flows in their infrastruc
Traefik uses OpenTracing, an open standard designed for distributed tracing.
Traefik supports three tracing backends: Jaeger, Zipkin, DataDog, and Instana.
Traefik supports four tracing backends: Jaeger, Zipkin, DataDog, and Instana.
## Configuration Reference

6
docs/content/operations/ping.md
View file

@ -14,11 +14,11 @@ Checking the Health of Your Traefik Instances
??? example "Enabling /ping on a dedicated EntryPoint"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.ping]
[entryPoints.ping]
address = ":8082"
[ping]

57
docs/content/providers/docker.md
View file

@ -63,9 +63,9 @@ Attach labels to your containers and let Traefik do the rest!
## Provider Configuration Options
!!! tip "Browse the Reference"
If you're in a hurry, maybe you'd rather go through the [Docker Reference](../reference/providers/docker.md).
If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/docker.md) configuration references.
### endpoint
### `endpoint`
Traefik requires access to the docker socket to get its dynamic configuration.
@ -140,7 +140,9 @@ Traefik requires access to the docker socket to get its dynamic configuration.
endpoint = "unix:///var/run/docker.sock"
```
### usebindportip (_Optional_, _Default=false_)
### `usebindportip`
_Optional, Default=false_
Traefik routes requests to the IP/Port of the matching container.
When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
@ -163,29 +165,42 @@ If it can't find such a binding, Traefik falls back on the internal network IP o
!!! note
In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."
### exposedByDefault (_Optional_, _Default=true_)
### `exposedByDefault`
_Optional, Default=true_
Expose containers by default through Traefik.
If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
### network (_Optional_)
### `network`
_Optional_
Defines a default docker network to use for connections to all containers.
This option can be overridden on a container basis with the `traefik.docker.network` label.
### domain (_Optional_, _Default=docker.localhost_)
### `defaultRule`
This is the default base domain used for the router rules.
_Optional, Default=Host(`{{ normalize .Name }}`)_
This option can be overridden on a container basis with the
`traefik.domain` label.
For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The container service name can be accessed as the Name identifier,
and the template has access to all the labels defined on this container.
### swarmMode (_Optional_, _Default=false_)
``defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"``
### `swarmMode`
_Optional, Default=false_
Activates the Swarm Mode.
### swarmModeRefreshSeconds (_Optional_, _Default=15_)
### `swarmModeRefreshSeconds`
_Optional, Default=15_
Defines the polling interval (in seconds) in Swarm Mode.
@ -195,11 +210,12 @@ Defines the polling interval (in seconds) in Swarm Mode.
Traefik creates, for each container, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
The Service automatically gets a server per instance of the container, and the router gets a default rule attached to it, based on the container name.
The Service automatically gets a server per instance of the container,
and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
### Routers
To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.http.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
Every [Router](../routing/routers/index.md) parameter can be updated this way.
@ -211,7 +227,7 @@ Every [Service](../routing/services/index.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.schemeredirect.scheme: https`.
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
??? example "Declaring and Referencing a Middleware"
@ -251,17 +267,17 @@ You can declare TCP Routers and/or Services using labels.
### Specific Options
#### traefik.enable
#### `traefik.enable`
You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
This option overrides the value of `exposedByDefault`.
#### traefik.tags
#### `traefik.tags`
Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
#### traefik.docker.network
#### `traefik.docker.network`
Overrides the default docker network to use for connections to the container.
@ -269,3 +285,10 @@ If a container is linked to several networks, be sure to set the proper network
!!! warning
When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.
#### `traefik.docker.lbswarm`
Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode).
If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.

12
docs/content/providers/file.md
View file

@ -28,7 +28,7 @@ You can write these configuration elements:
# Add the router
[http.routers]
[http.routers.router0]
entrypoints = ["web"]
entryPoints = ["web"]
middlewares = ["my-basic-auth"]
service = "service-foo"
rule = "Path(`foo`)"
@ -56,9 +56,9 @@ You can write these configuration elements:
## Provider Configuration Options
!!! tip "Browse the Reference"
If you're in a hurry, maybe you'd rather go through the [File Reference](../reference/providers/file.md).
### filename (_Optional_)
If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/file.md) configuration references.
### `filename` (_Optional_)
Defines the path of the configuration file.
@ -68,7 +68,7 @@ Defines the path of the configuration file.
filename = "rules.toml"
```
### directory (_Optional_)
### `directory` (_Optional_)
Defines the directory that contains the configuration files.
@ -78,7 +78,7 @@ Defines the directory that contains the configuration files.
directory = "/path/to/config"
```
### watch (_Optional_)
### `watch` (_Optional_)
Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.
It works with both the `filename` and the `directory` options.

142
docs/content/providers/kubernetes-crd.md
View file

@ -13,7 +13,133 @@ it would manage access to a cluster services by supporting the [Ingress](https:/
However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
## Traefik IngressRoute definition
## Provider Configuration
### `endpoint`
_Optional, Default=empty_
The Kubernetes server endpoint as URL.
When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are provided mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
```toml tab="File"
[Providers.KubernetesCRD]
endpoint = "http://localhost:8080"
# ...
```
```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.endpoint="http://localhost:8080"
```
### `token`
_Optional, Default=empty_
Bearer token used for the Kubernetes client configuration.
```toml tab="File"
[Providers.KubernetesCRD]
token = "mytoken"
# ...
```
```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.token="mytoken"
```
### `certAuthFilePath`
_Optional, Default=empty_
Path to the certificate authority file.
Used for the Kubernetes client configuration.
```toml tab="File"
[Providers.KubernetesCRD]
certAuthFilePath = "/my/ca.crt"
# ...
```
```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.certauthfilepath="/my/ca.crt"
```
### `namespaces`
_Optional, Default: all namespaces (empty array)_
Array of namespaces to watch.
```toml tab="File"
[Providers.KubernetesCRD]
namespaces = ["default", "production"]
# ...
```
```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.namespaces="default,production"
```
### `labelselector`
_Optional,Default: empty (process all Ingresses)_
By default, Traefik processes all Ingress objects in the configured namespaces.
A label selector can be defined to filter on specific Ingress objects only.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
```toml tab="File"
[Providers.KubernetesCRD]
labelselector = "A and not B"
# ...
```
```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.labelselector="A and not B"
```
### `ingressClass`
_Optional, Default: empty_
Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
```toml tab="File"
[Providers.KubernetesCRD]
ingressClass = "traefik-internal"
# ...
```
```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.ingressclass="traefik-internal"
```
## Resource Configuration
If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/dynamic-configuration/kubernetes-crd.md) configuration reference.
### Traefik IngressRoute definition
```yaml
--8<-- "content/providers/crd_ingress_route.yml"
@ -28,7 +154,7 @@ metadata:
name: ingressroutefoo.crd
spec:
entrypoints:
entryPoints:
- web
routes:
# Match is the rule corresponding to an underlying router.
@ -46,7 +172,7 @@ spec:
port: 80
```
## Middleware
### Middleware
Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind.
@ -63,7 +189,7 @@ metadata:
name: stripprefix
spec:
stripprefix:
stripPrefix:
prefixes:
- /stripit
@ -74,7 +200,7 @@ metadata:
name: ingressroutebar.crd
spec:
entrypoints:
entryPoints:
- web
routes:
- match: Host(`bar.com`) && PathPrefix(`/stripit`)
@ -86,7 +212,7 @@ spec:
- name: stripprefix
```
## TLS
### TLS
To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
@ -119,10 +245,6 @@ spec:
secretName: supersecret
```
## Full reference example
[Traefik IngressRoute Reference](../reference/providers/kubernetescrd.md).
## Further
Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.

325
docs/content/providers/marathon.md Normal file
View file

@ -0,0 +1,325 @@
# Traefik & Marathon
Traefik can be configured to use Marathon as a provider.
{: .subtitle }
See also [Marathon user guide](../user-guides/marathon.md).
## Configuration Examples
??? example "Configuring Marathon & Deploying / Exposing Applications"
Enabling the marathon provider
```toml tab="File"
[providers.marathon]
endpoint = "http://127.0.0.1:8080"
```
```txt tab="CLI"
--providers.marathon
--providers.marathon.endpoint="http://127.0.0.1:8080"
```
Attaching labels to marathon applications
```json
{
"id": "/whoami",
"container": {
"type": "DOCKER",
"docker": {
"image": "containous/whoami",
"network": "BRIDGE",
"portMappings": [
{
"containerPort": 80,
"hostPort": 0,
"protocol": "tcp"
}
]
}
},
"labels": {
"traefik.http.Routers.app.Rule": "PathPrefix(`/app`)"
}
}
```
## Provider Configuration Options
!!! tip "Browse the Reference"
If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/marathon.md) configuration references.
### `basic`
_Optional_
Enables Marathon basic authentication.
```toml tab="File"
[marathon.basic]
httpBasicAuthUser = "foo"
httpBasicPassword = "bar"
```
```txt tab="CLI"
--providers.marathon
--providers.marathon.basic.httpbasicauthuser="foo"
--providers.marathon.basic.httpbasicpassword="bar"
```
### `dcosToken`
_Optional_
DCOSToken for DCOS environment.
If set, it overrides the Authorization header.
```toml tab="File"
[marathon]
dcosToken = "xxxxxx"
# ...
```
```txt tab="CLI"
--providers.marathon
--providers.marathon.dcosToken="xxxxxx"
```
### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_
For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The app ID can be accessed as the Name identifier,
and the template has access to all the labels defined on this Marathon application.
```toml tab="File"
[marathon]
defaultRule = ""
# ...
```
```txt tab="CLI"
--providers.marathon
--providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
```
### `dialerTimeout`
_Optional, Default=5s_
Overrides DialerTimeout.
Amount of time the Marathon provider should wait before timing out,
when trying to open a TCP connection to a Marathon master.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
or directly as a number of seconds.
### `endpoint`
_Optional, Default=http://127.0.0.1:8080_
Marathon server endpoint.
You can optionally specify multiple endpoints:
```toml tab="File"
[marathon]
endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
# ...
```
```txt tab="CLI"
--providers.marathon
--providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
```
### `exposedByDefault`
_Optional, Default=true_
Exposes Marathon applications by default through Traefik.
If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
### `filterMarathonConstraints`
_Optional, Default=false_
Enables filtering using Marathon constraints.
If enabled, Traefik will take into account Marathon constraints, as defined in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
Each individual constraint will be treated as a verbatim compounded tag,
e.g. "rack_id:CLUSTER:rack-1", with all constraint groups concatenated together using ":".
### `forceTaskHostname`
_Optional, Default=false_
By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
otherwise, the name of the host running the task is used.
The latter behavior can be enforced by enabling this switch.
### `keepAlive`
_Optional, Default=10s_
Set the TCP Keep Alive interval for the Marathon HTTP Client.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
or directly as a number of seconds.
### `respectReadinessChecks`
_Optional, Default=false_
Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
Note that the checks are only valid at deployment times.
See the Marathon guide for details.
### `responseHeaderTimeout`
_Optional, Default=60s_
Overrides ResponseHeaderTimeout.
Amount of time the Marathon provider should wait before timing out,
when waiting for the first response header from a Marathon master.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.
### `TLS`
_Optional_
TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
```toml tab="File"
[marathon.TLS]
CA = "/etc/ssl/ca.crt"
Cert = "/etc/ssl/marathon.cert"
Key = "/etc/ssl/marathon.key"
insecureSkipVerify = true
```
```txt tab="CLI"
--providers.marathon.tls
--providers.marathon.tls.ca="/etc/ssl/ca.crt"
--providers.marathon.tls.cert="/etc/ssl/marathon.cert"
--providers.marathon.tls.key="/etc/ssl/marathon.key"
--providers.marathon.tls.insecureskipverify=true
```
### `TLSHandshakeTimeout`
_Optional, Default=5s_
Overrides TLSHandshakeTimeout.
Amount of time the Marathon provider should wait before timing out,
when waiting for the TLS handshake to complete.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
or directly as a number of seconds.
### `trace`
_Optional, Default=false_
Displays additional provider logs (if available).
### `watch`
_Optional, Default=true_
Enables watching for Marathon changes.
## Routing Configuration Options
### General
Traefik creates, for each Marathon application, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
The Service automatically gets a server per instance of the application,
and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
### Routers
To update the configuration of the Router automatically attached to the application,
add labels starting with `traefik.HTTP.Routers.{router-name-of-your-choice}.` and followed by the option you want to change.
For example, to change the routing rule, you could add the label ```traefik.HTTP.Routers.Routername.Rule=Host(`my-domain`)```.
Every [Router](../routing/routers/index.md) parameter can be updated this way.
### Services
To update the configuration of the Service automatically attached to the container,
add labels starting with `traefik.HTTP.Services.{service-name-of-your-choice}.`, followed by the option you want to change.
For example, to change the load balancer method, you'd add the label `traefik.HTTP.Services.Servicename.LoadBalancer.Method=drr`.
Every [Service](../routing/services/index.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.HTTP.Middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.HTTP.Middlewares.my-redirect.RedirectScheme.Scheme: https`.
??? example "Declaring and Referencing a Middleware"
```json
{
...
"labels": {
"traefik.http.middlewares.my-redirect.schemeredirect.scheme": "https",
"traefik.http.routers.middlewares": "my-redirect"
}
}
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
### TCP
You can declare TCP Routers and/or Services using labels.
??? example "Declaring TCP Routers and Services"
```json
{
...
"labels": {
"traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)",
"traefik.tcp.routers.my-router.tls": "true",
"traefik.tcp.services.my-service.loadbalancer.server.port": "4123"
}
}
```
!!! warning "TCP and HTTP"
If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (as it would by default if no TCP Router/Service is defined).
Both a TCP Router/Service and an HTTP Router/Service can be created for the same application, but it has to be done explicitly in the config.
### Specific Options
#### `traefik.enable`
Setting this option controls whether Traefik exposes the application.
It overrides the value of `exposedByDefault`.
#### `traefik.tags`
Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
#### `traefik.marathon.ipadressidx`
If a task has several IP addresses, this option specifies which one, in the list of available addresses, to select.

6
docs/content/providers/overview.md
View file

@ -31,11 +31,15 @@ Below is the list of the currently supported providers in Traefik.
| [Docker](./docker.md) | Orchestrator | Label |
| [File](./file.md) | Orchestrator | Custom Annotation |
| [Kubernetes](kubernetes-crd.md) | Orchestrator | Custom Resource |
| Marathon (not yet documented) | Orchestrator | Label |
| [Marathon](marathon.md) | Orchestrator | Label |
!!! note "More Providers"
The current version of Traefik is in development and doesn't support (yet) every provider. See the previous version (1.7) for more providers.
<!--
TODO (document TCP VS HTTP dynamic configuration)
-->
## Constraints Configuration

177
docs/content/providers/rancher.md Normal file
View file

@ -0,0 +1,177 @@
# Traefik & Rancher
A Story of Labels, Services & Container
{: .subtitle }
![Rancher](../assets/img/providers/rancher.png)
Attach labels to your services and let Traefik do the rest!
## Configuration Examples
??? example "Configuring Docker & Deploying / Exposing Services"
Enabling the rancher provider
```toml
[provider.rancher]
```
Attaching labels to services
```yaml
labels:
- traefik.http.services.my-service.rule=Host(my-domain)
```
## Provider Configuration Options
!!! tip "Browse the Reference"
If you're in a hurry, maybe you'd rather go through the configuration reference:
```toml
################################################################
# Rancher Provider
################################################################
# Enable Docker Provider.
[rancher]
# The default host rule for all services.
#
# Optionnal
#
DefaultRule = "unix:///var/run/docker.sock"
# Expose Rancher services by default in Traefik.
#
# Optional
#
ExposedByDefault = "docker.localhost"
# Enable watch docker changes.
#
# Optional
#
watch = true
# Filter services with unhealthy states and inactive states.
#
# Optional
#
EnableServiceHealthFilter = true
# Defines the polling interval (in seconds).
#
# Optional
#
RefreshSeconds = true
# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
#
# Optional
#
IntervalPoll = false
# Prefix used for accessing the Rancher metadata service
#
# Optional
#
Prefix = 15
```
### `ExposedByDefault`
_Optional, Default=true_
Expose Rancher services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
### `DefaultRule`
_Optional_
The default host rule for all services.
This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
### `EnableServiceHealthFilter`
_Optional, Default=true_
Filter services with unhealthy states and inactive states.
### `RefreshSeconds`
_Optional, Default=15_
Defines the polling interval (in seconds).
### `IntervalPoll`
_Optional, Default=false_
Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
which is less accurate than the default long polling technique which will provide near instantaneous updates to Traefik.
### `Prefix`
_Optional, Default=/latest_
Prefix used for accessing the Rancher metadata service
### General
Traefik creates, for each rancher service, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
The Service automatically gets a server per container in this rancher service, and the router gets a default rule attached to it, based on the service name.
### Routers
To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
Every [Router](../routing/routers/index.md) parameter can be updated this way.
### Services
To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`,
followed by the option you want to change. For example, to change the load balancer method,
you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.method=drr`.
Every [Service](../routing/services/index.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.schemeredirect.scheme: https`.
??? example "Declaring and Referencing a Middleware"
```yaml
# ...
labels:
- traefik.http.middlewares.my-redirect.schemeredirect.scheme=https
- traefik.http.routers.middlewares=my-redirect
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
### Specific Options
#### `traefik.enable`
You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
This option overrides the value of `exposedByDefault`.
#### `traefik.tags`
Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
#### Port Lookup
Traefik is now capable of detecting the port to use, by following the default rancher flow.
That means, if you just expose lets say port :1337 on the rancher ui, traefik will pick up this port and use it.

166
docs/content/reference/acme.md
View file

@ -1,166 +0,0 @@
# ACME - Reference
Every Options for ACME
{: .subtitle}
## TOML
```toml
# Sample entrypoint configuration when using ACME.
[entrypoints]
[entrypoints.web]
address = ":80"
[entrypoints.web-secure]
address = ":443"
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]
# Email address used for registration.
#
# Required
#
email = "test@traefik.io"
# File used for certificates storage.
#
# Optional (Deprecated)
#
#storageFile = "acme.json"
# File or key used for certificates storage.
#
# Required
#
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
# Deprecated, replaced by [acme.dnsChallenge].
#
# Optional.
#
# dnsProvider = "digitalocean"
# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
#
# Optional
# Default: 0
#
# delayDontCheckDNS = 0
# If true, display debug log messages from the acme client library.
#
# Optional
# Default: false
#
# acmeLogging = true
# If true, override certificates in key-value store when using storeconfig.
#
# Optional
# Default: false
#
# overrideCertificates = true
# Deprecated. Enable on demand certificate generation.
#
# Optional
# Default: false
#
# onDemand = true
# Enable certificate generation on frontends host rules.
#
# Optional
# Default: false
#
# onHostRule = true
# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
# KeyType = "RSA4096"
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
[acme.tlsChallenge]
# Use a HTTP-01 ACME challenge.
#
# Optional
#
# [acme.httpChallenge]
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
# entryPoint = "http"
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
# [acme.dnsChallenge]
# DNS provider used.
#
# Required
#
# provider = "digitalocean"
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
# delayBeforeCheck = 0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
# resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
# disablePropagationCheck = true
# Domains list.
# Only domains defined here can generate wildcard certificates.
# The certificates for these domains are negotiated at traefik startup only.
#
# [[acme.domains]]
# main = "local1.com"
# sans = ["test1.local1.com", "test2.local1.com"]
# [[acme.domains]]
# main = "local2.com"
# [[acme.domains]]
# main = "*.local3.com"
# sans = ["local3.com", "test1.test1.local3.com"]
```

8
docs/content/reference/dynamic-configuration/docker.md Normal file
View file

@ -0,0 +1,8 @@
# Docker Configuration Reference
Dynamic configuration with Docker Labels
{: .subtitle }
```yaml
--8<-- "content/reference/dynamic-configuration/labels.yml"
```

8
docs/content/reference/dynamic-configuration/file.md Normal file
View file

@ -0,0 +1,8 @@
# File Configuration Reference
Dynamic configuration with toml files
{: .subtitle }
```toml
--8<-- "content/reference/dynamic-configuration/file.toml"
```

265
docs/content/reference/dynamic-configuration/file.toml Normal file
View file

@ -0,0 +1,265 @@
[HTTP]
[HTTP.Routers]
[HTTP.Routers.Router0]
EntryPoints = ["foobar", "foobar"]
Middlewares = ["foobar", "foobar"]
Service = "foobar"
Rule = "foobar"
priority = 42
[HTTP.Routers.Router0.tls]
[HTTP.Middlewares]
[HTTP.Middlewares.Middleware0.AddPrefix]
Prefix = "foobar"
[HTTP.Middlewares.Middleware1.StripPrefix]
Prefixes = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware2.StripPrefixRegex]
Regex = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware3.ReplacePath]
Path = "foobar"
[HTTP.Middlewares.Middleware4.ReplacePathRegex]
Regex = "foobar"
Replacement = "foobar"
[HTTP.Middlewares.Middleware5.Chain]
Middlewares = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware6.IPWhiteList]
SourceRange = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware7.IPWhiteList.IPStrategy]
Depth = 42
ExcludedIPs = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware8.Headers]
AccessControlAllowCredentials = true
AccessControlAllowHeaders = ["foobar", "foobar"]
AccessControlAllowMethods = ["foobar", "foobar"]
AccessControlAllowOrigin = "foobar"
AccessControlExposeHeaders = ["foobar", "foobar"]
AccessControlMaxAge = 42
AddVaryHeader = true
AllowedHosts = ["foobar", "foobar"]
HostsProxyHeaders = ["foobar", "foobar"]
SSLRedirect = true
SSLTemporaryRedirect = true
SSLHost = "foobar"
SSLForceHost = true
STSSeconds = 42
STSIncludeSubdomains = true
STSPreload = true
ForceSTSHeader = true
FrameDeny = true
CustomFrameOptionsValue = "foobar"
ContentTypeNosniff = true
BrowserXSSFilter = true
CustomBrowserXSSValue = "foobar"
ContentSecurityPolicy = "foobar"
PublicKey = "foobar"
ReferrerPolicy = "foobar"
IsDevelopment = true
[HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders]
name0 = "foobar"
name1 = "foobar"
[HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders]
name0 = "foobar"
name1 = "foobar"
[HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders]
name0 = "foobar"
name1 = "foobar"
[HTTP.Middlewares.Middleware9.Errors]
Status = ["foobar", "foobar"]
Service = "foobar"
Query = "foobar"
[HTTP.Middlewares.Middleware10.RateLimit]
ExtractorFunc = "foobar"
[HTTP.Middlewares.Middleware10.RateLimit.RateSet]
[HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate0]
Period = 42
Average = 42
Burst = 42
[HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate1]
Period = 42
Average = 42
Burst = 42
[HTTP.Middlewares.Middleware11.RedirectRegex]
Regex = "foobar"
Replacement = "foobar"
Permanent = true
[HTTP.Middlewares.Middleware12.RedirectScheme]
Scheme = "foobar"
Port = "foobar"
Permanent = true
[HTTP.Middlewares.Middleware13.BasicAuth]
Users = ["foobar", "foobar"]
UsersFile = "foobar"
Realm = "foobar"
RemoveHeader = true
HeaderField = "foobar"
[HTTP.Middlewares.Middleware14.DigestAuth]
Users = ["foobar", "foobar"]
UsersFile = "foobar"
RemoveHeader = true
Realm = "foobar"
HeaderField = "foobar"
[HTTP.Middlewares.Middleware15.ForwardAuth]
Address = "foobar"
TrustForwardHeader = true
AuthResponseHeaders = ["foobar", "foobar"]
[HTTP.Middlewares.Middleware15.ForwardAuth.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
[HTTP.Middlewares.Middleware16.MaxConn]
Amount = 42
ExtractorFunc = "foobar"
[HTTP.Middlewares.Middleware17.Buffering]
MaxRequestBodyBytes = 42
MemRequestBodyBytes = 42
MaxResponseBodyBytes = 42
MemResponseBodyBytes = 42
RetryExpression = "foobar"
[HTTP.Middlewares.Middleware18.CircuitBreaker]
Expression = "foobar"
[HTTP.Middlewares.Middleware19.Compress]
[HTTP.Middlewares.Middleware20.PassTLSClientCert]
PEM = true
[HTTP.Middlewares.Middleware20.PassTLSClientCert.Info]
NotAfter = true
NotBefore = true
Sans = true
[HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Subject]
Country = true
Province = true
Locality = true
Organization = true
CommonName = true
SerialNumber = true
DomainComponent = true
[HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Issuer]
Country = true
Province = true
Locality = true
Organization = true
CommonName = true
SerialNumber = true
DomainComponent = true
[HTTP.Middlewares.Middleware21.Retry]
Attempts = 42
[HTTP.Services]
[HTTP.Services.Service0]
[HTTP.Services.Service0.LoadBalancer]
Method = "foobar"
PassHostHeader = true
[[HTTP.Services.Service0.LoadBalancer.Servers]]
URL = "foobar"
Weight = 42
[HTTP.Services.Service0.LoadBalancer.Stickiness]
CookieName = "foobar"
[[HTTP.Services.Service0.LoadBalancer.Servers]]
URL = "foobar"
Weight = 42
[HTTP.Services.Service0.LoadBalancer.HealthCheck]
Scheme = "foobar"
Path = "foobar"
Port = 42
Interval = "foobar"
Timeout = "foobar"
Hostname = "foobar"
[HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers]
name0 = "foobar"
name1 = "foobar"
[HTTP.Services.Service0.LoadBalancer.ResponseForwarding]
FlushInterval = "foobar"
[TCP]
[TCP.Routers]
[TCP.Routers.TCPRouter0]
EntryPoints = ["foobar", "foobar"]
Service = "foobar"
Rule = "foobar"
[TCP.Routers.TCPRouter0.tls]
passthrough = true
[TCP.Services]
[TCP.Services.TCPService0]
[TCP.Services.TCPService0.LoadBalancer]
Method = "foobar"
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
Weight = 42
[[TCP.Services.TCPService0.LoadBalancer.Servers]]
Address = "foobar"
Weight = 42
[[TLS]]
Stores = ["foobar", "foobar"]
[TLS.Certificate]
CertFile = "foobar"
KeyFile = "foobar"
[[TLS]]
Stores = ["foobar", "foobar"]
[TLS.Certificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLSOptions]
[TLSOptions.TLS0]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLSOptions.TLS0.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSOptions.TLS1]
MinVersion = "foobar"
CipherSuites = ["foobar", "foobar"]
SniStrict = true
[TLSOptions.TLS1.ClientCA]
Files = ["foobar", "foobar"]
Optional = true
[TLSStores]
[TLSStores.Store0]
[TLSStores.Store0.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"
[TLSStores.Store1]
[TLSStores.Store1.DefaultCertificate]
CertFile = "foobar"
KeyFile = "foobar"

8
docs/content/reference/dynamic-configuration/kubernetes-crd.md Normal file
View file

@ -0,0 +1,8 @@
# Kubernetes Configuration Reference
Dynamic configuration with Kubernetes Custom Resource
{: .subtitle }
```yaml
--8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
```

71
docs/content/reference/dynamic-configuration/kubernetes-crd.yml Normal file
View file

@ -0,0 +1,71 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute.crd
spec:
entryPoints:
- web
- web-secure
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
# defining several services is possible and allowed, but for now the servers of
# all the services (for a given route) get merged altogether under the same
# load-balancing strategy.
services:
- name: s1
port: 80
healthCheck:
path: /health
host: baz.com
intervalSeconds: 7
timeoutSeconds: 60
# strategy defines the load balancing strategy between the servers. It defaults
# to Round Robin, and for now only Round Robin is supported anyway.
strategy: RoundRobin
- name: s2
port: 433
healthCheck:
path: /health
host: baz.com
intervalSeconds: 7
timeoutSeconds: 60
- match: PathPrefix(`/misc`)
services:
- name: s3
port: 80
middlewares:
- name: stripprefix
- name: addprefix
tls:
secretName: supersecret

159
docs/content/reference/dynamic-configuration/labels.yml Normal file
View file

@ -0,0 +1,159 @@
labels:
- "traefik.HTTP.Middlewares.Middleware0.AddPrefix.Prefix=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.HeaderField=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Realm=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.RemoveHeader=true"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Users=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.UsersFile=foobar"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxRequestBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxResponseBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MemRequestBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MemResponseBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.RetryExpression=foobar"
- "traefik.HTTP.Middlewares.Middleware3.Chain.Middlewares=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.Expression=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.HeaderField=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Realm=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.RemoveHeader=true"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Users=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.UsersFile=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Query=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Service=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Status=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.Address=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional=true"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TrustForwardHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowCredentials=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowHeaders=X-foobar, X-fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowMethods=GET, PUT"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowOrigin=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlExposeHeaders=X-foobar, X-fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlMaxAge=200"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AddVaryHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AllowedHosts=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.BrowserXSSFilter=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicy=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ContentTypeNosniff=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomBrowserXSSValue=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomFrameOptionsValue=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ForceSTSHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.FrameDeny=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.HostsProxyHeaders=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds=42"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth=42"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware10.MaxConn.Amount=42"
- "traefik.HTTP.Middlewares.Middleware10.MaxConn.ExtractorFunc=foobar"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Sans=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Organization=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.CommonName=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.SerialNumber=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.DomainComponent=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Country=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Province=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Locality=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Organization=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.CommonName=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.SerialNumber=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.DomainComponent=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.PEM=true"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.ExtractorFunc=foobar"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Average=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Burst=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Period=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Average=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Burst=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Period=42"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Regex=foobar"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Replacement=foobar"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Permanent=true"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Scheme=https"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Port=80"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Permanent=true"
- "traefik.HTTP.Middlewares.Middleware14.ReplacePath.Path=foobar"
- "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Regex=foobar"
- "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Replacement=foobar"
- "traefik.HTTP.Middlewares.Middleware16.Retry.Attempts=42"
- "traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware19.Compress=true"
- "traefik.HTTP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router0.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router0.Priority=42"
- "traefik.HTTP.Routers.Router0.Rule=foobar"
- "traefik.HTTP.Routers.Router0.Service=foobar"
- "traefik.HTTP.Routers.Router0.TLS=true"
- "traefik.HTTP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Priority=42"
- "traefik.HTTP.Routers.Router1.Rule=foobar"
- "traefik.HTTP.Routers.Router1.Service=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Interval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Path=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Timeout=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.Method=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service0.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Weight=42"
- "traefik.HTTP.Services.Service0.LoadBalancer.Stickiness.CookieName=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Interval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Path=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Timeout=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.Method=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service1.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Weight=42"
- "traefik.TCP.Routers.Router0.Rule=foobar"
- "traefik.TCP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router0.Service=foobar"
- "traefik.TCP.Routers.Router0.TLS.Passthrough=false"
- "traefik.TCP.Routers.Router1.Rule=foobar"
- "traefik.TCP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router1.Service=foobar"
- "traefik.TCP.Routers.Router1.TLS.Passthrough=false"
- "traefik.TCP.Services.Service0.LoadBalancer.Method=foobar"
- "traefik.TCP.Services.Service0.LoadBalancer.server.Port=42"
- "traefik.TCP.Services.Service0.LoadBalancer.server.Weight=42"
- "traefik.TCP.Services.Service1.LoadBalancer.Method=foobar"
- "traefik.TCP.Services.Service1.LoadBalancer.server.Port=42"
- "traefik.TCP.Services.Service1.LoadBalancer.server.Weight=42"

8
docs/content/reference/dynamic-configuration/marathon.md Normal file
View file

@ -0,0 +1,8 @@
# Marathon Configuration Reference
Dynamic configuration with Marathon Labels
{: .subtitle }
```yaml
--8<-- "content/reference/dynamic-configuration/labels.yml"
```

35
docs/content/reference/entrypoints.md
View file

@ -1,35 +0,0 @@
# EntryPoints - Reference
Every Options for EntryPoints
{: .subtitle}
## TOML
```toml
# ...
[entrypoints]
[entrypoints.web]
address = ":80"
[entrypoints.web.proxyProtocol]
insecure = true
trustedIPs = ["10.10.10.1", "10.10.10.2"]
[entrypoints.web.forwardedHeaders]
trustedIPs = ["10.10.10.1", "10.10.10.2"]
insecure = false
[entrypoints.web-secure]
# ...
```
## CLI
```ini
Name:foo
Address::80
ProxyProtocol.TrustedIPs:192.168.0.1
ProxyProtocol.Insecure:true
ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
```

53
docs/content/reference/logs.md
View file

@ -1,53 +0,0 @@
# Logs - Reference
## TOML
```toml
logLevel = "INFO"
[traefikLog]
filePath = "/path/to/traefik.log"
format = "json"
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
# ...
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
# ...
```
## CLI
For more information about the CLI, see the documentation about [Traefik command](../../operations/cli).
```shell
--logLevel="DEBUG"
--traefikLog.filePath="/path/to/traefik.log"
--traefikLog.format="json"
--accessLog.filePath="/path/to/access.log"
--accessLog.format="json"
--accessLog.filters.statusCodes="200,300-302"
--accessLog.filters.retryAttempts="true"
--accessLog.filters.minDuration="10ms"
--accessLog.fields.defaultMode="keep"
--accessLog.fields.names="Username=drop Hostname=drop"
--accessLog.fields.headers.defaultMode="keep"
--accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep"
```

180
docs/content/reference/providers/docker.md
View file

@ -1,180 +0,0 @@
# Docker -- Reference
## Docker
```toml
################################################################
# Docker Provider
################################################################
# Enable Docker Provider.
[docker]
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
#
endpoint = "unix:///var/run/docker.sock"
# Default base domain used for the frontend rules.
# Can be overridden by setting the "traefik.domain" label on a container.
#
# Optional
#
domain = "docker.localhost"
# Enable watch docker changes.
#
# Optional
#
watch = true
# Override default configuration template.
# For advanced users :)
#
# Optional
#
# filename = "docker.tmpl"
# Override template version
# For advanced users :)
#
# Optional
# - "1": previous template version (must be used only with older custom templates, see "filename")
# - "2": current template version (must be used to force template version when "filename" is used)
#
# templateVersion = 2
# Expose containers by default in Traefik.
# If set to false, containers that don't have `traefik.enable=true` will be ignored.
#
# Optional
# Default: true
#
exposedByDefault = true
# Use the IP address from the binded port instead of the inner network one.
#
# In case no IP address is attached to the binded port (or in case
# there is no bind), the inner network one will be used as a fallback.
#
# Optional
# Default: false
#
usebindportip = true
# Use Swarm Mode services as data provider.
#
# Optional
# Default: false
#
swarmMode = false
# Polling interval (in seconds) for Swarm Mode.
#
# Optional
# Default: 15
#
swarmModeRefreshSeconds = 15
# Define a default docker network to use for connections to all containers.
# Can be overridden by the traefik.docker.network label.
#
# Optional
#
network = "web"
# Enable docker TLS connection.
#
# Optional
#
# [docker.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/docker.crt"
# key = "/etc/ssl/docker.key"
# insecureSkipVerify = true
```
## Docker Swarm Mode
```toml
################################################################
# Docker Swarm Mode Provider
################################################################
# Enable Docker Provider.
[docker]
# Docker server endpoint.
# Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
# swarm classic (1.12-)
# endpoint = "tcp://127.0.0.1:2375"
# docker swarm mode (1.12+)
endpoint = "tcp://127.0.0.1:2377"
# Default base domain used for the frontend rules.
# Can be overridden by setting the "traefik.domain" label on a services.
#
# Optional
# Default: ""
#
domain = "docker.localhost"
# Enable watch docker changes.
#
# Optional
# Default: true
#
watch = true
# Use Docker Swarm Mode as data provider.
#
# Optional
# Default: false
#
swarmMode = true
# Define a default docker network to use for connections to all containers.
# Can be overridden by the traefik.docker.network label.
#
# Optional
#
network = "web"
# Override default configuration template.
# For advanced users :)
#
# Optional
#
# filename = "docker.tmpl"
# Override template version
# For advanced users :)
#
# Optional
# - "1": previous template version (must be used only with older custom templates, see "filename")
# - "2": current template version (must be used to force template version when "filename" is used)
#
# templateVersion = 2
# Expose services by default in Traefik.
#
# Optional
# Default: true
#
exposedByDefault = false
# Enable docker TLS connection.
#
# Optional
#
# [docker.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/docker.crt"
# key = "/etc/ssl/docker.key"
# insecureSkipVerify = true
```

261
docs/content/reference/providers/file.md
View file

@ -1,261 +0,0 @@
# File -- Reference
## File
```toml
################################################################
# File Provider
################################################################
[providers]
# Enable File Provider.
[providers.file]
# Define one separated configuration file.
#
# Optional
#
filename = "my-conf.toml"
# Define directory that contains a set of configuration files.
#
# Optional
#
directory = "/path/to/config"
# Enable watch file changes.
#
# Optional
#
watch = true
[http]
[http.routers]
[http.routers.router0]
entrypoints = ["foo", "bar"]
middlewares = ["foo", "bar"]
service = "service-foo"
rule = "Path(`foo`)"
priority = 42
[http.routers.router0.tls]
[http.middlewares]
[http.middlewares.my-add-prefix.AddPrefix]
prefix = "/foo"
[http.middlewares.my-strip-prefix.StripPrefix]
prefixes = ["/foo", "/bar"]
[http.middlewares.my-strip-prefix-regex.StripPrefixRegex]
regex = ["/foo/api/", "/bar/{category}/{id:[0-9]+}/"]
[http.middlewares.my-replace-path.ReplacePath]
path = "/foo"
[http.middlewares.my-replace-path-regex.ReplacePathRegex]
regex = "foo/(.*)"
replacement = "/foobar/$1"
[http.middlewares.my-chain.Chain]
middlewares = ["my-add-prefix", "my-basic-auth"]
[http.middlewares.Middleware0.IPWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.Middleware0.IPWhiteList.IPStrategy]
depth = 2
excludedIPs = ["127.0.0.1/16", "192.168.1.7"]
[http.middlewares.my-headers.Headers]
allowedHosts = ["foobar", "foobar"]
hostsProxyHeaders = ["foobar", "foobar"]
sslRedirect = true
sslTemporaryRedirect = true
sslHost = "foobar"
sslForceHost = true
stsSeconds = 42
stsIncludeSubdomains = true
stsPreload = true
forceSTSHeader = true
frameDeny = true
customFrameOptionsValue = "foobar"
contentTypeNosniff = true
browserXSSFilter = true
customBrowserXSSValue = "foobar"
contentSecurityPolicy = "foobar"
publicKey = "foobar"
referrerPolicy = "foobar"
isDevelopment = true
[http.middlewares.my-headers.Headers.CustomRequestHeaders]
X-Script-Name = "foo"
[http.middlewares.my-headers.Headers.CustomResponseHeaders]
X-Custom-Response-Header = "True"
[http.middlewares.my-headers.Headers.SSLProxyHeaders]
X-Forwarded-Proto = "https"
[http.middlewares.my-errors.Errors]
status = ["400-404", "500-599"]
service = "foo-errors-service"
query = "/error.html"
[http.middlewares.my-rate-limit.RateLimit]
extractorFunc = "client.ip"
[http.middlewares.Middleware0.RateLimit.RateSet]
[http.middlewares.Middleware0.RateLimit.RateSet.Rate0]
period = 10
average = 100
burst = 200
[http.middlewares.my-redirect-regex.RedirectRegex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
permanent = true
[http.middlewares.my-redirect-scheme.RedirectScheme]
scheme = "https"
port = "8443"
permanent = true
[http.middlewares.my-basic-auth.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
usersFile = "etc/traefik/.htpasswd"
realm = "myRealm"
removeHeader = true
headerField = "X-WebAuth-User"
[http.middlewares.my-digest-auth.DigestAuth]
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
usersFile = "etc/traefik/.htdigest"
removeHeader = true
realm = "traefik"
headerField = "X-WebAuth-User"
[http.middlewares.my-forward-auth.ForwardAuth]
address = "https://myauth.server:443"
trustForwardHeader = true
authResponseHeaders = ["X-Forwarded-Foo", "X-Forwarded-Bar"]
[http.middlewares.my-forward-auth.ForwardAuth.TLS]
ca = "/etc/traefik/crt/ca.pem"
caOptional = true
cert = "/etc/traefik/crt/cert.pem"
key = "/etc/traefik/crt/cert.key"
insecureSkipVerify = true
[http.middlewares.my-maxconn.MaxConn]
amount = 10
extractorFunc = "request.host"
[http.middlewares.my-buffering.Buffering]
maxRequestBodyBytes = 25000
memRequestBodyBytes = 25000
maxResponseBodyBytes = 25000
memResponseBodyBytes = 25000
retryExpression = "foobar"
[http.middlewares.my-circuit-breaker.CircuitBreaker]
Expression = "LatencyAtQuantileMS(50.0) > 100"
[http.middlewares.my-compress.Compress]
[http.middlewares.my-pass-tls-client-cert.PassTLSClientCert]
pem = true
[http.middlewares.Middleware0.PassTLSClientCert.Info]
notAfter = true
notBefore = true
sans = true
[http.middlewares.Middleware0.PassTLSClientCert.Info.Subject]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.Middleware0.PassTLSClientCert.Info.Issuer]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.my-retry.Retry]
attempts = 4
[http.services]
[http.services.service0]
[http.services.service0.LoadBalancer]
method = "wrr"
passHostHeader = true
[http.services.service0.LoadBalancer.Stickiness]
cookieName = "my-stickiness-cookie-name"
[[http.services.service0.LoadBalancer.Servers]]
url = "http://foo/"
weight = 30
[[http.services.service0.LoadBalancer.Servers]]
url = "http://bar/"
weight = 70
[http.services.service0.LoadBalancer.HealthCheck]
scheme = "https"
path = "/health"
port = 9443
interval = "10s"
timeout = "30s"
hostname = "foobar"
[http.services.service0.LoadBalancer.HealthCheck.Headers]
My-Custom-Header = "foobar"
[http.services.service0.LoadBalancer.ResponseForwarding]
flushInterval = "4s"
[tcp]
[tcp.routers]
[tcp.routers.tcpRouter0]
entryPoints = ["foobar", "foobar"]
service = "foobar"
rule = "foobar"
[tcp.routers.tcpRouter0.tlst]
passthrough = true
[tcp.services]
[tcp.services.tcpService0]
[tcp.services.tcpService0.tcpLoadBalancer]
method = "foobar"
[[tcp.services.tcpService0.tcpLoadBalancer.Servers]]
address = "foobar"
weight = 42
[[tcp.services.tcpService0.tcpLoadBalancer.Servers]]
address = "foobar"
weight = 42
[[tls]]
Store = ["my-store-foo", "my-store-bar"]
[tls.Certificate]
certFile = "/etc/traefik/cert.pem"
keyFile = "/etc/traefik/cert.key"
[tlsconfig]
[tlsconfig.TLS0]
minVersion = "VersionTLS12"
cipherSuites = [ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
[tlsconfig.TLS0.ClientCA]
files = ["/etc/traefik/ca-foo.pem", "/etc/traefik/ca-bar.pem"]
optional = true
[tlsstore]
[tlsstore.my-store-foo]
sniStrict = true
[tlsstore.my-store-foo.DefaultCertificate]
certFile = "/etc/traefik/cert.pem"
keyFile = "/etc/traefik/cert.key"
```

81
docs/content/reference/providers/kubernetescrd.md
View file

@ -1,81 +0,0 @@
# Kubernetes -- Reference
## Kubernetes
```yaml
################################################################
# Kubernetes Provider
################################################################
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute.crd
spec:
entrypoints:
- web
- web-secure
routes:
- match: Host(`foo.com`) && PathPrefix(`/bar`)
kind: Rule
priority: 12
# defining several services is possible and allowed, but for now the servers of
# all the services (for a given route) get merged altogether under the same
# load-balancing strategy.
services:
- name: s1
port: 80
healthcheck:
path: /health
host: baz.com
intervalseconds: 7
timeoutseconds: 60
# strategy defines the load balancing strategy between the servers. It defaults
# to Round Robin, and for now only Round Robin is supported anyway.
strategy: RoundRobin
- name: s2
port: 433
healthcheck:
path: /health
host: baz.com
intervalseconds: 7
timeoutseconds: 60
- match: PathPrefix(`/misc`)
services:
- name: s3
port: 80
middleware:
- name: stripprefix
- name: addprefix
tls:
secretName: supersecret
```

13
docs/content/reference/static-configuration.md Normal file
View file

@ -0,0 +1,13 @@
# Static Configuration
## File
```toml
--8<-- "content/reference/static-configuration.toml"
```
## CLI
```txt
--8<-- "content/reference/static-configuration.txt"
```

238
docs/content/reference/static-configuration.toml Normal file
View file

@ -0,0 +1,238 @@
[Global]
Debug = true
CheckNewVersion = true
SendAnonymousUsage = true
[ServersTransport]
InsecureSkipVerify = true
RootCAs = ["foobar", "foobar"]
MaxIdleConnsPerHost = 42
[ServersTransport.ForwardingTimeouts]
DialTimeout = 42
ResponseHeaderTimeout = 42
[EntryPoints]
[EntryPoints.EntryPoint0]
Address = "foobar"
[EntryPoints.EntryPoint0.Transport]
[EntryPoints.EntryPoint0.Transport.LifeCycle]
RequestAcceptGraceTimeout = 42
GraceTimeOut = 42
[EntryPoints.EntryPoint0.Transport.RespondingTimeouts]
ReadTimeout = 42
WriteTimeout = 42
IdleTimeout = 42
[EntryPoints.EntryPoint0.ProxyProtocol]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
[EntryPoints.EntryPoint0.ForwardedHeaders]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
[Providers]
ProvidersThrottleDuration = 42
[Providers.Docker]
Watch = true
Endpoint = "foobar"
DefaultRule = "foobar"
ExposedByDefault = true
UseBindPortIP = true
SwarmMode = true
Network = "foobar"
SwarmModeRefreshSeconds = 42
[[Providers.Docker.Constraints]]
Key = "foobar"
MustMatch = true
Regex = "foobar"
[[Providers.Docker.Constraints]]
Key = "foobar"
MustMatch = true
Regex = "foobar"
[Providers.Docker.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
[Providers.File]
Directory = "foobar"
Watch = true
Filename = "foobar"
DebugLogGeneratedTemplate = true
TraefikFile = "foobar"
[Providers.Marathon]
Trace = true
Watch = true
Endpoint = "foobar"
DefaultRule = "foobar"
ExposedByDefault = true
DCOSToken = "foobar"
FilterMarathonConstraints = true
DialerTimeout = 42
ResponseHeaderTimeout = 42
TLSHandshakeTimeout = 42
KeepAlive = 42
ForceTaskHostname = true
RespectReadinessChecks = true
[[Providers.Marathon.Constraints]]
Key = "foobar"
MustMatch = true
Regex = "foobar"
[[Providers.Marathon.Constraints]]
Key = "foobar"
MustMatch = true
Regex = "foobar"
[Providers.Marathon.TLS]
CA = "foobar"
CAOptional = true
Cert = "foobar"
Key = "foobar"
InsecureSkipVerify = true
[Providers.Marathon.Basic]
HTTPBasicAuthUser = "foobar"
HTTPBasicPassword = "foobar"
[Providers.Kubernetes]
Endpoint = "foobar"
Token = "foobar"
CertAuthFilePath = "foobar"
DisablePassHostHeaders = true
Namespaces = ["foobar", "foobar"]
LabelSelector = "foobar"
IngressClass = "foobar"
[Providers.Kubernetes.IngressEndpoint]
IP = "foobar"
Hostname = "foobar"
PublishedService = "foobar"
[Providers.KubernetesCRD]
Endpoint = "foobar"
Token = "foobar"
CertAuthFilePath = "foobar"
DisablePassHostHeaders = true
Namespaces = ["foobar", "foobar"]
LabelSelector = "foobar"
IngressClass = "foobar"
[Providers.Rest]
EntryPoint = "foobar"
[API]
EntryPoint = "foobar"
Dashboard = true
Middlewares = ["foobar", "foobar"]
[API.Statistics]
RecentErrors = 42
[Metrics]
[Metrics.Prometheus]
Buckets = [42.0, 42.0]
EntryPoint = "foobar"
Middlewares = ["foobar", "foobar"]
[Metrics.Datadog]
Address = "foobar"
PushInterval = "foobar"
[Metrics.StatsD]
Address = "foobar"
PushInterval = "foobar"
[Metrics.InfluxDB]
Address = "foobar"
Protocol = "foobar"
PushInterval = "foobar"
Database = "foobar"
RetentionPolicy = "foobar"
Username = "foobar"
Password = "foobar"
[Ping]
EntryPoint = "foobar"
Middlewares = ["foobar", "foobar"]
[Log]
Level = "foobar"
FilePath = "foobar"
Format = "foobar"
[AccessLog]
FilePath = "foobar"
Format = "foobar"
BufferingSize = 42
[AccessLog.Filters]
StatusCodes = ["foobar", "foobar"]
RetryAttempts = true
MinDuration = 42
[AccessLog.Fields]
DefaultMode = "foobar"
[AccessLog.Fields.Names]
name0 = "foobar"
name1 = "foobar"
[AccessLog.Fields.Headers]
DefaultMode = "foobar"
[AccessLog.Fields.Headers.Names]
name0 = "foobar"
name1 = "foobar"
[Tracing]
Backend = "foobar"
ServiceName = "foobar"
SpanNameLimit = 42
[Tracing.Jaeger]
SamplingServerURL = "foobar"
SamplingType = "foobar"
SamplingParam = 42.0
LocalAgentHostPort = "foobar"
Gen128Bit = true
Propagation = "foobar"
TraceContextHeaderName = "foobar"
[Tracing.Zipkin]
HTTPEndpoint = "foobar"
SameSpan = true
ID128Bit = true
Debug = true
SampleRate = 42.0
[Tracing.DataDog]
LocalAgentHostPort = "foobar"
GlobalTag = "foobar"
Debug = true
PrioritySampling = true
TraceIDHeaderName = "foobar"
ParentIDHeaderName = "foobar"
SamplingPriorityHeaderName = "foobar"
BagagePrefixHeaderName = "foobar"
[Tracing.Instana]
LocalAgentHost = "foobar"
LocalAgentPort = 42
Level = "foobar"
[HostResolver]
CnameFlattening = true
ResolvConfig = "foobar"
ResolvDepth = 42
[ACME]
Email = "foobar"
ACMELogging = true
CAServer = "foobar"
Storage = "foobar"
EntryPoint = "foobar"
KeyType = "foobar"
OnHostRule = true
[ACME.DNSChallenge]
Provider = "foobar"
DelayBeforeCheck = 42
Resolvers = ["foobar", "foobar"]
DisablePropagationCheck = true
[ACME.HTTPChallenge]
EntryPoint = "foobar"
[ACME.TLSChallenge]
[[ACME.Domains]]
Main = "foobar"
SANs = ["foobar", "foobar"]
[[ACME.Domains]]
Main = "foobar"
SANs = ["foobar", "foobar"]

203
docs/content/reference/static-configuration.txt Normal file
View file

@ -0,0 +1,203 @@
--accesslog Access log settings (default "false")
--accesslog.bufferingsize Number of access log lines to process in a buffered way. Default 0. (default "0")
--accesslog.fields AccessLogFields (default "false")
--accesslog.fields.defaultmode Default mode for fields: keep | drop (default "keep")
--accesslog.fields.headers Headers to keep, drop or redact (default "false")
--accesslog.fields.headers.defaultmode Default mode for fields: keep | drop | redact (default "keep")
--accesslog.fields.headers.names Override mode for headers (default "map[]")
--accesslog.fields.names Override mode for fields (default "map[]")
--accesslog.filepath Access log file path. Stdout is used when omitted or empty
--accesslog.filters Access log filters, used to keep only specific access logs (default "false")
--accesslog.filters.minduration Keep access logs when request took longer than the specified duration (default "0s")
--accesslog.filters.retryattempts Keep access logs when at least one retry happened (default "false")
--accesslog.filters.statuscodes Keep access logs with status codes in the specified range (default "[]")
--accesslog.format Access log format: json | common (default "common")
--acme Enable ACME (Let's Encrypt): automatic SSL (default "false")
--acme.acmelogging Enable debug logging of ACME actions. (default "false")
--acme.caserver CA server to use.
--acme.dnschallenge Activate DNS-01 Challenge (default "false")
--acme.dnschallenge.delaybeforecheck Assume DNS propagates after a delay in seconds rather than finding and querying (default "0s")
nameservers.
--acme.dnschallenge.disablepropagationcheck Disable the DNS propagation checks before notifying ACME that the DNS challenge (default "false")
is ready. [not recommended]
--acme.dnschallenge.provider Use a DNS-01 based challenge provider rather than HTTPS.
--acme.dnschallenge.resolvers Use following DNS servers to resolve the FQDN authority.
--acme.domains CN and SANs (alternative domains) to each main domain using format: (default "[]")
--acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. No
SANs for wildcards domain. Wildcard domains only accepted with DNSChallenge
--acme.email Email address used for registration
--acme.entrypoint EntryPoint to use.
--acme.httpchallenge Activate HTTP-01 Challenge (default "false")
--acme.httpchallenge.entrypoint HTTP challenge EntryPoint
--acme.keytype KeyType used for generating certificate private key. Allow value 'EC256',
'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'
--acme.onhostrule Enable certificate generation on frontends Host rules. (default "false")
--acme.storage Storage to use.
--acme.tlschallenge Activate TLS-ALPN-01 Challenge (default "false")
--api Enable api/dashboard (default "false")
--api.dashboard Activate dashboard (default "true")
--api.entrypoint EntryPoint (default "traefik")
--api.middlewares Middleware list
--api.statistics Enable more detailed statistics (default "true")
--api.statistics.recenterrors Number of recent errors logged (default "10")
-c, --configfile Configuration file to use (TOML).
--entrypoints Entrypoints definition using format: --entryPoints='Name:http Address::8000 (default "map[]")
Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442
TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'
--global Global configuration options (default "true")
--global.checknewversion Periodically check if a new version has been released (default "true")
-d, --global.debug Enable debug mode (default "false")
--global.sendanonymoususage send periodically anonymous usage statistics (default "false")
--hostresolver Enable CNAME Flattening (default "false")
--hostresolver.cnameflattening A flag to enable/disable CNAME flattening (default "false")
--hostresolver.resolvconfig resolv.conf used for DNS resolving (default "/etc/resolv.conf")
--hostresolver.resolvdepth The maximal depth of DNS recursive resolving (default "5")
--log Traefik log settings (default "false")
--log.filepath Traefik log file path. Stdout is used when omitted or empty
--log.format Traefik log format: json | common (default "common")
--log.level Log level set to traefik logs.
--metrics Enable a metrics exporter (default "false")
--metrics.datadog DataDog metrics exporter type (default "false")
--metrics.datadog.address DataDog's address (default "localhost:8125")
--metrics.datadog.pushinterval DataDog push interval (default "10s")
--metrics.influxdb InfluxDB metrics exporter type (default "false")
--metrics.influxdb.address InfluxDB address (default "localhost:8089")
--metrics.influxdb.database InfluxDB database used when protocol is http
--metrics.influxdb.password InfluxDB password (only with http)
--metrics.influxdb.protocol InfluxDB address protocol (udp or http) (default "udp")
--metrics.influxdb.pushinterval InfluxDB push interval (default "10s")
--metrics.influxdb.retentionpolicy InfluxDB retention policy used when protocol is http
--metrics.influxdb.username InfluxDB username (only with http)
--metrics.prometheus Prometheus metrics exporter type (default "false")
--metrics.prometheus.buckets Buckets for latency metrics (default "[0.1 0.3 1.2 5]")
--metrics.prometheus.entrypoint EntryPoint (default "traefik")
--metrics.prometheus.middlewares Middlewares
--metrics.statsd StatsD metrics exporter type (default "false")
--metrics.statsd.address StatsD address (default "localhost:8125")
--metrics.statsd.pushinterval StatsD push interval (default "10s")
--ping Enable ping (default "false")
--ping.entrypoint Ping entryPoint (default "traefik")
--ping.middlewares Middleware list
--providers Providers configuration (default "false")
--providers.docker Enable Docker backend with default settings (default "false")
--providers.docker.constraints Filter services by constraint, matching with Traefik tags. (default "[]")
--providers.docker.defaultrule Default rule (default "Host(`{{ normalize .Name }}`)")
--providers.docker.endpoint Docker server endpoint. Can be a tcp or a unix socket endpoint (default "unix:///var/run/docker.sock")
--providers.docker.exposedbydefault Expose containers by default (default "true")
--providers.docker.network Default Docker network used
--providers.docker.swarmmode Use Docker on Swarm Mode (default "false")
--providers.docker.swarmmoderefreshseconds Polling interval for swarm mode (in seconds) (default "15")
--providers.docker.tls Enable Docker TLS support (default "false")
--providers.docker.tls.ca TLS CA
--providers.docker.tls.caoptional TLS CA.Optional (default "false")
--providers.docker.tls.cert TLS cert
--providers.docker.tls.insecureskipverify TLS insecure skip verify (default "false")
--providers.docker.tls.key TLS key
--providers.docker.usebindportip Use the ip address from the bound port, rather than from the inner network (default "false")
--providers.docker.watch Watch provider (default "true")
--providers.file Enable File backend with default settings (default "true")
--providers.file.debugloggeneratedtemplate Enable debug logging of generated configuration template. (default "false")
--providers.file.directory Load configuration from one or more .toml files in a directory
--providers.file.filename Override default configuration template. For advanced users :)
--providers.file.watch Watch provider (default "true")
--providers.kubernetes Enable Kubernetes backend with default settings (default "true")
--providers.kubernetes.certauthfilepath Kubernetes certificate authority file path (not needed for in-cluster client)
--providers.kubernetes.disablepasshostheaders Kubernetes disable PassHost Headers (default "false")
--providers.kubernetes.endpoint Kubernetes server endpoint (required for external cluster client)
--providers.kubernetes.ingressclass Value of kubernetes.io/ingress.class annotation to watch for
--providers.kubernetes.ingressendpoint Kubernetes Ingress Endpoint (default "false")
--providers.kubernetes.ingressendpoint.hostname Hostname used for Kubernetes Ingress endpoints
--providers.kubernetes.ingressendpoint.ip IP used for Kubernetes Ingress endpoints
--providers.kubernetes.ingressendpoint.publishedservice Published Kubernetes Service to copy status from
--providers.kubernetes.labelselector Kubernetes Ingress label selector to use
--providers.kubernetes.namespaces Kubernetes namespaces (default "[]")
--providers.kubernetes.token Kubernetes bearer token (not needed for in-cluster client)
--providers.kubernetescrd Enable Kubernetes backend with default settings (default "false")
--providers.kubernetescrd.certauthfilepath Kubernetes certificate authority file path (not needed for in-cluster client)
--providers.kubernetescrd.disablepasshostheaders Kubernetes disable PassHost Headers (default "false")
--providers.kubernetescrd.endpoint Kubernetes server endpoint (required for external cluster client)
--providers.kubernetescrd.ingressclass Value of kubernetes.io/ingress.class annotation to watch for
--providers.kubernetescrd.labelselector Kubernetes label selector to use
--providers.kubernetescrd.namespaces Kubernetes namespaces (default "[]")
--providers.kubernetescrd.token Kubernetes bearer token (not needed for in-cluster client)
--providers.marathon Enable Marathon backend with default settings (default "false")
--providers.marathon.basic Enable basic authentication (default "false")
--providers.marathon.basic.httpbasicauthuser Basic authentication User
--providers.marathon.basic.httpbasicpassword Basic authentication Password
--providers.marathon.constraints Filter services by constraint, matching with Traefik tags. (default "[]")
--providers.marathon.dcostoken DCOSToken for DCOS environment, This will override the Authorization header
--providers.marathon.defaultrule Default rule (default "Host(`{{ normalize .Name }}`)")
--providers.marathon.dialertimeout Set a dialer timeout for Marathon (default "5s")
--providers.marathon.endpoint Marathon server endpoint. You can also specify multiple endpoint for Marathon (default "http://127.0.0.1:8080")
--providers.marathon.exposedbydefault Expose Marathon apps by default (default "true")
--providers.marathon.filtermarathonconstraints Enable use of Marathon constraints in constraint filtering (default "false")
--providers.marathon.forcetaskhostname Force to use the task's hostname. (default "false")
--providers.marathon.keepalive Set a TCP Keep Alive time in seconds (default "10s")
--providers.marathon.respectreadinesschecks Filter out tasks with non-successful readiness checks during deployments (default "false")
--providers.marathon.responseheadertimeout Set a response header timeout for Marathon (default "1m0s")
--providers.marathon.tls Enable TLS support (default "false")
--providers.marathon.tls.ca TLS CA
--providers.marathon.tls.caoptional TLS CA.Optional (default "false")
--providers.marathon.tls.cert TLS cert
--providers.marathon.tls.insecureskipverify TLS insecure skip verify (default "false")
--providers.marathon.tls.key TLS key
--providers.marathon.tlshandshaketimeout Set a TLS handhsake timeout for Marathon (default "5s")
--providers.marathon.trace Display additional provider logs. (default "false")
--providers.marathon.watch Watch provider (default "true")
--providers.providersthrottleduration Backends throttle duration: minimum duration between 2 events from providers (default "2s")
before applying a new configuration. It avoids unnecessary reloads if multiples
events are sent in a short amount of time.
--providers.rancher Enable Rancher backend with default settings (default "true")
--providers.rancher.constraints Filter services by constraint, matching with Traefik tags. (default "[]")
--providers.rancher.defaultrule Default rule (default "Host(`{{ normalize .Name }}`)")
--providers.rancher.exposedbydefault Expose containers by default (default "true")
--providers.rancher.intervalpoll Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate) (default "false")
--providers.rancher.prefix Prefix used for accessing the Rancher metadata service (default "latest")
--providers.rancher.watch Watch provider (default "true")
--providers.rest Enable Rest backend with default settings (default "true")
--providers.rest.entrypoint EntryPoint (default "traefik")
--serverstransport Servers default transport (default "true")
--serverstransport.forwardingtimeouts Timeouts for requests forwarded to the backend servers (default "true")
--serverstransport.forwardingtimeouts.dialtimeout The amount of time to wait until a connection to a backend server can be (default "0s")
established. Defaults to 30 seconds. If zero, no timeout exists
--serverstransport.forwardingtimeouts.responseheadertimeout The amount of time to wait for a server's response headers after fully writing (default "0s")
the request (including its body, if any). If zero, no timeout exists
--serverstransport.insecureskipverify Disable SSL certificate verification (default "false")
--serverstransport.maxidleconnsperhost If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, (default "200")
DefaultMaxIdleConnsPerHost is used
--serverstransport.rootcas Add cert file for self-signed certificate
--tracing OpenTracing configuration (default "false")
--tracing.backend Selects the tracking backend ('jaeger','zipkin','datadog','instana'). (default "jaeger")
--tracing.datadog Settings for DataDog (default "false")
--tracing.datadog.bagageprefixheadername specifies the header name prefix that will be used to store baggage items in a
map.
--tracing.datadog.debug Enable DataDog debug. (default "false")
--tracing.datadog.globaltag Key:Value tag to be set on all the spans.
--tracing.datadog.localagenthostport Set datadog-agent's host:port that the reporter will used. Defaults to (default "localhost:8126")
localhost:8126
--tracing.datadog.parentidheadername Specifies the header name that will be used to store the parent ID.
--tracing.datadog.prioritysampling Enable priority sampling. When using distributed tracing, this option must be (default "false")
enabled in order to get all the parts of a distributed trace sampled.
--tracing.datadog.samplingpriorityheadername Specifies the header name that will be used to store the sampling priority.
--tracing.datadog.traceidheadername Specifies the header name that will be used to store the trace ID.
--tracing.instana Settings for Instana (default "false")
--tracing.instana.localagenthost Set instana-agent's host that the reporter will used. (default "localhost")
--tracing.instana.localagentport Set instana-agent's port that the reporter will used. (default "42699")
--tracing.instana.loglevel Set instana-agent's log level. ('error','warn','info','debug') (default "info")
--tracing.jaeger Settings for jaeger (default "false")
--tracing.jaeger.gen128bit generate 128 bit span IDs. (default "false")
--tracing.jaeger.localagenthostport set jaeger-agent's host:port that the reporter will used. (default "127.0.0.1:6831")
--tracing.jaeger.propagation which propgation format to use (jaeger/b3). (default "jaeger")
--tracing.jaeger.samplingparam set the sampling parameter. (default "1")
--tracing.jaeger.samplingserverurl set the sampling server url. (default "http://localhost:5778/sampling")
--tracing.jaeger.samplingtype set the sampling type. (default "const")
--tracing.jaeger.tracecontextheadername set the header to use for the trace-id. (default "uber-trace-id")
--tracing.servicename Set the name for this service (default "traefik")
--tracing.spannamelimit Set the maximum character limit for Span names (default 0 = no limit) (default "0")
--tracing.zipkin Settings for zipkin (default "false")
--tracing.zipkin.debug Enable Zipkin debug. (default "false")
--tracing.zipkin.httpendpoint HTTP Endpoint to report traces to. (default "http://localhost:9411/api/v1/spans")
--tracing.zipkin.id128bit Use Zipkin 128 bit root span IDs. (default "true")
--tracing.zipkin.samespan Use Zipkin SameSpan RPC style traces. (default "false")
--tracing.zipkin.samplerate The rate between 0.0 and 1.0 of requests to trace. (default "1")
-h, --help Print Help (this message) and exit

78
docs/content/routing/entrypoints.md
View file

@ -5,7 +5,7 @@ Opening Connections for Incoming Requests
![EntryPoints](../assets/img/entrypoints.png)
Entrypoints are the network entry points into Traefik.
EntryPoints are the network entry points into Traefik.
They define the port which will receive the requests (whether HTTP or TCP).
## Configuration Examples
@ -13,8 +13,8 @@ They define the port which will receive the requests (whether HTTP or TCP).
??? example "Port 80 only"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
```
@ -23,11 +23,11 @@ They define the port which will receive the requests (whether HTTP or TCP).
??? example "Port 80 & 443"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.web-secure]
[entryPoints.web-secure]
address = ":443"
```
@ -38,7 +38,45 @@ They define the port which will receive the requests (whether HTTP or TCP).
### General
Entrypoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration). You can define them using a toml file, CLI arguments, or a key-value store. See the [complete reference](../reference/entrypoints.md) for the list of available options.
EntryPoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
You can define them using a toml file, CLI arguments, or a key-value store.
See the complete reference for the list of available options:
```toml tab="File"
[EntryPoints]
[EntryPoints.EntryPoint0]
Address = "foobar"
[EntryPoints.EntryPoint0.Transport]
[EntryPoints.EntryPoint0.Transport.LifeCycle]
RequestAcceptGraceTimeout = 42
GraceTimeOut = 42
[EntryPoints.EntryPoint0.Transport.RespondingTimeouts]
ReadTimeout = 42
WriteTimeout = 42
IdleTimeout = 42
[EntryPoints.EntryPoint0.ProxyProtocol]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
[EntryPoints.EntryPoint0.ForwardedHeaders]
Insecure = true
TrustedIPs = ["foobar", "foobar"]
```
```ini tab="CLI"
Name:EntryPoint0
Address:foobar
Transport.LifeCycle.RequestAcceptGraceTimeout:42
Transport.LifeCycle.GraceTimeOut:42
Transport.RespondingTimeouts.ReadTimeout:42
Transport.RespondingTimeouts.WriteTimeout:42
Transport.RespondingTimeouts.IdleTimeout:42
ProxyProtocol.Insecure:true
ProxyProtocol.TrustedIPs:foobar,foobar
ForwardedHeaders.Insecure:true
ForwardedHeaders.TrustedIPs:foobar,foobar
```
??? example "Using the CLI"
@ -50,7 +88,7 @@ Entrypoints are part of the [static configuration](../getting-started/configurat
```
!!! note
The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists.
The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists inside an option.
The option names are case-insensitive.
!!! warning "Using Docker Compose Files"
@ -80,11 +118,11 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
??? example "Enabling Proxy Protocol with Trusted IPs"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.web.proxyProtocol]
[entryPoints.web.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
@ -95,11 +133,11 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
In a test environments, you can configure Traefik to trust every incoming connection. Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.web.proxyProtocol]
[entryPoints.web.proxyProtocol]
insecure = true
```
@ -115,21 +153,21 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
??? example "Trusting Forwarded Headers from specific IPs"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.web.forwardedHeaders]
[entryPoints.web.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
??? example "Insecure Mode -- Always Trusting Forwarded Headers"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":80"
[entrypoints.web.forwardedHeaders]
[entryPoints.web.forwardedHeaders]
insecure = true
```

8
docs/content/routing/overview.md
View file

@ -25,8 +25,8 @@ Below is an example of a full configuration file for the [file provider](../prov
In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)).
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":8081" # Listen on port 8081 for incoming requests
[providers]
@ -62,8 +62,8 @@ In the process, Traefik will make sure that the user is authenticated (using the
??? example "Adding a TCP route for TLS requests on whoami.traefik.io"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":8081" # Listen on port 8081 for incoming requests
[providers]

40
docs/content/routing/routers/index.md
View file

@ -32,16 +32,16 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie
??? example "Forwarding all (non-tls) requests on port 3306 to a database service"
```toml
[entrypoints]
[entrypoints.mysql-default]
[entryPoints]
[entryPoints.mysql-default]
address = ":80"
[entrypoints.mysql-default]
[entryPoints.mysql-default]
address = ":3306"
[tcp]
[tcp.routers]
[tcp.routers.to-database]
entrypoints = ["mysql-default"]
entryPoints = ["mysql-default"]
rule = "HostSNI(`*`)" # Catch every request (only available rule for non-tls routers. See below.)
service = "database"
```
@ -56,12 +56,12 @@ If you want to limit the router scope to a set of entrypoint, set the entrypoint
??? example "Listens to Every EntryPoint"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
# ...
[entrypoints.web-secure]
[entryPoints.web-secure]
# ...
[entrypoints.other]
[entryPoints.other]
# ...
[http.routers]
@ -74,12 +74,12 @@ If you want to limit the router scope to a set of entrypoint, set the entrypoint
??? example "Listens to Specific EntryPoints"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
# ...
[entrypoint.web-secure]
[entryPoints.web-secure]
# ...
[entrypoint.other]
[entryPoints.other]
# ...
[http.routers]
@ -211,12 +211,12 @@ If you want to limit the router scope to a set of entrypoints, set the entrypoin
??? example "Listens to Every EntryPoint"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
# ...
[entrypoints.web-secure]
[entryPoints.web-secure]
# ...
[entrypoints.other]
[entryPoints.other]
# ...
[tcp.routers]
@ -230,12 +230,12 @@ If you want to limit the router scope to a set of entrypoints, set the entrypoin
??? example "Listens to Specific EntryPoints"
```toml
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
# ...
[entrypoint.web-secure]
[entryPoints.web-secure]
# ...
[entrypoint.other]
[entryPoints.other]
# ...
[tcp.routers]

4
docs/content/user-guides/crd-acme/04-ingressroutes.yml
View file

@ -3,7 +3,7 @@ kind: IngressRoute
metadata:
name: simpleingressroute
spec:
entrypoints:
entryPoints:
- web
routes:
- match: Host(`your.domain.com`) && PathPrefix(`/notls`)
@ -18,7 +18,7 @@ kind: IngressRoute
metadata:
name: ingressroutetls
spec:
entrypoints:
entryPoints:
- websecure
routes:
- match: Host(`your.domain.com`) && PathPrefix(`/tls`)

14
docs/content/user-guides/crd-acme/index.md
View file

@ -16,7 +16,7 @@ In the following, the Kubernetes resources defined in YAML configuration files c
- the first, and usual way, is simply with the `kubectl apply` command.
- the second, which can be used for this tutorial, is to directly place the files in the directory used by the k3s docker image for such inputs (`/var/lib/rancher/k3s/server/manifests`).
## k3s Docker-compose Configuration ##
## k3s Docker-compose Configuration
Our starting point is the docker-compose configuration file, to start the k3s cluster.
You can start it with:
@ -29,11 +29,11 @@ docker-compose -f k3s.yml up
--8<-- "content/user-guides/crd-acme/k3s.yml"
```
## Cluster Resources ##
## Cluster Resources
Let's now have a look (in the order they should be applied, if using `kubectl apply`) at all the required resources for the full setup.
### IngressRoute Definition ###
### IngressRoute Definition
First, the definition of the `IngressRoute` and the `Middleware` kinds.
Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on.
@ -42,7 +42,7 @@ Also note the RBAC authorization resources; they'll be referenced through the `s
--8<-- "content/user-guides/crd-acme/01-crd.yml"
```
### Services ###
### Services
Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/containous/whoami).
@ -50,7 +50,7 @@ Then, the services. One for Traefik itself, and one for the app it routes for, i
--8<-- "content/user-guides/crd-acme/02-services.yml"
```
### Deployments ###
### Deployments
Next, the deployments, i.e. the actual pods behind the services.
Again, one pod for Traefik, and one for the whoami app.
@ -59,7 +59,7 @@ Again, one pod for Traefik, and one for the whoami app.
--8<-- "content/user-guides/crd-acme/03-deployments.yml"
```
### Port Forwarding ###
### Port Forwarding
Now, as an exception to what we said above, please note that you should not let the ingressRoute resources below be applied automatically to your cluster.
The reason is, as soon as the ACME provider of Traefik detects we have TLS routers, it will try to generate the certificates for the corresponding domains.
@ -74,7 +74,7 @@ Also, and this is out of the scope if this guide, please note that because of th
In which case you can use tricks such as elevating caps of `kubectl` with `setcaps`, or using `authbind`, or setting up a NAT between your host and the WAN.
Look it up.
### Traefik Routers ###
### Traefik Routers
We can now finally apply the actual ingressRoutes, with:

120
docs/content/user-guides/marathon.md Normal file
View file

@ -0,0 +1,120 @@
# Marathon
This guide explains how to integrate Marathon and operate the cluster in a reliable way from Traefik's standpoint.
## Host detection
Marathon offers multiple ways to run (Docker-containerized) applications, the most popular ones being
- BRIDGE-networked containers with dynamic high ports exposed
- HOST-networked containers with host machine ports
- containers with dedicated IP addresses ([IP-per-task](https://mesosphere.github.io/marathon/docs/ip-per-task.html)).
Traefik tries to detect the configured mode and route traffic to the right IP addresses. It is possible to force using task hosts with the `forceTaskHostname` option.
## Port detection
Traefik also attempts to determine the right port (which is a [non-trivial matter in Marathon](https://mesosphere.github.io/marathon/docs/ports.html)).
Following is the order by which Traefik tries to identify the port (the first one that yields a positive result will be used):
1. A arbitrary port specified through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=8080`
1. The task port (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
1. The port from the application's `portDefinitions` field (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
1. The port from the application's `ipAddressPerTask` field (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
## Achieving high availability
### Scenarios
There are three scenarios where the availability of a Marathon application could be impaired along with the risk of losing or failing requests:
- During the startup phase when Traefik already routes requests to the backend even though it has not completed its bootstrapping process yet.
- During the shutdown phase when Traefik still routes requests to the backend while the backend is already terminating.
- During a failure of the application when Traefik has not yet identified the backend as being erroneous.
The first two scenarios are common with every rolling upgrade of an application (i.e. a new version release or configuration update).
The following sub-sections describe how to resolve or mitigate each scenario.
#### Startup
It is possible to define [readiness checks](https://mesosphere.github.io/marathon/docs/readiness-checks.html) (available since Marathon version 1.1) per application and have Marathon take these into account during the startup phase.
The idea is that each application provides an HTTP endpoint that Marathon queries periodically during an ongoing deployment in order to mark the associated readiness check result as successful if and only if the endpoint returns a response within the configured HTTP code range.
As long as the check keeps failing, Marathon will not proceed with the deployment (within the configured upgrade strategy bounds).
Beginning with version 1.4, Traefik respects readiness check results if the Traefik option is set and checks are configured on the applications accordingly.
!!! note
Due to the way readiness check results are currently exposed by the Marathon API, ready tasks may be taken into rotation with a small delay.
It is on the order of one readiness check timeout interval (as configured on the application specifiation) and guarantees that non-ready tasks do not receive traffic prematurely.
If readiness checks are not possible, a current mitigation strategy is to enable [retries](../middlewares/retry.md) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
Apart from its probabilistic nature, the workaround comes at the price of increased latency.
#### Shutdown
It is possible to install a [termination handler](https://mesosphere.github.io/marathon/docs/health-checks.html) (available since Marathon version 1.3) with each application whose responsibility it is to delay the shutdown process long enough until the backend has been taken out of load-balancing rotation with reasonable confidence (i.e., Traefik has received an update from the Marathon event bus, recomputes the available Marathon backends, and applies the new configuration).
Specifically, each termination handler should install a signal handler listening for a SIGTERM signal and implement the following steps on signal reception:
1. Disable Keep-Alive HTTP connections.
1. Keep accepting HTTP requests for a certain period of time.
1. Stop accepting new connections.
1. Finish serving any in-flight requests.
1. Shut down.
Traefik already ignores Marathon tasks whose state does not match `TASK_RUNNING`; since terminating tasks transition into the `TASK_KILLING` and eventually `TASK_KILLED` state, there is nothing further that needs to be done on Traefik's end.
How long HTTP requests should continue to be accepted in step 2 depends on how long Traefik needs to receive and process the Marathon configuration update.
Under regular operational conditions, it should be on the order of seconds, with 10 seconds possibly being a good default value.
Again, configuring Traefik to do retries (as discussed in the previous section) can serve as a decent workaround strategy.
Paired with termination handlers, they would cover for those cases where either the termination sequence or Traefik cannot complete their part of the orchestration process in time.
#### Failure
A failing application always happens unexpectedly, and hence, it is very difficult or even impossible to rule out the adversal effects categorically.
Failure reasons vary broadly and could stretch from unacceptable slowness, a task crash, or a network split.
There are two mitigaton efforts:
1. Configure [Marathon health checks](https://mesosphere.github.io/marathon/docs/health-checks.html) on each application.
2. Configure Traefik health checks (possibly via the `traefik.HTTP.Services.YourServiceName.LoadBalancer.HealthCheck.*` labels) and make sure they probe with proper frequency.
The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves.
However, they might take a while to get triggered and the follow-up processes to complete.
For that reason, the Treafik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen.
Additionally, it protects from cases that the Marathon health check may not be able to cover, such as a network split.
### (Non-)Alternatives
There are a few alternatives of varying quality that are frequently asked for.
The remaining section is going to explore them along with a benefit/cost trade-off.
#### Reusing Marathon health checks
It may seem obvious to reuse the Marathon health checks as a signal to Traefik whether an application should be taken into load-balancing rotation or not.
Apart from the increased latency a failing health check may have, a major problem with this is is that Marathon does not persist the health check results.
Consequently, if a master re-election occurs in the Marathon clusters, all health check results will revert to the _unknown_ state, effectively causing all applications inside the cluster to become unavailable and leading to a complete cluster failure.
Re-elections do not only happen during regular maintenance work (often requiring rolling upgrades of the Marathon nodes) but also when the Marathon leader fails spontaneously.
As such, there is no way to handle this situation deterministically.
Finally, Marathon health checks are not mandatory (the default is to use the task state as reported by Mesos), so requiring them for Traefik would raise the entry barrier for Marathon users.
Traefik used to use the health check results as a strict requirement but moved away from it as [users reported the dramatic consequences](https://github.com/containous/traefik/issues/653).
#### Draining
Another common approach is to let a proxy drain backends that are supposed to shut down.
That is, once a backend is supposed to shut down, Traefik would stop forwarding requests.
On the plus side, this would not require any modifications to the application in question.
However, implementing this fully within Traefik seems like a non-trivial undertaking.
Additionally, the approach is less flexible compared to a custom termination handler since only the latter allows for the implementation of custom termination sequences that go beyond simple request draining (e.g., persisting a snapshot state to disk prior to terminating).
The feature is currently not implemented; a request for draining in general is at [issue 41](https://github.com/containous/traefik/issues/41).

18
docs/mkdocs.yml
View file

@ -66,12 +66,6 @@ markdown_extensions:
# Page tree
nav:
- '': 'providers/kubernetes-ingress.md'
- '': 'reference/acme.md'
- '': 'reference/providers/docker.md'
- '': 'reference/providers/file.md'
- '': 'reference/providers/kubernetescrd.md'
- '': 'reference/entrypoints.md'
- 'Welcome': 'index.md'
- 'Getting Started':
- 'Concepts' : 'getting-started/concepts.md'
@ -80,8 +74,11 @@ nav:
- 'Configuration Discovery':
- 'Overview': 'providers/overview.md'
- 'Docker': 'providers/docker.md'
- 'File': 'providers/file.md'
- 'Kubernetes IngressRoute': 'providers/kubernetes-crd.md'
# - 'Kubernetes Ingress': 'providers/kubernetes-ingress.md'
- 'Rancher': 'providers/rancher.md'
- 'File': 'providers/file.md'
- 'Marathon': 'providers/marathon.md'
- 'Routing & Load Balancing':
- 'Overview': 'routing/overview.md'
- 'Entrypoints': 'routing/entrypoints.md'
@ -124,6 +121,7 @@ nav:
- 'Tracing': 'observability/tracing.md'
- 'User Guides':
- 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md'
- 'Marathon': 'user-guides/marathon.md'
- 'Contributing':
- 'Thank You!': 'contributing/thank-you.md'
- 'Submitting Issues': 'contributing/submitting-issues.md'
@ -134,3 +132,9 @@ nav:
- 'Advocating': 'contributing/advocating.md'
- 'Maintainers': 'contributing/maintainers.md'
- 'Glossary': 'glossary.md'
- 'References':
- 'Static Configuration': 'reference/static-configuration.md'
- 'Dynamic Configuration':
- 'Docker': 'reference/dynamic-configuration/docker.md'
- 'Kubernetes CRD': 'reference/dynamic-configuration/kubernetes-crd.md'
- 'File': 'reference/dynamic-configuration/file.md'

8
exp.Dockerfile
View file

@ -15,8 +15,9 @@ RUN npm run build
FROM golang:1.12-alpine as gobuild
RUN apk --update upgrade \
&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
&& rm -rf /var/cache/apk/*
&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
&& update-ca-certificates \
&& rm -rf /var/cache/apk/*
RUN mkdir -p /usr/local/bin \
&& curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
@ -33,7 +34,8 @@ RUN ./script/make.sh generate binary
## IMAGE
FROM scratch
COPY script/ca-certificates.crt /etc/ssl/certs/
COPY --from=gobuild /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=gobuild /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=gobuild /go/src/github.com/containous/traefik/dist/traefik /
EXPOSE 80

20
integration/fixtures/access_log_config.toml
View file

@ -1,24 +1,24 @@
[log]
logLevel = "ERROR"
filePath = "traefik.log"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "ERROR"
filePath = "traefik.log"
[accessLog]
filePath = "access.log"
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":8000"
[entrypoints.frontendRedirect]
[entryPoints.frontendRedirect]
address = ":8005"
[entrypoints.httpFrontendAuth]
[entryPoints.httpFrontendAuth]
address = ":8006"
[entrypoints.httpRateLimit]
[entryPoints.httpRateLimit]
address = ":8007"
[entrypoints.digestAuth]
[entryPoints.digestAuth]
address = ":8008"
[api]

14
integration/fixtures/acme/acme_base.toml
View file

@ -1,10 +1,14 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = "{{ .PortHTTP }}"
[entrypoints.web-secure]
[entryPoints.web-secure]
address = "{{ .PortHTTPS }}"
[acme]

14
integration/fixtures/acme/acme_tls.toml
View file

@ -1,10 +1,14 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = "{{ .PortHTTP }}"
[entrypoints.web-secure]
[entryPoints.web-secure]
address = "{{ .PortHTTPS }}"
[acme]

14
integration/fixtures/acme/acme_tls_dynamic.toml
View file

@ -1,10 +1,14 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = "{{ .PortHTTP }}"
[entrypoints.web-secure]
[entryPoints.web-secure]
address = "{{ .PortHTTPS }}"
[acme]

20
integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
View file

@ -1,18 +1,22 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = "{{ .PortHTTP }}"
[entrypoints.web-secure]
[entryPoints.web-secure]
address = "{{ .PortHTTPS }}"
[entrypoints.traefik]
[entryPoints.traefik]
address = ":9000"
# FIXME
# [entrypoints.traefik.tls]
# [entrypoints.traefik.tls.DefaultCertificate]
# [entryPoints.traefik.tls]
# [entryPoints.traefik.tls.DefaultCertificate]
# certFile = "fixtures/acme/ssl/wildcard.crt"
# keyFile = "fixtures/acme/ssl/wildcard.key"

9
integration/fixtures/docker/minimal.toml
View file

@ -1,9 +1,12 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
logLevel = "DEBUG"
level = "DEBUG"
[entrypoints]
[entrypoints.web]
[entryPoints]
[entryPoints.web]
address = ":8000"
[api]

12
integration/fixtures/docker/simple.toml
View file

@ -1,8 +1,12 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[api]

12
integration/fixtures/error_pages/error.toml
View file

@ -1,8 +1,12 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8080"
[providers]

12
integration/fixtures/error_pages/simple.toml
View file

@ -1,8 +1,12 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8080"
[providers]

12
integration/fixtures/file/56-simple-panic.toml
View file

@ -1,8 +1,12 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"

12
integration/fixtures/file/directory.toml
View file

@ -1,8 +1,12 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]

13
integration/fixtures/file/simple.toml
View file

@ -1,10 +1,13 @@
[entrypoints]
[entrypoints.web]
address = ":8000"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
logLevel = "DEBUG"
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]

14
integration/fixtures/grpc/config.toml
View file

@ -1,11 +1,15 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[serversTransport]
rootCAs = [ """{{ .CertContent }}""" ]
[global]
debug = true
[entrypoints]
[entrypoints.web-secure]
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
[api]

10
integration/fixtures/grpc/config_h2c.toml
View file

@ -1,8 +1,12 @@
[global]
debug = true
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8081"
[api]

10
integration/fixtures/grpc/config_h2c_termination.toml
View file

@ -1,8 +1,12 @@
[global]
debug = true
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.web-secure]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web-secure]
address = ":4443"

13
integration/fixtures/grpc/config_insecure.toml
View file

@ -1,12 +1,15 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[serversTransport]
insecureSkipVerify = true
[global]
debug = true
[entrypoints]
[entrypoints.web-secure]
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
[api]

11
integration/fixtures/grpc/config_retry.toml
View file

@ -1,8 +1,15 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[serversTransport]
rootCAs = [ """{{ .CertContent }}""" ]
[entrypoints]
[entrypoints.web-secure]
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
[api]

10
integration/fixtures/grpc/config_with_flush.toml
View file

@ -1,9 +1,15 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[serversTransport]
rootCAs = [ """{{ .CertContent }}""" ]
[entrypoints]
[entrypoints.web-secure]
[entryPoints]
[entryPoints.web-secure]
address = ":4443"
[api]

24
integration/fixtures/headers/basic.toml Normal file
View file

@ -0,0 +1,24 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]
[http.routers]
[http.routers.router1]
rule = "Host(`test.localhost`)"
service = "service1"
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.2:80"
weight = 1

31
integration/fixtures/headers/cors.toml Normal file
View file

@ -0,0 +1,31 @@
[global]
checkNewVersion = false
sendAnonymousUsage = false
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.web]
address = ":8000"
[providers]
[providers.file]
[http.routers]
[http.routers.router1]
rule = "Host(`test.localhost`)"
service = "service1"
[http.middlewares]
[http.middlewares.cors.Headers]
AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
AccessControlAllowOrigin = "origin-list-or-null"
AccessControlMaxAge = 100
AddVaryHeader = true
[http.services]
[http.services.service1.loadbalancer]
[[http.services.service1.loadbalancer.servers]]
url = "http://172.17.0.2:80"
weight = 1

14
integration/fixtures/healthcheck/multiple-entrypoints-drr.toml
View file

@ -1,10 +1,14 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.http1]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.http1]
address = ":8000"
[entrypoints.http2]
[entryPoints.http2]
address = ":9000"
[api]

14
integration/fixtures/healthcheck/multiple-entrypoints-wrr.toml
View file

@ -1,10 +1,14 @@
[log]
logLevel = "DEBUG"
[global]
checkNewVersion = false
sendAnonymousUsage = false
[entrypoints]
[entrypoints.http1]
[log]
level = "DEBUG"
[entryPoints]
[entryPoints.http1]
address = ":8000"
[entrypoints.http2]
[entryPoints.http2]
address = ":9000"
[api]

Some files were not shown because too many files have changed in this diff Show more