diff --git a/.gitignore b/.gitignore index a5e8d1692..89f7d5fc4 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ /webui/.tmp/ .vscode/ /site/ +/docs/site/ *.log *.exe .DS_Store diff --git a/.travis.yml b/.travis.yml index 334150add..84991059b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,7 +16,7 @@ env: script: - echo "Skipping tests... (Tests are executed on SemaphoreCI)" -- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs-verify; fi +- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi before_deploy: - > diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 718bc13fa..ab197c5d9 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -2,17 +2,11 @@ ## Our Pledge -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, gender identity and expression, level of experience, -nationality, personal appearance, race, religion, or sexual identity and -orientation. +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation. ## Our Standards -Examples of behavior that contributes to creating a positive environment -include: +Examples of behavior that contributes to creating a positive environment include: * Using welcoming and inclusive language * Being respectful of differing viewpoints and experiences @@ -22,53 +16,36 @@ include: Examples of unacceptable behavior by participants include: -* The use of sexualized language or imagery and unwelcome sexual attention or -advances +* The use of sexualized language or imagery and unwelcome sexual attention or advances * Trolling, insulting/derogatory comments, and personal or political attacks * Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting +* Publishing others' private information, such as a physical or electronic address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. +Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. ## Scope -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. +Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. +Representation of a project may be further defined and clarified by project maintainers. ## Enforcement -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at contact@containo.us -All complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us +All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. +The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at [http://contributor-covenant.org/version/1/4][version] +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] [homepage]: http://contributor-covenant.org -[version]: http://contributor-covenant.org/version/1/4/ +[version]: http://contributor-covenant.org/version/1/4/ \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fd7d89d82..9a3a3a66c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,297 +1,3 @@ # Contributing -## Building - -You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik. -For changes to its dependencies, the `dep` dependency management tool is required. - -### Method 1: Using `Docker` and `Makefile` - -You need to run the `binary` target. This will create binaries for Linux platform in the `dist` folder. - -```bash -$ make binary -docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile . -Sending build context to Docker daemon 295.3 MB -Step 0 : FROM golang:1.11-alpine - ---> 8c6473912976 -Step 1 : RUN go get github.com/golang/dep/cmd/dep -[...] -docker run --rm -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary ----> Making bundle: generate (in .) -removed 'gen.go' - ----> Making bundle: binary (in .) - -$ ls dist/ -traefik* -``` - -### Method 2: Using `go` - -##### Setting up your `go` environment - -- You need `go` v1.9+ -- It is recommended you clone Traefik into a directory like `~/go/src/github.com/containous/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly) -- Set your `GOPATH` and `PATH` variable to be set to `~/go` via: - -```bash -export GOPATH=~/go -export PATH=$PATH:$GOPATH/bin -``` - -> Note: You will want to add those 2 export lines to your `.bashrc` or `.bash_profile` - -- Verify your environment is setup properly by running `$ go env`. Depending on your OS and environment you should see output similar to: - -```bash -GOARCH="amd64" -GOBIN="" -GOEXE="" -GOHOSTARCH="amd64" -GOHOSTOS="linux" -GOOS="linux" -GOPATH="/home//go" -GORACE="" -## more go env's will be listed -``` - -##### Build Traefik - -Once your environment is set up and the Traefik repository cloned you can build Traefik. You need get `go-bindata` once to be able to use `go generate` command as part of the build. The steps to build are: - -```bash -cd ~/go/src/github.com/containous/traefik - -# Get go-bindata. Please note, the ellipses are required -go get github.com/containous/go-bindata/... - -# Start build - -# generate -# (required to merge non-code components into the final binary, such as the web dashboard and provider's Go templates) -go generate - -# Standard go build -go build ./cmd/traefik -# run other commands like tests -``` - -You will find the Traefik executable in the `~/go/src/github.com/containous/traefik` folder as `traefik`. - -### Updating the templates - -If you happen to update the provider templates (in `/templates`), you need to run `go generate` to update the `autogen` package. - -### Setting up dependency management - -[dep](https://github.com/golang/dep) is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages) - -You need to use [dep](https://github.com/golang/dep) >= O.4.1. - -If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively). - -A following `make dep-prune` run should be triggered to trim down the size of the vendor folder. -The final result must be committed into VCS. - -Here's a full example using dep to add a new dependency: - -```bash -# install the new main dependency github.com/foo/bar and minimize vendor size -$ dep ensure -add github.com/foo/bar -# generate (Only required to integrate other components such as web dashboard) -$ go generate -# Standard go build -$ go build ./cmd/traefik -# run other commands like tests -``` - -### Tests - -#### Method 1: `Docker` and `make` - -You can run unit tests using the `test-unit` target and the -integration test using the `test-integration` target. - -```bash -$ make test-unit -docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile . -# […] -docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit ----> Making bundle: generate (in .) -removed 'gen.go' - ----> Making bundle: test-unit (in .) -+ go test -cover -coverprofile=cover.out . -ok github.com/containous/traefik 0.005s coverage: 4.1% of statements - -Test success -``` - -For development purposes, you can specify which tests to run by using: - -```bash -# Run every tests in the MyTest suite -TESTFLAGS="-check.f MyTestSuite" make test-integration - -# Run the test "MyTest" in the MyTest suite -TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration - -# Run every tests starting with "My", in the MyTest suite -TESTFLAGS="-check.f MyTestSuite.My" make test-integration - -# Run every tests ending with "Test", in the MyTest suite -TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration -``` - -More: https://labix.org/gocheck - -#### Method 2: `go` - -Unit tests can be run from the cloned directory by `$ go test ./...` which should return `ok` similar to: - -``` -ok _/home/user/go/src/github/containous/traefik 0.004s -``` - -Integration tests must be run from the `integration/` directory and require the `-integration` switch to be passed like this: `$ cd integration && go test -integration ./...`. - -## Documentation - -The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/) - -### Building Documentation - -#### Method 1: `Docker` and `make` - -You can build the documentation and serve it locally with livereloading, using the `docs` target: - -```bash -$ make docs -docker build -t traefik-docs -f docs.Dockerfile . -# […] -docker run --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve -# […] -[I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000 -[I 170828 20:47:48 handlers:60] Start watching changes -[I 170828 20:47:48 handlers:62] Start detecting changes -``` - -And go to [http://127.0.0.1:8000](http://127.0.0.1:8000). - -If you only want to build the documentation without serving it locally, you can use the following command: - -```bash -$ make docs-build -... -``` - -#### Method 2: `mkdocs` - -First make sure you have python and pip installed - -```bash -$ python --version -Python 2.7.2 -$ pip --version -pip 1.5.2 -``` - -Then install mkdocs with pip - -```bash -pip install --user -r requirements.txt -``` - -To build documentation locally and serve it locally, -run `mkdocs serve` in the root directory, -this should start a server locally to preview your changes. - -```bash -$ mkdocs serve -INFO - Building documentation... -INFO - Cleaning site directory -[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000 -[I 160505 22:31:24 handlers:59] Start watching changes -[I 160505 22:31:24 handlers:61] Start detecting changes -``` - -### Verify Documentation - -You can verify that the documentation meets some expectations, as checking for dead links, html markup validity. - -```bash -$ make docs-verify -docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image -... -docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance -=== Checking HTML content... -Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html... -``` - -If you recently changed the documentation, do not forget to clean it to have it rebuilt: - -```bash -$ make docs-clean docs-verify -... -``` - -Please note that verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`: - -```shell -DOCS_VERIFY_SKIP=true make docs-verify -... -DOCS_LINT_SKIP is true: no linting done. -``` - -## How to Write a Good Issue - -Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests. - -For end-user related support questions, refer to one of the following: -- the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io) -- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag) - -### Title - -The title must be short and descriptive. (~60 characters) - -### Description - -- Respect the issue template as much as possible. [template](.github/ISSUE_TEMPLATE.md) -- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I. -- Explain the conditions which led you to write this issue: the context. -- The context should lead to something, an idea or a problem that you’re facing. -- Remain clear and concise. -- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown) - - -## How to Write a Good Pull Request - -### Title - -The title must be short and descriptive. (~60 characters) - -### Description - -- Respect the pull request template as much as possible. [template](.github/PULL_REQUEST_TEMPLATE.md) -- Explain the conditions which led you to write this PR: the context. -- The context should lead to something, an idea or a problem that you’re facing. -- Remain clear and concise. -- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown) - -### Content - -- Make it small. -- Do only one thing. -- Write useful descriptions and titles. -- Avoid re-formatting. -- Make sure the code builds. -- Make sure all tests pass. -- Add tests. -- Address review comments in terms of additional commits. -- Do not amend/squash existing ones unless the PR is trivial. -- If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated. - - -Read [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/). +See https://docs.traefik.io. diff --git a/Makefile b/Makefile index 336c5d54e..d84f0aacb 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: all docs-verify docs docs-clean docs-build +.PHONY: all docs docs-serve TRAEFIK_ENVS := \ -e OS_ARCH_ARG \ @@ -21,18 +21,11 @@ TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH))) REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]') TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik") INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock") -TRAEFIK_DOC_IMAGE := traefik-docs -TRAEFIK_DOC_VERIFY_IMAGE := $(TRAEFIK_DOC_IMAGE)-verify -DOCS_VERIFY_SKIP ?= false DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",) DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)" DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS) DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS) -DOCKER_RUN_DOC_PORT := 8000 -DOCKER_RUN_DOC_MOUNT := -v $(CURDIR):/mkdocs -DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNT) -p $(DOCKER_RUN_DOC_PORT):8000 - print-%: ; @echo $*=$($*) @@ -96,27 +89,11 @@ image-dirty: binary ## build a docker traefik image image: clear-static binary ## clean up static directory and build a docker traefik image docker build -t $(TRAEFIK_IMAGE) . -docs-image: - docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile . +docs: + make -C ./docs docs -docs: docs-image - docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs serve - -docs-build: site - -docs-verify: site -ifeq ($(DOCS_VERIFY_SKIP),false) - docker build -t $(TRAEFIK_DOC_VERIFY_IMAGE) ./script/docs-verify-docker-image - docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOC_VERIFY_IMAGE) -else - @echo "DOCS_LINT_SKIP is true: no linting done." -endif - -site: docs-image - docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs build - -docs-clean: - rm -rf $(CURDIR)/site +docs-serve: + make -C ./docs docs-serve clear-static: rm -rf static diff --git a/docs/.dockerignore b/docs/.dockerignore new file mode 100644 index 000000000..45ddf0ae3 --- /dev/null +++ b/docs/.dockerignore @@ -0,0 +1 @@ +site/ diff --git a/docs/.markdownlint.json b/docs/.markdownlint.json new file mode 100644 index 000000000..c32e197fd --- /dev/null +++ b/docs/.markdownlint.json @@ -0,0 +1,9 @@ +{ + "no-hard-tabs": false, + "MD007": { "indent": 4 }, + "MD009": false, + "MD013": false, + "MD026": false, + "MD033": false, + "MD034": false +} diff --git a/docs/Makefile b/docs/Makefile new file mode 100644 index 000000000..e14f14b78 --- /dev/null +++ b/docs/Makefile @@ -0,0 +1,52 @@ + +####### +# This Makefile contains all targets related to the documentation +####### + +DOCS_VERIFY_SKIP ?= false +DOCS_LINT_SKIP ?= false + +TRAEFIK_DOCS_BUILD_IMAGE ?= traefik-docs +TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check + +SITE_DIR := $(CURDIR)/site + +DOCKER_RUN_DOC_PORT := 8000 +DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs +DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000 + +# Default: generates the documentation into $(SITE_DIR) +docs: docs-clean docs-image docs-lint docs-build docs-verify + +# Writer Mode: build and serve docs on http://localhost:8000 with livereload +docs-serve: docs-image + docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve + +# Utilities Targets for each step +docs-image: + docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./ + +docs-build: docs-image + docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) sh -c "mkdocs build \ + && chown -R $(shell id -u):$(shell id -g) ./site" + +docs-verify: docs-build + @if [ "$(DOCS_VERIFY_SKIP)" != "true" ]; then \ + docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./; \ + docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /verify.sh; \ + else \ + @echo "DOCS_VERIFY_SKIP is true: no verification done."; \ + fi + +docs-lint: + @if [ "$(DOCS_LINT_SKIP)" != "true" ]; then \ + docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./ && \ + docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /lint.sh; \ + else \ + @echo "DOCS_LINT_SKIP is true: no linting done."; \ + fi + +docs-clean: + rm -rf $(SITE_DIR) + +.PHONY: all docs-verify docs docs-clean docs-build docs-lint diff --git a/docs/basics.md b/docs/basics.md deleted file mode 100644 index 56b68667a..000000000 --- a/docs/basics.md +++ /dev/null @@ -1,769 +0,0 @@ -# Basics - -## Concepts - -Let's take our example from the [overview](/#overview) again: - - -> Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services. -> If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths: - -> - domain `api.domain.com` will point the microservice `api` in your private network -> - path `domain.com/web` will point the microservice `web` in your private network -> - domain `backoffice.domain.com` will point the microservices `backoffice` in your private network, load-balancing between your multiple instances - -> ![Architecture](img/architecture.png) - -Let's zoom on Traefik and have an overview of its internal architecture: - - -![Architecture](img/internal.png) - -- Incoming requests end on [entrypoints](#entrypoints), as the name suggests, they are the network entry points into Traefik (listening port, SSL, traffic redirection...). -- Traffic is then forwarded to a matching [frontend](#frontends). A frontend defines routes from [entrypoints](#entrypoints) to [backends](#backends). -Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can match or not a request. -- The [frontend](#frontends) will then send the request to a [backend](#backends). A backend can be composed by one or more [servers](#servers), and by a load-balancing strategy. -- Finally, the [server](#servers) will forward the request to the corresponding microservice in the private network. - -### Entrypoints - -Entrypoints are the network entry points into Traefik. -They can be defined using: - -- a port (80, 443...) -- SSL (Certificates, Keys, authentication with a client certificate signed by a trusted CA...) -- redirection to another entrypoint (redirect `HTTP` to `HTTPS`) - -Here is an example of entrypoints definition: - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [[entryPoints.https.tls.certificates]] - certFile = "tests/traefik.crt" - keyFile = "tests/traefik.key" -``` - -- Two entrypoints are defined `http` and `https`. -- `http` listens on port `80` and `https` on port `443`. -- We enable SSL on `https` by giving a certificate and a key. -- We also redirect all the traffic from entrypoint `http` to `https`. - -And here is another example with client certificate authentication: - -```toml -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [entryPoints.https.tls.ClientCA] - files = ["tests/clientca1.crt", "tests/clientca2.crt"] - optional = false - [[entryPoints.https.tls.certificates]] - certFile = "tests/traefik.crt" - keyFile = "tests/traefik.key" -``` - -- We enable SSL on `https` by giving a certificate and a key. -- One or several files containing Certificate Authorities in PEM format are added. -- It is possible to have multiple CA:s in the same file or keep them in separate files. - -### Frontends - -A frontend consists of a set of rules that determine how incoming requests are forwarded from an entrypoint to a backend. - -Rules may be classified in one of two groups: Modifiers and matchers. - -#### Modifiers - -Modifier rules only modify the request. They do not have any impact on routing decisions being made. - -Following is the list of existing modifier rules: - -- `AddPrefix: /products`: Add path prefix to the existing request path prior to forwarding the request to the backend. -- `ReplacePath: /serverless-path`: Replaces the path and adds the old path to the `X-Replaced-Path` header. Useful for mapping to AWS Lambda or Google Cloud Functions. -- `ReplacePathRegex: ^/api/v2/(.*) /api/$1`: Replaces the path with a regular expression and adds the old path to the `X-Replaced-Path` header. Separate the regular expression and the replacement by a space. - -#### Matchers - -Matcher rules determine if a particular request should be forwarded to a backend. - -The associativity rule is the following: - -- `,` is the `OR` operator (works **only inside a matcher**, ex: `Host:foo.com,bar.com`). - - i.e., forward a request if any rule matches. - - Does not work for `Headers` and `HeadersRegexp`. -- `;` is the `AND` operator (works **only between matchers**, ex: `Host:foo.com;Path:/bar`) - - i.e., forward a request if all rules match - -Following is the list of existing matcher rules along with examples: - -| Matcher | Description | -|------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `Headers: Content-Type, application/json` | Match HTTP header. It accepts a comma-separated key/value pair where both key and value must be literals. | -| `HeadersRegexp: Content-Type, application/(text/json)` | Match HTTP header. It accepts a comma-separated key/value pair where the key must be a literal and the value may be a literal or a regular expression. | -| `Host: traefik.io, www.traefik.io` | Match request host. It accepts a sequence of literal hosts. | -| `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io` | Match request host. It accepts a sequence of literal and regular expression hosts. | -| `Method: GET, POST, PUT` | Match request HTTP method. It accepts a sequence of HTTP methods. | -| `Path: /products/, /articles/{category}/{id:[0-9]+}` | Match exact request path. It accepts a sequence of literal and regular expression paths. | -| `PathStrip: /products/` | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal paths. | -| `PathStripRegex: /articles/{category}/{id:[0-9]+}` | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression paths. | -| `PathPrefix: /products/, /articles/{category}/{id:[0-9]+}` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. | -| `PathPrefixStrip: /products/` | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. | -| `PathPrefixStripRegex: /articles/{category}/{id:[0-9]+}` | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. | -| `Query: foo=bar, bar=baz` | Match Query String parameters. It accepts a sequence of key=value pairs. | - -In order to use regular expressions with Host and Path matchers, you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`). - -!!! note - The variable has no special meaning; however, it is required by the [gorilla/mux](https://github.com/gorilla/mux) dependency which embeds the regular expression and defines the syntax. - -You can optionally enable `passHostHeader` to forward client `Host` header to the backend. -You can also optionally configure the `passTLSClientCert` option to pass the Client certificates to the backend in a specific header. - -##### Path Matcher Usage Guidelines - -This section explains when to use the various path matchers. - -Use `Path` if your backend listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`. - -Use a `*Prefix*` matcher if your backend listens on a particular base path but also serves requests on sub-paths. -For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. -Since the path is forwarded as-is, your backend is expected to listen on `/products`. - -Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix. -For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. -Since the path is stripped prior to forwarding, your backend is expected to listen on `/`. -If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs. -Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend). -The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically. - -Instead of distinguishing your backends by path only, you can add a Host matcher to the mix. -That way, namespacing of your backends happens on the basis of hosts in addition to paths. - -#### Examples - -Here is an example of frontends definition: - -```toml -[frontends] - [frontends.frontend1] - backend = "backend2" - [frontends.frontend1.routes.test_1] - rule = "Host:test.localhost,test2.localhost" - [frontends.frontend2] - backend = "backend1" - passHostHeader = true - [frontends.frontend2.passTLSClientCert] - pem = true - priority = 10 - entrypoints = ["https"] # overrides defaultEntryPoints - [frontends.frontend2.routes.test_1] - rule = "HostRegexp:localhost,{subdomain:[a-z]+}.localhost" - [frontends.frontend3] - backend = "backend2" - [frontends.frontend3.routes.test_1] - rule = "Host:test3.localhost;Path:/test" -``` - -- Three frontends are defined: `frontend1`, `frontend2` and `frontend3` -- `frontend1` will forward the traffic to the `backend2` if the rule `Host:test.localhost,test2.localhost` is matched -- `frontend2` will forward the traffic to the `backend1` if the rule `HostRegexp:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend) -- `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched - -#### Combining multiple rules - -As seen in the previous example, you can combine multiple rules. -In TOML file, you can use multiple routes: - -```toml - [frontends.frontend3] - backend = "backend2" - [frontends.frontend3.routes.test_1] - rule = "Host:test3.localhost" - [frontends.frontend3.routes.test_2] - rule = "Path:/test" -``` - -Here `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched. - -You can also use the notation using a `;` separator, same result: - -```toml - [frontends.frontend3] - backend = "backend2" - [frontends.frontend3.routes.test_1] - rule = "Host:test3.localhost;Path:/test" -``` - -Finally, you can create a rule to bind multiple domains or Path to a frontend, using the `,` separator: - -```toml - [frontends.frontend2] - [frontends.frontend2.routes.test_1] - rule = "Host:test1.localhost,test2.localhost" - [frontends.frontend3] - backend = "backend2" - [frontends.frontend3.routes.test_1] - rule = "Path:/test1,/test2" -``` - -#### Rules Order - -When combining `Modifier` rules with `Matcher` rules, it is important to remember that `Modifier` rules **ALWAYS** apply after the `Matcher` rules. - -The following rules are both `Matchers` and `Modifiers`, so the `Matcher` portion of the rule will apply first, and the `Modifier` will apply later. - -- `PathStrip` -- `PathStripRegex` -- `PathPrefixStrip` -- `PathPrefixStripRegex` - -`Modifiers` will be applied in a pre-determined order regardless of their order in the `rule` configuration section. - -1. `PathStrip` -2. `PathPrefixStrip` -3. `PathStripRegex` -4. `PathPrefixStripRegex` -5. `AddPrefix` -6. `ReplacePath` - -#### Priorities - -By default, routes will be sorted (in descending order) using rules length (to avoid path overlap): -- `PathPrefix:/foo;Host:foo.com` (length == 28) will be matched before `PathPrefixStrip:/foobar` (length == 23) will be matched before `PathPrefix:/foo,/bar` (length == 20). -- A priority value of 0 will be ignored, so the default value will be calculated (rules length). - -You can customize priority by frontend. The priority value override the rule length during sorting: - -```toml - [frontends] - [frontends.frontend1] - backend = "backend1" - priority = 20 - passHostHeader = true - [frontends.frontend1.routes.test_1] - rule = "PathPrefix:/to" - [frontends.frontend2] - backend = "backend2" - passHostHeader = true - [frontends.frontend2.routes.test_1] - rule = "PathPrefix:/toto" -``` - -Here, `frontend1` will be matched before `frontend2` (`20 > 16`). - -#### Custom headers - -Custom headers can be configured through the frontends, to add headers to either requests or responses that match the frontend's rules. -This allows for setting headers such as `X-Script-Name` to be added to the request, or custom headers to be added to the response. - -!!! warning - If the custom header name is the same as one header name of the request or response, it will be replaced. - -In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request and the `X-Custom-Response-Header` header added to the response. - -```toml -[frontends] - [frontends.frontend1] - backend = "backend1" - [frontends.frontend1.headers.customresponseheaders] - X-Custom-Response-Header = "True" - [frontends.frontend1.headers.customrequestheaders] - X-Script-Name = "test" - [frontends.frontend1.routes.test_1] - rule = "PathPrefixStrip:/cheese" -``` - -In this second example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response. - -```toml -[frontends] - [frontends.frontend1] - backend = "backend1" - [frontends.frontend1.headers.customresponseheaders] - X-Custom-Response-Header = "" - [frontends.frontend1.headers.customrequestheaders] - X-Script-Name = "test" - X-Custom-Request-Header = "" - [frontends.frontend1.routes.test_1] - rule = "PathPrefixStrip:/cheese" -``` - -#### Security headers - -Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above. -This functionality allows for some easy security features to quickly be set. - -An example of some of the security headers: - -```toml -[frontends] - [frontends.frontend1] - backend = "backend1" - [frontends.frontend1.headers] - FrameDeny = true - [frontends.frontend1.routes.test_1] - rule = "PathPrefixStrip:/cheddar" - [frontends.frontend2] - backend = "backend2" - [frontends.frontend2.headers] - SSLRedirect = true - [frontends.frontend2.routes.test_1] - rule = "PathPrefixStrip:/stilton" -``` - -In this example, traffic routed through the first frontend will have the `X-Frame-Options` header set to `DENY`, and the second will only allow HTTPS request through, otherwise will return a 301 HTTPS redirect. - -!!! note - The detailed documentation for those security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options). - -### Backends - -A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers. - -#### Servers - -Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing). - -!!! note - Paths in `url` are ignored. Use `Modifier` to specify paths instead. - -Here is an example of backends and servers definition: - -```toml -[backends] - [backends.backend1] - # ... - [backends.backend1.servers.server1] - url = "http://172.17.0.2:80" - weight = 10 - [backends.backend1.servers.server2] - url = "http://172.17.0.3:80" - weight = 1 - [backends.backend2] - # ... - [backends.backend2.servers.server1] - url = "https://172.17.0.4:443" - weight = 1 - [backends.backend2.servers.server2] - url = "https://172.17.0.5:443" - weight = 2 - [backends.backend3] - # ... - [backends.backend3.servers.server1] - url = "h2c://172.17.0.6:80" - weight = 1 -``` - -- Two backends are defined: `backend1` and `backend2` -- `backend1` will forward the traffic to two servers: `172.17.0.2:80` with weight `10` and `172.17.0.3:80` with weight `1`. -- `backend2` will forward the traffic to two servers: `172.17.0.4:443` with weight `1` and `172.17.0.5:443` with weight `2` both using TLS. -- `backend3` will forward the traffic to: `172.17.0.6:80` with weight `1` using HTTP2 without TLS. - -#### Load-balancing - -Various methods of load-balancing are supported: - -- `wrr`: Weighted Round Robin. -- `drr`: Dynamic Round Robin: increases weights on servers that perform better than others. - It also rolls back to original weights if the servers have changed. - -#### Circuit breakers - -A circuit breaker can also be applied to a backend, preventing high loads on failing servers. -Initial state is Standby. CB observes the statistics and does not modify the request. -In case the condition matches, CB enters Tripped state, where it responds with predefined code or redirects to another frontend. -Once Tripped timer expires, CB enters Recovering state and resets all stats. -In case the condition does not match and recovery timer expires, CB enters Standby state. - -It can be configured using: - -- Methods: `LatencyAtQuantileMS`, `NetworkErrorRatio`, `ResponseCodeRatio` -- Operators: `AND`, `OR`, `EQ`, `NEQ`, `LT`, `LE`, `GT`, `GE` - -For example: - -- `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window for a frontend. -- `LatencyAtQuantileMS(50.0) > 50`: watch latency at quantile in milliseconds. -- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in ranges [500-600) and [0-600). - -Here is an example of backends and servers definition: - -```toml -[backends] - [backends.backend1] - [backends.backend1.circuitbreaker] - expression = "NetworkErrorRatio() > 0.5" - [backends.backend1.servers.server1] - url = "http://172.17.0.2:80" - weight = 10 - [backends.backend1.servers.server2] - url = "http://172.17.0.3:80" - weight = 1 -``` - -- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy. -- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window - -#### Maximum connections - -To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can also be applied to each backend. - -Maximum connections can be configured by specifying an integer value for `maxconn.amount` and `maxconn.extractorfunc` which is a strategy used to determine how to categorize requests in order to evaluate the maximum connections. - -For example: -```toml -[backends] - [backends.backend1] - [backends.backend1.maxconn] - amount = 10 - extractorfunc = "request.host" - # ... -``` - -- `backend1` will return `HTTP code 429 Too Many Requests` if there are already 10 requests in progress for the same Host header. -- Another possible value for `extractorfunc` is `client.ip` which will categorize requests based on client source ip. -- Lastly `extractorfunc` can take the value of `request.header.ANY_HEADER` which will categorize requests based on `ANY_HEADER` that you provide. - -#### Sticky sessions - -Sticky sessions are supported with both load balancers. -When sticky sessions are enabled, a cookie is set on the initial request. -The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`). -On subsequent requests, the client will be directed to the backend stored in the cookie if it is still healthy. -If not, a new backend will be assigned. - -```toml -[backends] - [backends.backend1] - # Enable sticky session - [backends.backend1.loadbalancer.stickiness] - - # Customize the cookie name - # - # Optional - # Default: a sha1 (6 chars) - # - # cookieName = "my_cookie" -``` - -#### Health Check - -A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `2xx` or `3xx` to HTTP GET requests periodically carried out by Traefik. -The check is defined by a path appended to the backend URL and an interval specifying how often the health check should be executed (the default being 30 seconds.) -Each backend must respond to the health check within a timeout duration (the default being 5 seconds.) -Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). -The interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second. -By default, the port of the backend server is used, however, this may be overridden. - -A recovering backend returning `2xx` or `3xx` responses again is being returned to the LB rotation pool. - -For example: -```toml -[backends] - [backends.backend1] - [backends.backend1.healthcheck] - path = "/health" - interval = "10s" - timeout = "3s" -``` - -To use a different port for the health check: -```toml -[backends] - [backends.backend1] - [backends.backend1.healthcheck] - path = "/health" - interval = "10s" - timeout = "3s" - port = 8080 -``` - - -To use a different scheme for the health check: -```toml -[backends] - [backends.backend1] - [backends.backend1.healthcheck] - path = "/health" - interval = "10s" - timeout = "3s" - scheme = "http" -``` - -Additional http headers and hostname to health check request can be specified, for instance: -```toml -[backends] - [backends.backend1] - [backends.backend1.healthcheck] - path = "/health" - interval = "10s" - timeout = "3s" - hostname = "myhost.com" - port = 8080 - [backends.backend1.healthcheck.headers] - My-Custom-Header = "foo" - My-Header = "bar" -``` - -## Configuration - -Traefik's configuration has two parts: - -- The [static Traefik configuration](/basics#static-traefik-configuration) which is loaded only at the beginning. -- The [dynamic Traefik configuration](/basics#dynamic-traefik-configuration) which can be hot-reloaded (no need to restart the process). - -### Static Traefik configuration - -The static configuration is the global configuration which is setting up connections to configuration backends and entrypoints. - -Traefik can be configured using many configuration sources with the following precedence order. -Each item takes precedence over the item below it: - -- [Key-value store](/basics/#key-value-stores) -- [Arguments](/basics/#arguments) -- [Configuration file](/basics/#configuration-file) -- Default - -It means that arguments override configuration file, and key-value store overrides arguments. - -!!! note - the provider-enabling argument parameters (e.g., `--docker`) set all default values for the specific provider. - It must not be used if a configuration source with less precedence wants to set a non-default provider value. - -#### Configuration file - -By default, Traefik will try to find a `traefik.toml` in the following places: - -- `/etc/traefik/` -- `$HOME/.traefik/` -- `.` _the working directory_ - -You can override this by setting a `configFile` argument: - -```bash -traefik --configFile=foo/bar/myconfigfile.toml -``` - -Please refer to the [global configuration](/configuration/commons) section to get documentation on it. - -#### Arguments - -Each argument (and command) is described in the help section: - -```bash -traefik --help -``` - -Note that all default values will be displayed as well. - -#### Key-value stores - -Traefik supports several Key-value stores: - -- [Consul](https://consul.io) -- [etcd](https://coreos.com/etcd/) -- [ZooKeeper](https://zookeeper.apache.org/) -- [boltdb](https://github.com/boltdb/bolt) - -Please refer to the [User Guide Key-value store configuration](/user-guide/kv-config/) section to get documentation on it. - -### Dynamic Traefik configuration - -The dynamic configuration concerns : - -- [Frontends](/basics/#frontends) -- [Backends](/basics/#backends) -- [Servers](/basics/#servers) -- HTTPS Certificates - -Traefik can hot-reload those rules which could be provided by [multiple configuration backends](/configuration/commons). - -We only need to enable `watch` option to make Traefik watch configuration backend changes and generate its configuration automatically. -Routes to services will be created and updated instantly at any changes. - -Please refer to the [configuration backends](/configuration/commons) section to get documentation on it. - -## Commands - -### traefik - -Usage: -```bash -traefik [command] [--flag=flag_argument] -``` - -List of Traefik available commands with description : - -- `version` : Print version -- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the [Store Traefik configuration](/user-guide/kv-config/#store-configuration-in-key-value-store) section to get documentation on it. -- `bug`: The easiest way to submit a pre-filled issue. -- `healthcheck`: Calls Traefik `/ping` to check health. - -Each command may have related flags. - -All those related flags will be displayed with : - -```bash -traefik [command] --help -``` - -Each command is described at the beginning of the help section: - -```bash -traefik --help - -# or - -docker run traefik[:version] --help -# ex: docker run traefik:1.5 --help -``` - -### Command: bug - -Here is the easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/containous/traefik). - -```bash -traefik bug -``` - -Watch [this demo](https://www.youtube.com/watch?v=Lyz62L8m93I). - -### Command: healthcheck - -This command allows to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy. - -This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism. - -!!! note - The [`ping`](/configuration/ping) must be enabled to allow the `healthcheck` command to call `/ping`. - -```bash -traefik healthcheck -``` -```bash -OK: http://:8082/ping -``` - - -## Collected Data - -**This feature is disabled by default.** - -You can read the public proposal on this topic [here](https://github.com/containous/traefik/issues/2369). - -### Why ? - -In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. -Those data help us prioritize our developments and focus on what's more important (for example, which configuration backend is used and which is not used). - -### What ? - -Once a day (the first call begins 10 minutes after the start of Traefik), we collect: - -- the Traefik version -- a hash of the configuration -- an **anonymous version** of the static configuration: - - token, user name, password, URL, IP, domain, email, etc, are removed - -!!! note - We do not collect the dynamic configuration (frontends & backends). - -!!! note - We do not collect data behind the scenes to run advertising programs or to sell such data to third-party. - -#### Here is an example - -- Source configuration: - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - -[api] - -[Docker] - endpoint = "tcp://10.10.10.10:2375" - domain = "foo.bir" - exposedByDefault = true - swarmMode = true - - [Docker.TLS] - ca = "dockerCA" - cert = "dockerCert" - key = "dockerKey" - insecureSkipVerify = true - -[ECS] - domain = "foo.bar" - exposedByDefault = true - clusters = ["foo-bar"] - region = "us-west-2" - accessKeyID = "AccessKeyID" - secretAccessKey = "SecretAccessKey" -``` - -- Obfuscated and anonymous configuration: - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - -[api] - -[Docker] - endpoint = "xxxx" - domain = "xxxx" - exposedByDefault = true - swarmMode = true - - [Docker.TLS] - ca = "xxxx" - cert = "xxxx" - key = "xxxx" - insecureSkipVerify = false - -[ECS] - domain = "xxxx" - exposedByDefault = true - clusters = [] - region = "us-west-2" - accessKeyID = "xxxx" - secretAccessKey = "xxxx" -``` - -### Show me the code ! - -If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go) - -By default we anonymize all configuration fields, except fields tagged with `export=true`. - -### How to enable this ? - -You can enable the collecting system by: - -- adding this line in the configuration TOML file: - -```toml -# Send anonymous usage data -# -# Optional -# Default: false -# -sendAnonymousUsage = true -``` - -- adding this flag in the CLI: - -```bash -./traefik --sendAnonymousUsage=true -``` diff --git a/docs/check.Dockerfile b/docs/check.Dockerfile new file mode 100644 index 000000000..bbc51e6b4 --- /dev/null +++ b/docs/check.Dockerfile @@ -0,0 +1,43 @@ + +FROM alpine:3.9 as alpine + +# The "build-dependencies" virtual package provides build tools for html-proofer installation. +# It compile ruby-nokogiri, because alpine native version is always out of date +# This virtual package is cleaned at the end. +RUN apk --no-cache --no-progress add \ + libcurl \ + ruby \ + ruby-bigdecimal \ + ruby-etc \ + ruby-ffi \ + ruby-json \ + && apk add --no-cache --virtual build-dependencies \ + build-base \ + libcurl \ + libxml2-dev \ + libxslt-dev \ + ruby-dev \ + && gem install --no-document html-proofer -v 3.10.2 \ + && apk del build-dependencies + +# After Ruby, some NodeJS YAY! +RUN apk --no-cache --no-progress add \ + git \ + nodejs \ + npm \ + && npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global + +# Finally the shell tools we need for later +# tini helps to terminate properly all the parallelized tasks when sending CTRL-C +RUN apk --no-cache --no-progress add \ + ca-certificates \ + curl \ + tini + +COPY ./scripts/verify.sh /verify.sh +COPY ./scripts/lint.sh /lint.sh + +WORKDIR /app +VOLUME ["/tmp","/app"] + +ENTRYPOINT ["/sbin/tini","-g","sh"] diff --git a/docs/configuration/acme.md b/docs/configuration/acme.md deleted file mode 100644 index cc004443f..000000000 --- a/docs/configuration/acme.md +++ /dev/null @@ -1,520 +0,0 @@ -# ACME (Let's Encrypt) Configuration - -See [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) and [Docker & Let's Encrypt user guide](/user-guide/docker-and-lets-encrypt) as well. - -## Configuration - -```toml -# Sample entrypoint configuration when using ACME. -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] -``` - -```toml -# Enable ACME (Let's Encrypt): automatic SSL. -[acme] - -# Email address used for registration. -# -# Required -# -email = "test@traefik.io" - -# File used for certificates storage. -# -# Optional (Deprecated) -# -#storageFile = "acme.json" - -# File or key used for certificates storage. -# -# Required -# -storage = "acme.json" -# or `storage = "traefik/acme/account"` if using KV store. - -# Entrypoint to proxy acme apply certificates to. -# -# Required -# -entryPoint = "https" - -# Deprecated, replaced by [acme.dnsChallenge]. -# -# Optional. -# -# dnsProvider = "digitalocean" - -# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck]. -# -# Optional -# Default: 0 -# -# delayDontCheckDNS = 0 - -# If true, display debug log messages from the acme client library. -# -# Optional -# Default: false -# -# acmeLogging = true - -# If true, override certificates in key-value store when using storeconfig. -# -# Optional -# Default: false -# -# overrideCertificates = true - -# Deprecated. Enable on demand certificate generation. -# -# Optional -# Default: false -# -# onDemand = true - -# Enable certificate generation on frontends host rules. -# -# Optional -# Default: false -# -# onHostRule = true - -# CA server to use. -# Uncomment the line to use Let's Encrypt's staging server, -# leave commented to go to prod. -# -# Optional -# Default: "https://acme-v02.api.letsencrypt.org/directory" -# -# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" - -# KeyType to use. -# -# Optional -# Default: "RSA4096" -# -# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192" -# -# KeyType = "RSA4096" - -# Use a TLS-ALPN-01 ACME challenge. -# -# Optional (but recommended) -# -[acme.tlsChallenge] - -# Use a HTTP-01 ACME challenge. -# -# Optional -# -# [acme.httpChallenge] - - # EntryPoint to use for the HTTP-01 challenges. - # - # Required - # - # entryPoint = "http" - -# Use a DNS-01 ACME challenge rather than HTTP-01 challenge. -# Note: mandatory for wildcard certificate generation. -# -# Optional -# -# [acme.dnsChallenge] - - # DNS provider used. - # - # Required - # - # provider = "digitalocean" - - # By default, the provider will verify the TXT DNS challenge record before letting ACME verify. - # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds. - # Useful if internal networks block external DNS queries. - # - # Optional - # Default: 0 - # - # delayBeforeCheck = 0 - - # Use following DNS servers to resolve the FQDN authority. - # - # Optional - # Default: empty - # - # resolvers = ["1.1.1.1:53", "8.8.8.8:53"] - - # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. - # - # NOT RECOMMENDED: - # Increase the risk of reaching Let's Encrypt's rate limits. - # - # Optional - # Default: false - # - # disablePropagationCheck = true - -# Domains list. -# Only domains defined here can generate wildcard certificates. -# The certificates for these domains are negotiated at traefik startup only. -# -# [[acme.domains]] -# main = "local1.com" -# sans = ["test1.local1.com", "test2.local1.com"] -# [[acme.domains]] -# main = "local2.com" -# [[acme.domains]] -# main = "*.local3.com" -# sans = ["local3.com", "test1.test1.local3.com"] -``` - -### `caServer` - -The CA server to use. - -This example shows the usage of Let's Encrypt's staging server: - -```toml -[acme] -# ... -caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" -# ... -``` - -### ACME Challenge - -#### `tlsChallenge` - -Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate. - -```toml -[acme] -# ... -entryPoint = "https" -[acme.tlsChallenge] -``` - -!!! note - If the `TLS-ALPN-01` challenge is used, `acme.entryPoint` has to be reachable by Let's Encrypt through port 443. - This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72). - -#### `httpChallenge` - -Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning a HTTP resource under a well-known URI. - -Redirection is fully compatible with the `HTTP-01` challenge. - -```toml -[acme] -# ... -entryPoint = "https" -[acme.httpChallenge] - entryPoint = "http" -``` - -!!! note - If the `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through port 80. - This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72). - -##### `entryPoint` - -Specify the entryPoint to use during the challenges. - -```toml -defaultEntryPoints = ["http", "https"] - -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] -# ... - -[acme] - # ... - entryPoint = "https" - [acme.httpChallenge] - entryPoint = "http" -``` - -!!! note - `acme.httpChallenge.entryPoint` has to be reachable through port 80. It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72). - -#### `dnsChallenge` - -Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record. - -```toml -[acme] -# ... -[acme.dnsChallenge] - provider = "digitalocean" - delayBeforeCheck = 0 -# ... -``` - -##### `delayBeforeCheck` - -By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify. -If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. - -Useful if internal networks block external DNS queries. - -!!! note - A `provider` is mandatory. - -##### `provider` - -Here is a list of supported `provider`s, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](/configuration/acme/#wildcard-domains) for each. -Do not hesitate to complete it. - -| Provider Name | Provider Code | Environment Variables | Wildcard & Root Domain Support | -|-------------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------| -| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | Not tested yet | -| [Alibaba Cloud](https://www.vultr.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | Not tested yet | -| [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | Not tested yet | -| [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | Not tested yet | -| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | Not tested yet | -| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | YES | -| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | Not tested yet | -| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | YES | -| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | YES | -| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | YES | -| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | Not tested yet | -| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | Not tested yet | -| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | YES | -| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | YES | -| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | Not tested yet | -| External Program | `exec` | `EXEC_PATH` | YES | -| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | YES | -| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | YES | -| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | Not tested yet | -| [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | YES | -| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | Not tested yet | -| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | Not tested yet | -| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials (2) (3), [`GCE_SERVICE_ACCOUNT_FILE`] | YES | -| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | Not tested yet | -| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1) | YES | -| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | Not tested yet | -| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | YES | -| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | Not tested yet | -| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | Not tested yet | -| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | Not tested yet | -| manual | - | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press Enter. | YES | -| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | YES | -| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | YES | -| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | Not tested yet | -| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | Not tested yet | -| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | Not tested yet | -| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | Not tested yet | -| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | Not tested yet | -| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | YES | -| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | YES | -| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | Not tested yet | -| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | Not tested yet | -| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | Not tested yet | -| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | YES | -| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | Not tested yet | -| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | YES | -| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | Not tested yet | -| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | YES | -| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | Not tested yet | -| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | YES | -| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | Not tested yet | -| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | YES | - -- (1): more information about the HTTP message format can be found [here](https://github.com/xenolf/lego/blob/master/providers/dns/httpreq/readme.md) -- (2): https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application -- (3): https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76 - -#### `resolvers` - -Use custom DNS servers to resolve the FQDN authority. - -```toml -[acme] -# ... -[acme.dnsChallenge] - # ... - resolvers = ["1.1.1.1:53", "8.8.8.8:53"] -``` - -### `domains` - -You can provide SANs (alternative domains) to each main domain. -All domains must have A/AAAA records pointing to Traefik. -Each domain & SAN will lead to a certificate request. - -!!! note - The certificates for the domains listed in `acme.domains` are negotiated at traefik startup only. - -```toml -[acme] -# ... -[[acme.domains]] - main = "local1.com" - sans = ["test1.local1.com", "test2.local1.com"] -[[acme.domains]] - main = "local2.com" -[[acme.domains]] - main = "*.local3.com" - sans = ["local3.com", "test1.test1.local3.com"] -# ... -``` - -!!! warning - Take note that Let's Encrypt applies [rate limiting](https://letsencrypt.org/docs/rate-limits). - -!!! note - Wildcard certificates can only be verified through a `DNS-01` challenge. - -#### Wildcard Domains - -[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) allows wildcard certificate support. -As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](/configuration/acme/#dnschallenge). - -```toml -[acme] -# ... -[[acme.domains]] - main = "*.local1.com" - sans = ["local1.com"] -# ... -``` - -It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`). -Due to ACME limitation it is not possible to define wildcards in SANs (alternative domains). Thus, the wildcard domain has to be defined as a main domain. -Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed. -In this case the generated DNS TXT record for both domains is the same. -Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a certain time (TTL) and this TTL can be superior to the challenge timeout making the `DNS-01` challenge fail. -The Traefik ACME client library [LEGO](https://github.com/xenolf/lego) supports some but not all DNS providers to work around this issue. -The [`provider` table](/configuration/acme/#provider) indicates if they allow generating certificates for a wildcard domain and its root domain. - -### `onDemand` (Deprecated) - -!!! danger "DEPRECATED" - This option is deprecated. - -```toml -[acme] -# ... -onDemand = true -# ... -``` - -Enable on demand certificate generation. - -This will request certificates from Let's Encrypt during the first TLS handshake for host names that do not yet have certificates. - -!!! warning - TLS handshakes are slow when requesting a host name certificate for the first time. This can lead to DoS attacks! - -!!! warning - Take note that Let's Encrypt applies [rate limiting](https://letsencrypt.org/docs/rate-limits). - -### `onHostRule` - -```toml -[acme] -# ... -onHostRule = true -# ... -``` - -Enable certificate generation on frontend `Host` rules (for frontends wired to the `acme.entryPoint`). - -This will request a certificate from Let's Encrypt for each frontend with a Host rule. - -For example, the rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io`. - -!!! warning - `onHostRule` option can not be used to generate wildcard certificates. - Refer to [wildcard generation](/configuration/acme/#wildcard-domains) for further information. - -### `storage` - -The `storage` option sets the location where your ACME certificates are saved to. - -```toml -[acme] -# ... -storage = "acme.json" -# ... -``` - -The value can refer to two kinds of storage: - -- a JSON file -- a KV store entry - -!!! danger "DEPRECATED" - `storage` replaces `storageFile` which is deprecated. - -!!! note - During migration to a KV store use both `storageFile` and `storage` to migrate ACME certificates too. See [`storeconfig` subcommand](/user-guide/kv-config/#store-configuration-in-key-value-store) for further information. - -#### As a File - -ACME certificates can be stored in a JSON file that needs to have file mode `600`. - -In Docker you can either mount the JSON file or the folder containing it: - -```bash -docker run -v "/my/host/acme.json:acme.json" traefik -``` -```bash -docker run -v "/my/host/acme:/etc/traefik/acme" traefik -``` - -!!! warning - This file cannot be shared across multiple instances of Traefik at the same time. Please use a [KV Store entry](/configuration/acme/#as-a-key-value-store-entry) instead. - -#### As a Key Value Store Entry - -ACME certificates can be stored in a KV Store entry. This kind of storage is **mandatory in cluster mode**. - -```toml -storage = "traefik/acme/account" -``` - -Because KV stores (like Consul) have limited entry size the certificates list is compressed before it is saved as KV store entry. - -!!! note - It is possible to store up to approximately 100 ACME certificates in Consul. - -#### ACME v2 Migration - -During migration from ACME v1 to ACME v2, using a storage file, a backup of the original file is created in the same place as the latter (with a `.bak` extension). - -For example: if `acme.storage`'s value is `/etc/traefik/acme/acme.json`, the backup file will be `/etc/traefik/acme/acme.json.bak`. - -!!! note - When Traefik is launched in a container, the storage file's parent directory needs to be mounted to be able to access the backup file on the host. - Otherwise the backup file will be deleted when the container is stopped. Traefik will only generate it once! - -### `dnsProvider` (Deprecated) - -!!! danger "DEPRECATED" - This option is deprecated. Please use [dnsChallenge.provider](/configuration/acme/#provider) instead. - -### `delayDontCheckDNS` (Deprecated) - -!!! danger "DEPRECATED" - This option is deprecated. Please use [dnsChallenge.delayBeforeCheck](/configuration/acme/#dnschallenge) instead. - -## Fallbacks - -If Let's Encrypt is not reachable, these certificates will be used: - - 1. ACME certificates already generated before downtime - 1. Expired ACME certificates - 1. Provided certificates - -!!! note - For new (sub)domains which need Let's Encrypt authentification, the default Traefik certificate will be used until Traefik is restarted. diff --git a/docs/configuration/backends/docker.md b/docs/configuration/backends/docker.md deleted file mode 100644 index d50f9f3a6..000000000 --- a/docs/configuration/backends/docker.md +++ /dev/null @@ -1,539 +0,0 @@ - -# Docker Provider - -Traefik can be configured to use Docker as a provider. - -## Docker - -```toml -################################################################ -# Docker Provider -################################################################ - -# Enable Docker Provider. -[docker] - -# Docker server endpoint. Can be a tcp or a unix socket endpoint. -# -# Required -# -endpoint = "unix:///var/run/docker.sock" - -# Default base domain used for the frontend rules. -# Can be overridden by setting the "traefik.domain" label on a container. -# -# Optional -# -domain = "docker.localhost" - -# Enable watch docker changes. -# -# Optional -# -watch = true - -# Override default configuration template. -# For advanced users :) -# -# Optional -# -# filename = "docker.tmpl" - -# Override template version -# For advanced users :) -# -# Optional -# - "1": previous template version (must be used only with older custom templates, see "filename") -# - "2": current template version (must be used to force template version when "filename" is used) -# -# templateVersion = 2 - -# Expose containers by default in Traefik. -# If set to false, containers that don't have `traefik.enable=true` will be ignored. -# -# Optional -# Default: true -# -exposedByDefault = true - -# Use the IP address from the binded port instead of the inner network one. -# -# In case no IP address is attached to the binded port (or in case -# there is no bind), the inner network one will be used as a fallback. -# -# Optional -# Default: false -# -usebindportip = true - -# Use Swarm Mode services as data provider. -# -# Optional -# Default: false -# -swarmMode = false - -# Polling interval (in seconds) for Swarm Mode. -# -# Optional -# Default: 15 -# -swarmModeRefreshSeconds = 15 - -# Define a default docker network to use for connections to all containers. -# Can be overridden by the traefik.docker.network label. -# -# Optional -# -network = "web" - -# Enable docker TLS connection. -# -# Optional -# -# [docker.tls] -# ca = "/etc/ssl/ca.crt" -# cert = "/etc/ssl/docker.crt" -# key = "/etc/ssl/docker.key" -# insecureSkipVerify = true -``` - -To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific). - -## Docker Swarm Mode - -```toml -################################################################ -# Docker Swarm Mode Provider -################################################################ - -# Enable Docker Provider. -[docker] - -# Docker server endpoint. -# Can be a tcp or a unix socket endpoint. -# -# Required -# Default: "unix:///var/run/docker.sock" -# -# swarm classic (1.12-) -# endpoint = "tcp://127.0.0.1:2375" -# docker swarm mode (1.12+) -endpoint = "tcp://127.0.0.1:2377" - -# Default base domain used for the frontend rules. -# Can be overridden by setting the "traefik.domain" label on a services. -# -# Optional -# Default: "" -# -domain = "docker.localhost" - -# Enable watch docker changes. -# -# Optional -# Default: true -# -watch = true - -# Use Docker Swarm Mode as data provider. -# -# Optional -# Default: false -# -swarmMode = true - -# Define a default docker network to use for connections to all containers. -# Can be overridden by the traefik.docker.network label. -# -# Optional -# -network = "web" - -# Override default configuration template. -# For advanced users :) -# -# Optional -# -# filename = "docker.tmpl" - -# Override template version -# For advanced users :) -# -# Optional -# - "1": previous template version (must be used only with older custom templates, see "filename") -# - "2": current template version (must be used to force template version when "filename" is used) -# -# templateVersion = 2 - -# Expose services by default in Traefik. -# -# Optional -# Default: true -# -exposedByDefault = false - -# Enable docker TLS connection. -# -# Optional -# -# [docker.tls] -# ca = "/etc/ssl/ca.crt" -# cert = "/etc/ssl/docker.crt" -# key = "/etc/ssl/docker.key" -# insecureSkipVerify = true -``` - -To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific). - -## Security Considerations - -### Security Challenge with the Docker Socket - -Traefik requires access to the docker socket to get its dynamic configuration, -by watching the Docker API through this socket. - -!!! important - Depending on your context and your usage, accessing the Docker API without any restriction might be a security concern. - -As explained on the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)): - -`[...] only **trusted** users should be allowed to control your Docker daemon [...]` - -If the Traefik processes (handling requests from the outside world) is attacked, -then the attacker can access the Docker (or Swarm Mode) backend. - -Also, when using Swarm Mode, it is mandatory to schedule Traefik's containers on the Swarm manager nodes, -to let Traefik accessing the Docker Socket of the Swarm manager node. - -More information about Docker's security: - -- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY) -- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html) -- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623) -- [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html) - -### Security Compensation - -The main security compensation is to expose the Docker socket over TCP, instead of the default Unix socket file. -It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment: - -- Authentication with Client Certificates as described in [the "Protect the Docker daemon socket" page of Docker's documentation](https://docs.docker.com/engine/security/https/) - -- Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/) - -- Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik. - -- Accounting at container level, by exposing the socket on a another container than Traefik's. - With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes. - -- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), - to only allows an identified set of actions for Traefik's process (or the "socket exposer" process). - -Use the following ressources to get started: - -- [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174) -- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/) -- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/) -- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy) - -## Labels: overriding default behavior - -### Using Docker with Swarm Mode - -If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service. -This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)). - -```yaml -version: "3" -services: - whoami: - deploy: - labels: - traefik.docker.network: traefik -``` - -### Using Docker Compose - -If you are intending to use only Docker Compose commands (e.g. `docker-compose up --scale whoami=2 -d`), labels should be under your service, otherwise they will be ignored. - -```yaml -version: "3" -services: - whoami: - labels: - traefik.docker.network: traefik -``` - -### On Containers - -Labels can be used on containers to override default behavior. - -| Label | Description | -|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `traefik.docker.network` | Overrides the default docker network to use for connections to the container. [1] | -| `traefik.domain` | Sets the default base domain for the frontend rules. For more information, check the [Container Labels section's of the user guide "Let's Encrypt & Docker"](/user-guide/docker-and-lets-encrypt/#container-labels) | -| `traefik.enable=false` | Disables this container in Traefik. | -| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. | -| `traefik.tags=foo,bar,myTag` | Adds Traefik tags to the Docker container/service to be used in [constraints](/configuration/commons/#constraints). | -| `traefik.protocol=https` | Overrides the default `http` protocol | -| `traefik.weight=10` | Assigns this weight to the container | -| `traefik.backend=foo` | Overrides the container name by `foo` in the generated name of the backend. | -| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. | -| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. | -| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. | -| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. | -| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. | -| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend | -| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. | -| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. | -| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. | -| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. | -| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. | -| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. | -| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. | -| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers
Format: HEADER:value||HEADER2:value2 | -| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm | -| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions | -| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions | -| `traefik.backend.loadbalancer.swarm=true` | Uses Swarm's inbuilt load balancer (only relevant under Swarm Mode). [3]. | -| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.
Must be used in conjunction with the below label to take effect. | -| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.
Must be used in conjunction with the above label to take effect. | -| `traefik.frontend.auth.basic=EXPR` | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2] (DEPRECATED). | -| `traefik.frontend.auth.basic.realm=REALM` | Sets the realm of basic authentication to this frontend. | -| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. | -| `traefik.frontend.auth.basic.users=EXPR` | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2]. | -| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | -| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. | -| `traefik.frontend.auth.digest.users=EXPR` | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. | -| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | -| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. | -| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` | -| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. | -| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | -| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. | -| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. | -| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. | -| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. | -| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header user to pass the authenticated user to the application. | -| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.
Overrides `defaultEntryPoints` | -| `traefik.frontend.errors..backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. | -| `traefik.frontend.errors..query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. | -| `traefik.frontend.errors..status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. | -| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. | -| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.organization=true` | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. | -| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. | -| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend (DEPRECATED). | -| `traefik.frontend.priority=10` | Overrides default frontend priority | -| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. | -| `traefik.frontend.rateLimit.rateSet..period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. | -| `traefik.frontend.rateLimit.rateSet..average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. | -| `traefik.frontend.rateLimit.rateSet..burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. | -| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) | -| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.replacement`. | -| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.
Must be set with `traefik.frontend.redirect.regex`. | -| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. | -| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`. | -| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.
An unset or empty list allows all Source-IPs to access.
If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. | -| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.
Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. | -| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) | -| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) | - -[1] `traefik.docker.network`: -If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect `) otherwise it will randomly pick one (depending on how docker is returning them). -For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name. -Or if your service references external network use it's name instead. - -[2] `traefik.frontend.auth.basic.users=EXPR`: -To create `user:password` pair, it's possible to use this command: -`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`. -The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping. - -[3] `traefik.backend.loadbalancer.swarm`: -If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs. -Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm. -It also means that Traefik will manipulate only one backend, not one backend per container. - -#### Custom Headers - -| Label | Description | -|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `traefik.frontend.headers.customRequestHeaders=EXPR` | Provides the container with custom request headers that will be appended to each request forwarded to the container.
Format: HEADER:value||HEADER2:value2 | -| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.
Format: HEADER:value||HEADER2:value2 | - -#### Security Headers - -| Label | Description | -|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.
Format: `Host1,Host2` | -| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. | -| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. | -| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. | -| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. | -| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. | -| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. | -| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. | -| `traefik.frontend.headers.hostsProxyHeaders=EXPR` | Provides a list of headers that the proxied hostname may be stored.
Format: `HEADER1,HEADER2` | -| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.
When deploying to production, be sure to set this to false. | -| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. | -| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. | -| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. | -| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. | -| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. | -| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. | -| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).
Format: HEADER:value||HEADER2:value2 | -| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. | -| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. | -| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. | - -### On containers with Multiple Ports (segment labels) - -Segment labels are used to define routes to a container exposing multiple ports. -A segment is a group of labels that apply to a port exposed by a container. -You can define as many segments as ports exposed in a container. - -Segment labels override the default behavior. - -| Label | Description | -|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------| -| `traefik..backend=BACKEND` | Same as `traefik.backend` | -| `traefik..domain=DOMAIN` | Same as `traefik.domain` | -| `traefik..port=PORT` | Same as `traefik.port` | -| `traefik..protocol=http` | Same as `traefik.protocol` | -| `traefik..weight=10` | Same as `traefik.weight` | -| `traefik..frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` | -| `traefik..frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` | -| `traefik..frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` | -| `traefik..frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` | -| `traefik..frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` | -| `traefik..frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` | -| `traefik..frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` | -| `traefik..frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` | -| `traefik..frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` | -| `traefik..frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` | -| `traefik..frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` | -| `traefik..frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` | -| `traefik..frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` | -| `traefik..frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` | -| `traefik..frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` | -| `traefik..frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` | -| `traefik..frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` | -| `traefik..frontend.errors..backend=NAME` | Same as `traefik.frontend.errors..backend` | -| `traefik..frontend.errors..query=PATH` | Same as `traefik.frontend.errors..query` | -| `traefik..frontend.errors..status=RANGE` | Same as `traefik.frontend.errors..status` | -| `traefik..frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` | -| `traefik..frontend.passTLSClientCert.infos.issuer.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName` | -| `traefik..frontend.passTLSClientCert.infos.issuer.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country` | -| `traefik..frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent` | -| `traefik..frontend.passTLSClientCert.infos.issuer.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality` | -| `traefik..frontend.passTLSClientCert.infos.issuer.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization` | -| `traefik..frontend.passTLSClientCert.infos.issuer.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province` | -| `traefik..frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber` | -| `traefik..frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` | -| `traefik..frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` | -| `traefik..frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` | -| `traefik..frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` | -| `traefik..frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` | -| `traefik..frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` | -| `traefik..frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` | -| `traefik..frontend.passTLSClientCert.infos.subject.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` | -| `traefik..frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` | -| `traefik..frontend.passTLSClientCert.infos.subject.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` | -| `traefik..frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` | -| `traefik..frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` | -| `traefik..frontend.priority=10` | Same as `traefik.frontend.priority` | -| `traefik..frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` | -| `traefik..frontend.rateLimit.rateSet..period=6` | Same as `traefik.frontend.rateLimit.rateSet..period` | -| `traefik..frontend.rateLimit.rateSet..average=6` | Same as `traefik.frontend.rateLimit.rateSet..average` | -| `traefik..frontend.rateLimit.rateSet..burst=6` | Same as `traefik.frontend.rateLimit.rateSet..burst` | -| `traefik..frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` | -| `traefik..frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` | -| `traefik..frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` | -| `traefik..frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` | -| `traefik..frontend.rule=EXP` | Same as `traefik.frontend.rule` | -| `traefik..frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` | -| `traefik..frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` | -| `traefik..frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` | -| `traefik..frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` | - -#### Custom Headers - -| Label | Description | -|----------------------------------------------------------------------|----------------------------------------------------------| -| `traefik..frontend.headers.customRequestHeaders=EXPR` | Same as `traefik.frontend.headers.customRequestHeaders` | -| `traefik..frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` | - -#### Security Headers - -| Label | Description | -|-------------------------------------------------------------------------|--------------------------------------------------------------| -| `traefik..frontend.headers.allowedHosts=EXPR` | Same as `traefik.frontend.headers.allowedHosts` | -| `traefik..frontend.headers.browserXSSFilter=true` | Same as `traefik.frontend.headers.browserXSSFilter` | -| `traefik..frontend.headers.contentSecurityPolicy=VALUE` | Same as `traefik.frontend.headers.contentSecurityPolicy` | -| `traefik..frontend.headers.contentTypeNosniff=true` | Same as `traefik.frontend.headers.contentTypeNosniff` | -| `traefik..frontend.headers.customBrowserXSSValue=VALUE` | Same as `traefik.frontend.headers.customBrowserXSSValue` | -| `traefik..frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue` | -| `traefik..frontend.headers.forceSTSHeader=false` | Same as `traefik.frontend.headers.forceSTSHeader` | -| `traefik..frontend.headers.frameDeny=false` | Same as `traefik.frontend.headers.frameDeny` | -| `traefik..frontend.headers.hostsProxyHeaders=EXPR` | Same as `traefik.frontend.headers.hostsProxyHeaders` | -| `traefik..frontend.headers.isDevelopment=false` | Same as `traefik.frontend.headers.isDevelopment` | -| `traefik..frontend.headers.publicKey=VALUE` | Same as `traefik.frontend.headers.publicKey` | -| `traefik..frontend.headers.referrerPolicy=VALUE` | Same as `traefik.frontend.headers.referrerPolicy` | -| `traefik..frontend.headers.SSLRedirect=true` | Same as `traefik.frontend.headers.SSLRedirect` | -| `traefik..frontend.headers.SSLTemporaryRedirect=true` | Same as `traefik.frontend.headers.SSLTemporaryRedirect` | -| `traefik..frontend.headers.SSLHost=HOST` | Same as `traefik.frontend.headers.SSLHost` | -| `traefik..frontend.headers.SSLForceHost=true` | Same as `traefik.frontend.headers.SSLForceHost` | -| `traefik..frontend.headers.SSLProxyHeaders=EXPR` | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR` | -| `traefik..frontend.headers.STSSeconds=315360000` | Same as `traefik.frontend.headers.STSSeconds=315360000` | -| `traefik..frontend.headers.STSIncludeSubdomains=true` | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` | -| `traefik..frontend.headers.STSPreload=true` | Same as `traefik.frontend.headers.STSPreload=true` | - -!!! note - If a label is defined both as a `container label` and a `segment label` (for example `traefik..port=PORT` and `traefik.port=PORT` ), the `segment label` is used to defined the `` property (`port` in the example). - - It's possible to mix `container labels` and `segment labels`, in this case `container labels` are used as default value for missing `segment labels` but no frontends are going to be created with the `container labels`. - - More details in this [example](/user-guide/docker-and-lets-encrypt/#labels). - -!!! warning - When running inside a container, Traefik will need network access through: - - `docker network connect ` - -## usebindportip - -The default behavior of Traefik is to route requests to the IP/Port of the matching container. -When setting `usebindportip` to true, you tell Traefik to use the IP/Port attached to the container's binding instead of the inner network IP/Port. - -When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding with `traefik.port` port to select the container. If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label. - -Below is a recap of the behavior of `usebindportip` in different situations. - -| traefik.port label | Container's binding | Routes to | -|--------------------|----------------------------------------------------|----------------| -| - | - | IntIP:IntPort | -| - | ExtPort:IntPort | IntIP:IntPort | -| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort | -| LblPort | - | IntIp:LblPort | -| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort | -| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort | -| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort | - -!!! note - In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port." diff --git a/docs/configuration/entrypoints.md b/docs/configuration/entrypoints.md deleted file mode 100644 index 8ca9a7e1d..000000000 --- a/docs/configuration/entrypoints.md +++ /dev/null @@ -1,647 +0,0 @@ -# Entry Points Definition - -## Reference - -### TOML - -```toml -defaultEntryPoints = ["http", "https"] - -# ... -# ... - -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.compress] - - [entryPoints.http.clientIPStrategy] - depth = 5 - excludedIPs = ["127.0.0.1/32", "192.168.1.7"] - - [entryPoints.http.whitelist] - sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"] - [entryPoints.http.whitelist.IPStrategy] - depth = 5 - excludedIPs = ["127.0.0.1/32", "192.168.1.7"] - - [entryPoints.http.tls] - minVersion = "VersionTLS12" - cipherSuites = [ - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_GCM_SHA384" - ] - [[entryPoints.http.tls.certificates]] - certFile = "path/to/my.cert" - keyFile = "path/to/my.key" - [[entryPoints.http.tls.certificates]] - certFile = "path/to/other.cert" - keyFile = "path/to/other.key" - # ... - [entryPoints.http.tls.clientCA] - files = ["path/to/ca1.crt", "path/to/ca2.crt"] - optional = false - - [entryPoints.http.redirect] - entryPoint = "https" - regex = "^http://localhost/(.*)" - replacement = "http://mydomain/$1" - permanent = true - - [entryPoints.http.auth] - headerField = "X-WebAuth-User" - [entryPoints.http.auth.basic] - removeHeader = true - realm = "Your realm" - users = [ - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0", - ] - usersFile = "/path/to/.htpasswd" - [entryPoints.http.auth.digest] - removeHeader = true - users = [ - "test:traefik:a2688e031edb4be6a3797f3882655c05", - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e", - ] - usersFile = "/path/to/.htdigest" - [entryPoints.http.auth.forward] - address = "https://authserver.com/auth" - trustForwardHeader = true - authResponseHeaders = ["X-Auth-User"] - [entryPoints.http.auth.forward.tls] - ca = "path/to/local.crt" - caOptional = true - cert = "path/to/foo.cert" - key = "path/to/foo.key" - insecureSkipVerify = true - - [entryPoints.http.proxyProtocol] - insecure = true - trustedIPs = ["10.10.10.1", "10.10.10.2"] - - [entryPoints.http.forwardedHeaders] - trustedIPs = ["10.10.10.1", "10.10.10.2"] - insecure = false - - [entryPoints.https] - # ... -``` - -### CLI - -For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik). - -```shell ---entryPoints='Name:http Address::80' ---entryPoints='Name:https Address::443 TLS' -``` - -!!! note - Whitespace is used as option separator and `,` is used as value separator for the list. - The names of the options are case-insensitive. - -In compose file the entrypoint syntax is different. Notice how quotes are used: - -```yaml -traefik: - image: traefik - command: - - --defaultentrypoints=powpow - - "--entryPoints=Name:powpow Address::42 Compress:true" -``` -or -```yaml -traefik: - image: traefik - command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true' -``` - -#### All available options: - -```ini -Name:foo -Address::80 -TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key -TLS -TLS.MinVersion:VersionTLS11 -TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384 -TLS.SniStrict:true -TLS.DefaultCertificate.Cert:path/to/foo.cert -TLS.DefaultCertificate.Key:path/to/foo.key -CA:car -CA.Optional:true -Redirect.EntryPoint:https -Redirect.Regex:http://localhost/(.*) -Redirect.Replacement:http://mydomain/$1 -Redirect.Permanent:true -Compress:true -WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 -WhiteList.IPStrategy.depth:3 -WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24 -ProxyProtocol.TrustedIPs:192.168.0.1 -ProxyProtocol.Insecure:true -ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 -Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 -Auth.Basic.Removeheader:true -Auth.Basic.Realm:traefik -Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e -Auth.Digest.Removeheader:true -Auth.HeaderField:X-WebAuth-User -Auth.Forward.Address:https://authserver.com/auth -Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret -Auth.Forward.TrustForwardHeader:true -Auth.Forward.TLS.CA:path/to/local.crt -Auth.Forward.TLS.CAOptional:true -Auth.Forward.TLS.Cert:path/to/foo.cert -Auth.Forward.TLS.Key:path/to/foo.key -Auth.Forward.TLS.InsecureSkipVerify:true -``` - -## Basic - -```toml -# Entrypoints definition -# -# Default: -# [entryPoints] -# [entryPoints.http] -# address = ":80" -# -[entryPoints] - [entryPoints.http] - address = ":80" -``` - -## Redirect HTTP to HTTPS - -To redirect an http entrypoint to an https entrypoint (with SNI support). - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.com.cert" - keyFile = "integration/fixtures/https/snitest.com.key" - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.org.cert" - keyFile = "integration/fixtures/https/snitest.org.key" -``` - -!!! note - Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case). - -## Rewriting URL - -To redirect an entrypoint rewriting the URL. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - regex = "^http://localhost/(.*)" - replacement = "http://mydomain/$1" -``` - -!!! note - Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an `entrypoint` is defined for the redirection (they will not be used in this case). - -Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. - -Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2). - -## TLS - -### Static Certificates - -Define an entrypoint with SNI support. - -```toml -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.com.cert" - keyFile = "integration/fixtures/https/snitest.com.key" -``` - -!!! note - If an empty TLS configuration is provided, default self-signed certificates are generated. - - -### Dynamic Certificates - -If you need to add or remove TLS certificates while Traefik is started, Dynamic TLS certificates are supported using the [file provider](/configuration/backends/file). - - -## TLS Mutual Authentication - -TLS Mutual Authentication can be `optional` or not. -If it's `optional`, Traefik will authorize connection with certificates not signed by a specified Certificate Authority (CA). -Otherwise, Traefik will only accept clients that present a certificate signed by a specified Certificate Authority (CA). -`ClientCA.files` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`. -The `CA:s` has to be in PEM format. - -By default, `ClientCA.files` is not optional, all clients will be required to present a valid cert. -The requirement will apply to all server certs in the entrypoint. - -In the example below both `snitest.com` and `snitest.org` will require client certs - -```toml -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [entryPoints.https.tls.ClientCA] - files = ["tests/clientca1.crt", "tests/clientca2.crt"] - optional = false - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.com.cert" - keyFile = "integration/fixtures/https/snitest.com.key" - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.org.cert" - keyFile = "integration/fixtures/https/snitest.org.key" -``` - -## Authentication - -### Basic Authentication - -Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate them. - -Users can be specified directly in the TOML file, or indirectly by referencing an external file; - if both are provided, the two are merged, with external file contents having precedence. - -```toml -# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2 -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth.basic] - users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] - usersFile = "/path/to/.htpasswd" -``` - -Optionally, you can: - -- customize the realm - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth] - [entryPoints.http.auth.basic] - realm = "Your realm" - users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] -``` - -- pass authenticated user to application via headers - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth] - headerField = "X-WebAuth-User" # <-- header for the authenticated user - [entryPoints.http.auth.basic] - users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] -``` - -- remove the Authorization header - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth] - [entryPoints.http.auth.basic] - removeHeader = true # <-- remove the Authorization header - users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] -``` - -### Digest Authentication - -You can use `htdigest` to generate them. - -Users can be specified directly in the TOML file, or indirectly by referencing an external file; - if both are provided, the two are merged, with external file contents having precedence - -```toml -# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2 -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth.digest] - users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] - usersFile = "/path/to/.htdigest" -``` - -Optionally, you can! - -- pass authenticated user to application via headers. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth] - headerField = "X-WebAuth-User" # <-- header for the authenticated user - [entryPoints.http.auth.digest] - users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] -``` - -- remove the Authorization header. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth] - [entryPoints.http.auth.digest] - removeHeader = true # <-- remove the Authorization header - users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] -``` - -### Forward Authentication - -This configuration will first forward the request to `http://authserver.com/auth`. - -If the response code is 2XX, access is granted and the original request is performed. -Otherwise, the response from the authentication server is returned. - -```toml -[entryPoints] - [entryPoints.http] - # ... - # To enable forward auth on an entrypoint - [entryPoints.http.auth.forward] - address = "https://authserver.com/auth" - - # Trust existing X-Forwarded-* headers. - # Useful with another reverse proxy in front of Traefik. - # - # Optional - # Default: false - # - trustForwardHeader = true - - # Copy headers from the authentication server to the request. - # - # Optional - # - authResponseHeaders = ["X-Auth-User", "X-Secret"] - - # Enable forward auth TLS connection. - # - # Optional - # - [entryPoints.http.auth.forward.tls] - ca = "path/to/local.crt" - caOptional = true - cert = "path/to/foo.cert" - key = "path/to/foo.key" -``` - -## Specify Minimum TLS Version - -To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from [crypto/tls](https://godoc.org/crypto/tls#pkg-constants)). - -```toml -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - minVersion = "VersionTLS12" - cipherSuites = [ - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_GCM_SHA384" - ] - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.com.cert" - keyFile = "integration/fixtures/https/snitest.com.key" - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.org.cert" - keyFile = "integration/fixtures/https/snitest.org.key" -``` - -## Strict SNI Checking - -To enable strict SNI checking, so that connections cannot be made if a matching certificate does not exist. - -```toml -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - sniStrict = true - [[entryPoints.https.tls.certificates]] - certFile = "integration/fixtures/https/snitest.com.cert" - keyFile = "integration/fixtures/https/snitest.com.key" -``` - -## Default Certificate - -To enable a default certificate to serve, so that connections without SNI or without a matching domain will be served this certificate. - -```toml -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [entryPoints.https.tls.defaultCertificate] - certFile = "integration/fixtures/https/snitest.com.cert" - keyFile = "integration/fixtures/https/snitest.com.key" -``` - -!!! note - There can only be one `defaultCertificate` set per entrypoint. - Use a single set of square brackets `[ ]`, instead of the two needed for normal certificates. - If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead. - -## Compression - -To enable compression support using gzip format. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.compress] -``` - -Responses are compressed when: - -* The response body is larger than `512` bytes -* And the `Accept-Encoding` request header contains `gzip` -* And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set. - -## White Listing - -Traefik supports whitelisting to accept or refuse requests based on the client IP. - -The following example enables IP white listing and accepts requests from client IPs defined in `sourceRange`. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - - [entryPoints.http.whiteList] - sourceRange = ["127.0.0.1/32", "192.168.1.7"] - # [entryPoints.http.whiteList.IPStrategy] - # Override the clientIPStrategy -``` - -By default, Traefik uses the client IP (see [ClientIPStrategy](/configuration/entrypoints/#clientipstrategy)) for the whitelisting. - -If you want to use another IP than the one determined by `ClientIPStrategy` for the whitelisting, you can define the `IPStrategy` option: - -```toml -[entryPoints] - [entryPoints.http.clientIPStrategy] - depth = 4 - [entryPoints.http] - address = ":80" - - [entryPoints.http.whiteList] - sourceRange = ["127.0.0.1/32", "192.168.1.7"] - [entryPoints.http.whiteList.IPStrategy] - depth = 2 -``` - -In the above example, if the value of the `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the client IP would be `"10.0.0.1"` (`clientIPStrategy.depth=4`) but the IP used for the whitelisting would be `"12.0.0.1"` (`whitelist.IPStrategy.depth=2`). - -## ClientIPStrategy - -The `clientIPStrategy` defines how you want Traefik to determine the client IP (used for whitelisting for example). - -There are several option available: - -### Depth - -This option uses the `X-Forwarded-For` header and takes the IP located at the `depth` position (starting from the right). -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - - [entryPoints.http.clientIPStrategy] -``` - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - - [entryPoints.http.clientIPStrategy] - depth = 5 -``` - -!!! note - - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then clientIP will be empty. - - If `depth` is lesser than or equal to 0, then the option is ignored. - -Examples: - -| `X-Forwarded-For` | `depth` | clientIP | -|-----------------------------------------|---------|--------------| -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` | -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` | -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` | - -### Excluded IPs - -Traefik will scan the `X-Forwarded-For` header (from the right) and pick the first IP not in the `excludedIPs` list. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - - [entryPoints.http.clientIPStrategy] - excludedIPs = ["127.0.0.1/32", "192.168.1.7"] -``` - -!!! note - If `depth` is specified, `excludedIPs` is ignored. - -Examples: - -| `X-Forwarded-For` | `excludedIPs` | clientIP | -|-----------------------------------------|-----------------------|--------------| -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` | -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` | -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` | -| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` | -| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` | - -### Default - -If there are no `depth` or `excludedIPs`, then the client IP is the IP of the computer that initiated the connection with the Traefik server (the remote address). - -## ProxyProtocol - -To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support. -Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`). - -!!! danger - When queuing Traefik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides. - Otherwise, it could introduce a security risk in your system by forging requests. - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - - # Enable ProxyProtocol - [entryPoints.http.proxyProtocol] - # List of trusted IPs - # - # Required - # Default: [] - # - trustedIPs = ["127.0.0.1/32", "192.168.1.7"] - - # Insecure mode FOR TESTING ENVIRONNEMENT ONLY - # - # Optional - # Default: false - # - # insecure = true -``` - -## Forwarded Header - -Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`). - -```toml -[entryPoints] - [entryPoints.http] - address = ":80" - - # Enable Forwarded Headers - [entryPoints.http.forwardedHeaders] - # List of trusted IPs - # - # Required - # Default: [] - # - trustedIPs = ["127.0.0.1/32", "192.168.1.7"] - - # Insecure mode - # - # Optional - # Default: false - # - # insecure = true - -``` diff --git a/docs/configuration/logs.md b/docs/configuration/logs.md deleted file mode 100644 index 0cfde76ba..000000000 --- a/docs/configuration/logs.md +++ /dev/null @@ -1,264 +0,0 @@ -# Logs Definition - -## Reference - -### TOML - -```toml -logLevel = "INFO" - -[traefikLog] - filePath = "/path/to/traefik.log" - format = "json" - -[accessLog] - filePath = "/path/to/access.log" - format = "json" - - [accessLog.filters] - statusCodes = ["200", "300-302"] - retryAttempts = true - minDuration = "10ms" - - [accessLog.fields] - defaultMode = "keep" - [accessLog.fields.names] - "ClientUsername" = "drop" - # ... - - [accessLog.fields.headers] - defaultMode = "keep" - [accessLog.fields.headers.names] - "User-Agent" = "redact" - "Authorization" = "drop" - "Content-Type" = "keep" - # ... -``` - -### CLI - -For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik). - -```shell ---logLevel="DEBUG" ---traefikLog.filePath="/path/to/traefik.log" ---traefikLog.format="json" ---accessLog.filePath="/path/to/access.log" ---accessLog.format="json" ---accessLog.filters.statusCodes="200,300-302" ---accessLog.filters.retryAttempts="true" ---accessLog.filters.minDuration="10ms" ---accessLog.fields.defaultMode="keep" ---accessLog.fields.names="Username=drop Hostname=drop" ---accessLog.fields.headers.defaultMode="keep" ---accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep" -``` - - -## Traefik Logs - -By default the Traefik log is written to stdout in text format. - -To write the logs into a log file specify the `filePath`: - -```toml -[traefikLog] - filePath = "/path/to/traefik.log" -``` - -To write JSON format logs, specify `json` as the format: - -```toml -[traefikLog] - filePath = "/path/to/traefik.log" - format = "json" -``` - -To customize the log level: - -```toml -# Log level -# -# Optional -# Default: "ERROR" -# -# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" -# Messages at and above the selected level will be logged. -# -logLevel = "ERROR" -``` - - -## Access Logs - -Access logs are written when `[accessLog]` is defined. -By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields. - -To enable access logs using the default settings just add the `[accessLog]` entry: - -```toml -[accessLog] -``` - -To write the logs into a log file specify the `filePath`: - -```toml -[accessLog] -filePath = "/path/to/access.log" -``` - -To write JSON format logs, specify `json` as the format: - -```toml -[accessLog] -filePath = "/path/to/access.log" -format = "json" -``` - -To write the logs in async, specify `bufferingSize` as the format (must be >0): - -```toml -[accessLog] -filePath = "/path/to/access.log" -# Buffering Size -# -# Optional -# Default: 0 -# -# Number of access log lines to process in a buffered way. -# -bufferingSize = 100 -``` - -To filter logs you can specify a set of filters which are logically "OR-connected". Thus, specifying multiple filters will keep more access logs than specifying only one: - -```toml -[accessLog] -filePath = "/path/to/access.log" -format = "json" - - [accessLog.filters] - - # statusCodes: keep access logs with status codes in the specified range - # - # Optional - # Default: [] - # - statusCodes = ["200", "300-302"] - - # retryAttempts: keep access logs when at least one retry happened - # - # Optional - # Default: false - # - retryAttempts = true - - # minDuration: keep access logs when request took longer than the specified duration - # - # Optional - # Default: 0 - # - minDuration = "10ms" -``` - -To customize logs format: - -```toml -[accessLog] -filePath = "/path/to/access.log" -format = "json" - - [accessLog.filters] - - # statusCodes keep only access logs with status codes in the specified range - # - # Optional - # Default: [] - # - statusCodes = ["200", "300-302"] - - [accessLog.fields] - - # defaultMode - # - # Optional - # Default: "keep" - # - # Accepted values "keep", "drop" - # - defaultMode = "keep" - - # Fields map which is used to override fields defaultMode - [accessLog.fields.names] - "ClientUsername" = "drop" - # ... - - [accessLog.fields.headers] - # defaultMode - # - # Optional - # Default: "keep" - # - # Accepted values "keep", "drop", "redact" - # - defaultMode = "keep" - # Fields map which is used to override headers defaultMode - [accessLog.fields.headers.names] - "User-Agent" = "redact" - "Authorization" = "drop" - "Content-Type" = "keep" - # ... -``` - - -### List of all available fields - -```ini -StartUTC -StartLocal -Duration -FrontendName -BackendName -BackendURL -BackendAddr -ClientAddr -ClientHost -ClientPort -ClientUsername -RequestAddr -RequestHost -RequestPort -RequestMethod -RequestPath -RequestProtocol -RequestLine -RequestContentSize -OriginDuration -OriginContentSize -OriginStatus -OriginStatusLine -DownstreamStatus -DownstreamStatusLine -DownstreamContentSize -RequestCount -GzipRatio -Overhead -RetryAttempts -``` - -### CLF - Common Log Format - -By default, Traefik use the CLF (`common`) as access log format. - -```html - - [] " " "" "" "" "" ms -``` - - -## Log Rotation - -Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal. -This allows the logs to be rotated and processed by an external program, such as `logrotate`. - -!!! note - This does not work on Windows due to the lack of USR signals. diff --git a/docs/configuration/ping.md b/docs/configuration/ping.md deleted file mode 100644 index c36ceb24c..000000000 --- a/docs/configuration/ping.md +++ /dev/null @@ -1,91 +0,0 @@ -# Ping Definition - -## Configuration - -```toml -# Ping definition -[ping] - # Name of the related entry point - # - # Optional - # Default: "traefik" - # - entryPoint = "traefik" -``` - -| Path | Method | Description | -|---------|---------------|----------------------------------------------------------------------------------------------------| -| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` | - - -!!! warning - Even if you have authentication configured on entry point, the `/ping` path of the api is excluded from authentication. - -## Examples - -The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`. -Thus, if you have a regular path for `/foo` and an entrypoint on `:80`, you would access them as follows: - -* Regular path: `http://hostname:80/foo` -* Admin panel: `http://hostname:8080/` -* Ping URL: `http://hostname:8080/ping` - -However, for security reasons, you may want to be able to expose the `/ping` health-check URL to outside health-checkers, e.g. an Internet service or cloud load-balancer, _without_ exposing your dashboard's port. -In many environments, the security staff may not _allow_ you to expose it. - -You have two options: - -* Enable `/ping` on a regular entry point -* Enable `/ping` on a dedicated port - -### Ping health check on a regular entry point - -To proxy `/ping` from a regular entry point to the administration one without exposing the dashboard, do the following: - -```toml -defaultEntryPoints = ["http"] - -[entryPoints] - [entryPoints.http] - address = ":80" - -[ping] -entryPoint = "http" - -``` - -The above link `ping` on the `http` entry point and then expose it on port `80` - -### Enable ping health check on dedicated port - -If you do not want to or cannot expose the health-check on a regular entry point - e.g. your security rules do not allow it, or you have a conflicting path - then you can enable health-check on its own entry point. -Use the following configuration: - -```toml -defaultEntryPoints = ["http"] - -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.ping] - address = ":8082" - -[ping] -entryPoint = "ping" -``` - -The above is similar to the previous example, but instead of enabling `/ping` on the _default_ entry point, we enable it on a _dedicated_ entry point. - -In the above example, you would access a regular path and health-check as follows: - -* Regular path: `http://hostname:80/foo` -* Ping URL: `http://hostname:8082/ping` - -Note the dedicated port `:8082` for `/ping`. - -In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`. -Otherwise, you are likely to expose _all_ services via this entry point. - -### Using ping for external Load-balancer rotation health check - -If you are running traefik behind a external Load-balancer, and want to configure rotation health check on the Load-balancer to take a traefik instance out of rotation gracefully, you can configure [lifecycle.requestAcceptGraceTimeout](/configuration/commons.md#life-cycle) and the ping endpoint will return `503` response on traefik server termination, so that the Load-balancer can take the terminating traefik instance out of rotation, before it stops responding. diff --git a/docs/configuration/tracing.md b/docs/configuration/tracing.md deleted file mode 100644 index beec684c2..000000000 --- a/docs/configuration/tracing.md +++ /dev/null @@ -1,228 +0,0 @@ -# Tracing - -The tracing system allows developers to visualize call flows in their infrastructure. - -We use [OpenTracing](http://opentracing.io). It is an open standard designed for distributed tracing. - -Traefik supports four tracing backends: Jaeger, Zipkin, DataDog, and Instana. - -## Jaeger - -```toml -# Tracing definition -[tracing] - # Backend name used to send tracing data - # - # Default: "jaeger" - # - backend = "jaeger" - - # Service name used in Jaeger backend - # - # Default: "traefik" - # - serviceName = "traefik" - - # Span name limit allows for name truncation in case of very long Frontend/Backend names - # This can prevent certain tracing providers to drop traces that exceed their length limits - # - # Default: 0 - no truncation will occur - # - spanNameLimit = 0 - - [tracing.jaeger] - # Sampling Server URL is the address of jaeger-agent's HTTP sampling server - # - # Default: "http://localhost:5778/sampling" - # - samplingServerURL = "http://localhost:5778/sampling" - - # Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting - # - # Default: "const" - # - samplingType = "const" - - # Sampling Param is a value passed to the sampler. - # Valid values for Param field are: - # - for "const" sampler, 0 or 1 for always false/true respectively - # - for "probabilistic" sampler, a probability between 0 and 1 - # - for "rateLimiting" sampler, the number of spans per second - # - # Default: 1.0 - # - samplingParam = 1.0 - - # Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address - # - # Default: "127.0.0.1:6831" - # - localAgentHostPort = "127.0.0.1:6831" - - # Generate 128-bit trace IDs, compatible with OpenCensus - # - # Default: false - gen128Bit = true - - # Set the propagation header type. This can be either: - # - "jaeger", jaeger's default trace header. - # - "b3", compatible with OpenZipkin - # - # Default: "jaeger" - propagation = "jaeger" - - # Trace Context Header Name is the http header name used to propagate tracing context. - # This must be in lower-case to avoid mismatches when decoding incoming headers. - # - # Default: "uber-trace-id" - # - traceContextHeaderName = "uber-trace-id" -``` - -!!! warning - Traefik is only able to send data over compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent). - -## Zipkin - -```toml -# Tracing definition -[tracing] - # Backend name used to send tracing data - # - # Default: "jaeger" - # - backend = "zipkin" - - # Service name used in Zipkin backend - # - # Default: "traefik" - # - serviceName = "traefik" - - # Span name limit allows for name truncation in case of very long Frontend/Backend names - # This can prevent certain tracing providers to drop traces that exceed their length limits - # - # Default: 0 - no truncation will occur - # - spanNameLimit = 150 - - [tracing.zipkin] - # Zipkin HTTP endpoint used to send data - # - # Default: "http://localhost:9411/api/v1/spans" - # - httpEndpoint = "http://localhost:9411/api/v1/spans" - - # Enable Zipkin debug - # - # Default: false - # - debug = false - - # Use Zipkin SameSpan RPC style traces - # - # Default: false - # - sameSpan = false - - # Use Zipkin 128 bit root span IDs - # - # Default: true - # - id128Bit = true - - # The rate between 0.0 and 1.0 of requests to trace. - # - # Default: 1.0 - # - sampleRate = 0.2 -``` - -## DataDog - -```toml -# Tracing definition -[tracing] - # Backend name used to send tracing data - # - # Default: "jaeger" - # - backend = "datadog" - - # Service name used in DataDog backend - # - # Default: "traefik" - # - serviceName = "traefik" - - # Span name limit allows for name truncation in case of very long Frontend/Backend names - # This can prevent certain tracing providers to drop traces that exceed their length limits - # - # Default: 0 - no truncation will occur - # - spanNameLimit = 100 - - [tracing.datadog] - # Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address - # - # Default: "127.0.0.1:8126" - # - localAgentHostPort = "127.0.0.1:8126" - - # Enable DataDog debug - # - # Default: false - # - debug = false - - # Apply shared tag in a form of Key:Value to all the traces - # - # Default: "" - # - globalTag = "" - - # Enable priority sampling. When using distributed tracing, this option must be enabled in order - # to get all the parts of a distributed trace sampled. - # - # Default: false - # - prioritySampling = false -``` - -## Instana - -```toml -# Tracing definition -[tracing] - # Backend name used to send tracing data - # - # Default: "jaeger" - # - backend = "instana" - # Service name used in Instana backend - # - # Default: "traefik" - # - serviceName = "traefik" - [tracing.instana] - # Local Agent Host instructs reporter to send spans to instana-agent at this address - # - # Default: "127.0.0.1" - # - localAgentHost = "127.0.0.1" - # Local Agent port instructs reporter to send spans to the instana-agent at this port - # - # Default: 42699 - # - localAgentPort = 42699 - # Set Instana tracer log level - # - # Default: info - # Valid values for logLevel field are: - # - error - # - warn - # - debug - # - info - # - logLevel = "info" -``` \ No newline at end of file diff --git a/docs/content/assets/img/architecture-overview.png b/docs/content/assets/img/architecture-overview.png new file mode 100644 index 000000000..e11996615 Binary files /dev/null and b/docs/content/assets/img/architecture-overview.png differ diff --git a/docs/img/traefik-health.png b/docs/content/assets/img/dashboard-health.png similarity index 100% rename from docs/img/traefik-health.png rename to docs/content/assets/img/dashboard-health.png diff --git a/docs/img/web.frontend.png b/docs/content/assets/img/dashboard-main.png similarity index 100% rename from docs/img/web.frontend.png rename to docs/content/assets/img/dashboard-main.png diff --git a/docs/content/assets/img/entrypoints.png b/docs/content/assets/img/entrypoints.png new file mode 100644 index 000000000..ac80e921e Binary files /dev/null and b/docs/content/assets/img/entrypoints.png differ diff --git a/docs/content/assets/img/middleware/addprefix.png b/docs/content/assets/img/middleware/addprefix.png new file mode 100644 index 000000000..5899a8bfa Binary files /dev/null and b/docs/content/assets/img/middleware/addprefix.png differ diff --git a/docs/content/assets/img/middleware/authforward.png b/docs/content/assets/img/middleware/authforward.png new file mode 100644 index 000000000..149a915c3 Binary files /dev/null and b/docs/content/assets/img/middleware/authforward.png differ diff --git a/docs/content/assets/img/middleware/basicauth.png b/docs/content/assets/img/middleware/basicauth.png new file mode 100644 index 000000000..fd2851f5a Binary files /dev/null and b/docs/content/assets/img/middleware/basicauth.png differ diff --git a/docs/content/assets/img/middleware/buffering.png b/docs/content/assets/img/middleware/buffering.png new file mode 100644 index 000000000..29c2f6722 Binary files /dev/null and b/docs/content/assets/img/middleware/buffering.png differ diff --git a/docs/content/assets/img/middleware/chain.png b/docs/content/assets/img/middleware/chain.png new file mode 100644 index 000000000..e0331ff11 Binary files /dev/null and b/docs/content/assets/img/middleware/chain.png differ diff --git a/docs/content/assets/img/middleware/circuitbreaker.png b/docs/content/assets/img/middleware/circuitbreaker.png new file mode 100644 index 000000000..a18536054 Binary files /dev/null and b/docs/content/assets/img/middleware/circuitbreaker.png differ diff --git a/docs/content/assets/img/middleware/compress.png b/docs/content/assets/img/middleware/compress.png new file mode 100644 index 000000000..696b9617e Binary files /dev/null and b/docs/content/assets/img/middleware/compress.png differ diff --git a/docs/content/assets/img/middleware/digestauth.png b/docs/content/assets/img/middleware/digestauth.png new file mode 100644 index 000000000..8f2cab4f3 Binary files /dev/null and b/docs/content/assets/img/middleware/digestauth.png differ diff --git a/docs/content/assets/img/middleware/errorpages.png b/docs/content/assets/img/middleware/errorpages.png new file mode 100644 index 000000000..5462e2472 Binary files /dev/null and b/docs/content/assets/img/middleware/errorpages.png differ diff --git a/docs/content/assets/img/middleware/headers.png b/docs/content/assets/img/middleware/headers.png new file mode 100644 index 000000000..3f63fe7ff Binary files /dev/null and b/docs/content/assets/img/middleware/headers.png differ diff --git a/docs/content/assets/img/middleware/ipwhitelist.png b/docs/content/assets/img/middleware/ipwhitelist.png new file mode 100644 index 000000000..8c6b0c97a Binary files /dev/null and b/docs/content/assets/img/middleware/ipwhitelist.png differ diff --git a/docs/content/assets/img/middleware/maxconnection.png b/docs/content/assets/img/middleware/maxconnection.png new file mode 100644 index 000000000..b8b715f20 Binary files /dev/null and b/docs/content/assets/img/middleware/maxconnection.png differ diff --git a/docs/content/assets/img/middleware/overview.png b/docs/content/assets/img/middleware/overview.png new file mode 100644 index 000000000..d99487dc3 Binary files /dev/null and b/docs/content/assets/img/middleware/overview.png differ diff --git a/docs/content/assets/img/middleware/ratelimit.png b/docs/content/assets/img/middleware/ratelimit.png new file mode 100644 index 000000000..049af712e Binary files /dev/null and b/docs/content/assets/img/middleware/ratelimit.png differ diff --git a/docs/content/assets/img/providers.png b/docs/content/assets/img/providers.png new file mode 100644 index 000000000..2e0f576c0 Binary files /dev/null and b/docs/content/assets/img/providers.png differ diff --git a/docs/content/assets/img/providers/docker.png b/docs/content/assets/img/providers/docker.png new file mode 100644 index 000000000..2e633f5a5 Binary files /dev/null and b/docs/content/assets/img/providers/docker.png differ diff --git a/docs/content/assets/img/quickstart-diagram.png b/docs/content/assets/img/quickstart-diagram.png new file mode 100644 index 000000000..35648547c Binary files /dev/null and b/docs/content/assets/img/quickstart-diagram.png differ diff --git a/docs/content/assets/img/routers.png b/docs/content/assets/img/routers.png new file mode 100644 index 000000000..df8759935 Binary files /dev/null and b/docs/content/assets/img/routers.png differ diff --git a/docs/content/assets/img/services.png b/docs/content/assets/img/services.png new file mode 100644 index 000000000..3748302c6 Binary files /dev/null and b/docs/content/assets/img/services.png differ diff --git a/docs/content/assets/img/static-dynamic-configuration.png b/docs/content/assets/img/static-dynamic-configuration.png new file mode 100644 index 000000000..a40c7062e Binary files /dev/null and b/docs/content/assets/img/static-dynamic-configuration.png differ diff --git a/docs/content/assets/img/traefik-architecture.png b/docs/content/assets/img/traefik-architecture.png new file mode 100644 index 000000000..f2167bb59 Binary files /dev/null and b/docs/content/assets/img/traefik-architecture.png differ diff --git a/docs/content/assets/img/traefik-concepts-1.png b/docs/content/assets/img/traefik-concepts-1.png new file mode 100644 index 000000000..4a02bb8f2 Binary files /dev/null and b/docs/content/assets/img/traefik-concepts-1.png differ diff --git a/docs/content/assets/img/traefik-concepts-2.png b/docs/content/assets/img/traefik-concepts-2.png new file mode 100644 index 000000000..19dbd3d83 Binary files /dev/null and b/docs/content/assets/img/traefik-concepts-2.png differ diff --git a/docs/img/traefik.icon.png b/docs/content/assets/img/traefik.icon.png similarity index 100% rename from docs/img/traefik.icon.png rename to docs/content/assets/img/traefik.icon.png diff --git a/docs/img/traefik.logo.png b/docs/content/assets/img/traefik.logo.png similarity index 100% rename from docs/img/traefik.logo.png rename to docs/content/assets/img/traefik.logo.png diff --git a/docs/theme/js/extra.js b/docs/content/assets/js/extra.js similarity index 100% rename from docs/theme/js/extra.js rename to docs/content/assets/js/extra.js diff --git a/docs/theme/js/hljs/LICENSE b/docs/content/assets/js/hljs/LICENSE similarity index 100% rename from docs/theme/js/hljs/LICENSE rename to docs/content/assets/js/hljs/LICENSE diff --git a/docs/content/assets/js/hljs/highlight.pack.js b/docs/content/assets/js/hljs/highlight.pack.js new file mode 100644 index 000000000..d939b924d --- /dev/null +++ b/docs/content/assets/js/hljs/highlight.pack.js @@ -0,0 +1,2 @@ +/*! highlight.js v9.14.2 | BSD3 License | git.io/hljslicense */ +!function(e){var n="object"==typeof window&&window||"object"==typeof self&&self;"undefined"!=typeof exports?e(exports):n&&(n.hljs=e({}),"function"==typeof define&&define.amd&&define([],function(){return n.hljs}))}(function(e){function n(e){return e.replace(/&/g,"&").replace(//g,">")}function t(e){return e.nodeName.toLowerCase()}function r(e,n){var t=e&&e.exec(n);return t&&0===t.index}function a(e){return k.test(e)}function i(e){var n,t,r,i,o=e.className+" ";if(o+=e.parentNode?e.parentNode.className:"",t=M.exec(o))return w(t[1])?t[1]:"no-highlight";for(o=o.split(/\s+/),n=0,r=o.length;r>n;n++)if(i=o[n],a(i)||w(i))return i}function o(e){var n,t={},r=Array.prototype.slice.call(arguments,1);for(n in e)t[n]=e[n];return r.forEach(function(e){for(n in e)t[n]=e[n]}),t}function c(e){var n=[];return function r(e,a){for(var i=e.firstChild;i;i=i.nextSibling)3===i.nodeType?a+=i.nodeValue.length:1===i.nodeType&&(n.push({event:"start",offset:a,node:i}),a=r(i,a),t(i).match(/br|hr|img|input/)||n.push({event:"stop",offset:a,node:i}));return a}(e,0),n}function u(e,r,a){function i(){return e.length&&r.length?e[0].offset!==r[0].offset?e[0].offset"}function c(e){l+=""}function u(e){("start"===e.event?o:c)(e.node)}for(var s=0,l="",f=[];e.length||r.length;){var g=i();if(l+=n(a.substring(s,g[0].offset)),s=g[0].offset,g===e){f.reverse().forEach(c);do u(g.splice(0,1)[0]),g=i();while(g===e&&g.length&&g[0].offset===s);f.reverse().forEach(o)}else"start"===g[0].event?f.push(g[0].node):f.pop(),u(g.splice(0,1)[0])}return l+n(a.substr(s))}function s(e){return e.v&&!e.cached_variants&&(e.cached_variants=e.v.map(function(n){return o(e,{v:null},n)})),e.cached_variants||e.eW&&[o(e)]||[e]}function l(e){function n(e){return e&&e.source||e}function t(t,r){return new RegExp(n(t),"m"+(e.cI?"i":"")+(r?"g":""))}function r(a,i){if(!a.compiled){if(a.compiled=!0,a.k=a.k||a.bK,a.k){var o={},c=function(n,t){e.cI&&(t=t.toLowerCase()),t.split(" ").forEach(function(e){var t=e.split("|");o[t[0]]=[n,t[1]?Number(t[1]):1]})};"string"==typeof a.k?c("keyword",a.k):B(a.k).forEach(function(e){c(e,a.k[e])}),a.k=o}a.lR=t(a.l||/\w+/,!0),i&&(a.bK&&(a.b="\\b("+a.bK.split(" ").join("|")+")\\b"),a.b||(a.b=/\B|\b/),a.bR=t(a.b),a.endSameAsBegin&&(a.e=a.b),a.e||a.eW||(a.e=/\B|\b/),a.e&&(a.eR=t(a.e)),a.tE=n(a.e)||"",a.eW&&i.tE&&(a.tE+=(a.e?"|":"")+i.tE)),a.i&&(a.iR=t(a.i)),null==a.r&&(a.r=1),a.c||(a.c=[]),a.c=Array.prototype.concat.apply([],a.c.map(function(e){return s("self"===e?a:e)})),a.c.forEach(function(e){r(e,a)}),a.starts&&r(a.starts,i);var u=a.c.map(function(e){return e.bK?"\\.?("+e.b+")\\.?":e.b}).concat([a.tE,a.i]).map(n).filter(Boolean);a.t=u.length?t(u.join("|"),!0):{exec:function(){return null}}}}r(e)}function f(e,t,a,i){function o(e){return new RegExp(e.replace(/[-\/\\^$*+?.()|[\]{}]/g,"\\$&"),"m")}function c(e,n){var t,a;for(t=0,a=n.c.length;a>t;t++)if(r(n.c[t].bR,e))return n.c[t].endSameAsBegin&&(n.c[t].eR=o(n.c[t].bR.exec(e)[0])),n.c[t]}function u(e,n){if(r(e.eR,n)){for(;e.endsParent&&e.parent;)e=e.parent;return e}return e.eW?u(e.parent,n):void 0}function s(e,n){return!a&&r(n.iR,e)}function p(e,n){var t=R.cI?n[0].toLowerCase():n[0];return e.k.hasOwnProperty(t)&&e.k[t]}function d(e,n,t,r){var a=r?"":j.classPrefix,i='',i+n+o}function h(){var e,t,r,a;if(!E.k)return n(k);for(a="",t=0,E.lR.lastIndex=0,r=E.lR.exec(k);r;)a+=n(k.substring(t,r.index)),e=p(E,r),e?(M+=e[1],a+=d(e[0],n(r[0]))):a+=n(r[0]),t=E.lR.lastIndex,r=E.lR.exec(k);return a+n(k.substr(t))}function b(){var e="string"==typeof E.sL;if(e&&!L[E.sL])return n(k);var t=e?f(E.sL,k,!0,B[E.sL]):g(k,E.sL.length?E.sL:void 0);return E.r>0&&(M+=t.r),e&&(B[E.sL]=t.top),d(t.language,t.value,!1,!0)}function v(){y+=null!=E.sL?b():h(),k=""}function m(e){y+=e.cN?d(e.cN,"",!0):"",E=Object.create(e,{parent:{value:E}})}function N(e,n){if(k+=e,null==n)return v(),0;var t=c(n,E);if(t)return t.skip?k+=n:(t.eB&&(k+=n),v(),t.rB||t.eB||(k=n)),m(t,n),t.rB?0:n.length;var r=u(E,n);if(r){var a=E;a.skip?k+=n:(a.rE||a.eE||(k+=n),v(),a.eE&&(k=n));do E.cN&&(y+=I),E.skip||E.sL||(M+=E.r),E=E.parent;while(E!==r.parent);return r.starts&&(r.endSameAsBegin&&(r.starts.eR=r.eR),m(r.starts,"")),a.rE?0:n.length}if(s(n,E))throw new Error('Illegal lexeme "'+n+'" for mode "'+(E.cN||"")+'"');return k+=n,n.length||1}var R=w(e);if(!R)throw new Error('Unknown language: "'+e+'"');l(R);var x,E=i||R,B={},y="";for(x=E;x!==R;x=x.parent)x.cN&&(y=d(x.cN,"",!0)+y);var k="",M=0;try{for(var C,A,S=0;;){if(E.t.lastIndex=S,C=E.t.exec(t),!C)break;A=N(t.substring(S,C.index),C[0]),S=C.index+A}for(N(t.substr(S)),x=E;x.parent;x=x.parent)x.cN&&(y+=I);return{r:M,value:y,language:e,top:E}}catch(O){if(O.message&&-1!==O.message.indexOf("Illegal"))return{r:0,value:n(t)};throw O}}function g(e,t){t=t||j.languages||B(L);var r={r:0,value:n(e)},a=r;return t.filter(w).filter(x).forEach(function(n){var t=f(n,e,!1);t.language=n,t.r>a.r&&(a=t),t.r>r.r&&(a=r,r=t)}),a.language&&(r.second_best=a),r}function p(e){return j.tabReplace||j.useBR?e.replace(C,function(e,n){return j.useBR&&"\n"===e?"
":j.tabReplace?n.replace(/\t/g,j.tabReplace):""}):e}function d(e,n,t){var r=n?y[n]:t,a=[e.trim()];return e.match(/\bhljs\b/)||a.push("hljs"),-1===e.indexOf(r)&&a.push(r),a.join(" ").trim()}function h(e){var n,t,r,o,s,l=i(e);a(l)||(j.useBR?(n=document.createElementNS("http://www.w3.org/1999/xhtml","div"),n.innerHTML=e.innerHTML.replace(/\n/g,"").replace(//g,"\n")):n=e,s=n.textContent,r=l?f(l,s,!0):g(s),t=c(n),t.length&&(o=document.createElementNS("http://www.w3.org/1999/xhtml","div"),o.innerHTML=r.value,r.value=u(t,c(o),s)),r.value=p(r.value),e.innerHTML=r.value,e.className=d(e.className,l,r.language),e.result={language:r.language,re:r.r},r.second_best&&(e.second_best={language:r.second_best.language,re:r.second_best.r}))}function b(e){j=o(j,e)}function v(){if(!v.called){v.called=!0;var e=document.querySelectorAll("pre code");E.forEach.call(e,h)}}function m(){addEventListener("DOMContentLoaded",v,!1),addEventListener("load",v,!1)}function N(n,t){var r=L[n]=t(e);r.aliases&&r.aliases.forEach(function(e){y[e]=n})}function R(){return B(L)}function w(e){return e=(e||"").toLowerCase(),L[e]||L[y[e]]}function x(e){var n=w(e);return n&&!n.disableAutodetect}var E=[],B=Object.keys,L={},y={},k=/^(no-?highlight|plain|text)$/i,M=/\blang(?:uage)?-([\w-]+)\b/i,C=/((^(<[^>]+>|\t|)+|(?:\n)))/gm,I="",j={classPrefix:"hljs-",tabReplace:null,useBR:!1,languages:void 0};return e.highlight=f,e.highlightAuto=g,e.fixMarkup=p,e.highlightBlock=h,e.configure=b,e.initHighlighting=v,e.initHighlightingOnLoad=m,e.registerLanguage=N,e.listLanguages=R,e.getLanguage=w,e.autoDetection=x,e.inherit=o,e.IR="[a-zA-Z]\\w*",e.UIR="[a-zA-Z_]\\w*",e.NR="\\b\\d+(\\.\\d+)?",e.CNR="(-?)(\\b0[xX][a-fA-F0-9]+|(\\b\\d+(\\.\\d*)?|\\.\\d+)([eE][-+]?\\d+)?)",e.BNR="\\b(0b[01]+)",e.RSR="!|!=|!==|%|%=|&|&&|&=|\\*|\\*=|\\+|\\+=|,|-|-=|/=|/|:|;|<<|<<=|<=|<|===|==|=|>>>=|>>=|>=|>>>|>>|>|\\?|\\[|\\{|\\(|\\^|\\^=|\\||\\|=|\\|\\||~",e.BE={b:"\\\\[\\s\\S]",r:0},e.ASM={cN:"string",b:"'",e:"'",i:"\\n",c:[e.BE]},e.QSM={cN:"string",b:'"',e:'"',i:"\\n",c:[e.BE]},e.PWM={b:/\b(a|an|the|are|I'm|isn't|don't|doesn't|won't|but|just|should|pretty|simply|enough|gonna|going|wtf|so|such|will|you|your|they|like|more)\b/},e.C=function(n,t,r){var a=e.inherit({cN:"comment",b:n,e:t,c:[]},r||{});return a.c.push(e.PWM),a.c.push({cN:"doctag",b:"(?:TODO|FIXME|NOTE|BUG|XXX):",r:0}),a},e.CLCM=e.C("//","$"),e.CBCM=e.C("/\\*","\\*/"),e.HCM=e.C("#","$"),e.NM={cN:"number",b:e.NR,r:0},e.CNM={cN:"number",b:e.CNR,r:0},e.BNM={cN:"number",b:e.BNR,r:0},e.CSSNM={cN:"number",b:e.NR+"(%|em|ex|ch|rem|vw|vh|vmin|vmax|cm|mm|in|pt|pc|px|deg|grad|rad|turn|s|ms|Hz|kHz|dpi|dpcm|dppx)?",r:0},e.RM={cN:"regexp",b:/\//,e:/\/[gimuy]*/,i:/\n/,c:[e.BE,{b:/\[/,e:/\]/,r:0,c:[e.BE]}]},e.TM={cN:"title",b:e.IR,r:0},e.UTM={cN:"title",b:e.UIR,r:0},e.METHOD_GUARD={b:"\\.\\s*"+e.UIR,r:0},e});hljs.registerLanguage("json",function(e){var i={literal:"true false null"},n=[e.QSM,e.CNM],r={e:",",eW:!0,eE:!0,c:n,k:i},t={b:"{",e:"}",c:[{cN:"attr",b:/"/,e:/"/,c:[e.BE],i:"\\n"},e.inherit(r,{b:/:/})],i:"\\S"},c={b:"\\[",e:"\\]",c:[e.inherit(r)],i:"\\S"};return n.splice(n.length,0,t,c),{c:n,k:i,i:"\\S"}});hljs.registerLanguage("coffeescript",function(e){var c={keyword:"in if for while finally new do return else break catch instanceof throw try this switch continue typeof delete debugger super yield import export from as default await then unless until loop of by when and or is isnt not",literal:"true false null undefined yes no on off",built_in:"npm require console print module global window document"},n="[A-Za-z$_][0-9A-Za-z$_]*",r={cN:"subst",b:/#\{/,e:/}/,k:c},i=[e.BNM,e.inherit(e.CNM,{starts:{e:"(\\s*/)?",r:0}}),{cN:"string",v:[{b:/'''/,e:/'''/,c:[e.BE]},{b:/'/,e:/'/,c:[e.BE]},{b:/"""/,e:/"""/,c:[e.BE,r]},{b:/"/,e:/"/,c:[e.BE,r]}]},{cN:"regexp",v:[{b:"///",e:"///",c:[r,e.HCM]},{b:"//[gim]*",r:0},{b:/\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/}]},{b:"@"+n},{sL:"javascript",eB:!0,eE:!0,v:[{b:"```",e:"```"},{b:"`",e:"`"}]}];r.c=i;var s=e.inherit(e.TM,{b:n}),t="(\\(.*\\))?\\s*\\B[-=]>",o={cN:"params",b:"\\([^\\(]",rB:!0,c:[{b:/\(/,e:/\)/,k:c,c:["self"].concat(i)}]};return{aliases:["coffee","cson","iced"],k:c,i:/\/\*/,c:i.concat([e.C("###","###"),e.HCM,{cN:"function",b:"^\\s*"+n+"\\s*=\\s*"+t,e:"[-=]>",rB:!0,c:[s,o]},{b:/[:\(,=]\s*/,r:0,c:[{cN:"function",b:t,e:"[-=]>",rB:!0,c:[o]}]},{cN:"class",bK:"class",e:"$",i:/[:="\[\]]/,c:[{bK:"extends",eW:!0,i:/[:="\[\]]/,c:[s]},s]},{b:n+":",e:":",rB:!0,rE:!0,r:0}])}});hljs.registerLanguage("properties",function(r){var t="[ \\t\\f]*",e="[ \\t\\f]+",s="("+t+"[:=]"+t+"|"+e+")",n="([^\\\\\\W:= \\t\\f\\n]|\\\\.)+",a="([^\\\\:= \\t\\f\\n]|\\\\.)+",c={e:s,r:0,starts:{cN:"string",e:/$/,r:0,c:[{b:"\\\\\\n"}]}};return{cI:!0,i:/\S/,c:[r.C("^\\s*[!#]","$"),{b:n+s,rB:!0,c:[{cN:"attr",b:n,endsParent:!0,r:0}],starts:c},{b:a+s,rB:!0,r:0,c:[{cN:"meta",b:a,endsParent:!0,r:0}],starts:c},{cN:"attr",r:0,b:a+t+"$"}]}});hljs.registerLanguage("http",function(e){var t="HTTP/[0-9\\.]+";return{aliases:["https"],i:"\\S",c:[{b:"^"+t,e:"$",c:[{cN:"number",b:"\\b\\d{3}\\b"}]},{b:"^[A-Z]+ (.*?) "+t+"$",rB:!0,e:"$",c:[{cN:"string",b:" ",e:" ",eB:!0,eE:!0},{b:t},{cN:"keyword",b:"[A-Z]+"}]},{cN:"attribute",b:"^\\w",e:": ",eE:!0,i:"\\n|\\s|=",starts:{e:"$",r:0}},{b:"\\n\\n",starts:{sL:[],eW:!0}}]}});hljs.registerLanguage("xml",function(s){var e="[A-Za-z0-9\\._:-]+",t={eW:!0,i:/`]+/}]}]}]};return{aliases:["html","xhtml","rss","atom","xjb","xsd","xsl","plist"],cI:!0,c:[{cN:"meta",b:"",r:10,c:[{b:"\\[",e:"\\]"}]},s.C("",{r:10}),{b:"<\\!\\[CDATA\\[",e:"\\]\\]>",r:10},{cN:"meta",b:/<\?xml/,e:/\?>/,r:10},{b:/<\?(php)?/,e:/\?>/,sL:"php",c:[{b:"/\\*",e:"\\*/",skip:!0},{b:'b"',e:'"',skip:!0},{b:"b'",e:"'",skip:!0},s.inherit(s.ASM,{i:null,cN:null,c:null,skip:!0}),s.inherit(s.QSM,{i:null,cN:null,c:null,skip:!0})]},{cN:"tag",b:"|$)",e:">",k:{name:"style"},c:[t],starts:{e:"",rE:!0,sL:["css","xml"]}},{cN:"tag",b:"|$)",e:">",k:{name:"script"},c:[t],starts:{e:"",rE:!0,sL:["actionscript","javascript","handlebars","xml"]}},{cN:"tag",b:"",c:[{cN:"name",b:/[^\/><\s]+/,r:0},t]}]}});hljs.registerLanguage("perl",function(e){var t="getpwent getservent quotemeta msgrcv scalar kill dbmclose undef lc ma syswrite tr send umask sysopen shmwrite vec qx utime local oct semctl localtime readpipe do return format read sprintf dbmopen pop getpgrp not getpwnam rewinddir qqfileno qw endprotoent wait sethostent bless s|0 opendir continue each sleep endgrent shutdown dump chomp connect getsockname die socketpair close flock exists index shmgetsub for endpwent redo lstat msgctl setpgrp abs exit select print ref gethostbyaddr unshift fcntl syscall goto getnetbyaddr join gmtime symlink semget splice x|0 getpeername recv log setsockopt cos last reverse gethostbyname getgrnam study formline endhostent times chop length gethostent getnetent pack getprotoent getservbyname rand mkdir pos chmod y|0 substr endnetent printf next open msgsnd readdir use unlink getsockopt getpriority rindex wantarray hex system getservbyport endservent int chr untie rmdir prototype tell listen fork shmread ucfirst setprotoent else sysseek link getgrgid shmctl waitpid unpack getnetbyname reset chdir grep split require caller lcfirst until warn while values shift telldir getpwuid my getprotobynumber delete and sort uc defined srand accept package seekdir getprotobyname semop our rename seek if q|0 chroot sysread setpwent no crypt getc chown sqrt write setnetent setpriority foreach tie sin msgget map stat getlogin unless elsif truncate exec keys glob tied closedirioctl socket readlink eval xor readline binmode setservent eof ord bind alarm pipe atan2 getgrent exp time push setgrent gt lt or ne m|0 break given say state when",r={cN:"subst",b:"[$@]\\{",e:"\\}",k:t},s={b:"->{",e:"}"},n={v:[{b:/\$\d/},{b:/[\$%@](\^\w\b|#\w+(::\w+)*|{\w+}|\w+(::\w*)*)/},{b:/[\$%@][^\s\w{]/,r:0}]},i=[e.BE,r,n],o=[n,e.HCM,e.C("^\\=\\w","\\=cut",{eW:!0}),s,{cN:"string",c:i,v:[{b:"q[qwxr]?\\s*\\(",e:"\\)",r:5},{b:"q[qwxr]?\\s*\\[",e:"\\]",r:5},{b:"q[qwxr]?\\s*\\{",e:"\\}",r:5},{b:"q[qwxr]?\\s*\\|",e:"\\|",r:5},{b:"q[qwxr]?\\s*\\<",e:"\\>",r:5},{b:"qw\\s+q",e:"q",r:5},{b:"'",e:"'",c:[e.BE]},{b:'"',e:'"'},{b:"`",e:"`",c:[e.BE]},{b:"{\\w+}",c:[],r:0},{b:"-?\\w+\\s*\\=\\>",c:[],r:0}]},{cN:"number",b:"(\\b0[0-7_]+)|(\\b0x[0-9a-fA-F_]+)|(\\b[1-9][0-9_]*(\\.[0-9_]+)?)|[0_]\\b",r:0},{b:"(\\/\\/|"+e.RSR+"|\\b(split|return|print|reverse|grep)\\b)\\s*",k:"split return print reverse grep",r:0,c:[e.HCM,{cN:"regexp",b:"(s|tr|y)/(\\\\.|[^/])*/(\\\\.|[^/])*/[a-z]*",r:10},{cN:"regexp",b:"(m|qr)?/",e:"/[a-z]*",c:[e.BE],r:0}]},{cN:"function",bK:"sub",e:"(\\s*\\(.*?\\))?[;{]",eE:!0,r:5,c:[e.TM]},{b:"-\\w\\b",r:0},{b:"^__DATA__$",e:"^__END__$",sL:"mojolicious",c:[{b:"^@@.*",e:"$",cN:"comment"}]}];return r.c=o,s.c=o,{aliases:["pl","pm"],l:/[\w\.]+/,k:t,c:o}});hljs.registerLanguage("apache",function(e){var r={cN:"number",b:"[\\$%]\\d+"};return{aliases:["apacheconf"],cI:!0,c:[e.HCM,{cN:"section",b:""},{cN:"attribute",b:/\w+/,r:0,k:{nomarkup:"order deny allow setenv rewriterule rewriteengine rewritecond documentroot sethandler errordocument loadmodule options header listen serverroot servername"},starts:{e:/$/,r:0,k:{literal:"on off all"},c:[{cN:"meta",b:"\\s\\[",e:"\\]$"},{cN:"variable",b:"[\\$%]\\{",e:"\\}",c:["self",r]},r,e.QSM]}}],i:/\S/}});hljs.registerLanguage("markdown",function(e){return{aliases:["md","mkdown","mkd"],c:[{cN:"section",v:[{b:"^#{1,6}",e:"$"},{b:"^.+?\\n[=-]{2,}$"}]},{b:"<",e:">",sL:"xml",r:0},{cN:"bullet",b:"^([*+-]|(\\d+\\.))\\s+"},{cN:"strong",b:"[*_]{2}.+?[*_]{2}"},{cN:"emphasis",v:[{b:"\\*.+?\\*"},{b:"_.+?_",r:0}]},{cN:"quote",b:"^>\\s+",e:"$"},{cN:"code",v:[{b:"^```w*s*$",e:"^```s*$"},{b:"`.+?`"},{b:"^( {4}| )",e:"$",r:0}]},{b:"^[-\\*]{3,}",e:"$"},{b:"\\[.+?\\][\\(\\[].*?[\\)\\]]",rB:!0,c:[{cN:"string",b:"\\[",e:"\\]",eB:!0,rE:!0,r:0},{cN:"link",b:"\\]\\(",e:"\\)",eB:!0,eE:!0},{cN:"symbol",b:"\\]\\[",e:"\\]",eB:!0,eE:!0}],r:10},{b:/^\[[^\n]+\]:/,rB:!0,c:[{cN:"symbol",b:/\[/,e:/\]/,eB:!0,eE:!0},{cN:"link",b:/:\s*/,e:/$/,eB:!0}]}]}});hljs.registerLanguage("diff",function(e){return{aliases:["patch"],c:[{cN:"meta",r:10,v:[{b:/^@@ +\-\d+,\d+ +\+\d+,\d+ +@@$/},{b:/^\*\*\* +\d+,\d+ +\*\*\*\*$/},{b:/^\-\-\- +\d+,\d+ +\-\-\-\-$/}]},{cN:"comment",v:[{b:/Index: /,e:/$/},{b:/={3,}/,e:/$/},{b:/^\-{3}/,e:/$/},{b:/^\*{3} /,e:/$/},{b:/^\+{3}/,e:/$/},{b:/\*{5}/,e:/\*{5}$/}]},{cN:"addition",b:"^\\+",e:"$"},{cN:"deletion",b:"^\\-",e:"$"},{cN:"addition",b:"^\\!",e:"$"}]}});hljs.registerLanguage("java",function(e){var a="[À-ʸa-zA-Z_$][À-ʸa-zA-Z_$0-9]*",t=a+"(<"+a+"(\\s*,\\s*"+a+")*>)?",r="false synchronized int abstract float private char boolean var static null if const for true while long strictfp finally protected import native final void enum else break transient catch instanceof byte super volatile case assert short package default double public try this switch continue throws protected public private module requires exports do",s="\\b(0[bB]([01]+[01_]+[01]+|[01]+)|0[xX]([a-fA-F0-9]+[a-fA-F0-9_]+[a-fA-F0-9]+|[a-fA-F0-9]+)|(([\\d]+[\\d_]+[\\d]+|[\\d]+)(\\.([\\d]+[\\d_]+[\\d]+|[\\d]+))?|\\.([\\d]+[\\d_]+[\\d]+|[\\d]+))([eE][-+]?\\d+)?)[lLfF]?",c={cN:"number",b:s,r:0};return{aliases:["jsp"],k:r,i:/<\/|#/,c:[e.C("/\\*\\*","\\*/",{r:0,c:[{b:/\w+@/,r:0},{cN:"doctag",b:"@[A-Za-z]+"}]}),e.CLCM,e.CBCM,e.ASM,e.QSM,{cN:"class",bK:"class interface",e:/[{;=]/,eE:!0,k:"class interface",i:/[:"\[\]]/,c:[{bK:"extends implements"},e.UTM]},{bK:"new throw return else",r:0},{cN:"function",b:"("+t+"\\s+)+"+e.UIR+"\\s*\\(",rB:!0,e:/[{;=]/,eE:!0,k:r,c:[{b:e.UIR+"\\s*\\(",rB:!0,r:0,c:[e.UTM]},{cN:"params",b:/\(/,e:/\)/,k:r,r:0,c:[e.ASM,e.QSM,e.CNM,e.CBCM]},e.CLCM,e.CBCM]},c,{cN:"meta",b:"@[A-Za-z]+"}]}});hljs.registerLanguage("sql",function(e){var t=e.C("--","$");return{cI:!0,i:/[<>{}*]/,c:[{bK:"begin end start commit rollback savepoint lock alter create drop rename call delete do handler insert load replace select truncate update set show pragma grant merge describe use explain help declare prepare execute deallocate release unlock purge reset change stop analyze cache flush optimize repair kill install uninstall checksum restore check backup revoke comment values with",e:/;/,eW:!0,l:/[\w\.]+/,k:{keyword:"as abort abs absolute acc acce accep accept access accessed accessible account acos action activate add addtime admin administer advanced advise aes_decrypt aes_encrypt after agent aggregate ali alia alias all allocate allow alter always analyze ancillary and anti any anydata anydataset anyschema anytype apply archive archived archivelog are as asc ascii asin assembly assertion associate asynchronous at atan atn2 attr attri attrib attribu attribut attribute attributes audit authenticated authentication authid authors auto autoallocate autodblink autoextend automatic availability avg backup badfile basicfile before begin beginning benchmark between bfile bfile_base big bigfile bin binary_double binary_float binlog bit_and bit_count bit_length bit_or bit_xor bitmap blob_base block blocksize body both bound bucket buffer_cache buffer_pool build bulk by byte byteordermark bytes cache caching call calling cancel capacity cascade cascaded case cast catalog category ceil ceiling chain change changed char_base char_length character_length characters characterset charindex charset charsetform charsetid check checksum checksum_agg child choose chr chunk class cleanup clear client clob clob_base clone close cluster_id cluster_probability cluster_set clustering coalesce coercibility col collate collation collect colu colum column column_value columns columns_updated comment commit compact compatibility compiled complete composite_limit compound compress compute concat concat_ws concurrent confirm conn connec connect connect_by_iscycle connect_by_isleaf connect_by_root connect_time connection consider consistent constant constraint constraints constructor container content contents context contributors controlfile conv convert convert_tz corr corr_k corr_s corresponding corruption cos cost count count_big counted covar_pop covar_samp cpu_per_call cpu_per_session crc32 create creation critical cross cube cume_dist curdate current current_date current_time current_timestamp current_user cursor curtime customdatum cycle data database databases datafile datafiles datalength date_add date_cache date_format date_sub dateadd datediff datefromparts datename datepart datetime2fromparts day day_to_second dayname dayofmonth dayofweek dayofyear days db_role_change dbtimezone ddl deallocate declare decode decompose decrement decrypt deduplicate def defa defau defaul default defaults deferred defi defin define degrees delayed delegate delete delete_all delimited demand dense_rank depth dequeue des_decrypt des_encrypt des_key_file desc descr descri describ describe descriptor deterministic diagnostics difference dimension direct_load directory disable disable_all disallow disassociate discardfile disconnect diskgroup distinct distinctrow distribute distributed div do document domain dotnet double downgrade drop dumpfile duplicate duration each edition editionable editions element ellipsis else elsif elt empty enable enable_all enclosed encode encoding encrypt end end-exec endian enforced engine engines enqueue enterprise entityescaping eomonth error errors escaped evalname evaluate event eventdata events except exception exceptions exchange exclude excluding execu execut execute exempt exists exit exp expire explain explode export export_set extended extent external external_1 external_2 externally extract failed failed_login_attempts failover failure far fast feature_set feature_value fetch field fields file file_name_convert filesystem_like_logging final finish first first_value fixed flash_cache flashback floor flush following follows for forall force foreign form forma format found found_rows freelist freelists freepools fresh from from_base64 from_days ftp full function general generated get get_format get_lock getdate getutcdate global global_name globally go goto grant grants greatest group group_concat group_id grouping grouping_id groups gtid_subtract guarantee guard handler hash hashkeys having hea head headi headin heading heap help hex hierarchy high high_priority hosts hour hours http id ident_current ident_incr ident_seed identified identity idle_time if ifnull ignore iif ilike ilm immediate import in include including increment index indexes indexing indextype indicator indices inet6_aton inet6_ntoa inet_aton inet_ntoa infile initial initialized initially initrans inmemory inner innodb input insert install instance instantiable instr interface interleaved intersect into invalidate invisible is is_free_lock is_ipv4 is_ipv4_compat is_not is_not_null is_used_lock isdate isnull isolation iterate java join json json_exists keep keep_duplicates key keys kill language large last last_day last_insert_id last_value lateral lax lcase lead leading least leaves left len lenght length less level levels library like like2 like4 likec limit lines link list listagg little ln load load_file lob lobs local localtime localtimestamp locate locator lock locked log log10 log2 logfile logfiles logging logical logical_reads_per_call logoff logon logs long loop low low_priority lower lpad lrtrim ltrim main make_set makedate maketime managed management manual map mapping mask master master_pos_wait match matched materialized max maxextents maximize maxinstances maxlen maxlogfiles maxloghistory maxlogmembers maxsize maxtrans md5 measures median medium member memcompress memory merge microsecond mid migration min minextents minimum mining minus minute minutes minvalue missing mod mode model modification modify module monitoring month months mount move movement multiset mutex name name_const names nan national native natural nav nchar nclob nested never new newline next nextval no no_write_to_binlog noarchivelog noaudit nobadfile nocheck nocompress nocopy nocycle nodelay nodiscardfile noentityescaping noguarantee nokeep nologfile nomapping nomaxvalue nominimize nominvalue nomonitoring none noneditionable nonschema noorder nopr nopro noprom nopromp noprompt norely noresetlogs noreverse normal norowdependencies noschemacheck noswitch not nothing notice notnull notrim novalidate now nowait nth_value nullif nulls num numb numbe nvarchar nvarchar2 object ocicoll ocidate ocidatetime ociduration ociinterval ociloblocator ocinumber ociref ocirefcursor ocirowid ocistring ocitype oct octet_length of off offline offset oid oidindex old on online only opaque open operations operator optimal optimize option optionally or oracle oracle_date oradata ord ordaudio orddicom orddoc order ordimage ordinality ordvideo organization orlany orlvary out outer outfile outline output over overflow overriding package pad parallel parallel_enable parameters parent parse partial partition partitions pascal passing password password_grace_time password_lock_time password_reuse_max password_reuse_time password_verify_function patch path patindex pctincrease pctthreshold pctused pctversion percent percent_rank percentile_cont percentile_disc performance period period_add period_diff permanent physical pi pipe pipelined pivot pluggable plugin policy position post_transaction pow power pragma prebuilt precedes preceding precision prediction prediction_cost prediction_details prediction_probability prediction_set prepare present preserve prior priority private private_sga privileges procedural procedure procedure_analyze processlist profiles project prompt protection public publishingservername purge quarter query quick quiesce quota quotename radians raise rand range rank raw read reads readsize rebuild record records recover recovery recursive recycle redo reduced ref reference referenced references referencing refresh regexp_like register regr_avgx regr_avgy regr_count regr_intercept regr_r2 regr_slope regr_sxx regr_sxy reject rekey relational relative relaylog release release_lock relies_on relocate rely rem remainder rename repair repeat replace replicate replication required reset resetlogs resize resource respect restore restricted result result_cache resumable resume retention return returning returns reuse reverse revoke right rlike role roles rollback rolling rollup round row row_count rowdependencies rowid rownum rows rtrim rules safe salt sample save savepoint sb1 sb2 sb4 scan schema schemacheck scn scope scroll sdo_georaster sdo_topo_geometry search sec_to_time second seconds section securefile security seed segment select self semi sequence sequential serializable server servererror session session_user sessions_per_user set sets settings sha sha1 sha2 share shared shared_pool short show shrink shutdown si_averagecolor si_colorhistogram si_featurelist si_positionalcolor si_stillimage si_texture siblings sid sign sin size size_t sizes skip slave sleep smalldatetimefromparts smallfile snapshot some soname sort soundex source space sparse spfile split sql sql_big_result sql_buffer_result sql_cache sql_calc_found_rows sql_small_result sql_variant_property sqlcode sqldata sqlerror sqlname sqlstate sqrt square standalone standby start starting startup statement static statistics stats_binomial_test stats_crosstab stats_ks_test stats_mode stats_mw_test stats_one_way_anova stats_t_test_ stats_t_test_indep stats_t_test_one stats_t_test_paired stats_wsr_test status std stddev stddev_pop stddev_samp stdev stop storage store stored str str_to_date straight_join strcmp strict string struct stuff style subdate subpartition subpartitions substitutable substr substring subtime subtring_index subtype success sum suspend switch switchoffset switchover sync synchronous synonym sys sys_xmlagg sysasm sysaux sysdate sysdatetimeoffset sysdba sysoper system system_user sysutcdatetime table tables tablespace tablesample tan tdo template temporary terminated tertiary_weights test than then thread through tier ties time time_format time_zone timediff timefromparts timeout timestamp timestampadd timestampdiff timezone_abbr timezone_minute timezone_region to to_base64 to_date to_days to_seconds todatetimeoffset trace tracking transaction transactional translate translation treat trigger trigger_nestlevel triggers trim truncate try_cast try_convert try_parse type ub1 ub2 ub4 ucase unarchived unbounded uncompress under undo unhex unicode uniform uninstall union unique unix_timestamp unknown unlimited unlock unnest unpivot unrecoverable unsafe unsigned until untrusted unusable unused update updated upgrade upped upper upsert url urowid usable usage use use_stored_outlines user user_data user_resources users using utc_date utc_timestamp uuid uuid_short validate validate_password_strength validation valist value values var var_samp varcharc vari varia variab variabl variable variables variance varp varraw varrawc varray verify version versions view virtual visible void wait wallet warning warnings week weekday weekofyear wellformed when whene whenev wheneve whenever where while whitespace window with within without work wrapped xdb xml xmlagg xmlattributes xmlcast xmlcolattval xmlelement xmlexists xmlforest xmlindex xmlnamespaces xmlpi xmlquery xmlroot xmlschema xmlserialize xmltable xmltype xor year year_to_month years yearweek",literal:"true false null unknown",built_in:"array bigint binary bit blob bool boolean char character date dec decimal float int int8 integer interval number numeric real record serial serial8 smallint text time timestamp tinyint varchar varying void"},c:[{cN:"string",b:"'",e:"'",c:[e.BE,{b:"''"}]},{cN:"string",b:'"',e:'"',c:[e.BE,{b:'""'}]},{cN:"string",b:"`",e:"`",c:[e.BE]},e.CNM,e.CBCM,t,e.HCM]},e.CBCM,t,e.HCM]}});hljs.registerLanguage("php",function(e){var c={b:"\\$+[a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*"},i={cN:"meta",b:/<\?(php)?|\?>/},t={cN:"string",c:[e.BE,i],v:[{b:'b"',e:'"'},{b:"b'",e:"'"},e.inherit(e.ASM,{i:null}),e.inherit(e.QSM,{i:null})]},a={v:[e.BNM,e.CNM]};return{aliases:["php","php3","php4","php5","php6","php7"],cI:!0,k:"and include_once list abstract global private echo interface as static endswitch array null if endwhile or const for endforeach self var while isset public protected exit foreach throw elseif include __FILE__ empty require_once do xor return parent clone use __CLASS__ __LINE__ else break print eval new catch __METHOD__ case exception default die require __FUNCTION__ enddeclare final try switch continue endfor endif declare unset true false trait goto instanceof insteadof __DIR__ __NAMESPACE__ yield finally",c:[e.HCM,e.C("//","$",{c:[i]}),e.C("/\\*","\\*/",{c:[{cN:"doctag",b:"@[A-Za-z]+"}]}),e.C("__halt_compiler.+?;",!1,{eW:!0,k:"__halt_compiler",l:e.UIR}),{cN:"string",b:/<<<['"]?\w+['"]?$/,e:/^\w+;?$/,c:[e.BE,{cN:"subst",v:[{b:/\$\w+/},{b:/\{\$/,e:/\}/}]}]},i,{cN:"keyword",b:/\$this\b/},c,{b:/(::|->)+[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/},{cN:"function",bK:"function",e:/[;{]/,eE:!0,i:"\\$|\\[|%",c:[e.UTM,{cN:"params",b:"\\(",e:"\\)",c:["self",c,e.CBCM,t,a]}]},{cN:"class",bK:"class interface",e:"{",eE:!0,i:/[:\(\$"]/,c:[{bK:"extends implements"},e.UTM]},{bK:"namespace",e:";",i:/[\.']/,c:[e.UTM]},{bK:"use",e:";",c:[e.UTM]},{b:"=>"},t,a]}});hljs.registerLanguage("bash",function(e){var t={cN:"variable",v:[{b:/\$[\w\d#@][\w\d_]*/},{b:/\$\{(.*?)}/}]},s={cN:"string",b:/"/,e:/"/,c:[e.BE,t,{cN:"variable",b:/\$\(/,e:/\)/,c:[e.BE]}]},a={cN:"string",b:/'/,e:/'/};return{aliases:["sh","zsh"],l:/\b-?[a-z\._]+\b/,k:{keyword:"if then else elif fi for while in do done case esac function",literal:"true false",built_in:"break cd continue eval exec exit export getopts hash pwd readonly return shift test times trap umask unset alias bind builtin caller command declare echo enable help let local logout mapfile printf read readarray source type typeset ulimit unalias set shopt autoload bg bindkey bye cap chdir clone comparguments compcall compctl compdescribe compfiles compgroups compquote comptags comptry compvalues dirs disable disown echotc echoti emulate fc fg float functions getcap getln history integer jobs kill limit log noglob popd print pushd pushln rehash sched setcap setopt stat suspend ttyctl unfunction unhash unlimit unsetopt vared wait whence where which zcompile zformat zftp zle zmodload zparseopts zprof zpty zregexparse zsocket zstyle ztcp",_:"-ne -eq -lt -gt -f -d -e -s -l -a"},c:[{cN:"meta",b:/^#![^\n]+sh\s*$/,r:10},{cN:"function",b:/\w[\w\d_]*\s*\(\s*\)\s*\{/,rB:!0,c:[e.inherit(e.TM,{b:/\w[\w\d_]*/})],r:0},e.HCM,s,a,t]}});hljs.registerLanguage("shell",function(s){return{aliases:["console"],c:[{cN:"meta",b:"^\\s{0,3}[\\w\\d\\[\\]()@-]*[>%$#]",starts:{e:"$",sL:"bash"}}]}});hljs.registerLanguage("css",function(e){var c="[a-zA-Z-][a-zA-Z0-9_-]*",t={b:/[A-Z\_\.\-]+\s*:/,rB:!0,e:";",eW:!0,c:[{cN:"attribute",b:/\S/,e:":",eE:!0,starts:{eW:!0,eE:!0,c:[{b:/[\w-]+\(/,rB:!0,c:[{cN:"built_in",b:/[\w-]+/},{b:/\(/,e:/\)/,c:[e.ASM,e.QSM]}]},e.CSSNM,e.QSM,e.ASM,e.CBCM,{cN:"number",b:"#[0-9A-Fa-f]+"},{cN:"meta",b:"!important"}]}}]};return{cI:!0,i:/[=\/|'\$]/,c:[e.CBCM,{cN:"selector-id",b:/#[A-Za-z0-9_-]+/},{cN:"selector-class",b:/\.[A-Za-z0-9_-]+/},{cN:"selector-attr",b:/\[/,e:/\]/,i:"$"},{cN:"selector-pseudo",b:/:(:)?[a-zA-Z0-9\_\-\+\(\)"'.]+/},{b:"@(font-face|page)",l:"[a-z-]+",k:"font-face page"},{b:"@",e:"[{;]",i:/:/,c:[{cN:"keyword",b:/\w+/},{b:/\s/,eW:!0,eE:!0,r:0,c:[e.ASM,e.QSM,e.CSSNM]}]},{cN:"selector-tag",b:c,r:0},{b:"{",e:"}",i:/\S/,c:[e.CBCM,t]}]}});hljs.registerLanguage("ruby",function(e){var b="[a-zA-Z_]\\w*[!?=]?|[-+~]\\@|<<|>>|=~|===?|<=>|[<>]=?|\\*\\*|[-/+%^&*~`|]|\\[\\]=?",r={keyword:"and then defined module in return redo if BEGIN retry end for self when next until do begin unless END rescue else break undef not super class case require yield alias while ensure elsif or include attr_reader attr_writer attr_accessor",literal:"true false nil"},c={cN:"doctag",b:"@[A-Za-z]+"},a={b:"#<",e:">"},s=[e.C("#","$",{c:[c]}),e.C("^\\=begin","^\\=end",{c:[c],r:10}),e.C("^__END__","\\n$")],n={cN:"subst",b:"#\\{",e:"}",k:r},t={cN:"string",c:[e.BE,n],v:[{b:/'/,e:/'/},{b:/"/,e:/"/},{b:/`/,e:/`/},{b:"%[qQwWx]?\\(",e:"\\)"},{b:"%[qQwWx]?\\[",e:"\\]"},{b:"%[qQwWx]?{",e:"}"},{b:"%[qQwWx]?<",e:">"},{b:"%[qQwWx]?/",e:"/"},{b:"%[qQwWx]?%",e:"%"},{b:"%[qQwWx]?-",e:"-"},{b:"%[qQwWx]?\\|",e:"\\|"},{b:/\B\?(\\\d{1,3}|\\x[A-Fa-f0-9]{1,2}|\\u[A-Fa-f0-9]{4}|\\?\S)\b/},{b:/<<(-?)\w+$/,e:/^\s*\w+$/}]},i={cN:"params",b:"\\(",e:"\\)",endsParent:!0,k:r},d=[t,a,{cN:"class",bK:"class module",e:"$|;",i:/=/,c:[e.inherit(e.TM,{b:"[A-Za-z_]\\w*(::\\w+)*(\\?|\\!)?"}),{b:"<\\s*",c:[{b:"("+e.IR+"::)?"+e.IR}]}].concat(s)},{cN:"function",bK:"def",e:"$|;",c:[e.inherit(e.TM,{b:b}),i].concat(s)},{b:e.IR+"::"},{cN:"symbol",b:e.UIR+"(\\!|\\?)?:",r:0},{cN:"symbol",b:":(?!\\s)",c:[t,{b:b}],r:0},{cN:"number",b:"(\\b0[0-7_]+)|(\\b0x[0-9a-fA-F_]+)|(\\b[1-9][0-9_]*(\\.[0-9_]+)?)|[0_]\\b",r:0},{b:"(\\$\\W)|((\\$|\\@\\@?)(\\w+))"},{cN:"params",b:/\|/,e:/\|/,k:r},{b:"("+e.RSR+"|unless)\\s*",k:"unless",c:[a,{cN:"regexp",c:[e.BE,n],i:/\n/,v:[{b:"/",e:"/[a-z]*"},{b:"%r{",e:"}[a-z]*"},{b:"%r\\(",e:"\\)[a-z]*"},{b:"%r!",e:"![a-z]*"},{b:"%r\\[",e:"\\][a-z]*"}]}].concat(s),r:0}].concat(s);n.c=d,i.c=d;var l="[>?]>",o="[\\w#]+\\(\\w+\\):\\d+:\\d+>",u="(\\w+-)?\\d+\\.\\d+\\.\\d(p\\d+)?[^>]+>",w=[{b:/^\s*=>/,starts:{e:"$",c:d}},{cN:"meta",b:"^("+l+"|"+o+"|"+u+")",starts:{e:"$",c:d}}];return{aliases:["rb","gemspec","podspec","thor","irb"],k:r,i:/\/\*/,c:s.concat(w).concat(d)}});hljs.registerLanguage("yaml",function(e){var b="true false yes no null",a="^[ \\-]*",r="[a-zA-Z_][\\w\\-]*",t={cN:"attr",v:[{b:a+r+":"},{b:a+'"'+r+'":'},{b:a+"'"+r+"':"}]},c={cN:"template-variable",v:[{b:"{{",e:"}}"},{b:"%{",e:"}"}]},l={cN:"string",r:0,v:[{b:/'/,e:/'/},{b:/"/,e:/"/},{b:/\S+/}],c:[e.BE,c]};return{cI:!0,aliases:["yml","YAML","yaml"],c:[t,{cN:"meta",b:"^---s*$",r:10},{cN:"string",b:"[\\|>] *$",rE:!0,c:l.c,e:t.v[0].b},{b:"<%[%=-]?",e:"[%-]?%>",sL:"ruby",eB:!0,eE:!0,r:0},{cN:"type",b:"!"+e.UIR},{cN:"type",b:"!!"+e.UIR},{cN:"meta",b:"&"+e.UIR+"$"},{cN:"meta",b:"\\*"+e.UIR+"$"},{cN:"bullet",b:"^ *-",r:0},e.HCM,{bK:b,k:{literal:b}},e.CNM,l]}});hljs.registerLanguage("nginx",function(e){var r={cN:"variable",v:[{b:/\$\d+/},{b:/\$\{/,e:/}/},{b:"[\\$\\@]"+e.UIR}]},b={eW:!0,l:"[a-z/_]+",k:{literal:"on off yes no true false none blocked debug info notice warn error crit select break last permanent redirect kqueue rtsig epoll poll /dev/poll"},r:0,i:"=>",c:[e.HCM,{cN:"string",c:[e.BE,r],v:[{b:/"/,e:/"/},{b:/'/,e:/'/}]},{b:"([a-z]+):/",e:"\\s",eW:!0,eE:!0,c:[r]},{cN:"regexp",c:[e.BE,r],v:[{b:"\\s\\^",e:"\\s|{|;",rE:!0},{b:"~\\*?\\s+",e:"\\s|{|;",rE:!0},{b:"\\*(\\.[a-z\\-]+)+"},{b:"([a-z\\-]+\\.)+\\*"}]},{cN:"number",b:"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}(:\\d{1,5})?\\b"},{cN:"number",b:"\\b\\d+[kKmMgGdshdwy]*\\b",r:0},r]};return{aliases:["nginxconf"],c:[e.HCM,{b:e.UIR+"\\s+{",rB:!0,e:"{",c:[{cN:"section",b:e.UIR}],r:0},{b:e.UIR+"\\s",e:";|{",rB:!0,c:[{cN:"attribute",b:e.UIR,starts:b}],r:0}],i:"[^\\s\\}]"}});hljs.registerLanguage("makefile",function(e){var i={cN:"variable",v:[{b:"\\$\\("+e.UIR+"\\)",c:[e.BE]},{b:/\$[@%]*>/,e:/$/,i:"\\n"},t.CLCM,t.CBCM]},a=t.IR+"\\s*\\(",c={keyword:"int float while private char catch import module export virtual operator sizeof dynamic_cast|10 typedef const_cast|10 const for static_cast|10 union namespace unsigned long volatile static protected bool template mutable if public friend do goto auto void enum else break extern using asm case typeid short reinterpret_cast|10 default double register explicit signed typename try this switch continue inline delete alignof constexpr decltype noexcept static_assert thread_local restrict _Bool complex _Complex _Imaginary atomic_bool atomic_char atomic_schar atomic_uchar atomic_short atomic_ushort atomic_int atomic_uint atomic_long atomic_ulong atomic_llong atomic_ullong new throw return and or not",built_in:"std string cin cout cerr clog stdin stdout stderr stringstream istringstream ostringstream auto_ptr deque list queue stack vector map set bitset multiset multimap unordered_set unordered_map unordered_multiset unordered_multimap array shared_ptr abort abs acos asin atan2 atan calloc ceil cosh cos exit exp fabs floor fmod fprintf fputs free frexp fscanf isalnum isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper isxdigit tolower toupper labs ldexp log10 log malloc realloc memchr memcmp memcpy memset modf pow printf putchar puts scanf sinh sin snprintf sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk strrchr strspn strstr tanh tan vfprintf vprintf vsprintf endl initializer_list unique_ptr",literal:"true false nullptr NULL"},n=[e,t.CLCM,t.CBCM,s,r];return{aliases:["c","cc","h","c++","h++","hpp"],k:c,i:"",k:c,c:["self",e]},{b:t.IR+"::",k:c},{v:[{b:/=/,e:/;/},{b:/\(/,e:/\)/},{bK:"new throw return else",e:/;/}],k:c,c:n.concat([{b:/\(/,e:/\)/,k:c,c:n.concat(["self"]),r:0}]),r:0},{cN:"function",b:"("+t.IR+"[\\*&\\s]+)+"+a,rB:!0,e:/[{;=]/,eE:!0,k:c,i:/[^\w\s\*&]/,c:[{b:a,rB:!0,c:[t.TM],r:0},{cN:"params",b:/\(/,e:/\)/,k:c,r:0,c:[t.CLCM,t.CBCM,r,s,e,{b:/\(/,e:/\)/,k:c,r:0,c:["self",t.CLCM,t.CBCM,r,s,e]}]},t.CLCM,t.CBCM,i]},{cN:"class",bK:"class struct",e:/[{;:]/,c:[{b://,c:["self"]},t.TM]}]),exports:{preprocessor:i,strings:r,k:c}}});hljs.registerLanguage("ini",function(e){var b={cN:"string",c:[e.BE],v:[{b:"'''",e:"'''",r:10},{b:'"""',e:'"""',r:10},{b:'"',e:'"'},{b:"'",e:"'"}]};return{aliases:["toml"],cI:!0,i:/\S/,c:[e.C(";","$"),e.HCM,{cN:"section",b:/^\s*\[+/,e:/\]+/},{b:/^[a-z0-9\[\]_-]+\s*=\s*/,e:"$",rB:!0,c:[{cN:"attr",b:/[a-z0-9\[\]_-]+/},{b:/=/,eW:!0,r:0,c:[{cN:"literal",b:/\bon|off|true|false|yes|no\b/},{cN:"variable",v:[{b:/\$[\w\d"][\w\d_]*/},{b:/\$\{(.*?)}/}]},b,{cN:"number",b:/([\+\-]+)?[\d]+_[\d_]+/},e.NM]}]}]}});hljs.registerLanguage("objectivec",function(e){var t={cN:"built_in",b:"\\b(AV|CA|CF|CG|CI|CL|CM|CN|CT|MK|MP|MTK|MTL|NS|SCN|SK|UI|WK|XC)\\w+"},_={keyword:"int float while char export sizeof typedef const struct for union unsigned long volatile static bool mutable if do return goto void enum else break extern asm case short default double register explicit signed typename this switch continue wchar_t inline readonly assign readwrite self @synchronized id typeof nonatomic super unichar IBOutlet IBAction strong weak copy in out inout bycopy byref oneway __strong __weak __block __autoreleasing @private @protected @public @try @property @end @throw @catch @finally @autoreleasepool @synthesize @dynamic @selector @optional @required @encode @package @import @defs @compatibility_alias __bridge __bridge_transfer __bridge_retained __bridge_retain __covariant __contravariant __kindof _Nonnull _Nullable _Null_unspecified __FUNCTION__ __PRETTY_FUNCTION__ __attribute__ getter setter retain unsafe_unretained nonnull nullable null_unspecified null_resettable class instancetype NS_DESIGNATED_INITIALIZER NS_UNAVAILABLE NS_REQUIRES_SUPER NS_RETURNS_INNER_POINTER NS_INLINE NS_AVAILABLE NS_DEPRECATED NS_ENUM NS_OPTIONS NS_SWIFT_UNAVAILABLE NS_ASSUME_NONNULL_BEGIN NS_ASSUME_NONNULL_END NS_REFINED_FOR_SWIFT NS_SWIFT_NAME NS_SWIFT_NOTHROW NS_DURING NS_HANDLER NS_ENDHANDLER NS_VALUERETURN NS_VOIDRETURN",literal:"false true FALSE TRUE nil YES NO NULL",built_in:"BOOL dispatch_once_t dispatch_queue_t dispatch_sync dispatch_async dispatch_once"},i=/[a-zA-Z@][a-zA-Z0-9_]*/,n="@interface @class @protocol @implementation";return{aliases:["mm","objc","obj-c"],k:_,l:i,i:""}]}]},{cN:"class",b:"("+n.split(" ").join("|")+")\\b",e:"({|$)",eE:!0,k:n,l:i,c:[e.UTM]},{b:"\\."+e.UIR,r:0}]}});hljs.registerLanguage("cs",function(e){var i={keyword:"abstract as base bool break byte case catch char checked const continue decimal default delegate do double enum event explicit extern finally fixed float for foreach goto if implicit in int interface internal is lock long nameof object operator out override params private protected public readonly ref sbyte sealed short sizeof stackalloc static string struct switch this try typeof uint ulong unchecked unsafe ushort using virtual void volatile while add alias ascending async await by descending dynamic equals from get global group into join let on orderby partial remove select set value var where yield",literal:"null false true"},r={cN:"number",v:[{b:"\\b(0b[01']+)"},{b:"(-?)\\b([\\d']+(\\.[\\d']*)?|\\.[\\d']+)(u|U|l|L|ul|UL|f|F|b|B)"},{b:"(-?)(\\b0[xX][a-fA-F0-9']+|(\\b[\\d']+(\\.[\\d']*)?|\\.[\\d']+)([eE][-+]?[\\d']+)?)"}],r:0},t={cN:"string",b:'@"',e:'"',c:[{b:'""'}]},a=e.inherit(t,{i:/\n/}),c={cN:"subst",b:"{",e:"}",k:i},n=e.inherit(c,{i:/\n/}),s={cN:"string",b:/\$"/,e:'"',i:/\n/,c:[{b:"{{"},{b:"}}"},e.BE,n]},b={cN:"string",b:/\$@"/,e:'"',c:[{b:"{{"},{b:"}}"},{b:'""'},c]},l=e.inherit(b,{i:/\n/,c:[{b:"{{"},{b:"}}"},{b:'""'},n]});c.c=[b,s,t,e.ASM,e.QSM,r,e.CBCM],n.c=[l,s,a,e.ASM,e.QSM,r,e.inherit(e.CBCM,{i:/\n/})];var o={v:[b,s,t,e.ASM,e.QSM]},d=e.IR+"(<"+e.IR+"(\\s*,\\s*"+e.IR+")*>)?(\\[\\])?";return{aliases:["csharp","c#"],k:i,i:/::/,c:[e.C("///","$",{rB:!0,c:[{cN:"doctag",v:[{b:"///",r:0},{b:""},{b:""}]}]}),e.CLCM,e.CBCM,{cN:"meta",b:"#",e:"$",k:{"meta-keyword":"if else elif endif define undef warning error line region endregion pragma checksum"}},o,r,{bK:"class interface",e:/[{;=]/,i:/[^\s:,]/,c:[e.TM,e.CLCM,e.CBCM]},{bK:"namespace",e:/[{;=]/,i:/[^\s:]/,c:[e.inherit(e.TM,{b:"[a-zA-Z](\\.?\\w)*"}),e.CLCM,e.CBCM]},{cN:"meta",b:"^\\s*\\[",eB:!0,e:"\\]",eE:!0,c:[{cN:"meta-string",b:/"/,e:/"/}]},{bK:"new return throw await else",r:0},{cN:"function",b:"("+d+"\\s+)+"+e.IR+"\\s*\\(",rB:!0,e:/\s*[{;=]/,eE:!0,k:i,c:[{b:e.IR+"\\s*\\(",rB:!0,c:[e.TM],r:0},{cN:"params",b:/\(/,e:/\)/,eB:!0,eE:!0,k:i,r:0,c:[o,r,e.CBCM]},e.CLCM,e.CBCM]}]}});hljs.registerLanguage("python",function(e){var r={keyword:"and elif is global as in if from raise for except finally print import pass return exec else break not with class assert yield try while continue del or def lambda async await nonlocal|10 None True False",built_in:"Ellipsis NotImplemented"},b={cN:"meta",b:/^(>>>|\.\.\.) /},c={cN:"subst",b:/\{/,e:/\}/,k:r,i:/#/},a={cN:"string",c:[e.BE],v:[{b:/(u|b)?r?'''/,e:/'''/,c:[e.BE,b],r:10},{b:/(u|b)?r?"""/,e:/"""/,c:[e.BE,b],r:10},{b:/(fr|rf|f)'''/,e:/'''/,c:[e.BE,b,c]},{b:/(fr|rf|f)"""/,e:/"""/,c:[e.BE,b,c]},{b:/(u|r|ur)'/,e:/'/,r:10},{b:/(u|r|ur)"/,e:/"/,r:10},{b:/(b|br)'/,e:/'/},{b:/(b|br)"/,e:/"/},{b:/(fr|rf|f)'/,e:/'/,c:[e.BE,c]},{b:/(fr|rf|f)"/,e:/"/,c:[e.BE,c]},e.ASM,e.QSM]},i={cN:"number",r:0,v:[{b:e.BNR+"[lLjJ]?"},{b:"\\b(0o[0-7]+)[lLjJ]?"},{b:e.CNR+"[lLjJ]?"}]},n={cN:"params",b:/\(/,e:/\)/,c:["self",b,i,a]};return c.c=[a,i,b],{aliases:["py","gyp","ipython"],k:r,i:/(<\/|->|\?)|=>/,c:[b,i,a,e.HCM,{v:[{cN:"function",bK:"def"},{cN:"class",bK:"class"}],e:/:/,i:/[${=;\n,]/,c:[e.UTM,n,{b:/->/,eW:!0,k:"None"}]},{cN:"meta",b:/^[\t ]*@/,e:/$/},{b:/\b(print|exec)\(/}]}});hljs.registerLanguage("javascript",function(e){var r="[A-Za-z$_][0-9A-Za-z$_]*",t={keyword:"in of if for while finally var new function do return void else break catch instanceof with throw case default try this switch continue typeof delete let yield const export super debugger as async await static import from as",literal:"true false null undefined NaN Infinity",built_in:"eval isFinite isNaN parseFloat parseInt decodeURI decodeURIComponent encodeURI encodeURIComponent escape unescape Object Function Boolean Error EvalError InternalError RangeError ReferenceError StopIteration SyntaxError TypeError URIError Number Math Date String RegExp Array Float32Array Float64Array Int16Array Int32Array Int8Array Uint16Array Uint32Array Uint8Array Uint8ClampedArray ArrayBuffer DataView JSON Intl arguments require module console window document Symbol Set Map WeakSet WeakMap Proxy Reflect Promise"},a={cN:"number",v:[{b:"\\b(0[bB][01]+)"},{b:"\\b(0[oO][0-7]+)"},{b:e.CNR}],r:0},n={cN:"subst",b:"\\$\\{",e:"\\}",k:t,c:[]},c={cN:"string",b:"`",e:"`",c:[e.BE,n]};n.c=[e.ASM,e.QSM,c,a,e.RM];var s=n.c.concat([e.CBCM,e.CLCM]);return{aliases:["js","jsx"],k:t,c:[{cN:"meta",r:10,b:/^\s*['"]use (strict|asm)['"]/},{cN:"meta",b:/^#!/,e:/$/},e.ASM,e.QSM,c,e.CLCM,e.CBCM,a,{b:/[{,]\s*/,r:0,c:[{b:r+"\\s*:",rB:!0,r:0,c:[{cN:"attr",b:r,r:0}]}]},{b:"("+e.RSR+"|\\b(case|return|throw)\\b)\\s*",k:"return throw case",c:[e.CLCM,e.CBCM,e.RM,{cN:"function",b:"(\\(.*?\\)|"+r+")\\s*=>",rB:!0,e:"\\s*=>",c:[{cN:"params",v:[{b:r},{b:/\(\s*\)/},{b:/\(/,e:/\)/,eB:!0,eE:!0,k:t,c:s}]}]},{b://,sL:"xml",c:[{b:/<\w+\s*\/>/,skip:!0},{b:/<\w+/,e:/(\/\w+|\w+\/)>/,skip:!0,c:[{b:/<\w+\s*\/>/,skip:!0},"self"]}]}],r:0},{cN:"function",bK:"function",e:/\{/,eE:!0,c:[e.inherit(e.TM,{b:r}),{cN:"params",b:/\(/,e:/\)/,eB:!0,eE:!0,c:s}],i:/\[|%/},{b:/\$[(.]/},e.METHOD_GUARD,{cN:"class",bK:"class",e:/[{;=]/,eE:!0,i:/[:"\[\]]/,c:[{bK:"extends"},e.UTM]},{bK:"constructor get set",e:/\{/,eE:!0}],i:/#(?!!)/}});hljs.registerLanguage("dockerfile",function(e){return{aliases:["docker"],cI:!0,k:"from maintainer expose env arg user onbuild stopsignal",c:[e.HCM,e.ASM,e.QSM,e.NM,{bK:"run cmd entrypoint volume add copy workdir label healthcheck shell",starts:{e:/[^\\]$/,sL:"bash"}}],i:" 1f6c34f7921c +[...] +Successfully built ce4ff439c06a +Successfully tagged traefik-webui:latest +[...] +docker build -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile . +Sending build context to Docker daemon 279MB +Step 1/10 : FROM golang:1.11-alpine + ---> f4bfb3d22bda +[...] +Successfully built 5c3c1a911277 +Successfully tagged traefik-dev:4475--feature-documentation +docker run -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary +---> Making bundle: generate (in .) +removed 'autogen/gentemplates/gen.go' +removed 'autogen/genstatic/gen.go' + +---> Making bundle: binary (in .) + +$ ls dist/ +traefik* +``` + +### Method 2: Using `go` + +You need `go` v1.9+. + +!!! tip "Source Directory" + + It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory. + This is the official golang workspace hierarchy that will allow dependencies to be properly resolved. + +!!! note "Environment" + + Set your `GOPATH` and `PATH` variable to be set to `~/go` via: + + ```bash + export GOPATH=~/go + export PATH=$PATH:$GOPATH/bin + ``` + + For convenience, add `GOPATH` and `PATH` to your `.bashrc` or `.bash_profile` + + Verify your environment is setup properly by running `$ go env`. + Depending on your OS and environment, you should see an output similar to: + + ```bash + GOARCH="amd64" + GOBIN="" + GOEXE="" + GOHOSTARCH="amd64" + GOHOSTOS="linux" + GOOS="linux" + GOPATH="/home//go" + GORACE="" + ## ... and the list goes on + ``` + +#### Build Traefik + +Once you've set up your go environment and cloned the source repository, you can build Traefik. +Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process). + +```bash +cd ~/go/src/github.com/containous/traefik + +# Get go-bindata. (Important: the ellipses are required.) +go get github.com/containous/go-bindata/... + +# Let's build + +# generate +# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates) +go generate + +# Standard go build +go build ./cmd/traefik +``` + +You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory. + +### Updating the templates + +If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package. + +### Setting up dependency management + +The [dep](https://github.com/golang/dep) command is not required for building; +however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages). + +You need [dep](https://github.com/golang/dep) >= 0.5.0. + +If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively). + +A following `make dep-prune` run should be triggered to trim down the size of the vendor folder. +The final result must be committed into VCS. + +Here's a full example using dep to add a new dependency: + +```bash +# install the new main dependency github.com/foo/bar and minimize vendor size +$ dep ensure -add github.com/foo/bar +# generate (Only required to integrate other components such as web dashboard) +$ go generate +# Standard go build +$ go build ./cmd/traefik +``` + +## Testing + +### Method 1: `Docker` and `make` + +Run unit tests using the `test-unit` target. +Run integration tests using the `test-integration` target. +Run all tests (unit and integration) using the `test` target. + +```bash +$ make test-unit +docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile . +# […] +docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit +---> Making bundle: generate (in .) +removed 'gen.go' + +---> Making bundle: test-unit (in .) ++ go test -cover -coverprofile=cover.out . +ok github.com/containous/traefik 0.005s coverage: 4.1% of statements + +Test success +``` + +For development purposes, you can specify which tests to run by using (only works the `test-integration` target): + +```bash +# Run every tests in the MyTest suite +TESTFLAGS="-check.f MyTestSuite" make test-integration + +# Run the test "MyTest" in the MyTest suite +TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration + +# Run every tests starting with "My", in the MyTest suite +TESTFLAGS="-check.f MyTestSuite.My" make test-integration + +# Run every tests ending with "Test", in the MyTest suite +TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration +``` + +More: https://labix.org/gocheck + +### Method 2: `go` + +Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to: + +```test +ok _/home/user/go/src/github/containous/traefik 0.004s +``` + +Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`. diff --git a/docs/content/contributing/data-collection.md b/docs/content/contributing/data-collection.md new file mode 100644 index 000000000..c464e84a9 --- /dev/null +++ b/docs/content/contributing/data-collection.md @@ -0,0 +1,112 @@ +# Data Collection + +Understanding How Traefik is Being Used +{: .subtitle } + +## Configuration Example + +**By default, this feature is disabled;** but to allow us understand better how you use Traefik, please enable the data collection option. + +??? example "Enabling Data Collection with TOML" + + ```toml + [Global] + # Send anonymous usage data + # Default: false + # + sendAnonymousUsage = true + ``` + +??? example "Enabling Data Collection with the CLI" + + ```bash + ./traefik --sendAnonymousUsage=true + ``` + +## Collected Data + +This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369). + +In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. +Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not). + +### What's collected / when ? + +Once a day (the first call begins 10 minutes after the start of Traefik), we collect: + +- the Traefik version number +- a hash of the configuration +- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed). + +!!! note + We do not collect the dynamic configuration information (routers & services). + We do not collect these data to run advertising programs. + We do not sell these data to third-parties. + +### Example of Collected Data + +??? example "Original configuration" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [api] + + [Docker] + endpoint = "tcp://10.10.10.10:2375" + domain = "foo.bir" + exposedByDefault = true + swarmMode = true + + [Docker.TLS] + ca = "dockerCA" + cert = "dockerCert" + key = "dockerKey" + insecureSkipVerify = true + + [ECS] + domain = "foo.bar" + exposedByDefault = true + clusters = ["foo-bar"] + region = "us-west-2" + accessKeyID = "AccessKeyID" + secretAccessKey = "SecretAccessKey" + ``` + +??? example "Resulting Obfuscated Configuration" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [api] + + [Docker] + endpoint = "xxxx" + domain = "xxxx" + exposedByDefault = true + swarmMode = true + + [Docker.TLS] + ca = "xxxx" + cert = "xxxx" + key = "xxxx" + insecureSkipVerify = false + + [ECS] + domain = "xxxx" + exposedByDefault = true + clusters = [] + region = "us-west-2" + accessKeyID = "xxxx" + secretAccessKey = "xxxx" + ``` + +## The Code for Data Collection + +If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go) + +By default we anonymize all configuration fields, except fields tagged with `export=true`. diff --git a/docs/content/contributing/documentation.md b/docs/content/contributing/documentation.md new file mode 100644 index 000000000..c64ecf6d6 --- /dev/null +++ b/docs/content/contributing/documentation.md @@ -0,0 +1,100 @@ +# Documentation + +Features Are Better When You Know How to Use Them +{: .subtitle } + +You've found something unclear in the documentation and want to give a try at explaining it better? +Let's see how. + +## Building Documentation + +### General + +This [documentation](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/). + +### Method 1: `Docker` and `make` + +You can build the documentation and test it locally (with live reloading), using the `docs` target: + +```bash +$ make docs +docker build -t traefik-docs -f docs.Dockerfile . +# […] +docker run --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve +# […] +[I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000 +[I 170828 20:47:48 handlers:60] Start watching changes +[I 170828 20:47:48 handlers:62] Start detecting changes +``` + +!!! tip "Default URL" + + Your local documentation server will run by default on [http://127.0.0.1:8000](http://127.0.0.1:8000). + +If you only want to build the documentation without serving it locally, you can use the following command: + +```bash +$ make docs-build +... +``` + +### Method 2: `mkdocs` + +First, make sure you have `python` and `pip` installed. + +```bash +$ python --version +Python 2.7.2 +$ pip --version +pip 1.5.2 +``` + +Then, install mkdocs with `pip`. + +```bash +pip install --user -r requirements.txt +``` + +To build the documentation locally and serve it locally, run `mkdocs serve` from the root directory. +This will start a local server. + +```bash +$ mkdocs serve +INFO - Building documentation... +INFO - Cleaning site directory +[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000 +[I 160505 22:31:24 handlers:59] Start watching changes +[I 160505 22:31:24 handlers:61] Start detecting changes +``` + +### Check the Documentation + +To check that the documentation meets standard expectations (no dead links, html markup validity, ...), use the `docs-verify` target. + +```bash +$ make docs-verify +docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image +... +docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance +=== Checking HTML content... +Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html... +``` + +!!! note "Clean & Verify" + + If you've made changes to the documentation, it's safter to clean it before verifying it. + + ```bash + $ make docs-clean docs-verify + ... + ``` + +!!! note "Disabling Documentation Verification" + + Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`: + + ```shell + DOCS_VERIFY_SKIP=true make docs-verify + ... + DOCS_LINT_SKIP is true: no linting done. + ``` diff --git a/docs/content/contributing/submitting-issues.md b/docs/content/contributing/submitting-issues.md new file mode 100644 index 000000000..e9237721e --- /dev/null +++ b/docs/content/contributing/submitting-issues.md @@ -0,0 +1,45 @@ +# Submitting Issues + +Help Us Help You! +{: .subtitle } + +We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik. + +The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting). +To save us some time and get quicker feedback, be sure to follow the guide lines below. + +!!! important "Getting Help Vs Reporting an Issue" + + The issue tracker is not a general support forum, but a place to report bugs and asks for new features. + + For end-user related support questions, try using first: + + - the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io) + - [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag) + +## Issue Title + +The title must be short and descriptive. (~60 characters) + +## Description + +Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible, and make use of the `traefik bug` command if you can (see the [video on Youtube](https://www.youtube.com/watch?v=Lyz62L8m93I)). + +Explain us in which conditions you encountered the issue, what is your context. + +Remain as clear and concise as possible + +Take time to polish the format of your message so we'll enjoy reading it and working on it. +Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)). + +## Feature Request + +Traefik is an open-source project and aims to be the best edge router possible. + +Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups). + +Do you best to explain what you're looking for, and why it would improve Traefik for everyone. + +## International English + +Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you. diff --git a/docs/content/contributing/submitting-pull-requests.md b/docs/content/contributing/submitting-pull-requests.md new file mode 100644 index 000000000..c171d9fea --- /dev/null +++ b/docs/content/contributing/submitting-pull-requests.md @@ -0,0 +1,45 @@ +# Submitting Pull Requests + +A Quick Guide for Efficient Contributions +{: .subtitle } + +So you've decide to improve Traefik? +Thank You! +Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves. + +Let's go though the classic pitfalls to make sure everything is right. + +## Title + +The title must be short and descriptive. (~60 characters) + +## Description + +Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible. + +Explain the conditions which led you to write this PR: give us context. +The context should lead to something, an idea or a problem that you’re facing. + +Remain clear and concise. + +Take time to polish the format of your message so we'll enjoy reading it and working on it. +Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)). + +## PR Content + +- Make it small. +- One feature per Pull Request. +- Write useful descriptions and titles. +- Avoid re-formatting code that is not on the path of your PR. +- Make sure the [code builds](building-testing.md). +- Make sure [all tests pass](building-testing.md). +- Add tests. +- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial). + +!!! note "third-party dependencies" + + If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated. + +!!! tip "10 Tips for Better Pull Requests" + + We enjoyed this article, maybe you will too! [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/). diff --git a/docs/content/contributing/thank-you.md b/docs/content/contributing/thank-you.md new file mode 100644 index 000000000..ac4a077e3 --- /dev/null +++ b/docs/content/contributing/thank-you.md @@ -0,0 +1,10 @@ +# Thank You! + +_You_ Made It +{: .subtitle} + +Traefik truly is an [open-source project](https://github.com/containous/traefik/), +and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this), +not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know. + +So once again, thank you for your invaluable help on making Traefik such a good product. diff --git a/docs/content/getting-started/concepts.md b/docs/content/getting-started/concepts.md new file mode 100644 index 000000000..7989e29c3 --- /dev/null +++ b/docs/content/getting-started/concepts.md @@ -0,0 +1,35 @@ +# Concepts + +Everything You Need to Know +{: .subtitle } + +## Edge Router + +Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the [path](../../routing/routers/#rule), the [host](../../routing/routers/#rule), [headers](../../routing/routers/#rule), [and so on](../../routing/routers/#rule) ...). + +![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png) + +## Auto Service Discovery + +Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves. + +Deploying your services, you attach information that tell Traefik the characteristics of the requests the services can handle. + +![Decentralized Configuration](../assets/img/traefik-concepts-2.png) + +It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time. +The opposite is true: when you remove a service from your infrastructure, the route will disapear accordingly. + +You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules. + +!!! note "Many different rules" + + In the example above, we used the request [path](../routing/routers.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers.md#rule). + +!!! note "Updating the requests" + + In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services. + +!!! question "How does Traefik discover the services?" + + Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section. diff --git a/docs/content/getting-started/configuration-overview.md b/docs/content/getting-started/configuration-overview.md new file mode 100644 index 000000000..b24e97568 --- /dev/null +++ b/docs/content/getting-started/configuration-overview.md @@ -0,0 +1,81 @@ +# Configuration Overview + +How the Magic Happens +{: .subtitle } + +![Configuration](../assets/img/static-dynamic-configuration.png) + +Configuration in Traefik can refer to two different things: + +- The fully dynamic routing configuration (referred to as the _dynamic configuration_) +- The startup configuration (referred to as the _static configuration_) + +Elements in the _static configuration_ set up connections to [providers](../../providers/overview/) and define the [entrypoints](../../routing/entrypoints/) Traefik will listen to (these elements don't change often). + +The _dynamic configuration_ contains everything that defines how the requests are handled by your system. +This configuration can change and is seamlessly hot-reloaded, without any request interuption or connection loss. + +## The Dynamic Configuration + +Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): wether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md). + +!!! Note + + In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers. + +!!! Note + + HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance. + +## The Static Configuration + +There are three different locations where you can define static configuration options in Traefik: + +- In a key-value store +- In the command-line arguments +- In a configuration file + +If you don't provide a value for a given option, default values apply. + +!!! important "Precedence Order" + + The following precedence order applies for configuration options: key-value > command-line > configuration file. + + It means that arguments override configuration file, and key-value store overrides arguments. + +!!! important "Default Values" + + Some root options are enablers: they set default values for all their children. + + For example, the `--providers.docker` option enables the docker provider. + Once positioned, this option sets (and resets) all the default values under the root `providers.docker`. + If you define child options using a lesser precedence configuration source, they will be overwritten by the default values. + +### Configuration File + +At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$HOME/.traefik/`, and `.` (_the working directory_). + +You can override this using the `configFile` argument. + +```bash +traefik --configFile=foo/bar/myconfigfile.toml +``` + +### Arguments + +Use `traefik --help` to get the list of the available arguments. + +### Key-Value Stores + +Traefik supports several Key-value stores: + +- [Consul](https://consul.io) +- [etcd](https://coreos.com/etcd/) +- [ZooKeeper](https://zookeeper.apache.org/) +- [boltdb](https://github.com/boltdb/bolt) + +## Available Configuration Options + +All the configuration options are documented in their related section. + +You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action. diff --git a/docs/content/getting-started/quick-start.md b/docs/content/getting-started/quick-start.md new file mode 100644 index 000000000..17bec437b --- /dev/null +++ b/docs/content/getting-started/quick-start.md @@ -0,0 +1,109 @@ +# Quick Start + +A Simple Use Case Using Docker +{: .subtitle } + +![quickstart-diagram](../assets/img/quickstart-diagram.png) + +!!! tip + To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik). + The quickstart files are located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory. + +## Launch Traefik With the Docker Provider + +Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image: + +```yaml +version: '3' + +services: + reverse-proxy: + image: traefik # The official Traefik docker image + command: --api --docker # Enables the web UI and tells Traefik to listen to docker + ports: + - "80:80" # The HTTP port + - "8080:8080" # The Web UI (enabled by --api) + volumes: + - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events +``` + +**That's it. Now you can launch Traefik!** + +Start your `reverse-proxy` with the following command: + +```shell +docker-compose up -d reverse-proxy +``` + +You can open a browser and go to [http://localhost:8080](http://localhost:8080) to see Traefik's dashboard (we'll go back there once we have launched a service in step 2). + +## Traefik Detects New Services and Creates the Route for You + +Now that we have a Traefik instance up and running, we will deploy new services. + +Edit your `docker-compose.yml` file and add the following at the end of your file. + +```yaml +# ... + whoami: + image: containous/whoami # A container that exposes an API to show its IP address + labels: + - "traefik.router.rule=Host:whoami.docker.localhost" +``` + +The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on). + +Start the `whoami` service with the following command: + +```shell +docker-compose up -d whoami +``` + +Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new container and updated its own configuration. + +When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_ (Here, we're using curl) + +```shell +curl -H Host:whoami.docker.localhost http://127.0.0.1 +``` + +_Shows the following output:_ + +```yaml +Hostname: a656c8ddca6c +IP: 172.27.0.3 +#... +``` + +## More Instances? Traefik Load Balances Them + +Run more instances of your `whoami` service with the following command: + +```shell +docker-compose up -d --scale whoami=2 +``` + +Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new instance of the container. + +Finally, see that Traefik load-balances between the two instances of your services by running twice the following command: + +```shell +curl -H Host:whoami.docker.localhost http://127.0.0.1 +``` + +The output will show alternatively one of the followings: + +```yaml +Hostname: a656c8ddca6c +IP: 172.27.0.3 +#... +``` + +```yaml +Hostname: s458f154e1f1 +IP: 172.27.0.4 +# ... +``` + +!!! question "Where to Go Next?" + Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you! diff --git a/docs/content/glossary.md b/docs/content/glossary.md new file mode 100644 index 000000000..f18bdcd85 --- /dev/null +++ b/docs/content/glossary.md @@ -0,0 +1,22 @@ +# TODO -- Glossary + +Where Every Technical Word finds its Definition` +{: .subtitle} + +- [ ] Provider + - [ ] Types of providers (KV, annotation based, label based, configuration based) +- [ ] Entrypoint +- [ ] Routers +- [ ] Middleware +- [ ] Service +- [ ] Static Configuration +- [ ] Dynamic Configuration +- [ ] ACME +- [ ] TraefikEE +- [ ] Tracing +- [ ] Metrics +- [ ] Orchestrator +- [ ] Key Value Store +- [ ] Logs +- [ ] Traefiker +- [ ] Traefik (How to pronounce) diff --git a/docs/content/includes/.markdownlint.json b/docs/content/includes/.markdownlint.json new file mode 100644 index 000000000..3ad8a7f24 --- /dev/null +++ b/docs/content/includes/.markdownlint.json @@ -0,0 +1,4 @@ +{ + "extends": "../../.markdownlint.json", + "MD041": false +} diff --git a/docs/content/includes/more-on-command-line.md b/docs/content/includes/more-on-command-line.md new file mode 100644 index 000000000..c7ee03498 --- /dev/null +++ b/docs/content/includes/more-on-command-line.md @@ -0,0 +1 @@ +To learn more about configuration options in the command line, refer to the [configuration overview](../getting-started/configuration-overview.md) diff --git a/docs/content/includes/more-on-configuration-file.md b/docs/content/includes/more-on-configuration-file.md new file mode 100644 index 000000000..746c1608b --- /dev/null +++ b/docs/content/includes/more-on-configuration-file.md @@ -0,0 +1 @@ +To learn more about the configuration file, refer to [configuration overview](../getting-started/configuration-overview.md) diff --git a/docs/content/includes/more-on-entrypoints.md b/docs/content/includes/more-on-entrypoints.md new file mode 100644 index 000000000..65e801bd4 --- /dev/null +++ b/docs/content/includes/more-on-entrypoints.md @@ -0,0 +1,2 @@ +!!! info "More On Entrypoints" + Learn more about entrypoints and their configuration options in the dedicated section. \ No newline at end of file diff --git a/docs/content/includes/more-on-key-value-store.md b/docs/content/includes/more-on-key-value-store.md new file mode 100644 index 000000000..714952afc --- /dev/null +++ b/docs/content/includes/more-on-key-value-store.md @@ -0,0 +1 @@ +To learn more about configuration in key-value stores, refer to the [configuration overview](../getting-started/configuration-overview.md) diff --git a/docs/content/includes/more-on-routers.md b/docs/content/includes/more-on-routers.md new file mode 100644 index 000000000..7111e7385 --- /dev/null +++ b/docs/content/includes/more-on-routers.md @@ -0,0 +1,2 @@ +!!! info "More On Routers" + Learn more about routers and their configuration options in the [dedicated section](../routing/routers.md). \ No newline at end of file diff --git a/docs/content/index.md b/docs/content/index.md new file mode 100644 index 000000000..8202ba071 --- /dev/null +++ b/docs/content/index.md @@ -0,0 +1,23 @@ + +# Welcome + +![Architecture](assets/img/traefik-architecture.png) + +Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience. +It receives requests on behalf of your system and finds out which components are responsible for handling them. + +What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. +The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. + +Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.) + +With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions). +With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state. + +Developing Traefik, our main goal is to make it simple to use, and we're sure you'll enjoy it. + +-- The Traefik Maintainer Team + +!!! Note + + If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. diff --git a/docs/content/middlewares/addprefix.md b/docs/content/middlewares/addprefix.md new file mode 100644 index 000000000..6c95e4a38 --- /dev/null +++ b/docs/content/middlewares/addprefix.md @@ -0,0 +1,33 @@ +# Add Prefix + +Prefixing the Path +{: .subtitle } + +![AddPrefix](../assets/img/middleware/addprefix.png) + +The AddPrefix middleware updates the URL Path of the request before forwarding it. + +## Configuration Examples + +??? example "File -- Prefixing with /foo" + + ```toml + [Middlewares] + [Middlewares.add-foo.AddPrefix] + prefix = "/foo" + ``` + +??? example "Docker -- Prefixing with /bar" + + ```yaml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.add-bar.addprefix.prefix=/bar" + ``` + +## Configuration Options + +### prefix + +`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`). diff --git a/docs/content/middlewares/basicauth.md b/docs/content/middlewares/basicauth.md new file mode 100644 index 000000000..824609d39 --- /dev/null +++ b/docs/content/middlewares/basicauth.md @@ -0,0 +1,83 @@ +# BasicAuth + +Adding Basic Authentication +{: .subtitle } + +![BasicAuth](../assets/img/middleware/basicauth.png) + +The BasicAuth middleware is a quick way to restrict access to your services to known users. + +## Configuration Examples + +??? example "File -- Declaring the user list" + + ```toml + [Middlewares] + [Middlewares.test-auth.basicauth] + users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", + "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] + ``` + +??? example "Docker -- Using an external file for the authorized users" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.declared-users-only.basicauth.usersFile=path-to-file.ext", + ``` + +## Configuration Options + +### General + +Passwords must be encoded using MD5, SHA1, or BCrypt. + +!!! tip + + Use `htpasswd` to generate the passwords. + +### users + +The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format. + +!!! Note + + If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`. + +### usersFile + +The `usersFile` option is the path to an external file that contains the authorized users for the middleware. + +The file content is a list of `name:encoded-password`. + +??? example "A file containing test/test and test2/test2" + + ``` + test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/ + test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 + ``` + +!!! Note + + If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`. + +### realm + +You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. + +### headerField + +You can customize the header field for the authenticated user using the `headerField`option. + +??? example "File -- Passing Authenticated Users to Services Via Headers" + + ```toml + [Middlewares.my-auth.basicauth] + usersFile = "path-to-file.ext" + headerField = "X-WebAuth-User" # header for the authenticated user + ``` + +### removeHeader + +Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.) diff --git a/docs/content/middlewares/buffering.md b/docs/content/middlewares/buffering.md new file mode 100644 index 000000000..328b6311a --- /dev/null +++ b/docs/content/middlewares/buffering.md @@ -0,0 +1,69 @@ +# Buffering + +How to Read the Request before Forwarding It +{: .subtitle } + +![Buffering](../assets/img/middleware/buffering.png) + +The Buffering middleware gives you control on how you want to read the requests before sending them to services. + +With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit. + +This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service. + +## Configuration Examples + +??? example "File -- Sets the maximum request body to 2Mb" + + ```toml + [Middlewares] + [Middlewares.2Mb-limit.buffering] + maxRequestBodyBytes = 250000 + ``` + +??? example "Docker -- Buffers 1Mb of the request in memory, then writes to disk" + + ```yaml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.1Mb-memory.buffering.memRequestBodyBytes=125000", + ``` + +## Configuration Options + +### maxRequestBodyBytes + +With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes). + +If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response. + +### memRequestBodyBytes + +You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. + +### maxResponseBodyBytes + +With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes). + +If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead. + +### memResponseBodyBytes + +You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. + +### retryExpression + +You can have the Buffering middleware replay the request with the help of the `retryExpression` option. + +!!! example "Retries once in case of a network error" + + ``` + retryExpression = "IsNetworkError() && Attempts() < 2" + ``` + +Available functions for the retry expression are: + +- `Attempts()` number of attempts (the first one counts) +- `ResponseCode()` response code of the service +- `IsNetworkError()` - if the response code is related to networking error diff --git a/docs/content/middlewares/chain.md b/docs/content/middlewares/chain.md new file mode 100644 index 000000000..e08d4c713 --- /dev/null +++ b/docs/content/middlewares/chain.md @@ -0,0 +1,40 @@ +# Chain + +When One Isn't Enougth +{: .subtitle } + +![Chain](../assets/img/middleware/chain.png) + +The Chain middleware enables you to define reusable combinations of other pieces of middleware. +It makes reusing the same groups easier. + +## Configuration Example + +??? example "A Chain for WhiteList, BasicAuth, and HTTPS" + + ```toml + # ... + [Routers] + [Routers.router1] + service = "service1" + middlewares = ["secured"] + rule = "Host: mydomain" + + [Middlewares] + [Middlewares.secured.Chain] + middlewares = ["https-only", "known-ips", "auth-users"] + + [Middlewares.auth-users.BasicAuth] + users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"] + [Middlewares.https-only.SchemeRedirect] + scheme = "https" + [Middlewares.known-ips.ipWhiteList] + sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"] + + [Services] + [Services.service1] + [Services.service1.LoadBalancer] + [[Services.service1.LoadBalancer.Servers]] + URL = "http://127.0.0.1:80" + Weight = 1 + ``` diff --git a/docs/content/middlewares/circuitbreaker.md b/docs/content/middlewares/circuitbreaker.md new file mode 100644 index 000000000..61c7bfe52 --- /dev/null +++ b/docs/content/middlewares/circuitbreaker.md @@ -0,0 +1,146 @@ +# CircuitBreaker + +Don't Waste Time Calling Unhealthy Services +{: .subtitle } + +![CircuitBreaker](../assets/img/middleware/circuitbreaker.png) + +The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures). + +When your system is healthy, the circuit is close (normal operations). +When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism). + +To assess if your system is healthy, the circuit breaker constantly monitors the services. + +!!! Note + + - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state. + - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state. + +!!! important + + Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route. + +## Configuration Examples + +??? example "Latency Check -- Using Toml" + + ```toml + [middlewares] + [middlewares.latency-check.circuitbreaker] + expression = "LatencyAtQuantileMS(50.0) > 100" + ``` + +??? example "Latency Check -- Using Docker Labels" + + ```yaml + # in a docker compose file + container-definition: + image: image-name + labels: + - "traefik.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100" + ``` + +## Possible States + +There are three possible states for your circuit breaker: + +- Close (your service operates normally) +- Open (the fallback mechanism takes over your service) +- Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service) + +### Close + +While close, the circuit breaker only collects metrics to analyze the behavior of the requests. + +At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. + +### Open + +While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state. + +### Recovering + +While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close. + +## Configuration Options + +### Configuring the Trigger + +You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services). + +The `expression` can check three different metrics: + +- The network error ratio (`NetworkErrorRatio`) +- The status code ratio (`ResponseCodeRatio`) +- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`) + +#### NetworkErrorRatio + +If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30` + +#### ResponseCodeRatio + +You can trigger the circuit breaker based on the ratio of a given range of status codes. + +The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`. + +The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`). + +!!! Note + If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0. + + `from`is inclusive, `to` is exclusive. + +For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). + +#### LatencyAtQuantileMS + +You can trigger the circuit breaker when a given proportion of your requests become too slow. + +For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS. + +!!! Note + + You must provide a float number (with the leading .0) for the quantile value + +#### Using multiple metrics + +You can combine multiple metrics using operators in your expression. + +Supported operators are: + +- AND (`&&`) +- OR (`||) + +For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. + +#### Operators + +Here is the list of supported operators: + +- Greater than (`>`) +- Greater or equal than (`>=`) +- Lesser than (`<`) +- Lesser or equal than (`<=`) +- Not (`!`) +- Equal (`==`) +- Not Equal (`!=`) + +### Fallback mechanism + +The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. + +### CheckPeriod + +The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured. + +### FallbackDuration + +By default, `FallbackDuration` is 10 seconds. This value cannot be configured. + +### RecoveringDuration + +The duration of the recovering mode (recovering state). + +By default, `RecoveringDuration` is 10 seconds. This value cannot be configured. diff --git a/docs/content/middlewares/compress.md b/docs/content/middlewares/compress.md new file mode 100644 index 000000000..5de82595c --- /dev/null +++ b/docs/content/middlewares/compress.md @@ -0,0 +1,34 @@ +# Compress + +Compressing the Response before Sending it to the Client +{: .subtitle } + +![Compress](../assets/img/middleware/compress.png) + +The Compress middleware enables the gzip compression. + +## Configuration Examples + +??? example "File -- enable gzip compression" + + ```toml + [Middlewares] + [Middlewares.test-compress.Compress] + ``` + +??? example "Docker -- enable gzip compression" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.test-compress.compress=true", + ``` + +## Notes + +Responses are compressed when: + +* The response body is larger than `512` bytes. +* The `Accept-Encoding` request header contains `gzip`. +* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set. diff --git a/docs/content/middlewares/digestauth.md b/docs/content/middlewares/digestauth.md new file mode 100644 index 000000000..226425331 --- /dev/null +++ b/docs/content/middlewares/digestauth.md @@ -0,0 +1,78 @@ +# DigestAuth + +Adding Digest Authentication +{: .subtitle } + +![BasicAuth](../assets/img/middleware/digestauth.png) + +The DigestAuth middleware is a quick way to restrict access to your services to known users. + +## Configuration Examples + +??? example "File -- Declaring the user list" + + ```toml + [Middlewares] + [Middlewares.test-auth.digestauth] + users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] + ``` + +??? example "Docker -- Using an external file for the authorized users" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext", + ``` + +!!! tip + + Use `htdigest` to generate passwords. + +## Configuration Options + +### Users + +The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format. + +!!! Note + + If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`. + +### UsersFile + +The `usersFile` option is the path to an external file that contains the authorized users for the middleware. + +The file content is a list of `name:realm:encoded-password`. + +??? example "A file containing test/test and test2/test2" + + ``` + test:traefik:a2688e031edb4be6a3797f3882655c05 + test2:traefik:518845800f9e2bfb1f1f740ec24f074e + ``` + +!!! Note + + If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`. + +### Realm + +You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. + +### HeaderField + +You can customize the header field for the authenticated user using the `headerField`option. + +??? example "File -- Passing Authenticated Users to Services Via Headers" + + ```toml + [Middlewares.my-auth.digestauth] + usersFile = "path-to-file.ext" + headerField = "X-WebAuth-User" # header for the authenticated user + ``` + +### RemoveHeader + +Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.) diff --git a/docs/content/middlewares/errorpages.md b/docs/content/middlewares/errorpages.md new file mode 100644 index 000000000..bdcc656c8 --- /dev/null +++ b/docs/content/middlewares/errorpages.md @@ -0,0 +1,66 @@ +# ErrorPage + +It Has Never Been Easier to Say That Something Went Wrong +{: .subtitle } + +![ErrorPages](../assets/img/middleware/errorpages.png) + +The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes. + +!!! important + The error page itself is _not_ hosted by Traefik. + +## Configuration Examples + +??? example "File -- Custom Error Page for 5XX" + + ```toml + [Routers] + [Routers.router1] + Service = "my-service" + Rule = Host(`my-domain`) + + [Middlewares] + [Middlewares.5XX-errors.Errors] + status = ["500-599"] + service = "error-handler-service" + query = "/error.html" + + [Services] + # ... definition of error-handler-service and my-service + ``` + +??? example "Docker -- Dynamic Custom Error Page for 5XX Status Code" + + ```yaml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.test-errorpage.errors.status=500-599", + - "traefik.middlewares.test-errorpage.errors.service=serviceError", + - "traefik.middlewares.test-errorpage.errors.query=/{status}.html", + + ``` + + !!! note + In this example, the error page URL is based on the status code (`query=/{status}.html)`. + +## Configuration Options + +### status + +The `status` that will trigger the error page. + +The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included). + +!!! Note + + You can define either a status code like `500` or ranges with a syntax like `500-599`. + +### service + +The service that will serve the new requested error page. + +### query + +The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code. diff --git a/docs/content/middlewares/forwardauth.md b/docs/content/middlewares/forwardauth.md new file mode 100644 index 000000000..af5534721 --- /dev/null +++ b/docs/content/middlewares/forwardauth.md @@ -0,0 +1,63 @@ +# ForwardAuth + +Using an External Service to Ccheck for Credentials +{: .subtitle } + +![AuthForward](../assets/img/middleware/authforward.png) + +The ForwardAuth middleware delegate the authentication to an external service. +If the service response code is 2XX, access is granted and the original request is performed. +Otherwise, the response from the authentication server is returned. + +## Configuration Examples + +??? example "File -- Forward authentication to authserver.com" + + ```toml + [Middlewares] + [Middlewares.test-auth.forwardauth] + address = "https://authserver.com/auth" + trustForwardHeader = true + authResponseHeaders = ["X-Auth-User", "X-Secret"] + + [Middlewares.test-auth.forwardauth.tls] + ca = "path/to/local.crt" + caOptional = true + cert = "path/to/foo.cert" + key = "path/to/foo.key" + ``` + +??? example "Docker -- Forward authentication to authserver.com" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth" + - "traefik.Middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret" + - "traefik.Middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt" + - "traefik.Middlewares.test-auth.ForwardAuth.TLS.CAOptional=true" + - "traefik.Middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert" + - "traefik.Middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true" + - "traefik.Middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key" + - "traefik.Middlewares.test-auth.ForwardAuth.TrustForwardHeader=true" + + ``` + +## Configuration Options + +### address + +The `address` option defines the authentication server address. + +### trustForwardHeader + +Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers. + +### authResponseHeaders + +The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request. + +### tls + +The `tls` option is the tls configuration from Traefik to the authentication server. diff --git a/docs/content/middlewares/headers.md b/docs/content/middlewares/headers.md new file mode 100644 index 000000000..71da50071 --- /dev/null +++ b/docs/content/middlewares/headers.md @@ -0,0 +1,179 @@ +# Headers + +Adding Headers to the Request / Response +{: .subtitle } + +![Headers](../assets/img/middleware/headers.png) + +The Headers middleware can manage the requests/responses headers. + +## Configuration Examples + +### Adding Headers to the Request and the Response + +Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response + +??? example "File" + + ```toml + [Middlewares] + [Middlewares.testHeader.headers] + [Middlewares.testHeader.headers.CustomRequestHeaders] + X-Script-Name = "test" + [Middlewares.testHeader.headers.CustomResponseHeaders] + X-Custom-Response-Header = "True" + ``` + +??? example "Docker" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test", + - "traefik.Middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True", + ``` + +### Adding and Removing Headers + +`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response. + +??? example "File" + + ```toml + [Middlewares] + [Middlewares.testHeader.headers] + [Middlewares.testHeader.headers.CustomRequestHeaders] + X-Script-Name = "test" + [Middlewares.testHeader.headers.CustomResponseHeaders] + X-Custom-Response-Header = "True" + ``` + +??? example "Docker" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test", + - "traefik.Middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True", + ``` + +### Using Security Headers + +Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above. +This functionality allows for some easy security features to quickly be set. + +??? example "File" + + ```toml + [Middlewares] + [Middlewares.testHeader.headers] + FrameDeny = true + SSLRedirect = true + ``` + +??? example "Docker" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.testHeader.Headers.FrameDeny=true", + - "traefik.Middlewares.testHeader.Headers.SSLRedirect=true", + ``` + +## Configuration Options + +### General + +!!! warning + If the custom header name is the same as one header name of the request or response, it will be replaced. + +!!! note + The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options). + +### customRequestHeaders + +The `customRequestHeaders` option lists the Header names and values to apply to the request. + +### allowedHosts + +The `allowedHosts` option lists fully qualified domain names that are allowed. + +### hostsProxyHeaders + +The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request. + +### sslRedirect + +The `sslRedirect` is set to true, then only allow https requests. + +### sslTemporaryRedirect + +Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301). + +### sslHost + +The `SSLHost` option is the host name that is used to redirect http requests to https. + +### sslProxyHeaders + +The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`. + +### sslForceHost + +Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL. + +### stsSeconds + +The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header. + +### stsIncludeSubdomains + +The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header. + +### stsPreload + +Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header. + +### forceSTSHeader + +Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP. + +### frameDeny + +Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`. + +### customFrameOptionsValue + +The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option. + +### contentTypeNosniff + +Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`. + +### browserXssFilter + +Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`. + +### customBrowserXSSValue + +The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option. + +### contentSecurityPolicy + +The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value. + +### publicKey + +The `publicKey` implements HPKP to prevent MITM attacks with forged certificates. + +### referrerPolicy + +The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites. + +### isDevelopment + +Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain. +If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false. diff --git a/docs/content/middlewares/ipwhitelist.md b/docs/content/middlewares/ipwhitelist.md new file mode 100644 index 000000000..5f572262e --- /dev/null +++ b/docs/content/middlewares/ipwhitelist.md @@ -0,0 +1,113 @@ +# IPWhiteList + +Limiting Clients to Specific IPs +{: .subtitle } + +![IpWhiteList](../assets/img/middleware/ipwhitelist.png) + +IPWhitelist accepts / refuses requests based on the client IP. + +## Configuration Examples + +??? example "File -- Accepts request from defined IP" + + ```toml + [Middlewares] + [Middlewares.test-ipwhitelist.ipWhiteList] + sourceRange = ["127.0.0.1/32", "192.168.1.7"] + ``` + +??? example "Docker -- Accepts request from defined IP" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7" + ``` + +## Configuration Options + +### sourceRange + +The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs). + +### ipStrategy + +The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`. + +#### ipStrategy.depth + +The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right). + +!!! note "Examples of Depth & X-Forwaded-For" + + If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`). + + ??? note "More examples" + + | `X-Forwarded-For` | `depth` | clientIP | + |-----------------------------------------|---------|--------------| + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` | + +??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`" + + ```toml + [Middlewares] + [Middlewares.test-ipwhitelist.ipWhiteList] + sourceRange = ["127.0.0.1/32", "192.168.1.7"] + [Middlewares.test-ipwhitelist.ipWhiteList.ipStrategy] + depth = 2 + ``` + +??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7" + - "traefik.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2" + ``` + +!!! note + + - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty. + - `depth` is ignored if its value is is lesser than or equal to 0. + +#### ipStrategy.excludedIPs + +`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list. + +!!! note "Examples of ExcludedIPs & X-Forwaded-For" + + | `X-Forwarded-For` | `excludedIPs` | clientIP | + |-----------------------------------------|-----------------------|--------------| + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` | + | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` | + +!!! important + If `depth` is specified, `excludedIPs` is ignored. + +??? example "File -- Exclude from `X-Forwarded-For`" + + ```toml + [Middlewares] + [Middlewares.test-ipwhitelist.ipWhiteList] + [Middlewares.test-ipwhitelist.ipWhiteList.ipStrategy] + excludedIPs = ["127.0.0.1/32", "192.168.1.7"] + ``` + +??? example "Docker -- Exclude from `X-Forwarded-For`" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7" + ``` diff --git a/docs/content/middlewares/maxconnection.md b/docs/content/middlewares/maxconnection.md new file mode 100644 index 000000000..2e999755d --- /dev/null +++ b/docs/content/middlewares/maxconnection.md @@ -0,0 +1,44 @@ +# MaxConnection + +Limiting the Number of Simultaneous Clients +{: .subtitle } + +![MaxConnection](../assets/img/middleware/maxconnection.png) + +To proactively prevent services from being overwhelmed with high load, a maximum connection limit can be applied. + +## Configuration Examples + +??? example "File -- Limiting to 10 simultaneous connections" + + ```toml + [Middlewares] + [Middlewares.test-maxconn.maxconn] + amount = 10 + ``` + +??? example "Docker -- Limiting to 10 simultaneous connections" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.test-maxconn.maxconn.amount=10" + ``` + +## Configuration Options + +### amount + +The `amount` option defines the maximum amount of allowed simultaneous connections. +The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy). + +### extractorfunc + +The `extractorfunc` defines the strategy used to categorize requests. + +The possible values are: + +- `request.host` categorizes requests based on the request host. +- `client.ip` categorizes requests based on the client ip. +- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value. diff --git a/docs/content/middlewares/overview.md b/docs/content/middlewares/overview.md new file mode 100644 index 000000000..baf64bd48 --- /dev/null +++ b/docs/content/middlewares/overview.md @@ -0,0 +1,106 @@ +# Middlewares + +Tweaking the Request +{: .subtitle } + +![Overview](../assets/img/middleware/overview.png) + +Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services.md) (or before the answer from the services are sent to the clients). + +There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on. + +Pieces of middleware can be combined in chains to fit every scenario. + +## Configuration Example + +??? example "As Toml Configuration File" + + ```toml + [providers] + [providers.file] + + [Routers] + [Routers.router1] + Service = "myService" + Middlewares = ["foo-add-prefix"] + Rule = "Host: example.com" + + [Middlewares] + [Middlewares.foo-add-prefix.AddPrefix] + prefix = "/foo" + + [Services] + [Services.service1] + [Services.service1.LoadBalancer] + + [[Services.service1.LoadBalancer.Servers]] + URL = "http://127.0.0.1:80" + Weight = 1 + ``` + +??? example "As a Docker Label" + + ```yaml + # A container that exposes a simple API + whoami: + image: containous/whoami # A container that exposes an API to show its IP address + labels: + - "traefik.middlewares.foo-add-prefix.addprefix.prefix=/foo", + ``` + +## Advanced Configuration + +When you declare a middleware, it lives in its `provider` namespace. +For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker `provider` namespace. + +If you use multiple `providers` and wish to reference a middleware declared in another `provider`, then you'll have to prefix the middleware name with the `provider` name. + +??? abstract "Referencing a Middleware from Another Provider" + + Declaring the add-foo-prefix in the file provider. + + ```toml + [providers] + [providers.file] + + [middlewares] + [middlewares.add-foo-prefix.AddPrefix] + prefix = "/foo" + ``` + + Using the add-foo-prefix middleware from docker. + + ```yaml + your-container: # + image: your-docker-image + + labels: + # Attach file.add-foo-prefix middleware (declared in file) + - "traefik.routers.middlewares=file.add-foo-prefix", + ``` + +## Available Middlewares + +| Middleware | Purpose | Area | +|-------------------------------------------|---------------------------------------------------|-----------------------------| +| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier | +| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication | +| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle | +| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool | +| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle | +| [Compress](circuitbreaker.md) | Compress the response | Content Modifier | +| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication | +| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle | +| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication | +| [Headers](headers.md) | Add / Update headers | Security | +| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle | +| [MaxConnection](maxconnection.md) | Limit the number of simultaneous connections | Security, Request lifecycle | +| [PassTLSClientCert](passtlsclientcert.md) | TODO | Security | +| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle | +| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle | +| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle | +| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier | +| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier | +| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle | +| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier | +| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier | diff --git a/docs/content/middlewares/passtlsclientcert.md b/docs/content/middlewares/passtlsclientcert.md new file mode 100644 index 000000000..7c935a985 --- /dev/null +++ b/docs/content/middlewares/passtlsclientcert.md @@ -0,0 +1,499 @@ +# TODO - PassTLSClientCert + +Adding Client Certificates in a Header +{: .subtitle } + +`TODO add schema` + +PassTLSClientCert adds in header the selected data from the passed client tls certificate. + +## Configuration Examples + +??? example "File -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header" + + ```toml + [Middlewares] + [Middlewares.test-passtlsclientcert.passtlsclientcert] + pem = true + ``` + +??? example "Docker -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.Middleware11.passtlsclientcert.pem=true" + ``` + +??? example "File -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header" + + ```toml + [Middlewares] + [Middlewares.test-passtlsclientcert.passtlsclientcert] + [Middlewares.test-passtlsclientcert.passtlsclientcert.info] + notAfter = true + notBefore = true + sans = true + [Middlewares.test-passtlsclientcert.passtlsclientcert.info.subject] + country = true + province = true + locality = true + organization = true + commonName = true + serialNumber = true + domainComponent = true + [Middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer] + country = true + province = true + locality = true + organization = true + commonName = true + serialNumber = true + domainComponent = true + ``` + +??? example "Docker -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true" + - "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true" + ``` + +## Configuration Options + +### General + +PassTLSClientCert can add two headers to the request: + +* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem. +* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string. + +!!! note + The headers are filled with escaped string so it can be safely placed inside a URL query. + +In the following example, you can see a complete certificate. We will use each part of it to explains the middleware options. + +??? example "A complete client tls certificate" + + ``` + Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com + Validity + Not Before: Dec 6 11:10:16 2018 GMT + Not After : Dec 5 11:10:16 2020 GMT + Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db: + a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9: + 1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e: + d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf: + 8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5: + 39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8: + dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1: + 6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04: + 11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17: + 2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba: + 63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8: + a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9: + d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c: + fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c: + d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f: + c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b: + 2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7: + ee:f9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + 94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F + X509v3 Authority Key Identifier: + keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03 + + X509v3 Subject Alternative Name: + DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net + Signature Algorithm: sha1WithRSAEncryption + 76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b: + 16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65: + ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9: + 5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0: + 8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92: + cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2: + 1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7: + 8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22: + 74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87: + 9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09: + 62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc: + 60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6: + 9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5: + d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec: + c6:98:8a:31 + -----BEGIN CERTIFICATE----- + MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is + ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz + ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl + Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE + AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB + IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux + DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM + D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu + Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw + NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn + MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV + BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw + HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl + ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG + A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD + VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl + MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW + EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB + AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6 + iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs + KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt + yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj + BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb + Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG + A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW + BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC + BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM + Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA + Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL + FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f + KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb + CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH + mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI + ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ== + -----END CERTIFICATE----- + ``` + +### pem + +The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate. +In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters : + +??? example "The data used by the pem option" + + ``` + -----BEGIN CERTIFICATE----- + MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is + ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz + ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl + Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE + AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB + IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux + DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM + D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu + Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw + NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn + MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV + BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw + HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl + ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG + A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD + VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl + MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW + EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB + AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6 + iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs + KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt + yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj + BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb + Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG + A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW + BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC + BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM + Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA + Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL + FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f + KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb + CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH + mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI + ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ== + -----END CERTIFICATE----- + ``` + +!!! note "Extracted data" + + The delimiters and `\n` will be removed. + If there are more than one certificate, they are separated by a "`;`". + +### info + +The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. +The value of the header will be an escaped concatenation of all the selected certificate details. +The following example shows an unescaped result that uses all the available fields: + +```text +Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2 +``` + +!!! note "Multiple certificates" + + If there are more than one certificate, they are separated by a `;`. + +#### info.notafter + +Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part. +The data are taken from the following certificate part: + +```text + Validity + Not After : Dec 5 11:10:16 2020 GMT +``` + +The escape `notafter` info part will be like: + +```text +NA=1607166616 +``` + +#### info.notbefore + +Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part. + +The data are taken from the following certificate part: + +```text +Validity + Not Before: Dec 6 11:10:16 2018 GMT +``` + +The escape `notafter` info part will be like: + +```text +NB=1544094616 +``` + +#### info.sans + +Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part. +The data are taken from the following certificate part: + +```text + X509v3 Subject Alternative Name: + DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net +``` + +The escape SANs info part will be like: + +```text +SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2 +``` + +!!! note "multiple values" + + All the SANs data are separated by a `,`. + +#### info.subject + +The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. + +The data are taken from the following certificate part : + +```text +Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com +``` + +##### info.subject.country + +Set the `info.subject.country` option to true to add the `country` information into the subject. +The data are taken from the subject part with the `C` key. +The escape country info in the subject part will be like : + +```text +C=FR,C=US +``` + +##### info.subject.province + +Set the `info.subject.province` option to true to add the `province` information into the subject. + +The data are taken from the subject part with the `ST` key. + +The escape province info in the subject part will be like : + +```text +ST=Cheese org state,ST=Cheese com state +``` + +##### info.subject.locality + +Set the `info.subject.locality` option to true to add the `locality` information into the subject. + +The data are taken from the subject part with the `L` key. + +The escape locality info in the subject part will be like : + +```text +L=TOULOUSE,L=LYON +``` + +##### info.subject.organization + +Set the `info.subject.organization` option to true to add the `organization` information into the subject. + +The data are taken from the subject part with the `O` key. + +The escape organization info in the subject part will be like : + +```text +O=Cheese,O=Cheese 2 +``` + +##### info.subject.commonname + +Set the `info.subject.commonname` option to true to add the `commonname` information into the subject. + +The data are taken from the subject part with the `CN` key. + +The escape commonname info in the subject part will be like : + +```text +CN=*.cheese.com +``` + +##### info.subject.serialnumber + +Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject. + +The data are taken from the subject part with the `SN` key. + +The escape serialnumber info in the subject part will be like : + +```text +SN=1234567890 +``` + +##### info.subject.domaincomponent + +Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject. + +The data are taken from the subject part with the `DC` key. + +The escape domaincomponent info in the subject part will be like : + +```text +DC=org,DC=cheese +``` + +#### info.issuer + +The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. + +The data are taken from the following certificate part : + +```text +Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com +``` + +##### info.issuer.country + +Set the `info.issuer.country` option to true to add the `country` information into the issuer. +The data are taken from the issuer part with the `C` key. +The escape country info in the issuer part will be like : + +```text +C=FR,C=US +``` + +##### info.issuer.province + +Set the `info.issuer.province` option to true to add the `province` information into the issuer. + +The data are taken from the issuer part with the `ST` key. + +The escape province info in the issuer part will be like : + +```text +ST=Signing State,ST=Signing State 2 +``` + +##### info.issuer.locality + +Set the `info.issuer.locality` option to true to add the `locality` information into the issuer. + +The data are taken from the issuer part with the `L` key. + +The escape locality info in the issuer part will be like : + +```text +L=TOULOUSE,L=LYON +``` + +##### info.issuer.organization + +Set the `info.issuer.organization` option to true to add the `organization` information into the issuer. + +The data are taken from the issuer part with the `O` key. + +The escape organization info in the issuer part will be like : + +```text +O=Cheese,O=Cheese 2 +``` + +##### info.issuer.commonname + +Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer. + +The data are taken from the issuer part with the `CN` key. + +The escape commonname info in the issuer part will be like : + +```text +CN=Simple Signing CA 2 +``` + +##### info.issuer.serialnumber + +Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer. + +The data are taken from the issuer part with the `SN` key. + +The escape serialnumber info in the issuer part will be like : + +```text +SN=1234567890 +``` + +##### info.issuer.domaincomponent + +Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer. + +The data are taken from the issuer part with the `DC` key. + +The escape domaincomponent info in the issuer part will be like : + +```text +DC=org,DC=cheese +``` diff --git a/docs/content/middlewares/ratelimit.md b/docs/content/middlewares/ratelimit.md new file mode 100644 index 000000000..9ef2c0b25 --- /dev/null +++ b/docs/content/middlewares/ratelimit.md @@ -0,0 +1,68 @@ +# TODO -- RateLimit + +Protection from Too Many Calls +{: .subtitle } + +![RateLimit](../assets/img/middleware/ratelimit.png) + +The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair. + +## Configuration Example + +??? example "Limit to 100 requests every 10 seconds (with a possible burst of 200)" + + ```toml + [middlewares] + [middlewares.fair-ratelimit.ratelimit] + extractorfunc = "client.ip" + + [middlewares.fair-ratelimit.ratelimit.rateset1] + period = "10s" + average = 100 + burst = 200 + ``` + +??? example "Combine multiple limits" + + ```toml + [middlewares] + [middlewares.fair-ratelimit.ratelimit] + extractorfunc = "client.ip" + + [middlewares.fair-ratelimit.ratelimit.rateset1] + period = "10s" + average = 100 + burst = 200 + + [middlewares.fair-ratelimit.ratelimit.rateset2] + period = "3s" + average = 5 + burst = 10 + ``` + + Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can "burst" up to 10 and 200 in each period, respectively. + +## Configuration Options + +### extractorfunc + +The `extractorfunc` option defines the strategy used to categorize requests. + +The possible values are: + +- `request.host` categorizes requests based on the request host. +- `client.ip` categorizes requests based on the client ip. +- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value. + +### ratelimit (multiple values) + +You can combine multiple ratelimit. +The ratelimit will trigger with the first reached limit. + +Each ratelimit has 3 options, `period`, `average`, and `burst`. + +The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period. + +!!! note "Period Format" + + Period is to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). diff --git a/docs/content/middlewares/redirectregex.md b/docs/content/middlewares/redirectregex.md new file mode 100644 index 000000000..592a89506 --- /dev/null +++ b/docs/content/middlewares/redirectregex.md @@ -0,0 +1,52 @@ +# TODO - RedirectRegex + +Redirecting the Client to a Different Location +{: .subtitle } + +`TODO: add schema` + +RegexRedirect redirect a request from an url to another with regex matching and replacement. + +## Configuration Examples + +??? example "File -- Redirect with domain replacement" + + ```toml + [Middlewares] + [Middlewares.test-redirectregex.redirectregex] + regex = "^http://localhost/(.*)" + replacement = "http://mydomain/$1" + ``` + +??? example "Docker -- Redirect with domain replacement" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)" + - "traefik.Middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1" + ``` + +## Configuration Options + +### permanent + +Set the `permanent` option to `true` to apply a permanent redirection. + +### regex + +The `Regex` option is the regular expression to match and capture elements form the request URL. + +!!! warning + + Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. + +!!! tip + + Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2). + +### replacement + +The `replacement` option defines how to modify the URl to have the new target URL. + \ No newline at end of file diff --git a/docs/content/middlewares/redirectscheme.md b/docs/content/middlewares/redirectscheme.md new file mode 100644 index 000000000..873c6e7b2 --- /dev/null +++ b/docs/content/middlewares/redirectscheme.md @@ -0,0 +1,41 @@ +# TODO - RedirectScheme + +Redirecting the Client to a Different Scheme/Port +{: .subtitle } + +`TODO: add schema` + +RegexRedirect redirect request from a scheme to another. + +## Configuration Examples + +??? example "File -- Redirect to https" + + ```toml + [Middlewares] + [Middlewares.test-redirectscheme.redirectscheme] + scheme = "https" + ``` + +??? example "Docker -- Redirect to https" + + ```yml + a-container: + image: a-container-image + labels: + - "traefik.Middlewares.test-redirectscheme.redirectscheme.scheme=https" + ``` + +## Configuration Options + +### permanent + +Set the `permanent` option to `true` to apply a permanent redirection. + +### scheme + +The `scheme` option defines the scheme of the new url. + +### port + +The `port` option defines the port of the new url. diff --git a/docs/content/middlewares/replacepath.md b/docs/content/middlewares/replacepath.md new file mode 100644 index 000000000..33584c5b2 --- /dev/null +++ b/docs/content/middlewares/replacepath.md @@ -0,0 +1,40 @@ +# TODO -- ReplacePath + +Updating the Path Before Forwarding the Request +{: .subtitle } + +`TODO: add schema` + +Replace the path of the request url. + +## Configuration Examples + +??? example "File -- Replace the path by /foo" + + ```toml + [Middlewares] + [Middlewares.test-replacepath.ReplacePath] + path = "/foo" + ``` + +??? example "Docker --Replace the path by /foo" + + ```yaml + a-container: + image: a-container-image + labels: + - "traefik.middlewares.test-replacepath.replacepath.path=/foo" + ``` + +## Configuration Options + +### General + +The ReplacePath middleware will: + +* replace the actual path by the specified one. +* store the original path in a `X-Replaced-Path` header. + +### path + +The `path` option defines the path to use as replacement in the request url. diff --git a/docs/content/middlewares/replacepathregex.md b/docs/content/middlewares/replacepathregex.md new file mode 100644 index 000000000..b12becada --- /dev/null +++ b/docs/content/middlewares/replacepathregex.md @@ -0,0 +1,4 @@ +# TODO -- ReplacePathRegex + +Updating the Path Before Forwarding the Request (Using a Regex) +{: .subtitle } \ No newline at end of file diff --git a/docs/content/middlewares/retry.md b/docs/content/middlewares/retry.md new file mode 100644 index 000000000..3fe835ee4 --- /dev/null +++ b/docs/content/middlewares/retry.md @@ -0,0 +1,20 @@ +# TODO -- Retry + +Retrying until it Succeeds +{: .subtitle } + +## Old Content + +## Retry Configuration + +```toml +# Enable retry sending request if network error +[retry] + +# Number of attempts +# +# Optional +# Default: (number servers in backend) -1 +# +# attempts = 3 +``` diff --git a/docs/content/middlewares/stripprefix.md b/docs/content/middlewares/stripprefix.md new file mode 100644 index 000000000..8d82ad0df --- /dev/null +++ b/docs/content/middlewares/stripprefix.md @@ -0,0 +1,13 @@ +# TODO -- StripPrefix + +Removing Prefixes From the Path Before Forwarding the Request +{: .subtitle } + +## OldContent + +Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix. +For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. +Since the path is stripped prior to forwarding, your backend is expected to listen on `/`. +If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs. +Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend). +The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically. diff --git a/docs/content/middlewares/stripprefixregex.md b/docs/content/middlewares/stripprefixregex.md new file mode 100644 index 000000000..4a7ca3ac7 --- /dev/null +++ b/docs/content/middlewares/stripprefixregex.md @@ -0,0 +1,13 @@ +# TODO -- StripPrefix + +Removing Prefixes From the Path Before Forwarding the Request (Using a Regex) +{: .subtitle } + +## OldContent + +Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix. +For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. +Since the path is stripped prior to forwarding, your backend is expected to listen on `/`. +If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs. +Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend). +The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically. diff --git a/docs/content/observability/access-logs.md b/docs/content/observability/access-logs.md new file mode 100644 index 000000000..478b3f35b --- /dev/null +++ b/docs/content/observability/access-logs.md @@ -0,0 +1,152 @@ +# Access Logs + +Who Calls Whom? +{.subtitle} + +By default, logs are written to stdout, in text format. + +## Configuration Examples + +??? example "Enabling Access Logs" + + ```toml + [accessLog] + ``` + +## Configuration Options + +### filePath + +By default access logs are written to the standard output. +To write the logs into a log file, use the `filePath` option. + +in the Common Log Format (CLF), extended with additional fields. + +### format + +By default, logs are written using the Common Log Format (CLF). +To write logs in JSON, use `json` in the `format` option. + +!!! note "Common Log Format" + +#### CLF - Common Log Format + + ```html + - [] " " "" "" "" "" ms + ``` + +#### bufferingSize + +To write the logs in an asynchronous fashion, specify a `bufferingSize` option. +This option represents the number of log lines Traefik will keep in memory before writing them to the selected output. +In some cases, this option can greatly help performances. + +??? example "Configuring a buffer of 100 lines" + + ```toml + [accessLog] + filePath = "/path/to/access.log" + bufferingSize = 100 + ``` + +#### Filtering + +To filter logs, you can specify a set of filters which are logically "OR-connected". +Thus, specifying multiple filters will keep more access logs than specifying only one. + +The available filters are: + +- `statusCodes`, to limit the access logs to requests with a status codes in the specified range +- `retryAttempts`, to keep the access logs when at least one retry has happened +- `minDuration`, to keep access logs when requests take longer than the specified duration + +??? example "Configuring Multiple Filters" + + ```toml + [accessLog] + filePath = "/path/to/access.log" + format = "json" + + [accessLog.filters] + statusCodes = ["200", "300-302"] + retryAttempts = true + minDuration = "10ms" + ``` + +#### Limiting the Fields + +You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options + +Each field can be set to: + +- `keep` to keep the value +- `drop` to drop the value +- `redact` to replace the value with "redacted" + +??? example "Limiting the Logs to Specific Fields" + + ```toml + [accessLog] + filePath = "/path/to/access.log" + format = "json" + + [accessLog.filters] + statusCodes = ["200", "300-302"] + + [accessLog.fields] + defaultMode = "keep" + + [accessLog.fields.names] + "ClientUsername" = "drop" + + [accessLog.fields.headers] + defaultMode = "keep" + + [accessLog.fields.headers.names] + "User-Agent" = "redact" + "Authorization" = "drop" + "Content-Type" = "keep" + ``` + +??? list "Available Fields" + + ```ini + StartUTC + StartLocal + Duration + FrontendName + BackendName + BackendURL + BackendAddr + ClientAddr + ClientHost + ClientPort + ClientUsername + RequestAddr + RequestHost + RequestPort + RequestMethod + RequestPath + RequestProtocol + RequestLine + RequestContentSize + OriginDuration + OriginContentSize + OriginStatus + OriginStatusLine + DownstreamStatus + DownstreamStatusLine + DownstreamContentSize + RequestCount + GzipRatio + Overhead + RetryAttempts + ``` + +## Log Rotation + +Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal. +This allows the logs to be rotated and processed by an external program, such as `logrotate`. + +!!! note + This does not work on Windows due to the lack of USR signals. diff --git a/docs/content/observability/logs.md b/docs/content/observability/logs.md new file mode 100644 index 000000000..2e96b51f9 --- /dev/null +++ b/docs/content/observability/logs.md @@ -0,0 +1,50 @@ +# Logs + +Reading What's Happening +{: .subtitle } + +By default, logs are written to stdout, in text format. + +## Configuration Example + +??? example "Writing Logs in a File" + + ```toml + [log] + filePath = "/path/to/traefik.log" + ``` + +??? example "Writing Logs in a File, in JSON" + + ```toml + [log] + filePath = "/path/to/log-file.log" + format = "json" + ``` + +## Configuration Options + +### General + +Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + +#### filePath + +By default, the logs are written to the standard output. +You can configure a file path instead using the `filePath` option. + +#### format + +By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option. + +#### logLevel + +By default, the `logLevel` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`. + +## Log Rotation + +Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal. +This allows the logs to be rotated and processed by an external program, such as `logrotate`. + +!!! note + This does not work on Windows due to the lack of USR signals. diff --git a/docs/content/observability/tracing.md b/docs/content/observability/tracing.md new file mode 100644 index 000000000..8921ca632 --- /dev/null +++ b/docs/content/observability/tracing.md @@ -0,0 +1,219 @@ +# Tracing + +Visualize the Requests Flow +{: .subtitle } + +The tracing system allows developers to visualize call flows in their infrastructure. + +Traefik uses OpenTracing, an open standard designed for distributed tracing. + +Traefik supports three tracing backends: Jaeger, Zipkin, and DataDog. + +## Configuration Reference + +??? example "With Jaeger" + + ```toml + # Tracing definition + [tracing] + # Backend name used to send tracing data + # + # Default: "jaeger" + # + backend = "jaeger" + + # Service name used in Jaeger backend + # + # Default: "traefik" + # + serviceName = "traefik" + + # Span name limit allows for name truncation in case of very long Frontend/Backend names + # This can prevent certain tracing providers to drop traces that exceed their length limits + # + # Default: 0 - no truncation will occur + # + spanNameLimit = 0 + + [tracing.jaeger] + # Sampling Server URL is the address of jaeger-agent's HTTP sampling server + # + # Default: "http://localhost:5778/sampling" + # + samplingServerURL = "http://localhost:5778/sampling" + + # Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting + # + # Default: "const" + # + samplingType = "const" + + # Sampling Param is a value passed to the sampler. + # Valid values for Param field are: + # - for "const" sampler, 0 or 1 for always false/true respectively + # - for "probabilistic" sampler, a probability between 0 and 1 + # - for "rateLimiting" sampler, the number of spans per second + # + # Default: 1.0 + # + samplingParam = 1.0 + + # Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address + # + # Default: "127.0.0.1:6831" + # + localAgentHostPort = "127.0.0.1:6831" + + # Generate 128-bit trace IDs, compatible with OpenCensus + # + # Default: false + gen128Bit = true + + # Set the propagation header type. This can be either: + # - "jaeger", jaeger's default trace header. + # - "b3", compatible with OpenZipkin + # + # Default: "jaeger" + propagation = "jaeger" + ``` + + !!! warning + Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent). + +??? example "With Zipkin" + + ```toml + # Tracing definition + [tracing] + # Backend name used to send tracing data + # + # Default: "jaeger" + # + backend = "zipkin" + + # Service name used in Zipkin backend + # + # Default: "traefik" + # + serviceName = "traefik" + + # Span name limit allows for name truncation in case of very long Frontend/Backend names + # This can prevent certain tracing providers to drop traces that exceed their length limits + # + # Default: 0 - no truncation will occur + # + spanNameLimit = 150 + + [tracing.zipkin] + # Zipkin HTTP endpoint used to send data + # + # Default: "http://localhost:9411/api/v1/spans" + # + httpEndpoint = "http://localhost:9411/api/v1/spans" + + # Enable Zipkin debug + # + # Default: false + # + debug = false + + # Use Zipkin SameSpan RPC style traces + # + # Default: false + # + sameSpan = false + + # Use Zipkin 128 bit root span IDs + # + # Default: true + # + id128Bit = true + + # The rate between 0.0 and 1.0 of requests to trace. + # + # Default: 1.0 + # + sampleRate = 0.2 + ``` + +??? example "With DataDog" + + ```toml + # Tracing definition + [tracing] + # Backend name used to send tracing data + # + # Default: "jaeger" + # + backend = "datadog" + + # Service name used in DataDog backend + # + # Default: "traefik" + # + serviceName = "traefik" + + # Span name limit allows for name truncation in case of very long Frontend/Backend names + # This can prevent certain tracing providers to drop traces that exceed their length limits + # + # Default: 0 - no truncation will occur + # + spanNameLimit = 100 + + [tracing.datadog] + # Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address + # + # Default: "127.0.0.1:8126" + # + localAgentHostPort = "127.0.0.1:8126" + + # Enable DataDog debug + # + # Default: false + # + debug = false + + # Apply shared tag in a form of Key:Value to all the traces + # + # Default: "" + # + globalTag = "" + ``` + +??? example "With Instana" + + ```toml + # Tracing definition + [tracing] + # Backend name used to send tracing data + # + # Default: "jaeger" + # + backend = "instana" + # Service name used in Instana backend + # + # Default: "traefik" + # + serviceName = "traefik" + [tracing.instana] + # Local Agent Host instructs reporter to send spans to instana-agent at this address + # + # Default: "127.0.0.1" + # + localAgentHost = "127.0.0.1" + # Local Agent port instructs reporter to send spans to the instana-agent at this port + # + # Default: 42699 + # + localAgentPort = 42699 + # Set Instana tracer log level + # + # Default: info + # Valid values for logLevel field are: + # - error + # - warn + # - debug + # - info + # + logLevel = "info" + ``` diff --git a/docs/content/operations/cli.md b/docs/content/operations/cli.md new file mode 100644 index 000000000..9f9e478c1 --- /dev/null +++ b/docs/content/operations/cli.md @@ -0,0 +1,62 @@ +# CLI + +The Traefik Command Line +{: .subtitle } + +## General + +```bash +traefik [command] [--flag=flag_argument] +``` + +Available commands: + +- `version` : Print version +- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the `Store Traefik configuration`(TODO: add doc and link) section to get documentation on it. +- `bug`: The easiest way to submit a pre-filled issue. +- `healthcheck`: Calls Traefik `/ping` to check health. + +Each command can have additional flags. + +All those flags will be displayed with: + +```bash +traefik [command] --help +``` + +Each command is described at the beginning of the help section: + +```bash +traefik --help + +# or + +docker run traefik[:version] --help +# ex: docker run traefik:1.5 --help +``` + +## Command: bug + +The easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/containous/traefik)! Watch [this demo](https://www.youtube.com/watch?v=Lyz62L8m93I) for more information. + +```bash +traefik bug +``` + +### Command: healthcheck + +Checks the health of Traefik. +Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy. + +This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism. + +!!! note + The [`ping` endpoint](../ping/) must be enabled to allow the `healthcheck` command to call `/ping`. + +```bash +traefik healthcheck +``` + +```bash +OK: http://:8082/ping +``` diff --git a/docs/content/operations/dashboard.md b/docs/content/operations/dashboard.md new file mode 100644 index 000000000..9e20e6777 --- /dev/null +++ b/docs/content/operations/dashboard.md @@ -0,0 +1,62 @@ +# The Dashboard + +See What's Going On +{: .subtitle } + +The dashboard is the central place that shows you the current active routes handled by Traefik. + +
+ Dashboard - Providers +
The dashboard in action with Traefik listening to 3 different providers
+
+ +
+ Dashboard - Health +
The dashboard shows the health of the system.
+
+ +By default, the dashboard is available on `/` on port `:8080`. + +!!! tip "Did You Know?" + It is possible to customize the dashboard endpoint. + To learn how, refer to the `Traefik's API documentation`(TODO: add doc and link). + +## Enabling the Dashboard + +To enable the dashboard, you need to enable Traefik's API. + +??? example "Using the Command Line" + + Option | Values | Default Value + -- | -- | --: + --api | \[true\|false\] | false + --api.dashboard | \[true\|false\] | true when api is true + + {!more-on-command-line.md!} + +??? example "Using the Configuration File" + + ```toml + [api] + # Dashboard + # + # Optional + # Default: true + # + dashboard = true + ``` + + {!more-on-configuration-file.md!} + +??? example "Using a Key/Value Store" + + Key | Values | Default Value + -- | -- | --: + api | \[true\|false\] | false + api.dashboard | \[true\|false\] | true when api is true + + {!more-on-key-value-store.md!} + +!!! tip "Did You Know?" + The API provides more features than the Dashboard. + To learn more about it, refer to the `Traefik's API documentation`(TODO: add doc and link). diff --git a/docs/content/operations/debug-mode.md b/docs/content/operations/debug-mode.md new file mode 100644 index 000000000..fcda56c5e --- /dev/null +++ b/docs/content/operations/debug-mode.md @@ -0,0 +1,15 @@ +# The Debug Mode + +Getting More Information (Not For Production) +{: .subtitle } + +The debug mode will make Traefik be _extremely_ verbose in its logs, and is NOT intended for production purposes. + +## Configuration Example + +??? example "TOML -- Enabling the Debug Mode" + + ```toml + [Global] + debug = true + ``` \ No newline at end of file diff --git a/docs/content/operations/ping.md b/docs/content/operations/ping.md new file mode 100644 index 000000000..d5cdd42ac --- /dev/null +++ b/docs/content/operations/ping.md @@ -0,0 +1,56 @@ +# Ping + +Checking the Health of Your Traefik Instances +{: .subtitle } + +## Configuration Examples + +??? example "Enabling /ping on the http EntryPoint" + + ```toml + [entryPoints] + [entrypoints.http] + address = ":80" + + [ping] + entryPoint = "http" + ``` + +??? example "Enabling /ping on the https EntryPoint" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + + [ping] + entryPoint = "https" + ``` + +??? example "Enabling /ping on a dedicated EntryPoint" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.ping] + address = ":8082" + + [ping] + entryPoint = "ping" + ``` + +| Path | Method | Description | +|---------|---------------|----------------------------------------------------------------------------------------------------| +| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` | + +## Configuration Options + +The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`. + +You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`) \ No newline at end of file diff --git a/docs/content/providers/docker.md b/docs/content/providers/docker.md new file mode 100644 index 000000000..db1e99dab --- /dev/null +++ b/docs/content/providers/docker.md @@ -0,0 +1,247 @@ +# Traefik & Docker + +A Story of Labels & Containers +{: .subtitle } + +![Docker](../assets/img/providers/docker.png) + +Attach labels to your containers and let Traefik do the rest! + +!!! tip "The Quick Start Uses Docker" + If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider! + +## Configuration Examples + +??? example "Configuring Docker & Deploying / Exposing Services" + + Enabling the docker provider + + ```toml + [docker] + endpoint = "unix:///var/run/docker.sock" + ``` + + Attaching labels to containers (in your docker compose file) + + ```yaml + version: "3" + services: + my-container: + # ... + labels: + - traefik.services.my-container.rule=Host(my-domain) + ``` + +??? example "Configuring Docker Swarm & Deploying / Exposing Services" + + Enabling the docker provider (Swarm Mode) + + ```toml + [docker] + endpoint = "tcp://127.0.0.1:2377" + swarmMode = true + ``` + + Attaching labels to containers (in your docker compose file) + + ```yaml + version: "3" + services: + my-container: + deploy: + labels: + - traefik.services.my-container.rule=Host(my-domain) + ``` + + !!! important "Labels in Docker Swarm Mode" + If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service. + This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)). + +## Provider Configuration Options + +!!! tip "Browse the Reference" + If you're in a hurry, maybe you'd rather go through the [Docker Reference](../reference/providers/docker.md). + +### endpoint + +Traefik requires access to the docker socket to get its dynamic configuration. + +??? warning "Security Notes" + + Depending on your context, accessing the Docker API without any restriction can be a security concern: If Traefik is attacked, then the attacker might get access to the Docker (or Swarm Mode) backend. + + As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)): + + `[...] only **trusted** users should be allowed to control your Docker daemon [...]` + + !!! note "Improved Security" + + [TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests). + + ??? tip "Resources about Docker's Security" + + - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY) + - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html) + - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623) + - [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html) + +??? tip "Security Compensation" + + Expose the Docker socket over TCP, instead of the default Unix socket file. + It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment: + + - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/) + + - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/) + + - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik. + + - Accounting at container level, by exposing the socket on a another container than Traefik's. + With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes. + + - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process). + + ??? tip "Additional Resources" + + - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174) + - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/) + - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/) + - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy) + +!!! note "Traefik & Swarm Mode" + To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes. + +??? example "Using the docker.sock" + + The docker-compose file shares the docker sock with the Traefik container + + ```yaml + version: '3' + + services: + + traefik: + image: traefik + ports: + - "80:80" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + ``` + + We specify the docker.sock in traefik's configuration file. + + ```toml + # ... + [providers] + [providers.docker] + endpoint = "unix:///var/run/docker.sock" + ``` + +### usebindportip (_Optional_, _Default=false_) + +Traefik routes requests to the IP/Port of the matching container. +When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port. + +When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding on port `traefik.port`. +If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label. + +??? example "Examples of `usebindportip` in different situations." + + | traefik.port label | Container's binding | Routes to | + |--------------------|----------------------------------------------------|----------------| + | - | - | IntIP:IntPort | + | - | ExtPort:IntPort | IntIP:IntPort | + | - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort | + | LblPort | - | IntIp:LblPort | + | LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort | + | LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort | + | LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort | + + !!! note + In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port." + +### exposedByDefault (_Optional_, _Default=true_) + +Expose containers by default through Traefik. +If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration. + +### network (_Optional_) + +Defines a default docker network to use for connections to all containers. + +This option can be overridden on a container basis with the `traefik.docker.network` label. + +### domain (_Optional_, _Default=docker.localhost_) + +This is the default base domain used for the router rules. + +This option can be overridden on a container basis with the +`traefik.domain` label. + +### swarmMode (_Optional_, _Default=false_) + +Activates the Swarm Mode. + +### swarmModeRefreshSeconds (_Optional_, _Default=15_) + +Defines the polling interval (in seconds) in Swarm Mode. + +## Routing Configuration Options + +### General + +Traefik creates, for each container, a corresponding [service](../routing/services.md) and [router](../routing/routers.md). + +The Service automatically gets a server per instance of the container, and the router gets a default rule attached to it, based on the container name. + +### Routers + +To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.routers.my-container.rule=Host(my-domain)`. + +Every [Router](../routing/routers.md) parameter can be updated this way. + +### Services + +To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the load balancer method, you'd add the label `traefik.services.{name-of-your-choice}.loadbalancer.method=drr`. + +Every [Service](../routing/services.md) parameter can be updated this way. + +### Middleware + +You can declare pieces of middleware using labels starting with `traefik.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.middlewares.my-redirect.schemeredirect.scheme: https`. + +??? example "Declaring and Referencing a Middleware" + + ```yaml + services: + my-container: + # ... + labels: + - traefik.middlewares.my-redirect.schemeredirect.scheme=https + - traefik.routers.middlewares=my-redirect + ``` + +!!! warning "Conflicts in Declaration" + + If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared. + +### Specific Options + +#### traefik.enable + +You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false. + +This option overrides the value of `exposedByDefault`. + +#### traefik.tags + +Sets the tags for [constraints filtering](./overview.md#constraints-configuration). + +#### traefik.docker.network + +Overrides the default docker network to use for connections to the container. + +If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect `), otherwise it will randomly pick one (depending on how docker is returning them). + +!!! warning + When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`. diff --git a/docs/content/providers/file.md b/docs/content/providers/file.md new file mode 100644 index 000000000..0b36f2cba --- /dev/null +++ b/docs/content/providers/file.md @@ -0,0 +1,27 @@ +# TODO -- File + +Good Old Configuration File +{: .subtitle } + +## Configuration + +### Full Example in toml + +`TO COMPLETE` + +### In same file + +`TO COMPLETE` + +## In dedicated file + +`TO COMPLETE` + +### Old Content + +Traefik can hot-reload those rules which could be provided by multiple configuration backends. + +We only need to enable `watch` option to make Traefik watch configuration backend changes and generate its configuration automatically. +Routes to services will be created and updated instantly at any changes. + +Please refer to the configuration backends section to get documentation on it. diff --git a/docs/content/providers/overview.md b/docs/content/providers/overview.md new file mode 100644 index 000000000..f0f65c1f8 --- /dev/null +++ b/docs/content/providers/overview.md @@ -0,0 +1,93 @@ +# Overview + +Traefik's Many Friends +{: .subtitle } + +![Providers](../assets/img/providers.png) + +Configuration discovery in Traefik is achieved through _Providers_. + +The _providers_ are existing infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. +The idea is that Traefik will query the providers' API in order to find relevant information about routing, and each time Traefik detects a change, it dynamically updates the routes. + +Deploy and forget is Traefik's credo. + +## Orchestrators + +Even if each provider is different, we can categorize them in four groups: + +- Label based (each deployed container has a set of labels attached to it) +- Key-Value based (each deployed container updates a key-value store with relevant information) +- Annotation based (a separate object, with annotations, defines the characteristics of the container) +- File based (the good old configuration file) + +## Supported Providers + +Below is the list of the currently supported providers in Traefik. + +| Provider | Type | Configuration Type | +|-----------------------------|--------------|--------------------| +| [Docker](./docker.md) | Orchestrator | Label | +| [File](./file.md) | Orchestrator | Custom Annotation | +| Kubernetes (not documented) | Orchestrator | Custom Annotation | +| Marathon (not documented) | Orchestrator | Label | + +!!! note "More Providers" + + The current version of Traefik is in development and doesn't support (yet) every provider. See the previous version (1.7) for more providers. + +## Constraints Configuration + +If you want to limit the scope of Traefik service discovery, you can set constraints. Doing so, Traefik will create routes for containers that match these constraints only. + +??? example "Containers with the api Tag" + + ```toml + constraints = ["tag==api"] + ``` + +??? example "Containers without the api Tag" + + ```toml + constraints = ["tag!=api"] + ``` + +??? example "Containers with tags starting with 'us-'" + + ```toml + constraints = ["tag==us-*"] + ``` + +??? example "Multiple constraints" + + ```toml + # Multiple constraints + # - "tag==" must match with at least one tag + # - "tag!=" must match with none of tags + constraints = ["tag!=us-*", "tag!=asia-*"] + ``` + +??? note "List of Providers that Support Constraints" + + - Docker + - Consul K/V + - BoltDB + - Zookeeper + - ECS + - Etcd + - Consul Catalog + - Rancher + - Marathon + - Kubernetes (using a provider-specific mechanism based on label selectors) + +!!! note + + The constraint option belongs to the provider configuration itself. + + ??? example "Setting the Constraint Options for Docker" + + ```toml + [providers] + [providers.docker] + constraints = ["tag==api"] + ``` diff --git a/docs/content/reference/acme.md b/docs/content/reference/acme.md new file mode 100644 index 000000000..a3574889f --- /dev/null +++ b/docs/content/reference/acme.md @@ -0,0 +1,173 @@ +# ACME - Reference + +Every Options for ACME +{: .subtitle} + +## TOML + +```toml + # Sample entrypoint configuration when using ACME. + [entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + + # Enable ACME (Let's Encrypt): automatic SSL. + [acme] + + # Email address used for registration. + # + # Required + # + email = "test@traefik.io" + + # File used for certificates storage. + # + # Optional (Deprecated) + # + #storageFile = "acme.json" + + # File or key used for certificates storage. + # + # Required + # + storage = "acme.json" + # or `storage = "traefik/acme/account"` if using KV store. + + # Entrypoint to proxy acme apply certificates to. + # + # Required + # + entryPoint = "https" + + # Deprecated, replaced by [acme.dnsChallenge]. + # + # Optional. + # + # dnsProvider = "digitalocean" + + # Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck]. + # + # Optional + # Default: 0 + # + # delayDontCheckDNS = 0 + + # If true, display debug log messages from the acme client library. + # + # Optional + # Default: false + # + # acmeLogging = true + + # If true, override certificates in key-value store when using storeconfig. + # + # Optional + # Default: false + # + # overrideCertificates = true + + # Deprecated. Enable on demand certificate generation. + # + # Optional + # Default: false + # + # onDemand = true + + # Enable certificate generation on frontends host rules. + # + # Optional + # Default: false + # + # onHostRule = true + + # CA server to use. + # Uncomment the line to use Let's Encrypt's staging server, + # leave commented to go to prod. + # + # Optional + # Default: "https://acme-v02.api.letsencrypt.org/directory" + # + # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" + + # KeyType to use. + # + # Optional + # Default: "RSA4096" + # + # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192" + # + # KeyType = "RSA4096" + + # Use a TLS-ALPN-01 ACME challenge. + # + # Optional (but recommended) + # + [acme.tlsChallenge] + + # Use a HTTP-01 ACME challenge. + # + # Optional + # + # [acme.httpChallenge] + + # EntryPoint to use for the HTTP-01 challenges. + # + # Required + # + # entryPoint = "http" + + # Use a DNS-01 ACME challenge rather than HTTP-01 challenge. + # Note: mandatory for wildcard certificate generation. + # + # Optional + # + # [acme.dnsChallenge] + + # DNS provider used. + # + # Required + # + # provider = "digitalocean" + + # By default, the provider will verify the TXT DNS challenge record before letting ACME verify. + # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds. + # Useful if internal networks block external DNS queries. + # + # Optional + # Default: 0 + # + # delayBeforeCheck = 0 + + # Use following DNS servers to resolve the FQDN authority. + # + # Optional + # Default: empty + # + # resolvers = ["1.1.1.1:53", "8.8.8.8:53"] + + # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. + # + # NOT RECOMMENDED: + # Increase the risk of reaching Let's Encrypt's rate limits. + # + # Optional + # Default: false + # + # disablePropagationCheck = true + + # Domains list. + # Only domains defined here can generate wildcard certificates. + # The certificates for these domains are negotiated at traefik startup only. + # + # [[acme.domains]] + # main = "local1.com" + # sans = ["test1.local1.com", "test2.local1.com"] + # [[acme.domains]] + # main = "local2.com" + # [[acme.domains]] + # main = "*.local3.com" + # sans = ["local3.com", "test1.test1.local3.com"] +``` diff --git a/docs/content/reference/entrypoints.md b/docs/content/reference/entrypoints.md new file mode 100644 index 000000000..c29e56780 --- /dev/null +++ b/docs/content/reference/entrypoints.md @@ -0,0 +1,131 @@ +# EntryPoints - Reference + +Every Options for EntryPoints +{: .subtitle} + +## TOML + +```toml +defaultEntryPoints = ["http", "https"] + +# ... +# ... + +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.compress] + + [entryPoints.http.clientIPStrategy] + depth = 5 + excludedIPs = ["127.0.0.1/32", "192.168.1.7"] + + [entryPoints.http.whitelist] + sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"] + [entryPoints.http.whitelist.IPStrategy] + depth = 5 + excludedIPs = ["127.0.0.1/32", "192.168.1.7"] + + [entryPoints.http.tls] + minVersion = "VersionTLS12" + cipherSuites = [ + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384" + ] + [[entryPoints.http.tls.certificates]] + certFile = "path/to/my.cert" + keyFile = "path/to/my.key" + [[entryPoints.http.tls.certificates]] + certFile = "path/to/other.cert" + keyFile = "path/to/other.key" + # ... + [entryPoints.http.tls.clientCA] + files = ["path/to/ca1.crt", "path/to/ca2.crt"] + optional = false + + [entryPoints.http.redirect] + entryPoint = "https" + regex = "^http://localhost/(.*)" + replacement = "http://mydomain/$1" + permanent = true + + [entryPoints.http.auth] + headerField = "X-WebAuth-User" + [entryPoints.http.auth.basic] + removeHeader = true + realm = "Your realm" + users = [ + "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", + "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0", + ] + usersFile = "/path/to/.htpasswd" + [entryPoints.http.auth.digest] + removeHeader = true + users = [ + "test:traefik:a2688e031edb4be6a3797f3882655c05", + "test2:traefik:518845800f9e2bfb1f1f740ec24f074e", + ] + usersFile = "/path/to/.htdigest" + [entryPoints.http.auth.forward] + address = "https://authserver.com/auth" + trustForwardHeader = true + authResponseHeaders = ["X-Auth-User"] + [entryPoints.http.auth.forward.tls] + ca = "path/to/local.crt" + caOptional = true + cert = "path/to/foo.cert" + key = "path/to/foo.key" + insecureSkipVerify = true + + [entryPoints.http.proxyProtocol] + insecure = true + trustedIPs = ["10.10.10.1", "10.10.10.2"] + + [entryPoints.http.forwardedHeaders] + trustedIPs = ["10.10.10.1", "10.10.10.2"] + insecure = false + + [entryPoints.https] + # ... +``` + +## CLI + +```ini +Name:foo +Address::80 +TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key +TLS +TLS.MinVersion:VersionTLS11 +TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384 +TLS.SniStrict:true +TLS.DefaultCertificate.Cert:path/to/foo.cert +TLS.DefaultCertificate.Key:path/to/foo.key +CA:car +CA.Optional:true +Redirect.EntryPoint:https +Redirect.Regex:http://localhost/(.*) +Redirect.Replacement:http://mydomain/$1 +Redirect.Permanent:true +Compress:true +WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 +WhiteList.IPStrategy.depth:3 +WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24 +ProxyProtocol.TrustedIPs:192.168.0.1 +ProxyProtocol.Insecure:true +ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 +Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 +Auth.Basic.Removeheader:true +Auth.Basic.Realm:traefik +Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e +Auth.Digest.Removeheader:true +Auth.HeaderField:X-WebAuth-User +Auth.Forward.Address:https://authserver.com/auth +Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret +Auth.Forward.TrustForwardHeader:true +Auth.Forward.TLS.CA:path/to/local.crt +Auth.Forward.TLS.CAOptional:true +Auth.Forward.TLS.Cert:path/to/foo.cert +Auth.Forward.TLS.Key:path/to/foo.key +Auth.Forward.TLS.InsecureSkipVerify:true +``` diff --git a/docs/content/reference/logs.md b/docs/content/reference/logs.md new file mode 100644 index 000000000..3bd91bc21 --- /dev/null +++ b/docs/content/reference/logs.md @@ -0,0 +1,53 @@ +# Logs - Reference + +## TOML + +```toml +logLevel = "INFO" + +[traefikLog] + filePath = "/path/to/traefik.log" + format = "json" + +[accessLog] + filePath = "/path/to/access.log" + format = "json" + + [accessLog.filters] + statusCodes = ["200", "300-302"] + retryAttempts = true + minDuration = "10ms" + + [accessLog.fields] + defaultMode = "keep" + [accessLog.fields.names] + "ClientUsername" = "drop" + # ... + + [accessLog.fields.headers] + defaultMode = "keep" + [accessLog.fields.headers.names] + "User-Agent" = "redact" + "Authorization" = "drop" + "Content-Type" = "keep" + # ... +``` + +## CLI + +For more information about the CLI, see the documentation about [Traefik command](../../operations/cli). + +```shell +--logLevel="DEBUG" +--traefikLog.filePath="/path/to/traefik.log" +--traefikLog.format="json" +--accessLog.filePath="/path/to/access.log" +--accessLog.format="json" +--accessLog.filters.statusCodes="200,300-302" +--accessLog.filters.retryAttempts="true" +--accessLog.filters.minDuration="10ms" +--accessLog.fields.defaultMode="keep" +--accessLog.fields.names="Username=drop Hostname=drop" +--accessLog.fields.headers.defaultMode="keep" +--accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep" +``` diff --git a/docs/content/reference/providers/docker.md b/docs/content/reference/providers/docker.md new file mode 100644 index 000000000..718515625 --- /dev/null +++ b/docs/content/reference/providers/docker.md @@ -0,0 +1,180 @@ +# Docker -- Reference + +## Docker + +```toml +################################################################ +# Docker Provider +################################################################ + +# Enable Docker Provider. +[docker] + +# Docker server endpoint. Can be a tcp or a unix socket endpoint. +# +# Required +# +endpoint = "unix:///var/run/docker.sock" + +# Default base domain used for the frontend rules. +# Can be overridden by setting the "traefik.domain" label on a container. +# +# Optional +# +domain = "docker.localhost" + +# Enable watch docker changes. +# +# Optional +# +watch = true + +# Override default configuration template. +# For advanced users :) +# +# Optional +# +# filename = "docker.tmpl" + +# Override template version +# For advanced users :) +# +# Optional +# - "1": previous template version (must be used only with older custom templates, see "filename") +# - "2": current template version (must be used to force template version when "filename" is used) +# +# templateVersion = 2 + +# Expose containers by default in Traefik. +# If set to false, containers that don't have `traefik.enable=true` will be ignored. +# +# Optional +# Default: true +# +exposedByDefault = true + +# Use the IP address from the binded port instead of the inner network one. +# +# In case no IP address is attached to the binded port (or in case +# there is no bind), the inner network one will be used as a fallback. +# +# Optional +# Default: false +# +usebindportip = true + +# Use Swarm Mode services as data provider. +# +# Optional +# Default: false +# +swarmMode = false + +# Polling interval (in seconds) for Swarm Mode. +# +# Optional +# Default: 15 +# +swarmModeRefreshSeconds = 15 + +# Define a default docker network to use for connections to all containers. +# Can be overridden by the traefik.docker.network label. +# +# Optional +# +network = "web" + +# Enable docker TLS connection. +# +# Optional +# +# [docker.tls] +# ca = "/etc/ssl/ca.crt" +# cert = "/etc/ssl/docker.crt" +# key = "/etc/ssl/docker.key" +# insecureSkipVerify = true +``` + +## Docker Swarm Mode + +```toml +################################################################ +# Docker Swarm Mode Provider +################################################################ + +# Enable Docker Provider. +[docker] + +# Docker server endpoint. +# Can be a tcp or a unix socket endpoint. +# +# Required +# Default: "unix:///var/run/docker.sock" +# +# swarm classic (1.12-) +# endpoint = "tcp://127.0.0.1:2375" +# docker swarm mode (1.12+) +endpoint = "tcp://127.0.0.1:2377" + +# Default base domain used for the frontend rules. +# Can be overridden by setting the "traefik.domain" label on a services. +# +# Optional +# Default: "" +# +domain = "docker.localhost" + +# Enable watch docker changes. +# +# Optional +# Default: true +# +watch = true + +# Use Docker Swarm Mode as data provider. +# +# Optional +# Default: false +# +swarmMode = true + +# Define a default docker network to use for connections to all containers. +# Can be overridden by the traefik.docker.network label. +# +# Optional +# +network = "web" + +# Override default configuration template. +# For advanced users :) +# +# Optional +# +# filename = "docker.tmpl" + +# Override template version +# For advanced users :) +# +# Optional +# - "1": previous template version (must be used only with older custom templates, see "filename") +# - "2": current template version (must be used to force template version when "filename" is used) +# +# templateVersion = 2 + +# Expose services by default in Traefik. +# +# Optional +# Default: true +# +exposedByDefault = false + +# Enable docker TLS connection. +# +# Optional +# +# [docker.tls] +# ca = "/etc/ssl/ca.crt" +# cert = "/etc/ssl/docker.crt" +# key = "/etc/ssl/docker.key" +# insecureSkipVerify = true +``` \ No newline at end of file diff --git a/docs/content/routing/acme.md b/docs/content/routing/acme.md new file mode 100644 index 000000000..57d24358d --- /dev/null +++ b/docs/content/routing/acme.md @@ -0,0 +1,330 @@ +# ACME + +Automatic HTTPS +{: .subtitle } + +Traefik can automatically generate certificates for your domains using an ACME provider (like Let's Encrypt). + +!!! warning "Let's Encrypt and Rate Limiting" + Note that Let's Encrypt has [rate limiting](https://letsencrypt.org/docs/rate-limits). + +## Configuration Examples + +??? example "Configuring ACME on the Https EntryPoint" + + ```toml + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.http-tls] + address = ":443" + [entryPoints.http-tls.tls] # enabling TLS + + [acme] + email = "your-email@your-domain.org" + storage = "acme.json" + entryPoint = "http-tls" # acme is enabled on http-tls + onHostRule = true # dynamic generation based on the Host() matcher + [acme.httpChallenge] + entryPoint = "web" # used during the challenge + ``` + +??? example "Configuring Wildcard Certificates" + + ```toml + [entryPoints] + [entryPoints.web] + address = ":80" + + [entryPoints.http-tls] + address = ":443" + [entryPoints.https.tls] # enabling TLS + + [acme] + email = "your-email@your-domain.org" + storage = "acme.json" + entryPoint = "http-tls" # acme is enabled on http-tls + [acme.dnsChallenge] + provider = "xxx" + + [[acme.domains]] + main = "*.mydomain.com" + sans = ["mydomain.com"] + ``` + +!!! note "Configuration Reference" + + There are many available options for ACME. For a quick glance at what's possible, browse the [configuration reference](../reference/acme.md). + +## Configuration Options + +### The Different ACME Challenges + +#### tlsChallenge + +Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate. + +??? example "Using an EntryPoint Called https for the `tlsChallenge`" + + ```toml + [acme] + # ... + entryPoint = "https" + [acme.tlsChallenge] + ``` + + !!! note + As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72), when using the `TLS-ALPN-01` challenge, `acme.entryPoint` must be reachable by Let's Encrypt through port 443. + +#### `httpChallenge` + +Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI. + +??? example "Using an EntryPoint Called http for the `httpChallenge`" + + ```toml + [acme] + # ... + entryPoint = "https" + [acme.httpChallenge] + entryPoint = "http" + ``` + + !!! note + As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72), when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80. + + !!! note + Redirection is fully compatible with the `HTTP-01` challenge. + +#### `dnsChallenge` + +Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record. + +??? example "Configuring a `dnsChallenge` with the digitalocean Provider" + + ```toml + [acme] + # ... + [acme.dnsChallenge] + provider = "digitalocean" + delayBeforeCheck = 0 + # ... + ``` + + !!! important + A `provider` is mandatory. + +??? list "Supported Providers" + + Here is a list of supported `providers`, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](#wildcard-domains). + + | Provider Name | Provider Code | Environment Variables | Wildcard & Root Domain Support | + |--------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------| + | [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | Not tested yet | + | [Alibaba Cloud](https://www.vultr.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | Not tested yet | + | [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | Not tested yet | + | [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | Not tested yet | + | [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | Not tested yet | + | [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | YES | + | [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | Not tested yet | + | [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | YES | + | [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | YES | + | [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | Not tested yet | + | [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | Not tested yet | + | [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | Not tested yet | + | [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | YES | + | [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | No | + | [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | Not tested yet | + | External Program | `exec` | `EXEC_PATH` | YES | + | [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | YES | + | [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | Not tested yet | + | [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | Not tested yet | + | [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | YES | + | [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | Not tested yet | + | [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | Not tested yet | + | [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE` | YES | + | [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | Not tested yet | + | HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1) | YES | + | [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | Not tested yet | + | [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | YES | + | [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | Not tested yet | + | [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | Not tested yet | + | [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | Not tested yet | + | manual | - | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press Enter. | YES | + | [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | YES | + | [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | YES | + | [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | Not tested yet | + | [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | Not tested yet | + | [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | Not tested yet | + | [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | Not tested yet | + | [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | Not tested yet | + | [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | YES | + | [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | Not tested yet | + | [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | Not tested yet | + | [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | Not tested yet | + | [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | YES | + | [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | Not tested yet | + | [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | YES | + | [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | Not tested yet | + | [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | YES | + | [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | Not tested yet | + | [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | YES | + | [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | Not tested yet | + + - (1): more information about the HTTP message format can be found [here](https://github.com/xenolf/lego/blob/master/providers/dns/httpreq/readme.md) + +!!! note "`delayBeforeCheck`" + By default, the `provider` verifies the TXT record _before_ letting ACME verify. + You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero). + This option is useful when internal networks block external DNS queries. + +!!! note "`resolvers`" + + Use custom DNS servers to resolve the FQDN authority. + + ```toml + [acme] + # ... + [acme.dnsChallenge] + # ... + resolvers = ["1.1.1.1:53", "8.8.8.8:53"] + ``` + +### Known Domains, SANs, and Wildcards + +You can set SANs (alternative domains) for each main domain. +Every domain must have A/AAAA records pointing to Traefik. +Each domain & SAN will lead to a certificate request. + +```toml +[acme] +# ... +[[acme.domains]] + main = "local1.com" + sans = ["test1.local1.com", "test2.local1.com"] +[[acme.domains]] + main = "local2.com" +[[acme.domains]] + main = "*.local3.com" + sans = ["local3.com", "test1.test1.local3.com"] +# ... +``` + +!!! important + The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only. + +!!! note + Wildcard certificates can only be verified through a `DNS-01` challenge. + +#### Wildcard Domains + +[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates. +As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge). + +```toml +[acme] +# ... +[[acme.domains]] + main = "*.local1.com" + sans = ["local1.com"] +# ... +``` + +!!! note "Double Wildcard Certificates" + It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`). + +Due to an ACME limitation it is not possible to define wildcards in SANs (alternative domains). +Thus, the wildcard domain has to be defined as a main domain. +Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed. +In this case the generated DNS TXT record for both domains is the same. +Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail. +The Traefik ACME client library [LEGO](https://github.com/xenolf/lego) supports some but not all DNS providers to work around this issue. +The [Supported `provider` table](#dnschallenge) indicates if they allow generating certificates for a wildcard domain and its root domain. + +### caServer + +??? example "Using the Let's Encrypt staging server" + + ```toml + [acme] + # ... + caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" + # ... + ``` + +### onHostRule + +Enable certificate generation on [routers](routers.md) `Host` rules (for routers active on the `acme.entryPoint`). + +This will request a certificate from Let's Encrypt for each router with a Host rule. + +```toml +[acme] +# ... +onHostRule = true +# ... +``` + +!!! note "Multiple Hosts in a Rule" + The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`. + +!!! warning + `onHostRule` option can not be used to generate wildcard certificates. Refer to [wildcard generation](#wildcard-domains) for further information. + +### `storage` + +The `storage` option sets the location where your ACME certificates are saved to. + +```toml +[acme] +# ... +storage = "acme.json" +# ... +``` + +The value can refer to two kinds of storage: + +- a JSON file +- a KV store entry + +#### In a File + +ACME certificates can be stored in a JSON file that needs to have a `600` file mode . + +In Docker you can mount either the JSON file, or the folder containing it: + +```bash +docker run -v "/my/host/acme.json:acme.json" traefik +``` + +```bash +docker run -v "/my/host/acme:/etc/traefik/acme" traefik +``` + +!!! warning + For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead. + +#### In a a Key Value Store Entry + +ACME certificates can be stored in a key-value store entry. + +```toml +storage = "traefik/acme/account" +``` + +!!! note "Storage Size" + + Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved. + For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul. + +## Fallbacks + +If Let's Encrypt is not reachable, the following certificates will apply: + + 1. Previously generated ACME certificates (before downtime) + 1. Expired ACME certificates + 1. Provided certificates + +!!! note + For new (sub)domains which need Let's Encrypt authentification, the default Traefik certificate will be used until Traefik is restarted. diff --git a/docs/content/routing/entrypoints.md b/docs/content/routing/entrypoints.md new file mode 100644 index 000000000..1b31ec3f2 --- /dev/null +++ b/docs/content/routing/entrypoints.md @@ -0,0 +1,301 @@ +# EntryPoints + +Opening Connections for Incomming Requests +{: .subtitle } + +![EntryPoints](../assets/img/entrypoints.png) + +Entrypoints are the network entry points into Traefik. +They can be defined using: + +- a port (80, 443, ...) +- SSL (Certificates, Keys, authentication with a client certificate signed by a trusted CA, ...) + +## Configuration Examples + +??? example "HTTP only" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + ``` + + We define an `entrypoint` called `http` that will listen on port `80`. + +??? example "HTTP & HTTPS" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + [[entryPoints.https.tls.certificates]] + certFile = "tests/traefik.crt" + keyFile = "tests/traefik.key" + ``` + + - Two entrypoints are defined: one called `http`, and the other called `https`. + - `http` listens on port `80`, and `https` on port `443`. + - We enabled SSL on `https` by giving it a certificate and a key. + + !!! note + + In the example, `http` and `https` are the names for the entrypoints and have nothing to do with the underlying protocol. + We could have written `entryPoints.foo` and `entryPoints.bar` instead. + + !!! tip "Automatic HTTPS with ACME" + + If you don't have certificate files and wish to automatically enable HTTPS, you should have a look at one of Traefik's most praised feature: [ACME & Let's Encrypt integration](./acme.md) + +??? example "Client Certificate Authentication" + + ```toml + [entryPoints] + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + [entryPoints.https.tls.ClientCA] + files = ["tests/clientca1.crt", "tests/clientca2.crt"] + optional = false + + [[entryPoints.https.tls.certificates]] + certFile = "tests/traefik.crt" + keyFile = "tests/traefik.key" + ``` + + - We enabled SSL on `https` by giving it a certificate and a key. + - Files containing Certificate Authorities (PEM format) were added. + + !!! note "Multiple CAs" + + It is possible to have multiple CA:s in the same file or keep them in separate files. + +## Configuration + +### General + +Entrypoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration). You can define them using a toml file, CLI arguments, or a key-value store. See the [complete reference](../reference/entrypoints.md) for the list of available options. + +??? example "Using the CLI" + + Here is an example of using the CLI to define `entrypoints`: + + ```shell + --entryPoints='Name:http Address::80' + --entryPoints='Name:https Address::443 TLS' + ``` + + !!! note + The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists. + The option names are case-insensitive. + + !!! warning "Using Docker Compose Files" + + The syntax for passing arguments inside a docker compose file is a little different. Here are two examples. + + ```yaml + traefik: + image: traefik + command: + - --defaultentrypoints=powpow + - "--entryPoints=Name:powpow Address::42 Compress:true" + ``` + + or + + ```yaml + traefik: + image: traefik + command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true' + ``` + +## TLS + +### Static Certificates + +To add SNI support, define `certFile` and `keyFile`. + +```toml +[entryPoints] + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + [[entryPoints.https.tls.certificates]] + certFile = "integration/fixtures/https/snitest.com.cert" + keyFile = "integration/fixtures/https/snitest.com.key" +``` + +!!! note + If you provide an empty TLS configuration, default self-signed certificates will be generated. + +### Dynamic Certificates + +To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section. + +### Mutual Authentication + +Traefik supports both optional and non optional (defaut value) mutual authentication. + +- When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`. +- When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA. + +??? example "Non Optional Mutual Authentication" + + In the following example, both `snitest.com` and `snitest.org` will require client certificates. + + ```toml + [entryPoints] + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + [entryPoints.https.tls.ClientCA] + files = ["tests/clientca1.crt", "tests/clientca2.crt"] + optional = false + + [[entryPoints.https.tls.certificates]] + certFile = "integration/fixtures/https/snitest.com.cert" + keyFile = "integration/fixtures/https/snitest.com.key" + [[entryPoints.https.tls.certificates]] + certFile = "integration/fixtures/https/snitest.org.cert" + keyFile = "integration/fixtures/https/snitest.org.key" + ``` + + !!! note "ClientCA.files" + + You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format). + + `ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.) + +### Minimum TLS Version + +??? example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)" + + ```toml + [entryPoints] + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + minVersion = "VersionTLS12" + cipherSuites = [ + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384" + ] + + [[entryPoints.https.tls.certificates]] + certFile = "integration/fixtures/https/snitest.com.cert" + keyFile = "integration/fixtures/https/snitest.com.key" + [[entryPoints.https.tls.certificates]] + certFile = "integration/fixtures/https/snitest.org.cert" + keyFile = "integration/fixtures/https/snitest.org.key" + ``` + +### Strict SNI Checking + +With strict SNI checking, Traefik won't allow connections without a matching certificate. + +??? example "Strict SNI" + + ```toml + [entryPoints] + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + sniStrict = true + + [[entryPoints.https.tls.certificates]] + certFile = "integration/fixtures/https/snitest.com.cert" + keyFile = "integration/fixtures/https/snitest.com.key" + ``` + +### Default Certificate + +Traefik can use a default certificate for connections without an SNI, or without a matching domain. + +If no default certificate is provided, Traefik generates a self-signed and use it instead. + +??? example "Setting a Default Certificate" + + ```toml + [entryPoints] + [entryPoints.https] + address = ":443" + + [entryPoints.https.tls] + [entryPoints.https.tls.defaultCertificate] + certFile = "integration/fixtures/https/snitest.com.cert" + keyFile = "integration/fixtures/https/snitest.com.key" + ``` + + !!! note "Only One Default Certificate" + There can only be one `defaultCertificate` per entrypoint. + +## ProxyProtocol + +Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). + +??? example "Enabling Proxy Protocol with Trusted IPs" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.http.proxyProtocol] + trustedIPs = ["127.0.0.1/32", "192.168.1.7"] + ``` + + IPs in `trustedIPs` only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here. + +??? example "Insecure Mode -- Testing Environnement Only" + + In a test environments, you can configure Traefik to trust every incomming connection. Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect) + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.http.proxyProtocol] + insecure = true + ``` + +!!! warning "Queuing Traefik behind Another Load Balancer" + + When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides. + Not doing so could introduce a security risk in your system (enabling request forgery). + +## Forwarded Header + +You can configure Traefik to trust the forwarded headers information (`X-Forwarded-*`) + +??? example "Trusting Forwarded Headers from specific IPs" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.http.forwardedHeaders] + trustedIPs = ["127.0.0.1/32", "192.168.1.7"] + ``` + +??? example "Insecure Mode -- Always Trusting Forwarded Headers" + + ```toml + [entryPoints] + [entryPoints.http] + address = ":80" + + [entryPoints.http.forwardedHeaders] + insecure = true + ``` diff --git a/docs/content/routing/overview.md b/docs/content/routing/overview.md new file mode 100644 index 000000000..f660f6790 --- /dev/null +++ b/docs/content/routing/overview.md @@ -0,0 +1,55 @@ +# Overview + +What's Happening to the Requests? +{: .subtitle } + +Let's zoom on Traefik's architecture and talk about the components that enable the routes to be created. + +First, when you start Traefik, you define [entrypoints](./entrypoints.md) (in their most basic forms, they are port numbers). +Then, connected to these entrypoints, [routers](./routers.md) analyze the incoming requests to see if they match a set of [rules](../routers#rule). +If they do, the router might transform the request using pieces of [middleware](../middlewares/overview.md) before forwarding them to your [services](./services.md). + +![Architecture](../assets/img/architecture-overview.png) + +## Clear Responsibilities + +- [_Providers_](../providers/overview.md) discover the services that live on your infrastructure (their IP, health, ...) +- [_Entrypoints_](./entrypoints.md) listen for incomming traffic (ports, SSL, ...) +- [_Routers_](./routers.md) analyse the requests (host, path, headers, ...) +- [_Services_](./services.md) forward the request to your services (load balancing, ...) +- [_Middlewares_](../middlewares/overview.md) may update the request or make decisions based on the request (authentication, rate limiting, headers, ...) + +## Example with a File Provider + +Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`. +In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)). + +```toml +[EntryPoints] + [EntryPoints.http] + address = ":8081" # Listen on port 8081 for incoming requests + +[Providers] + # Enable the file provider to define routers / middlewares / services in a file + [Providers.file] + +[Routers] + [Routers.to-whoami] # Define a connection between requests and services + rule = "Host(domain) && PathPrefix(/whoami/)" + middlewares = ["test-user"] # If the rule matches, applies the middleware + service = "whoami" # If the rule matches, forward to the whoami service (declared below) + +[Middlewares] + [Middlewares.test-user.basicauth] # Define an authentication mechanism + users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"] + +[Services] + [Services.whoami.loadbalancer] # Define how to reach an existing service on our infrastructure + [[Services.whoami.loadbalancer.servers]] + url = "http://private/whoami-service" +``` + +!!! note "The File Provider" + + In this example, we use the [file provider](../providers/file.md). + Even if it is one of the least magical way of configuring Traefik, it explicitly describes every available notion. diff --git a/docs/content/routing/routers.md b/docs/content/routing/routers.md new file mode 100644 index 000000000..db4646bcc --- /dev/null +++ b/docs/content/routing/routers.md @@ -0,0 +1,134 @@ +# Routers + +Connecting Requests to Services +{: .subtitle } + +![Routers](../assets/img/routers.png) + +A router is in charge of connecting incoming requests to the services that can handle them. +In the process, routers may use pieces of [middleware](../middlewares/overview.md) to update the request, or act before forwarding the request to the service. + +## Configuration Example + +??? example "Requests /foo are Handled by service-foo -- Using the [File Provider](../providers/file.md)" + + ```toml + [Routers] + [Routers.my-router] + rule = "Path(/foo)" + service = "service-foo" + ``` + +??? example "With a [Middleware](../middlewares/overview.md) -- using the [File Provider](../providers/file.md)" + + ```toml + [Routers] + [Routers.my-router] + rule = "Path(/foo)" + middlewares = ["authentication"] # declared elsewhere + service = "service-foo" + ``` + +## Configuration + +### EntryPoints + +If not specified, routers will accept requests from all defined entrypoints. +If you want to limit the router scope to a set of entrypoint, set the entrypoints option. + +??? example "Listens to Every EntryPoint" + + ```toml + [EntryPoints] + [EntryPoint.http] + # ... + [EntryPoint.https] + # ... + [EntryPoint.other] + # ... + + [Routers] + [Routers.Router-1] + # By default, routers listen to every entrypoints + rule = "Host(traefik.io)" + service = "service-1" + ``` + +??? example "Listens to Specific EntryPoints" + + ```toml + [EntryPoints] + [EntryPoint.http] + # ... + [EntryPoint.https] + # ... + [EntryPoint.other] + # ... + + [Routers] + [Routers.Router-1] + entryPoints = ["https", "other"] # won't listen to entrypoint http + rule = "Host(traefik.io)" + service = "service-1" + ``` + +### Rule + +Rules are a set of matchers that determine if a particular request matches specific criteria. +If the rule is verified, then the router becomes active and calls middlewares, then forward the request to the service. + +??? example "Host is traefik.io" + + ``` + rule = "Host(`traefik.io`)" + ``` + +??? example "Host is traefik.io OR Host is containo.us AND path is /traefik" + + ``` + rule = "Host(`traefik.io`) || (Host(`containo.us`) && Path(`/traefik`))" + ``` +The table below lists all the available matchers: + +| Rule | Description | +|--------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------| +| ``Headers(`key`, `value`)`` | Check if there is a key `key`defined in the headers, with the value `value` | +| ``HeadersRegexp(`key`, `regexp`)`` | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` | +| ``Host(`domain-1`, ...)`` | Check if the request domain targets one of the given `domains`. | +| ``HostRegexp(`traefik.io`, `{subdomain:[a-z]+}.traefik.io`, ...)`` | Check if the request domain matches the given `regexp`. | +| `Method(methods, ...)` | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) | +| ``Path(`path`, `/articles/{category}/{id:[0-9]+}`, ...)`` | Match exact request path. It accepts a sequence of literal and regular expression paths. | +| ``PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)`` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. | +| ``Query(`foo=bar`, `bar=baz`)`` | Match` Query String parameters. It accepts a sequence of key=value pairs. | + +!!! important "Regexp Syntax" + + In order to use regular expressions with `Host` and `Path` expressions, + you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. + Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`). + +!!! tip "Combining Matchers Using Operators and Parenthesis" + + You can combine multiple matchers using the AND (`&&`) and OR (`||) operators. You can also use parenthesis. + +!!! important "Rule, Middleware, and Services" + + The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service. + +!!! tip "Path Vs PathPrefix" + + Use `Path` if your service listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`. + + Use a `*Prefix*` matcher if your service listens on a particular base path but also serves requests on sub-paths. + For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. + Since the path is forwarded as-is, your service is expected to listen on `/products`. + +### Middlewares + +You can attach a list of [middlewares](../middlewares/overview.md) to the routers. +The middlewares will take effect only if the rule matches, and before forwarding the request to the service. + +### Service + +You must attach a [service](./services.md) per router. +Services are the target for the router. diff --git a/docs/content/routing/services.md b/docs/content/routing/services.md new file mode 100644 index 000000000..5a54a2874 --- /dev/null +++ b/docs/content/routing/services.md @@ -0,0 +1,190 @@ +# Services + +Configuring How to Reach the Services +{: .subtitle } + +![Services](../assets/img/services.png) + +The `Services` are responsible for configuring how to reach the actual services that will eventually handle the incoming requests. + +## Configuration Example + +??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../providers/file.md)" + + ```toml + [Services] + [Services.my-service.LoadBalancer] + method = "wrr" # Load Balancing based on weights + + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-1/" + weight = 30 # 30% of the requests will go to that instance + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-2/" + weight = 70 # 70% of the requests will go to that instance + ``` + +## Configuration + +### General + +Currently, the `LoadBalancer` service is the only supported kind of `Service` (see below). +However, since Traefik is an ever evolving project, other kind of Services will be available in the future, +reason why you have to specify what kind of service you declare. + +### Load Balancer + +The `LoadBalancer` service is able to load balance the requests between multiple instances of your programs. + +??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../providers/file.md)" + + ```toml + [Services] + [Services.my-service.LoadBalancer] + method = "wrr" # Load Balancing based on weights + + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-1/" + weight = 50 # 50% of the requests will go to that instance + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-2/" + weight = 50 # 50% of the requests will go to that instance + ``` + +#### Servers + +Servers declare a single instance of your program. +The `url` option point to a specific instance. +The `weight` option defines the weight of the server for the load balancing algorithm. + +!!! note + Paths in the servers' `url` have no effet. + If you want the requests to be sent to a specific path on your servers, + configure your [`routers`](./routers.md) to use a corresponding [Middleware](../middlewares/overview.md) (e.g. the [AddPrefix](../middlewares/addprefix.md) or [ReplacePath](../middlewares/replacepath.md)) middlewares. + +??? example "A Service with One Server -- Using the [File Provider](../providers/file.md)" + + ```toml + [Services] + [Services.my-service.LoadBalancer] + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-1/" + ``` + +#### Load-balancing + +Various methods of load balancing are supported: + +- `wrr`: Weighted Round Robin. +- `drr`: Dynamic Round Robin: increases weights on servers that perform better than others (rolls back to original weights when the server list is updated) + +??? example "Load Balancing Using DRR -- Using the [File Provider](../providers/file.md)" + + ```toml + [Services] + [Services.my-service.LoadBalancer] + method = "drr" + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-1/" + [[Services.my-service.LoadBalancer.servers]] + url = "http://private-ip-server-1/" + ``` + +#### Sticky sessions + +When sticky sessions are enabled, a cookie is set on the initial request to track which server handles the first response. +On subsequent requests, the client is forwarded to the same server. + +!!! note "Stickiness & Unhealthy Servers" + + If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server). + +!!! note "Cookie Name" + + The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`). + +??? example "Adding Stickiness" + + ```toml + [Services] + [Services.my-service] + [Services.my-service.LoadBalancer.stickiness] + ``` + +??? example "Adding Stickiness with a Custom Cookie Name" + + ```toml + [Services] + [Services.my-service] + [Services.my-service.LoadBalancer.stickiness] + cookieName = "my_stickiness_cookie_name" + ``` + +#### Health Check + +Configure healthcheck to remove unhealthy servers from the load balancing rotation. +Traefik will consider your servers healthy as long as they return status codes between `2XX` and `3XX` to the health check requests (carried out every `interval`). + +Below are the available options for the health check mechanism: + +- `path` is appended to the server URL to set the healcheck endpoint. +- `scheme`, if defined, will replace the server URL `scheme` for the healthcheck endpoint +- `hostname`, if defined, will replace the server URL `hostname` for the healthcheck endpoint. +- `port`, if defined, will replace the server URL `port` for the healthcheck endpoint. +- `interval` defines the frequency of the healthcheck calls. +- `timeout` defines the maximum duration Traefik will wait for a healthcheck request before considering the server failed (unhealthy). +- `headers` defines custom headers to be sent to the healthcheck endpoint. + +!!! note "Interval & Timeout Format" + + Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). + The interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second. + +!!! note "Recovering Servers" + + Traefik keeps monitoring the health of unhealthy servers. + If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balacer rotation pool. + +??? example "Custom Interval & Timeout -- Using the File Provider" + + ```toml + [Services] + [Servicess.Service-1] + [Services.Service-1.healthcheck] + path = "/health" + interval = "10s" + timeout = "3s" + ``` + +??? example "Custom Port -- Using the File Provider" + + ```toml + [Services] + [Services.Service-1] + [Services.Service-1.healthcheck] + path = "/health" + port = 8080 + ``` + +??? example "Custom Scheme -- Using the File Provider" + + ```toml + [Services] + [Services.Service-1] + [Services.Service-1.healthcheck] + path = "/health" + scheme = "http" + ``` + +??? example "Additional HTTP Headers -- Using the File Provider" + + ```toml + [Services] + [Services.Service-1] + [Servicess.Service-1.healthcheck] + path = "/health" + + [Service.Service-1.healthcheck.headers] + My-Custom-Header = "foo" + My-Header = "bar" + ``` diff --git a/docs.Dockerfile b/docs/docs.Dockerfile similarity index 58% rename from docs.Dockerfile rename to docs/docs.Dockerfile index 946c26391..7c06736e7 100644 --- a/docs.Dockerfile +++ b/docs/docs.Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.7 +FROM alpine:3.9 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin @@ -6,5 +6,5 @@ COPY requirements.txt /mkdocs/ WORKDIR /mkdocs VOLUME /mkdocs -RUN apk --no-cache --no-progress add py-pip \ - && pip install --user -r requirements.txt +RUN apk --no-cache --no-progress add py3-pip \ + && pip3 install --user -r requirements.txt diff --git a/docs/index.md b/docs/index.md deleted file mode 100644 index 9fb64ceaa..000000000 --- a/docs/index.md +++ /dev/null @@ -1,221 +0,0 @@ -

-Traefik -

- -[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik) -[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](/) -[![Go Report Card](https://goreportcard.com/badge/github.com/containous/traefik)](https://goreportcard.com/report/github.com/containous/traefik) -[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md) -[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io) -[![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik) - - -Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. -Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically. -Pointing Traefik at your orchestrator should be the _only_ configuration step you need. - -## Overview - -Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul). -Now you want users to access these microservices, and you need a reverse proxy. - -Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice. -In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious. - -**This is when Traefik can help you!** - -Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part. - -**Run Traefik and let it do the work for you!** -_(But if you'd rather configure some of your routes manually, Traefik supports that too!)_ - -![Architecture](img/architecture.png) - -## Features - -- Continuously updates its configuration (No restarts!) -- Supports multiple load balancing algorithms -- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support) -- Circuit breakers, retry -- High Availability with cluster mode (beta) -- See the magic through its clean web UI -- Websocket, HTTP/2, GRPC ready -- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB) -- Keeps access logs (JSON, CLF) -- Fast -- Exposes a Rest API -- Packaged as a single binary file (made with ❤️ with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image - - -## Supported Providers - -- [Docker](/configuration/backends/docker/) / [Swarm mode](/configuration/backends/docker/#docker-swarm-mode) -- [Kubernetes](/configuration/backends/kubernetes/) -- [Mesos](/configuration/backends/mesos/) / [Marathon](/configuration/backends/marathon/) -- [Rancher](/configuration/backends/rancher/) (API, Metadata) -- [Azure Service Fabric](/configuration/backends/servicefabric/) -- [Consul Catalog](/configuration/backends/consulcatalog/) -- [Consul](/configuration/backends/consul/) / [Etcd](/configuration/backends/etcd/) / [Zookeeper](/configuration/backends/zookeeper/) / [BoltDB](/configuration/backends/boltdb/) -- [Eureka](/configuration/backends/eureka/) -- [Amazon ECS](/configuration/backends/ecs/) -- [Amazon DynamoDB](/configuration/backends/dynamodb/) -- [File](/configuration/backends/file/) -- [Rest](/configuration/backends/rest/) - -## The Traefik Quickstart (Using Docker) - -In this quickstart, we'll use [Docker compose](https://docs.docker.com/compose) to create our demo infrastructure. - -To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik) and use the quickstart files located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory. - -### 1 — Launch Traefik — Tell It to Listen to Docker - -Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image: - -```yaml -version: '3' - -services: - reverse-proxy: - image: traefik # The official Traefik docker image - command: --api --docker # Enables the web UI and tells Traefik to listen to docker - ports: - - "80:80" # The HTTP port - - "8080:8080" # The Web UI (enabled by --api) - volumes: - - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events -``` - -!!! warning - Enabling the Web UI with the `--api` flag might expose configuration elements. You can read more about this on the [API/Dashboard's Security section](/configuration/api#security). - - -**That's it. Now you can launch Traefik!** - -Start your `reverse-proxy` with the following command: - -```shell -docker-compose up -d reverse-proxy -``` - -You can open a browser and go to [http://localhost:8080](http://localhost:8080) to see Traefik's dashboard (we'll go back there once we have launched a service in step 2). - -### 2 — Launch a Service — Traefik Detects It and Creates a Route for You - -Now that we have a Traefik instance up and running, we will deploy new services. - -Edit your `docker-compose.yml` file and add the following at the end of your file. - -```yaml -# ... - whoami: - image: containous/whoami # A container that exposes an API to show its IP address - labels: - - "traefik.frontend.rule=Host:whoami.docker.localhost" -``` - -The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on). - -Start the `whoami` service with the following command: - -```shell -docker-compose up -d whoami -``` - -Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new container and updated its own configuration. - -When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_ (Here, we're using curl) - -```shell -curl -H Host:whoami.docker.localhost http://127.0.0.1 -``` - -_Shows the following output:_ -```yaml -Hostname: 8656c8ddca6c -IP: 172.27.0.3 -#... -``` - -### 3 — Launch More Instances — Traefik Load Balances Them - -Run more instances of your `whoami` service with the following command: - -```shell -docker-compose scale whoami=2 -``` - -Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new instance of the container. - -Finally, see that Traefik load-balances between the two instances of your services by running twice the following command: - -```shell -curl -H Host:whoami.docker.localhost http://127.0.0.1 -``` - -The output will show alternatively one of the followings: - -```yaml -Hostname: 8656c8ddca6c -IP: 172.27.0.3 -#... -``` - -```yaml -Hostname: 8458f154e1f1 -IP: 172.27.0.4 -# ... -``` - -### 4 — Enjoy Traefik's Magic - -Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it might be time to dive into [the documentation](/) and let Traefik work for you! -Whatever your infrastructure is, there is probably [an available Traefik provider](/#supported-providers) that will do the job. - -Our recommendation would be to see for yourself how simple it is to enable HTTPS with [Traefik's let's encrypt integration](/user-guide/examples/#lets-encrypt-support) using the dedicated [user guide](/user-guide/docker-and-lets-encrypt/). - -## Resources - -Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017. -You will learn Traefik basics in less than 10 minutes. - -[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k) - -Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference. -You will learn fundamental Traefik features and see some demos with Kubernetes. - -[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I) - -## Downloads - -### The Official Binary File - -You can grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml): - -```shell -./traefik -c traefik.toml -``` - -### The Official Docker Image - -Using the tiny Docker image: - -```shell -docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik -``` - -## Security - -### Security Advisories - -We strongly advise you to join our mailing list to be aware of the latest announcements from our security team. You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security). - -### CVE - -Reported vulnerabilities can be found on -[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik). - -### Report a Vulnerability - -We want to keep Traefik safe for everyone. -If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io). diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml new file mode 100644 index 000000000..1b6f46f37 --- /dev/null +++ b/docs/mkdocs.yml @@ -0,0 +1,125 @@ +site_name: Traefik +site_description: Traefik Documentation +site_author: containo.us +site_url: https://docs.traefik.io +dev_addr: 0.0.0.0:8000 + +repo_name: 'GitHub' +repo_url: 'https://github.com/containous/traefik' + +docs_dir: 'content' + +theme: + name: 'material' + custom_dir: 'theme' + language: en + include_sidebar: true + favicon: assets/img/traefik.icon.png + logo: assets/img/traefik.logo.png + palette: + primary: 'blue' + accent: 'light blue' + feature: + tabs: false + palette: + primary: 'cyan' + accent: 'cyan' + i18n: + prev: 'Previous' + next: 'Next' + +copyright: "Copyright © 2016-2019 Containous" + +google_analytics: + - 'UA-51880359-3' + - 'docs.traefik.io' + +extra_css: + - assets/styles/extra.css # Our custom styles + - assets/styles/atom-one-light.css # HightlightJS's CSS theme + +extra_javascript: + - assets/js/hljs/highlight.pack.js # Download from https://highlightjs.org/download/ and enable YAML, TOML and Dockerfile + - assets/js/extra.js + +plugins: + - search + +markdown_extensions: + - attr_list + - admonition + - footnotes + - pymdownx.details + - pymdownx.inlinehilite + - pymdownx.highlight: + use_pygments: false # hljs is used instead of pygment for TOML hihglighting support + - pymdownx.smartsymbols + - pymdownx.superfences + - pymdownx.tasklist + - markdown_include.include: + base_path: content/includes/ + encoding: utf-8 + - toc: + permalink: true + +# Page tree +nav: + - '': 'reference/acme.md' + - '': 'reference/providers/docker.md' + - '': 'reference/entrypoints.md' + - 'Welcome': 'index.md' + - 'Getting Started': + - 'Concepts' : 'getting-started/concepts.md' + - 'Quick Start': 'getting-started/quick-start.md' + - 'Configuration Overview': 'getting-started/configuration-overview.md' + - 'Configuration Discovery': + - 'Overview': 'providers/overview.md' + - 'Docker': 'providers/docker.md' + - 'File': 'providers/file.md' + - 'Routing & Load Balancing': + - 'Overview': 'routing/overview.md' + - 'Entrypoints': 'routing/entrypoints.md' + - 'Routers': 'routing/routers.md' + - 'Services': 'routing/services.md' + - 'ACME': 'routing/acme.md' + - 'Middlewares': + - 'Overview': 'middlewares/overview.md' + - 'AddPrefix': 'middlewares/addprefix.md' + - 'BasicAuth': 'middlewares/basicauth.md' + - 'Buffering': 'middlewares/buffering.md' + - 'Chain': 'middlewares/chain.md' + - 'CircuitBreaker': 'middlewares/circuitbreaker.md' + - 'Compress': 'middlewares/compress.md' + - 'DigestAuth': 'middlewares/digestauth.md' + - 'Errors': 'middlewares/errorpages.md' + - 'ForwardAuth': 'middlewares/forwardauth.md' + - 'Headers': 'middlewares/headers.md' + - 'IpWhitelist': 'middlewares/ipwhitelist.md' + - 'Maxconn': 'middlewares/maxconnection.md' + - 'PassTLSClientCert': 'middlewares/passtlsclientcert.md' + - 'RateLimit': 'middlewares/ratelimit.md' + - 'RedirectRegex': 'middlewares/redirectregex.md' + - 'RedirectScheme': 'middlewares/redirectscheme.md' + - 'ReplacePath': 'middlewares/replacepath.md' + - 'ReplacePathRegex': 'middlewares/replacepathregex.md' + - 'Retry': 'middlewares/retry.md' + - 'StripPrefix': 'middlewares/stripprefix.md' + - 'StripPrefixRegex': 'middlewares/stripprefixregex.md' + - 'Operations': + - 'CLI': 'operations/cli.md' + - 'Dashboard' : 'operations/dashboard.md' + - 'Ping': 'operations/ping.md' + - 'Debug Mode': 'operations/debug-mode.md' + - 'Observability': + - 'Logs': 'observability/logs.md' + - 'Access Logs': 'observability/access-logs.md' + - 'Tracing': 'observability/tracing.md' + - 'Contributing': + - 'Thank You!': 'contributing/thank-you.md' + - 'Submitting Issues': 'contributing/submitting-issues.md' + - 'Submitting PRs': 'contributing/submitting-pull-requests.md' + - 'Building and Testing': 'contributing/building-testing.md' + - 'Documentation': 'contributing/documentation.md' + - 'Data Collection': 'contributing/data-collection.md' + - 'Advocating': 'contributing/advocating.md' + - 'Glossary': 'glossary.md' diff --git a/docs/requirements.txt b/docs/requirements.txt new file mode 100644 index 000000000..4fbf20cb8 --- /dev/null +++ b/docs/requirements.txt @@ -0,0 +1,5 @@ +mkdocs==1.0.4 +pymdown-extensions==6.0 +mkdocs-bootswatch==1.0 +mkdocs-material==3.3.0 +markdown-include==0.5.1 diff --git a/docs/runtime.txt b/docs/runtime.txt new file mode 100644 index 000000000..d70c8f8d8 --- /dev/null +++ b/docs/runtime.txt @@ -0,0 +1 @@ +3.6 diff --git a/docs/scripts/lint.sh b/docs/scripts/lint.sh new file mode 100755 index 000000000..2cf52b6a2 --- /dev/null +++ b/docs/scripts/lint.sh @@ -0,0 +1,16 @@ +#!/bin/sh +# This script will run a couple of linter on the documentation + +set -eu + +# We want to run all linters before returning success (exit 0) or failure (exit 1) +# So this variable holds the global exit code +EXIT_CODE=0 +readonly BASE_DIR=/app + +echo "== Linting Markdown" +# Uses the file ".markdownlint.json" for setup +cd "${BASE_DIR}" || exit 1 +markdownlint --config ${BASE_DIR}/content/includes/.markdownlint.json "${BASE_DIR}/content/**/*.md" || EXIT_CODE=1 + +exit "${EXIT_CODE}" diff --git a/docs/scripts/netlify-run.sh b/docs/scripts/netlify-run.sh new file mode 100755 index 000000000..dac3f97b3 --- /dev/null +++ b/docs/scripts/netlify-run.sh @@ -0,0 +1,16 @@ +#!/bin/bash +# +# This script is run in netlify environment to build and validate +# the website for documentation + +CURRENT_DIR="$(cd "$(dirname "${0}")" && pwd -P)" + +#### Build website +# Provide the URL for this deployment to Mkdocs +echo "${DEPLOY_PRIME_URL}" > "${CURRENT_DIR}/../CNAME" +sed -i "s#site_url:.*#site_url: ${DEPLOY_PRIME_URL}#" "${CURRENT_DIR}/../mkdocs.yml" + +# Build +mkdocs build + +exit 0 diff --git a/script/docs-verify-docker-image/validate.sh b/docs/scripts/verify.sh old mode 100644 new mode 100755 similarity index 85% rename from script/docs-verify-docker-image/validate.sh rename to docs/scripts/verify.sh index 779104111..a50b4ddaa --- a/script/docs-verify-docker-image/validate.sh +++ b/docs/scripts/verify.sh @@ -1,13 +1,13 @@ #!/bin/sh +PATH_TO_SITE="${1:-/app/site}" + set -eu -PATH_TO_SITE="/app/site" [ -d "${PATH_TO_SITE}" ] NUMBER_OF_CPUS="$(grep -c processor /proc/cpuinfo)" - echo "=== Checking HTML content..." # Search for all HTML files except the theme's partials @@ -21,8 +21,8 @@ find "${PATH_TO_SITE}" -type f -not -path "/app/site/theme/*" \ --check_external_hash \ --alt_ignore="/traefik.logo.png/" \ --http_status_ignore="0,500,501,503" \ - --url-ignore "/https://groups.google.com/a/traefik.io/forum/#!forum/security/,/localhost:/,/127.0.0.1:/,/fonts.gstatic.com/,/.minikube/,/github.com\/containous\/traefik\/*edit*/,/github.com\/containous\/traefik\/$/" \ - '{}' + --url-ignore "/https://groups.google.com/a/traefik.io/forum/#!forum/security/,/localhost:/,/127.0.0.1:/,/fonts.gstatic.com/,/.minikube/,/github.com\/containous\/traefik\/*edit*/,/github.com\/containous\/traefik\/$/,/docs.traefik.io/" \ + '{}' 1>/dev/null ## HTML-proofer options at https://github.com/gjtorikian/html-proofer#configuration -echo "= Documentation checked successfuly." +echo "= Documentation checked successfully." diff --git a/examples/quickstart/README.md b/examples/quickstart/README.md index 75c10ad9d..87fe8e0da 100644 --- a/examples/quickstart/README.md +++ b/examples/quickstart/README.md @@ -43,7 +43,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil whoami: image: containous/whoami # A container that exposes an API to show its IP address labels: - - "traefik.frontend.rule=Host:whoami.docker.localhost" + - "traefik.router.rule=Host:whoami.docker.localhost" ``` The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on). diff --git a/examples/quickstart/docker-compose.yml b/examples/quickstart/docker-compose.yml index 97c609909..0267fa51c 100644 --- a/examples/quickstart/docker-compose.yml +++ b/examples/quickstart/docker-compose.yml @@ -15,4 +15,4 @@ services: whoami: image: containous/whoami # A container that exposes an API to show its IP address labels: - - "traefik.frontend.rule=Host:whoami.docker.localhost" + - "traefik.router.rule=Host:whoami.docker.localhost" diff --git a/middlewares/passtlsclientcert/pass_tls_client_cert.go b/middlewares/passtlsclientcert/pass_tls_client_cert.go index 5bdf9bc8c..d8e0d3ba5 100644 --- a/middlewares/passtlsclientcert/pass_tls_client_cert.go +++ b/middlewares/passtlsclientcert/pass_tls_client_cert.go @@ -19,7 +19,7 @@ import ( const ( xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert" - xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-info" + xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info" typeName = "PassClientTLSCert" ) diff --git a/mkdocs.yml b/mkdocs.yml deleted file mode 100644 index d0c9a4365..000000000 --- a/mkdocs.yml +++ /dev/null @@ -1,99 +0,0 @@ -site_name: Traefik -site_description: Traefik Documentation -site_author: containo.us -site_url: https://docs.traefik.io -dev_addr: 0.0.0.0:8000 - -repo_name: 'GitHub' -repo_url: 'https://github.com/containous/traefik' - -docs_dir: 'docs' - -theme: - name: 'material' - custom_dir: 'docs/theme' - language: en - include_sidebar: true - favicon: img/traefik.icon.png - logo: img/traefik.logo.png - palette: - primary: 'cyan' - accent: 'cyan' - feature: - tabs: false - i18n: - prev: 'Previous' - next: 'Next' - -copyright: "Copyright © 2016-2019 Containous" - -google_analytics: - - 'UA-51880359-3' - - 'docs.traefik.io' - -# Options -# Comment because the call of the CDN is very slow. -#extra: -# social: -# - type: 'github' -# link: 'https://github.com/containous/traefik' -# - type: 'stack-overflow' -# link: 'https://stackoverflow.com/questions/tagged/traefik' -# - type: 'slack' -# link: 'https://slack.traefik.io' -# - type: 'twitter' -# link: 'https://twitter.com/traefik' - -extra_css: - - theme/styles/extra.css - - theme/styles/atom-one-light.css - -extra_javascript: - - theme/js/hljs/highlight.pack.js - - theme/js/extra.js - -markdown_extensions: - - admonition - - toc: - permalink: true - -# Page tree -pages: - - Getting Started: index.md - - Basics: basics.md - - Configuration: - - 'Commons': 'configuration/commons.md' - - 'Logs': 'configuration/logs.md' - - 'EntryPoints': 'configuration/entrypoints.md' - - 'Let''s Encrypt': 'configuration/acme.md' - - 'API / Dashboard': 'configuration/api.md' - - 'BoltDB': 'configuration/backends/boltdb.md' - - 'Consul': 'configuration/backends/consul.md' - - 'Consul Catalog': 'configuration/backends/consulcatalog.md' - - 'Docker': 'configuration/backends/docker.md' - - 'DynamoDB': 'configuration/backends/dynamodb.md' - - 'ECS': 'configuration/backends/ecs.md' - - 'Etcd': 'configuration/backends/etcd.md' - - 'Eureka': 'configuration/backends/eureka.md' - - 'File': 'configuration/backends/file.md' - - 'Kubernetes Ingress': 'configuration/backends/kubernetes.md' - - 'Marathon': 'configuration/backends/marathon.md' - - 'Mesos': 'configuration/backends/mesos.md' - - 'Rancher': 'configuration/backends/rancher.md' - - 'Rest': 'configuration/backends/rest.md' - - 'Azure Service Fabric': 'configuration/backends/servicefabric.md' - - 'Zookeeper': 'configuration/backends/zookeeper.md' - - 'Ping': 'configuration/ping.md' - - 'Metrics': 'configuration/metrics.md' - - 'Tracing': 'configuration/tracing.md' - - User Guides: - - 'Configuration Examples': 'user-guide/examples.md' - - 'Swarm Mode Cluster': 'user-guide/swarm-mode.md' - - 'Swarm Cluster': 'user-guide/swarm.md' - - 'Let''s Encrypt & Docker': 'user-guide/docker-and-lets-encrypt.md' - - 'Kubernetes': 'user-guide/kubernetes.md' - - 'Marathon': 'user-guide/marathon.md' - - 'Key-value Store Configuration': 'user-guide/kv-config.md' - - 'Clustering/HA': 'user-guide/cluster.md' - - 'gRPC Example': 'user-guide/grpc.md' - - 'Traefik cluster example with Swarm': 'user-guide/cluster-docker-consul.md' diff --git a/netlify.toml b/netlify.toml new file mode 100644 index 000000000..330706385 --- /dev/null +++ b/netlify.toml @@ -0,0 +1,7 @@ +[build] +# Path relative to the root of the repository +publish = "docs/site" +base = "docs" + +# Path relative to the "base" directory +command = "sh -x scripts/netlify-run.sh" diff --git a/old/docs/CNAME b/old/docs/CNAME new file mode 100644 index 000000000..f4446d431 --- /dev/null +++ b/old/docs/CNAME @@ -0,0 +1 @@ +docs.traefik.io \ No newline at end of file diff --git a/docs/benchmarks.md b/old/docs/benchmarks.md similarity index 100% rename from docs/benchmarks.md rename to old/docs/benchmarks.md diff --git a/docs/configuration/api.md b/old/docs/configuration/api.md similarity index 100% rename from docs/configuration/api.md rename to old/docs/configuration/api.md diff --git a/docs/configuration/backends/boltdb.md b/old/docs/configuration/backends/boltdb.md similarity index 100% rename from docs/configuration/backends/boltdb.md rename to old/docs/configuration/backends/boltdb.md diff --git a/docs/configuration/backends/consul.md b/old/docs/configuration/backends/consul.md similarity index 100% rename from docs/configuration/backends/consul.md rename to old/docs/configuration/backends/consul.md diff --git a/docs/configuration/backends/consulcatalog.md b/old/docs/configuration/backends/consulcatalog.md similarity index 100% rename from docs/configuration/backends/consulcatalog.md rename to old/docs/configuration/backends/consulcatalog.md diff --git a/old/docs/configuration/backends/docker.md b/old/docs/configuration/backends/docker.md new file mode 100644 index 000000000..586f612e7 --- /dev/null +++ b/old/docs/configuration/backends/docker.md @@ -0,0 +1,19 @@ +| `traefik.domain` | Sets the default base domain for the frontend rules. For more information, check the [Container Labels section's of the user guide "Let's Encrypt & Docker"](/user-guide/docker-and-lets-encrypt/#container-labels) | +| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. | +| `traefik.protocol=https` | Overrides the default `http` protocol | +| `traefik.weight=10` | Assigns this weight to the container + +[2] `traefik.frontend.auth.basic.users=EXPR`: +To create `user:password` pair, it's possible to use this command: +`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`. +The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping. + +[3] `traefik.backend.loadbalancer.swarm`: +If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs. +Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm. +It also means that Traefik will manipulate only one backend, not one backend per container. + +!!! warning + When running inside a container, Traefik will need network access through: + + `docker network connect ` \ No newline at end of file diff --git a/docs/configuration/backends/dynamodb.md b/old/docs/configuration/backends/dynamodb.md similarity index 100% rename from docs/configuration/backends/dynamodb.md rename to old/docs/configuration/backends/dynamodb.md diff --git a/docs/configuration/backends/ecs.md b/old/docs/configuration/backends/ecs.md similarity index 100% rename from docs/configuration/backends/ecs.md rename to old/docs/configuration/backends/ecs.md diff --git a/docs/configuration/backends/etcd.md b/old/docs/configuration/backends/etcd.md similarity index 100% rename from docs/configuration/backends/etcd.md rename to old/docs/configuration/backends/etcd.md diff --git a/docs/configuration/backends/eureka.md b/old/docs/configuration/backends/eureka.md similarity index 100% rename from docs/configuration/backends/eureka.md rename to old/docs/configuration/backends/eureka.md diff --git a/docs/configuration/backends/file.md b/old/docs/configuration/backends/file.md similarity index 100% rename from docs/configuration/backends/file.md rename to old/docs/configuration/backends/file.md diff --git a/docs/configuration/backends/kubernetes.md b/old/docs/configuration/backends/kubernetes.md similarity index 100% rename from docs/configuration/backends/kubernetes.md rename to old/docs/configuration/backends/kubernetes.md diff --git a/docs/configuration/backends/marathon.md b/old/docs/configuration/backends/marathon.md similarity index 100% rename from docs/configuration/backends/marathon.md rename to old/docs/configuration/backends/marathon.md diff --git a/docs/configuration/backends/mesos.md b/old/docs/configuration/backends/mesos.md similarity index 100% rename from docs/configuration/backends/mesos.md rename to old/docs/configuration/backends/mesos.md diff --git a/docs/configuration/backends/rancher.md b/old/docs/configuration/backends/rancher.md similarity index 100% rename from docs/configuration/backends/rancher.md rename to old/docs/configuration/backends/rancher.md diff --git a/docs/configuration/backends/rest.md b/old/docs/configuration/backends/rest.md similarity index 100% rename from docs/configuration/backends/rest.md rename to old/docs/configuration/backends/rest.md diff --git a/docs/configuration/backends/servicefabric.md b/old/docs/configuration/backends/servicefabric.md similarity index 100% rename from docs/configuration/backends/servicefabric.md rename to old/docs/configuration/backends/servicefabric.md diff --git a/docs/configuration/backends/zookeeper.md b/old/docs/configuration/backends/zookeeper.md similarity index 100% rename from docs/configuration/backends/zookeeper.md rename to old/docs/configuration/backends/zookeeper.md diff --git a/docs/configuration/commons.md b/old/docs/configuration/commons.md similarity index 59% rename from docs/configuration/commons.md rename to old/docs/configuration/commons.md index 9cdd695db..1826dfd76 100644 --- a/docs/configuration/commons.md +++ b/old/docs/configuration/commons.md @@ -103,193 +103,6 @@ Each frontend can specify its own entrypoints. | http://foo.com/path | true | Path:/path | Proceeds with the request | -## Constraints - -In a micro-service architecture, with a central service discovery, setting constraints limits Traefik scope to a smaller number of routes. - -Traefik filters services according to service attributes/tags set in your providers. - -Supported filters: - -- `tag` - -### Simple - -```toml -# Simple matching constraint -constraints = ["tag==api"] - -# Simple mismatching constraint -constraints = ["tag!=api"] - -# Globbing -constraints = ["tag==us-*"] -``` - -### Multiple - -```toml -# Multiple constraints -# - "tag==" must match with at least one tag -# - "tag!=" must match with none of tags -constraints = ["tag!=us-*", "tag!=asia-*"] -``` - -### provider-specific - -Supported Providers: - -- Docker -- Consul K/V -- BoltDB -- Zookeeper -- ECS -- Etcd -- Consul Catalog -- Rancher -- Marathon -- Kubernetes (using a provider-specific mechanism based on label selectors) - -```toml -# Provider-specific constraint -[consulCatalog] -# ... -constraints = ["tag==api"] - -# Provider-specific constraint -[marathon] -# ... -constraints = ["tag==api", "tag!=v*-beta"] -``` - - -## Custom Error pages - -Custom error pages can be returned, in lieu of the default, according to frontend-configured ranges of HTTP Status codes. - -In the example below, if a 503 status is returned from the frontend "website", the custom error page at http://2.3.4.5/503.html is returned with the actual status code set in the HTTP header. - -!!! note - The `503.html` page itself is not hosted on Traefik, but some other infrastructure. - -```toml -[frontends] - [frontends.website] - backend = "website" - [frontends.website.errors] - [frontends.website.errors.network] - status = ["500-599"] - backend = "error" - query = "/{status}.html" - [frontends.website.routes.website] - rule = "Host: website.mydomain.com" - -[backends] - [backends.website] - [backends.website.servers.website] - url = "https://1.2.3.4" - [backends.error] - [backends.error.servers.error] - url = "http://2.3.4.5" -``` - -In the above example, the error page rendered was based on the status code. -Instead, the query parameter can also be set to some generic error page like so: `query = "/500s.html"` - -Now the `500s.html` error page is returned for the configured code range. -The configured status code ranges are inclusive; that is, in the above example, the `500s.html` page will be returned for status codes `500` through, and including, `599`. - - -## Rate limiting - -Rate limiting can be configured per frontend. -Multiple sets of rates can be added to each frontend, but the time periods must be unique. - -```toml -[frontends] - [frontends.frontend1] - # ... - [frontends.frontend1.ratelimit] - extractorfunc = "client.ip" - [frontends.frontend1.ratelimit.rateset.rateset1] - period = "10s" - average = 100 - burst = 200 - [frontends.frontend1.ratelimit.rateset.rateset2] - period = "3s" - average = 5 - burst = 10 -``` - -In the above example, frontend1 is configured to limit requests by the client's ip address. -An average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. -These can "burst" up to 10 and 200 in each period respectively. - -Valid values for `extractorfunc` are: - * `client.ip` - * `request.host` - * `request.header.
` - -## Buffering - -In some cases request/buffering can be enabled for a specific backend. -By enabling this, Traefik will read the entire request into memory (possibly buffering large requests into disk) and will reject requests that are over a specified limit. -This may help services deal with large data (multipart/form-data for example) more efficiently and should minimise time spent when sending data to a backend server. - -For more information please check [oxy/buffer](http://godoc.org/github.com/vulcand/oxy/buffer) documentation. - -Example configuration: - -```toml -[backends] - [backends.backend1] - [backends.backend1.buffering] - maxRequestBodyBytes = 10485760 - memRequestBodyBytes = 2097152 - maxResponseBodyBytes = 10485760 - memResponseBodyBytes = 2097152 - retryExpression = "IsNetworkError() && Attempts() <= 2" -``` - -## Retry Configuration - -```toml -# Enable retry sending request if network error -[retry] - -# Number of attempts -# -# Optional -# Default: (number servers in backend) -1 -# -# attempts = 3 -``` - - -## Health Check Configuration - -```toml -# Enable custom health check options. -[healthcheck] - -# Set the default health check interval and timeout. -# -# Optional -# Default: "30s" -# -# interval = "30s" -# timeout = "5s" -``` - -- `interval` sets the default health check interval. -- `timeout` sets the default health check request timeout. - -These options will only be effective if health check paths are defined. -Given provider-specific support, the value may be overridden on a per-backend basis. -Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits). -If no units are provided, the value is parsed assuming seconds. -**Note:** the interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second. - ## Life Cycle Controls the behavior of Traefik during the shutdown phase. @@ -488,39 +301,6 @@ Example: {{end}} ``` -## Pass TLS Client Cert +### Using ping for an external Load-balancer rotation health check -```toml -# Pass the escaped client cert infos selected below in a `X-Forwarded-Ssl-Client-Cert-Infos` header. -[frontends.frontend1.passTLSClientCert] - pem = true - [frontends.frontend1.passTLSClientCert.infos] - notBefore = true - notAfter = true - [frontends.frontend1.passTLSClientCert.infos.subject] - country = true - domainComponent = true - province = true - locality = true - organization = true - commonName = true - serialNumber = true - [frontends.frontend1.passTLSClientCert.infos.issuer] - country = true - domainComponent = true - province = true - locality = true - organization = true - commonName = true - serialNumber = true -``` - -Pass TLS Client Cert `pem` defines if the escaped pem is added to a `X-Forwarded-Ssl-Client-Cert` header. -Pass TLS Client Cert `infos` defines how the certificate data are added to a `X-Forwarded-Ssl-Client-Cert-Infos` header. - -The following example shows an unescaped result that uses all the available fields: -If there are more than one certificate, they are separated by a `;` - -``` -Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2 -``` +If you are running Traefik behind an external Load-balancer, and want to configure rotation health check on the Load-balancer to take a Traefik instance out of rotation gracefully, you can configure [lifecycle.requestAcceptGraceTimeout](/configuration/commons.md#life-cycle) and the ping endpoint will return `503` response on traefik server termination, so that the Load-balancer can take the terminating traefik instance out of rotation, before it stops responding. diff --git a/docs/img/architecture.png b/old/docs/img/architecture.png similarity index 100% rename from docs/img/architecture.png rename to old/docs/img/architecture.png diff --git a/docs/img/architecture.svg b/old/docs/img/architecture.svg similarity index 100% rename from docs/img/architecture.svg rename to old/docs/img/architecture.svg diff --git a/docs/img/grpc.svg b/old/docs/img/grpc.svg similarity index 100% rename from docs/img/grpc.svg rename to old/docs/img/grpc.svg diff --git a/docs/img/internal.png b/old/docs/img/internal.png similarity index 100% rename from docs/img/internal.png rename to old/docs/img/internal.png diff --git a/docs/img/letsencrypt-logo-horizontal.svg b/old/docs/img/letsencrypt-logo-horizontal.svg similarity index 100% rename from docs/img/letsencrypt-logo-horizontal.svg rename to old/docs/img/letsencrypt-logo-horizontal.svg diff --git a/docs/img/overview.svg b/old/docs/img/overview.svg similarity index 100% rename from docs/img/overview.svg rename to old/docs/img/overview.svg diff --git a/old/docs/img/traefik-health.png b/old/docs/img/traefik-health.png new file mode 100644 index 000000000..cf3160975 Binary files /dev/null and b/old/docs/img/traefik-health.png differ diff --git a/old/docs/img/traefik.icon.png b/old/docs/img/traefik.icon.png new file mode 100644 index 000000000..9708dd0ba Binary files /dev/null and b/old/docs/img/traefik.icon.png differ diff --git a/old/docs/img/traefik.logo.png b/old/docs/img/traefik.logo.png new file mode 100644 index 000000000..4778d0f5b Binary files /dev/null and b/old/docs/img/traefik.logo.png differ diff --git a/old/docs/img/web.frontend.png b/old/docs/img/web.frontend.png new file mode 100644 index 000000000..62a90e5e9 Binary files /dev/null and b/old/docs/img/web.frontend.png differ diff --git a/docs/img/zenika.logo.png b/old/docs/img/zenika.logo.png similarity index 100% rename from docs/img/zenika.logo.png rename to old/docs/img/zenika.logo.png diff --git a/old/docs/index.md b/old/docs/index.md new file mode 100644 index 000000000..d3edd240a --- /dev/null +++ b/old/docs/index.md @@ -0,0 +1,79 @@ +

+Traefik +

+ +[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik) +[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](/) +[![Go Report Card](https://goreportcard.com/badge/github.com/containous/traefik)](https://goreportcard.com/report/github.com/containous/traefik) +[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md) +[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io) +[![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik) + + +Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. +Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically. +Pointing Traefik at your orchestrator should be the _only_ configuration step you need. + +## Overview + +Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul). +Now you want users to access these microservices, and you need a reverse proxy. + +Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice. +In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious. + +**This is when Traefik can help you!** + +Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part. + +**Run Traefik and let it do the work for you!** +_(But if you'd rather configure some of your routes manually, Traefik supports that too!)_ + +![Architecture](img/architecture.png) + +## Features + +- Continuously updates its configuration (No restarts!) +- Supports multiple load balancing algorithms +- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support) +- Circuit breakers, retry +- High Availability with cluster mode (beta) +- See the magic through its clean web UI +- Websocket, HTTP/2, GRPC ready +- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB) +- Keeps access logs (JSON, CLF) +- Fast +- Exposes a Rest API +- Packaged as a single binary file (made with ❤️ with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image + + +## Supported Providers + +- [Docker](/configuration/backends/docker/) / [Swarm mode](/configuration/backends/docker/#docker-swarm-mode) +- [Kubernetes](/configuration/backends/kubernetes/) +- [Mesos](/configuration/backends/mesos/) / [Marathon](/configuration/backends/marathon/) +- [Rancher](/configuration/backends/rancher/) (API, Metadata) +- [Azure Service Fabric](/configuration/backends/servicefabric/) +- [Consul Catalog](/configuration/backends/consulcatalog/) +- [Consul](/configuration/backends/consul/) / [Etcd](/configuration/backends/etcd/) / [Zookeeper](/configuration/backends/zookeeper/) / [BoltDB](/configuration/backends/boltdb/) +- [Eureka](/configuration/backends/eureka/) +- [Amazon ECS](/configuration/backends/ecs/) +- [Amazon DynamoDB](/configuration/backends/dynamodb/) +- [File](/configuration/backends/file/) +- [Rest](/configuration/backends/rest/) + +## Security + +### Security Advisories + +We strongly advise you to join our mailing list to be aware of the latest announcements from our security team. You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security). + +### CVE + +Reported vulnerabilities can be found on +[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik). + +### Report a Vulnerability + +We want to keep Traefik safe for everyone. +If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io). diff --git a/docs/configuration/metrics.md b/old/docs/metrics.md similarity index 98% rename from docs/configuration/metrics.md rename to old/docs/metrics.md index e62a0a1d7..13747307b 100644 --- a/docs/configuration/metrics.md +++ b/old/docs/metrics.md @@ -1,3 +1,7 @@ +# Metrics + +## Old Content + # Metrics Definition ## Prometheus @@ -141,3 +145,4 @@ # ... ``` + diff --git a/old/docs/theme/js/extra.js b/old/docs/theme/js/extra.js new file mode 100644 index 000000000..eb0cc12ff --- /dev/null +++ b/old/docs/theme/js/extra.js @@ -0,0 +1,4 @@ +/* Highlight */ +(function(hljs) { + hljs.initHighlightingOnLoad(); +})(hljs); \ No newline at end of file diff --git a/old/docs/theme/js/hljs/LICENSE b/old/docs/theme/js/hljs/LICENSE new file mode 100644 index 000000000..422deb735 --- /dev/null +++ b/old/docs/theme/js/hljs/LICENSE @@ -0,0 +1,24 @@ +Copyright (c) 2006, Ivan Sagalaev +All rights reserved. +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of highlight.js nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY +EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/docs/theme/js/hljs/highlight.pack.js b/old/docs/theme/js/hljs/highlight.pack.js similarity index 100% rename from docs/theme/js/hljs/highlight.pack.js rename to old/docs/theme/js/hljs/highlight.pack.js diff --git a/old/docs/theme/partials/footer.html b/old/docs/theme/partials/footer.html new file mode 100644 index 000000000..e3b586dbe --- /dev/null +++ b/old/docs/theme/partials/footer.html @@ -0,0 +1,104 @@ + + +{% import "partials/language.html" as lang with context %} + + + diff --git a/old/docs/theme/styles/atom-one-light.css b/old/docs/theme/styles/atom-one-light.css new file mode 100644 index 000000000..d5bd1d2a9 --- /dev/null +++ b/old/docs/theme/styles/atom-one-light.css @@ -0,0 +1,96 @@ +/* + +Atom One Light by Daniel Gamage +Original One Light Syntax theme from https://github.com/atom/one-light-syntax + +base: #fafafa +mono-1: #383a42 +mono-2: #686b77 +mono-3: #a0a1a7 +hue-1: #0184bb +hue-2: #4078f2 +hue-3: #a626a4 +hue-4: #50a14f +hue-5: #e45649 +hue-5-2: #c91243 +hue-6: #986801 +hue-6-2: #c18401 + +*/ + +.hljs { + display: block; + overflow-x: auto; + padding: 0.5em; + color: #383a42; + background: #fafafa; +} + +.hljs-comment, +.hljs-quote { + color: #a0a1a7; + font-style: italic; +} + +.hljs-doctag, +.hljs-keyword, +.hljs-formula { + color: #a626a4; +} + +.hljs-section, +.hljs-name, +.hljs-selector-tag, +.hljs-deletion, +.hljs-subst { + color: #e45649; +} + +.hljs-literal { + color: #0184bb; +} + +.hljs-string, +.hljs-regexp, +.hljs-addition, +.hljs-attribute, +.hljs-meta-string { + color: #50a14f; +} + +.hljs-built_in, +.hljs-class .hljs-title { + color: #c18401; +} + +.hljs-attr, +.hljs-variable, +.hljs-template-variable, +.hljs-type, +.hljs-selector-class, +.hljs-selector-attr, +.hljs-selector-pseudo, +.hljs-number { + color: #986801; +} + +.hljs-symbol, +.hljs-bullet, +.hljs-link, +.hljs-meta, +.hljs-selector-id, +.hljs-title { + color: #4078f2; +} + +.hljs-emphasis { + font-style: italic; +} + +.hljs-strong { + font-weight: bold; +} + +.hljs-link { + text-decoration: underline; +} diff --git a/docs/theme/styles/extra.css b/old/docs/theme/styles/extra.css similarity index 100% rename from docs/theme/styles/extra.css rename to old/docs/theme/styles/extra.css diff --git a/docs/user-guide/cluster-docker-consul.md b/old/docs/user-guide/cluster-docker-consul.md similarity index 100% rename from docs/user-guide/cluster-docker-consul.md rename to old/docs/user-guide/cluster-docker-consul.md diff --git a/docs/user-guide/cluster.md b/old/docs/user-guide/cluster.md similarity index 100% rename from docs/user-guide/cluster.md rename to old/docs/user-guide/cluster.md diff --git a/docs/user-guide/docker-and-lets-encrypt.md b/old/docs/user-guide/docker-and-lets-encrypt.md similarity index 100% rename from docs/user-guide/docker-and-lets-encrypt.md rename to old/docs/user-guide/docker-and-lets-encrypt.md diff --git a/docs/user-guide/examples.md b/old/docs/user-guide/examples.md similarity index 100% rename from docs/user-guide/examples.md rename to old/docs/user-guide/examples.md diff --git a/docs/user-guide/grpc.md b/old/docs/user-guide/grpc.md similarity index 100% rename from docs/user-guide/grpc.md rename to old/docs/user-guide/grpc.md diff --git a/docs/user-guide/kubernetes.md b/old/docs/user-guide/kubernetes.md similarity index 100% rename from docs/user-guide/kubernetes.md rename to old/docs/user-guide/kubernetes.md diff --git a/docs/user-guide/kv-config.md b/old/docs/user-guide/kv-config.md similarity index 100% rename from docs/user-guide/kv-config.md rename to old/docs/user-guide/kv-config.md diff --git a/docs/user-guide/marathon.md b/old/docs/user-guide/marathon.md similarity index 100% rename from docs/user-guide/marathon.md rename to old/docs/user-guide/marathon.md diff --git a/docs/user-guide/swarm-mode.md b/old/docs/user-guide/swarm-mode.md similarity index 100% rename from docs/user-guide/swarm-mode.md rename to old/docs/user-guide/swarm-mode.md diff --git a/docs/user-guide/swarm.md b/old/docs/user-guide/swarm.md similarity index 100% rename from docs/user-guide/swarm.md rename to old/docs/user-guide/swarm.md diff --git a/provider/label/parser_test.go b/provider/label/parser_test.go index bf441a1e8..1f0abccf7 100644 --- a/provider/label/parser_test.go +++ b/provider/label/parser_test.go @@ -82,6 +82,13 @@ func TestDecodeConfiguration(t *testing.T) { "traefik.middlewares.Middleware11.passtlsclientcert.info.subject.organization": "true", "traefik.middlewares.Middleware11.passtlsclientcert.info.subject.province": "true", "traefik.middlewares.Middleware11.passtlsclientcert.info.subject.serialnumber": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.commonname": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.country": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.domaincomponent": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.locality": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.organization": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.province": "true", + "traefik.middlewares.Middleware11.passtlsclientcert.info.issuer.serialnumber": "true", "traefik.middlewares.Middleware11.passtlsclientcert.pem": "true", "traefik.middlewares.Middleware12.ratelimit.extractorfunc": "foobar", "traefik.middlewares.Middleware12.ratelimit.rateset.Rate0.average": "42", @@ -218,6 +225,15 @@ func TestDecodeConfiguration(t *testing.T) { SerialNumber: true, DomainComponent: true, }, + Issuer: &config.TLSCLientCertificateDNInfo{ + Country: true, + Province: true, + Locality: true, + Organization: true, + CommonName: true, + SerialNumber: true, + DomainComponent: true, + }, Sans: true, }, }, @@ -541,6 +557,15 @@ func TestEncodeConfiguration(t *testing.T) { SerialNumber: true, DomainComponent: true, }, + Issuer: &config.TLSCLientCertificateDNInfo{ + Country: true, + Province: true, + Locality: true, + Organization: true, + CommonName: true, + SerialNumber: true, + DomainComponent: true, + }, Sans: true, }, }, @@ -858,13 +883,20 @@ func TestEncodeConfiguration(t *testing.T) { "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Sans": "true", - "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.CommonName": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country": "true", - "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.DomainComponent": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Organization": "true", - "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.CommonName": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.SerialNumber": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.DomainComponent": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Country": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Province": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Locality": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Organization": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.CommonName": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.SerialNumber": "true", + "traefik.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.DomainComponent": "true", "traefik.Middlewares.Middleware11.PassTLSClientCert.PEM": "true", "traefik.Middlewares.Middleware12.RateLimit.ExtractorFunc": "foobar", "traefik.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Average": "42", diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index be343f58a..000000000 --- a/requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -mkdocs==0.17.5 -pymdown-extensions==4.12 -mkdocs-bootswatch==0.5.0 -mkdocs-material==2.9.4 diff --git a/script/docs-verify-docker-image/Dockerfile b/script/docs-verify-docker-image/Dockerfile deleted file mode 100644 index dcf387462..000000000 --- a/script/docs-verify-docker-image/Dockerfile +++ /dev/null @@ -1,21 +0,0 @@ -FROM alpine:3.8 - -RUN apk --no-cache --no-progress add \ - ca-certificates \ - curl \ - findutils \ - ruby-bigdecimal \ - ruby-etc \ - ruby-ffi \ - ruby-json \ - ruby-nokogiri=1.8.3-r0 \ - tini \ - && gem install --no-document html-proofer -v 3.9.3 - -COPY ./validate.sh /validate.sh - -WORKDIR /app -VOLUME ["/tmp","/app"] - -ENTRYPOINT ["/sbin/tini","-g","sh"] -CMD ["/validate.sh"]