Documentation Revamp
Co-authored-by: jbdoumenjou <jb.doumenjou@gmail.com>
1
.gitignore
vendored
|
@ -9,6 +9,7 @@
|
||||||
/webui/.tmp/
|
/webui/.tmp/
|
||||||
.vscode/
|
.vscode/
|
||||||
/site/
|
/site/
|
||||||
|
/docs/site/
|
||||||
*.log
|
*.log
|
||||||
*.exe
|
*.exe
|
||||||
.DS_Store
|
.DS_Store
|
||||||
|
|
|
@ -16,7 +16,7 @@ env:
|
||||||
|
|
||||||
script:
|
script:
|
||||||
- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
|
- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
|
||||||
- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs-verify; fi
|
- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi
|
||||||
|
|
||||||
before_deploy:
|
before_deploy:
|
||||||
- >
|
- >
|
||||||
|
|
|
@ -2,17 +2,11 @@
|
||||||
|
|
||||||
## Our Pledge
|
## Our Pledge
|
||||||
|
|
||||||
In the interest of fostering an open and welcoming environment, we as
|
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
|
||||||
contributors and maintainers pledge to making participation in our project and
|
|
||||||
our community a harassment-free experience for everyone, regardless of age, body
|
|
||||||
size, disability, ethnicity, gender identity and expression, level of experience,
|
|
||||||
nationality, personal appearance, race, religion, or sexual identity and
|
|
||||||
orientation.
|
|
||||||
|
|
||||||
## Our Standards
|
## Our Standards
|
||||||
|
|
||||||
Examples of behavior that contributes to creating a positive environment
|
Examples of behavior that contributes to creating a positive environment include:
|
||||||
include:
|
|
||||||
|
|
||||||
* Using welcoming and inclusive language
|
* Using welcoming and inclusive language
|
||||||
* Being respectful of differing viewpoints and experiences
|
* Being respectful of differing viewpoints and experiences
|
||||||
|
@ -22,53 +16,36 @@ include:
|
||||||
|
|
||||||
Examples of unacceptable behavior by participants include:
|
Examples of unacceptable behavior by participants include:
|
||||||
|
|
||||||
* The use of sexualized language or imagery and unwelcome sexual attention or
|
* The use of sexualized language or imagery and unwelcome sexual attention or advances
|
||||||
advances
|
|
||||||
* Trolling, insulting/derogatory comments, and personal or political attacks
|
* Trolling, insulting/derogatory comments, and personal or political attacks
|
||||||
* Public or private harassment
|
* Public or private harassment
|
||||||
* Publishing others' private information, such as a physical or electronic
|
* Publishing others' private information, such as a physical or electronic address, without explicit permission
|
||||||
address, without explicit permission
|
* Other conduct which could reasonably be considered inappropriate in a professional setting
|
||||||
* Other conduct which could reasonably be considered inappropriate in a
|
|
||||||
professional setting
|
|
||||||
|
|
||||||
## Our Responsibilities
|
## Our Responsibilities
|
||||||
|
|
||||||
Project maintainers are responsible for clarifying the standards of acceptable
|
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
|
||||||
behavior and are expected to take appropriate and fair corrective action in
|
|
||||||
response to any instances of unacceptable behavior.
|
|
||||||
|
|
||||||
Project maintainers have the right and responsibility to remove, edit, or
|
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
|
||||||
reject comments, commits, code, wiki edits, issues, and other contributions
|
|
||||||
that are not aligned to this Code of Conduct, or to ban temporarily or
|
|
||||||
permanently any contributor for other behaviors that they deem inappropriate,
|
|
||||||
threatening, offensive, or harmful.
|
|
||||||
|
|
||||||
## Scope
|
## Scope
|
||||||
|
|
||||||
This Code of Conduct applies both within project spaces and in public spaces
|
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
|
||||||
when an individual is representing the project or its community. Examples of
|
Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
|
||||||
representing a project or community include using an official project e-mail
|
Representation of a project may be further defined and clarified by project maintainers.
|
||||||
address, posting via an official social media account, or acting as an appointed
|
|
||||||
representative at an online or offline event. Representation of a project may be
|
|
||||||
further defined and clarified by project maintainers.
|
|
||||||
|
|
||||||
## Enforcement
|
## Enforcement
|
||||||
|
|
||||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
|
||||||
reported by contacting the project team at contact@containo.us
|
All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.
|
||||||
All complaints will be reviewed and investigated and will result in a response that
|
The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
|
||||||
is deemed necessary and appropriate to the circumstances. The project team is
|
|
||||||
obligated to maintain confidentiality with regard to the reporter of an incident.
|
|
||||||
Further details of specific enforcement policies may be posted separately.
|
Further details of specific enforcement policies may be posted separately.
|
||||||
|
|
||||||
Project maintainers who do not follow or enforce the Code of Conduct in good
|
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
|
||||||
faith may face temporary or permanent repercussions as determined by other
|
|
||||||
members of the project's leadership.
|
|
||||||
|
|
||||||
## Attribution
|
## Attribution
|
||||||
|
|
||||||
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
|
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
|
||||||
available at [http://contributor-covenant.org/version/1/4][version]
|
|
||||||
|
|
||||||
[homepage]: http://contributor-covenant.org
|
[homepage]: http://contributor-covenant.org
|
||||||
[version]: http://contributor-covenant.org/version/1/4/
|
[version]: http://contributor-covenant.org/version/1/4/
|
296
CONTRIBUTING.md
|
@ -1,297 +1,3 @@
|
||||||
# Contributing
|
# Contributing
|
||||||
|
|
||||||
## Building
|
See https://docs.traefik.io.
|
||||||
|
|
||||||
You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
|
|
||||||
For changes to its dependencies, the `dep` dependency management tool is required.
|
|
||||||
|
|
||||||
### Method 1: Using `Docker` and `Makefile`
|
|
||||||
|
|
||||||
You need to run the `binary` target. This will create binaries for Linux platform in the `dist` folder.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ make binary
|
|
||||||
docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
|
|
||||||
Sending build context to Docker daemon 295.3 MB
|
|
||||||
Step 0 : FROM golang:1.11-alpine
|
|
||||||
---> 8c6473912976
|
|
||||||
Step 1 : RUN go get github.com/golang/dep/cmd/dep
|
|
||||||
[...]
|
|
||||||
docker run --rm -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
|
|
||||||
---> Making bundle: generate (in .)
|
|
||||||
removed 'gen.go'
|
|
||||||
|
|
||||||
---> Making bundle: binary (in .)
|
|
||||||
|
|
||||||
$ ls dist/
|
|
||||||
traefik*
|
|
||||||
```
|
|
||||||
|
|
||||||
### Method 2: Using `go`
|
|
||||||
|
|
||||||
##### Setting up your `go` environment
|
|
||||||
|
|
||||||
- You need `go` v1.9+
|
|
||||||
- It is recommended you clone Traefik into a directory like `~/go/src/github.com/containous/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
|
|
||||||
- Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
export GOPATH=~/go
|
|
||||||
export PATH=$PATH:$GOPATH/bin
|
|
||||||
```
|
|
||||||
|
|
||||||
> Note: You will want to add those 2 export lines to your `.bashrc` or `.bash_profile`
|
|
||||||
|
|
||||||
- Verify your environment is setup properly by running `$ go env`. Depending on your OS and environment you should see output similar to:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
GOARCH="amd64"
|
|
||||||
GOBIN=""
|
|
||||||
GOEXE=""
|
|
||||||
GOHOSTARCH="amd64"
|
|
||||||
GOHOSTOS="linux"
|
|
||||||
GOOS="linux"
|
|
||||||
GOPATH="/home/<yourusername>/go"
|
|
||||||
GORACE=""
|
|
||||||
## more go env's will be listed
|
|
||||||
```
|
|
||||||
|
|
||||||
##### Build Traefik
|
|
||||||
|
|
||||||
Once your environment is set up and the Traefik repository cloned you can build Traefik. You need get `go-bindata` once to be able to use `go generate` command as part of the build. The steps to build are:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
cd ~/go/src/github.com/containous/traefik
|
|
||||||
|
|
||||||
# Get go-bindata. Please note, the ellipses are required
|
|
||||||
go get github.com/containous/go-bindata/...
|
|
||||||
|
|
||||||
# Start build
|
|
||||||
|
|
||||||
# generate
|
|
||||||
# (required to merge non-code components into the final binary, such as the web dashboard and provider's Go templates)
|
|
||||||
go generate
|
|
||||||
|
|
||||||
# Standard go build
|
|
||||||
go build ./cmd/traefik
|
|
||||||
# run other commands like tests
|
|
||||||
```
|
|
||||||
|
|
||||||
You will find the Traefik executable in the `~/go/src/github.com/containous/traefik` folder as `traefik`.
|
|
||||||
|
|
||||||
### Updating the templates
|
|
||||||
|
|
||||||
If you happen to update the provider templates (in `/templates`), you need to run `go generate` to update the `autogen` package.
|
|
||||||
|
|
||||||
### Setting up dependency management
|
|
||||||
|
|
||||||
[dep](https://github.com/golang/dep) is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
|
|
||||||
|
|
||||||
You need to use [dep](https://github.com/golang/dep) >= O.4.1.
|
|
||||||
|
|
||||||
If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
|
|
||||||
|
|
||||||
A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
|
|
||||||
The final result must be committed into VCS.
|
|
||||||
|
|
||||||
Here's a full example using dep to add a new dependency:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# install the new main dependency github.com/foo/bar and minimize vendor size
|
|
||||||
$ dep ensure -add github.com/foo/bar
|
|
||||||
# generate (Only required to integrate other components such as web dashboard)
|
|
||||||
$ go generate
|
|
||||||
# Standard go build
|
|
||||||
$ go build ./cmd/traefik
|
|
||||||
# run other commands like tests
|
|
||||||
```
|
|
||||||
|
|
||||||
### Tests
|
|
||||||
|
|
||||||
#### Method 1: `Docker` and `make`
|
|
||||||
|
|
||||||
You can run unit tests using the `test-unit` target and the
|
|
||||||
integration test using the `test-integration` target.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ make test-unit
|
|
||||||
docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
|
|
||||||
# […]
|
|
||||||
docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
|
|
||||||
---> Making bundle: generate (in .)
|
|
||||||
removed 'gen.go'
|
|
||||||
|
|
||||||
---> Making bundle: test-unit (in .)
|
|
||||||
+ go test -cover -coverprofile=cover.out .
|
|
||||||
ok github.com/containous/traefik 0.005s coverage: 4.1% of statements
|
|
||||||
|
|
||||||
Test success
|
|
||||||
```
|
|
||||||
|
|
||||||
For development purposes, you can specify which tests to run by using:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# Run every tests in the MyTest suite
|
|
||||||
TESTFLAGS="-check.f MyTestSuite" make test-integration
|
|
||||||
|
|
||||||
# Run the test "MyTest" in the MyTest suite
|
|
||||||
TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
|
|
||||||
|
|
||||||
# Run every tests starting with "My", in the MyTest suite
|
|
||||||
TESTFLAGS="-check.f MyTestSuite.My" make test-integration
|
|
||||||
|
|
||||||
# Run every tests ending with "Test", in the MyTest suite
|
|
||||||
TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
|
|
||||||
```
|
|
||||||
|
|
||||||
More: https://labix.org/gocheck
|
|
||||||
|
|
||||||
#### Method 2: `go`
|
|
||||||
|
|
||||||
Unit tests can be run from the cloned directory by `$ go test ./...` which should return `ok` similar to:
|
|
||||||
|
|
||||||
```
|
|
||||||
ok _/home/user/go/src/github/containous/traefik 0.004s
|
|
||||||
```
|
|
||||||
|
|
||||||
Integration tests must be run from the `integration/` directory and require the `-integration` switch to be passed like this: `$ cd integration && go test -integration ./...`.
|
|
||||||
|
|
||||||
## Documentation
|
|
||||||
|
|
||||||
The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
|
|
||||||
|
|
||||||
### Building Documentation
|
|
||||||
|
|
||||||
#### Method 1: `Docker` and `make`
|
|
||||||
|
|
||||||
You can build the documentation and serve it locally with livereloading, using the `docs` target:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ make docs
|
|
||||||
docker build -t traefik-docs -f docs.Dockerfile .
|
|
||||||
# […]
|
|
||||||
docker run --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
|
|
||||||
# […]
|
|
||||||
[I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
|
|
||||||
[I 170828 20:47:48 handlers:60] Start watching changes
|
|
||||||
[I 170828 20:47:48 handlers:62] Start detecting changes
|
|
||||||
```
|
|
||||||
|
|
||||||
And go to [http://127.0.0.1:8000](http://127.0.0.1:8000).
|
|
||||||
|
|
||||||
If you only want to build the documentation without serving it locally, you can use the following command:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ make docs-build
|
|
||||||
...
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Method 2: `mkdocs`
|
|
||||||
|
|
||||||
First make sure you have python and pip installed
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ python --version
|
|
||||||
Python 2.7.2
|
|
||||||
$ pip --version
|
|
||||||
pip 1.5.2
|
|
||||||
```
|
|
||||||
|
|
||||||
Then install mkdocs with pip
|
|
||||||
|
|
||||||
```bash
|
|
||||||
pip install --user -r requirements.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
To build documentation locally and serve it locally,
|
|
||||||
run `mkdocs serve` in the root directory,
|
|
||||||
this should start a server locally to preview your changes.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ mkdocs serve
|
|
||||||
INFO - Building documentation...
|
|
||||||
INFO - Cleaning site directory
|
|
||||||
[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
|
|
||||||
[I 160505 22:31:24 handlers:59] Start watching changes
|
|
||||||
[I 160505 22:31:24 handlers:61] Start detecting changes
|
|
||||||
```
|
|
||||||
|
|
||||||
### Verify Documentation
|
|
||||||
|
|
||||||
You can verify that the documentation meets some expectations, as checking for dead links, html markup validity.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ make docs-verify
|
|
||||||
docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
|
|
||||||
...
|
|
||||||
docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
|
|
||||||
=== Checking HTML content...
|
|
||||||
Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
|
|
||||||
```
|
|
||||||
|
|
||||||
If you recently changed the documentation, do not forget to clean it to have it rebuilt:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ make docs-clean docs-verify
|
|
||||||
...
|
|
||||||
```
|
|
||||||
|
|
||||||
Please note that verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
DOCS_VERIFY_SKIP=true make docs-verify
|
|
||||||
...
|
|
||||||
DOCS_LINT_SKIP is true: no linting done.
|
|
||||||
```
|
|
||||||
|
|
||||||
## How to Write a Good Issue
|
|
||||||
|
|
||||||
Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests.
|
|
||||||
|
|
||||||
For end-user related support questions, refer to one of the following:
|
|
||||||
- the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
|
|
||||||
- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
|
|
||||||
|
|
||||||
### Title
|
|
||||||
|
|
||||||
The title must be short and descriptive. (~60 characters)
|
|
||||||
|
|
||||||
### Description
|
|
||||||
|
|
||||||
- Respect the issue template as much as possible. [template](.github/ISSUE_TEMPLATE.md)
|
|
||||||
- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
|
|
||||||
- Explain the conditions which led you to write this issue: the context.
|
|
||||||
- The context should lead to something, an idea or a problem that you’re facing.
|
|
||||||
- Remain clear and concise.
|
|
||||||
- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
|
|
||||||
|
|
||||||
|
|
||||||
## How to Write a Good Pull Request
|
|
||||||
|
|
||||||
### Title
|
|
||||||
|
|
||||||
The title must be short and descriptive. (~60 characters)
|
|
||||||
|
|
||||||
### Description
|
|
||||||
|
|
||||||
- Respect the pull request template as much as possible. [template](.github/PULL_REQUEST_TEMPLATE.md)
|
|
||||||
- Explain the conditions which led you to write this PR: the context.
|
|
||||||
- The context should lead to something, an idea or a problem that you’re facing.
|
|
||||||
- Remain clear and concise.
|
|
||||||
- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
|
|
||||||
|
|
||||||
### Content
|
|
||||||
|
|
||||||
- Make it small.
|
|
||||||
- Do only one thing.
|
|
||||||
- Write useful descriptions and titles.
|
|
||||||
- Avoid re-formatting.
|
|
||||||
- Make sure the code builds.
|
|
||||||
- Make sure all tests pass.
|
|
||||||
- Add tests.
|
|
||||||
- Address review comments in terms of additional commits.
|
|
||||||
- Do not amend/squash existing ones unless the PR is trivial.
|
|
||||||
- If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
|
|
||||||
|
|
||||||
|
|
||||||
Read [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
|
|
||||||
|
|
33
Makefile
|
@ -1,4 +1,4 @@
|
||||||
.PHONY: all docs-verify docs docs-clean docs-build
|
.PHONY: all docs docs-serve
|
||||||
|
|
||||||
TRAEFIK_ENVS := \
|
TRAEFIK_ENVS := \
|
||||||
-e OS_ARCH_ARG \
|
-e OS_ARCH_ARG \
|
||||||
|
@ -21,18 +21,11 @@ TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
|
||||||
REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
|
REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
|
||||||
TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
|
TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
|
||||||
INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
|
INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
|
||||||
TRAEFIK_DOC_IMAGE := traefik-docs
|
|
||||||
TRAEFIK_DOC_VERIFY_IMAGE := $(TRAEFIK_DOC_IMAGE)-verify
|
|
||||||
DOCS_VERIFY_SKIP ?= false
|
|
||||||
|
|
||||||
DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
|
DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
|
||||||
DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
|
DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
|
||||||
DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
|
DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
|
||||||
DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
|
DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
|
||||||
DOCKER_RUN_DOC_PORT := 8000
|
|
||||||
DOCKER_RUN_DOC_MOUNT := -v $(CURDIR):/mkdocs
|
|
||||||
DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNT) -p $(DOCKER_RUN_DOC_PORT):8000
|
|
||||||
|
|
||||||
|
|
||||||
print-%: ; @echo $*=$($*)
|
print-%: ; @echo $*=$($*)
|
||||||
|
|
||||||
|
@ -96,27 +89,11 @@ image-dirty: binary ## build a docker traefik image
|
||||||
image: clear-static binary ## clean up static directory and build a docker traefik image
|
image: clear-static binary ## clean up static directory and build a docker traefik image
|
||||||
docker build -t $(TRAEFIK_IMAGE) .
|
docker build -t $(TRAEFIK_IMAGE) .
|
||||||
|
|
||||||
docs-image:
|
docs:
|
||||||
docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile .
|
make -C ./docs docs
|
||||||
|
|
||||||
docs: docs-image
|
docs-serve:
|
||||||
docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs serve
|
make -C ./docs docs-serve
|
||||||
|
|
||||||
docs-build: site
|
|
||||||
|
|
||||||
docs-verify: site
|
|
||||||
ifeq ($(DOCS_VERIFY_SKIP),false)
|
|
||||||
docker build -t $(TRAEFIK_DOC_VERIFY_IMAGE) ./script/docs-verify-docker-image
|
|
||||||
docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOC_VERIFY_IMAGE)
|
|
||||||
else
|
|
||||||
@echo "DOCS_LINT_SKIP is true: no linting done."
|
|
||||||
endif
|
|
||||||
|
|
||||||
site: docs-image
|
|
||||||
docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs build
|
|
||||||
|
|
||||||
docs-clean:
|
|
||||||
rm -rf $(CURDIR)/site
|
|
||||||
|
|
||||||
clear-static:
|
clear-static:
|
||||||
rm -rf static
|
rm -rf static
|
||||||
|
|
1
docs/.dockerignore
Normal file
|
@ -0,0 +1 @@
|
||||||
|
site/
|
9
docs/.markdownlint.json
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"no-hard-tabs": false,
|
||||||
|
"MD007": { "indent": 4 },
|
||||||
|
"MD009": false,
|
||||||
|
"MD013": false,
|
||||||
|
"MD026": false,
|
||||||
|
"MD033": false,
|
||||||
|
"MD034": false
|
||||||
|
}
|
52
docs/Makefile
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
|
||||||
|
#######
|
||||||
|
# This Makefile contains all targets related to the documentation
|
||||||
|
#######
|
||||||
|
|
||||||
|
DOCS_VERIFY_SKIP ?= false
|
||||||
|
DOCS_LINT_SKIP ?= false
|
||||||
|
|
||||||
|
TRAEFIK_DOCS_BUILD_IMAGE ?= traefik-docs
|
||||||
|
TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check
|
||||||
|
|
||||||
|
SITE_DIR := $(CURDIR)/site
|
||||||
|
|
||||||
|
DOCKER_RUN_DOC_PORT := 8000
|
||||||
|
DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
|
||||||
|
DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000
|
||||||
|
|
||||||
|
# Default: generates the documentation into $(SITE_DIR)
|
||||||
|
docs: docs-clean docs-image docs-lint docs-build docs-verify
|
||||||
|
|
||||||
|
# Writer Mode: build and serve docs on http://localhost:8000 with livereload
|
||||||
|
docs-serve: docs-image
|
||||||
|
docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve
|
||||||
|
|
||||||
|
# Utilities Targets for each step
|
||||||
|
docs-image:
|
||||||
|
docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./
|
||||||
|
|
||||||
|
docs-build: docs-image
|
||||||
|
docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) sh -c "mkdocs build \
|
||||||
|
&& chown -R $(shell id -u):$(shell id -g) ./site"
|
||||||
|
|
||||||
|
docs-verify: docs-build
|
||||||
|
@if [ "$(DOCS_VERIFY_SKIP)" != "true" ]; then \
|
||||||
|
docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./; \
|
||||||
|
docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /verify.sh; \
|
||||||
|
else \
|
||||||
|
@echo "DOCS_VERIFY_SKIP is true: no verification done."; \
|
||||||
|
fi
|
||||||
|
|
||||||
|
docs-lint:
|
||||||
|
@if [ "$(DOCS_LINT_SKIP)" != "true" ]; then \
|
||||||
|
docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./ && \
|
||||||
|
docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /lint.sh; \
|
||||||
|
else \
|
||||||
|
@echo "DOCS_LINT_SKIP is true: no linting done."; \
|
||||||
|
fi
|
||||||
|
|
||||||
|
docs-clean:
|
||||||
|
rm -rf $(SITE_DIR)
|
||||||
|
|
||||||
|
.PHONY: all docs-verify docs docs-clean docs-build docs-lint
|
769
docs/basics.md
|
@ -1,769 +0,0 @@
|
||||||
# Basics
|
|
||||||
|
|
||||||
## Concepts
|
|
||||||
|
|
||||||
Let's take our example from the [overview](/#overview) again:
|
|
||||||
|
|
||||||
|
|
||||||
> Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services.
|
|
||||||
> If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths:
|
|
||||||
|
|
||||||
> - domain `api.domain.com` will point the microservice `api` in your private network
|
|
||||||
> - path `domain.com/web` will point the microservice `web` in your private network
|
|
||||||
> - domain `backoffice.domain.com` will point the microservices `backoffice` in your private network, load-balancing between your multiple instances
|
|
||||||
|
|
||||||
> ![Architecture](img/architecture.png)
|
|
||||||
|
|
||||||
Let's zoom on Traefik and have an overview of its internal architecture:
|
|
||||||
|
|
||||||
|
|
||||||
![Architecture](img/internal.png)
|
|
||||||
|
|
||||||
- Incoming requests end on [entrypoints](#entrypoints), as the name suggests, they are the network entry points into Traefik (listening port, SSL, traffic redirection...).
|
|
||||||
- Traffic is then forwarded to a matching [frontend](#frontends). A frontend defines routes from [entrypoints](#entrypoints) to [backends](#backends).
|
|
||||||
Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can match or not a request.
|
|
||||||
- The [frontend](#frontends) will then send the request to a [backend](#backends). A backend can be composed by one or more [servers](#servers), and by a load-balancing strategy.
|
|
||||||
- Finally, the [server](#servers) will forward the request to the corresponding microservice in the private network.
|
|
||||||
|
|
||||||
### Entrypoints
|
|
||||||
|
|
||||||
Entrypoints are the network entry points into Traefik.
|
|
||||||
They can be defined using:
|
|
||||||
|
|
||||||
- a port (80, 443...)
|
|
||||||
- SSL (Certificates, Keys, authentication with a client certificate signed by a trusted CA...)
|
|
||||||
- redirection to another entrypoint (redirect `HTTP` to `HTTPS`)
|
|
||||||
|
|
||||||
Here is an example of entrypoints definition:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "tests/traefik.crt"
|
|
||||||
keyFile = "tests/traefik.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
- Two entrypoints are defined `http` and `https`.
|
|
||||||
- `http` listens on port `80` and `https` on port `443`.
|
|
||||||
- We enable SSL on `https` by giving a certificate and a key.
|
|
||||||
- We also redirect all the traffic from entrypoint `http` to `https`.
|
|
||||||
|
|
||||||
And here is another example with client certificate authentication:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[entryPoints.https.tls.ClientCA]
|
|
||||||
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
|
|
||||||
optional = false
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "tests/traefik.crt"
|
|
||||||
keyFile = "tests/traefik.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
- We enable SSL on `https` by giving a certificate and a key.
|
|
||||||
- One or several files containing Certificate Authorities in PEM format are added.
|
|
||||||
- It is possible to have multiple CA:s in the same file or keep them in separate files.
|
|
||||||
|
|
||||||
### Frontends
|
|
||||||
|
|
||||||
A frontend consists of a set of rules that determine how incoming requests are forwarded from an entrypoint to a backend.
|
|
||||||
|
|
||||||
Rules may be classified in one of two groups: Modifiers and matchers.
|
|
||||||
|
|
||||||
#### Modifiers
|
|
||||||
|
|
||||||
Modifier rules only modify the request. They do not have any impact on routing decisions being made.
|
|
||||||
|
|
||||||
Following is the list of existing modifier rules:
|
|
||||||
|
|
||||||
- `AddPrefix: /products`: Add path prefix to the existing request path prior to forwarding the request to the backend.
|
|
||||||
- `ReplacePath: /serverless-path`: Replaces the path and adds the old path to the `X-Replaced-Path` header. Useful for mapping to AWS Lambda or Google Cloud Functions.
|
|
||||||
- `ReplacePathRegex: ^/api/v2/(.*) /api/$1`: Replaces the path with a regular expression and adds the old path to the `X-Replaced-Path` header. Separate the regular expression and the replacement by a space.
|
|
||||||
|
|
||||||
#### Matchers
|
|
||||||
|
|
||||||
Matcher rules determine if a particular request should be forwarded to a backend.
|
|
||||||
|
|
||||||
The associativity rule is the following:
|
|
||||||
|
|
||||||
- `,` is the `OR` operator (works **only inside a matcher**, ex: `Host:foo.com,bar.com`).
|
|
||||||
- i.e., forward a request if any rule matches.
|
|
||||||
- Does not work for `Headers` and `HeadersRegexp`.
|
|
||||||
- `;` is the `AND` operator (works **only between matchers**, ex: `Host:foo.com;Path:/bar`)
|
|
||||||
- i.e., forward a request if all rules match
|
|
||||||
|
|
||||||
Following is the list of existing matcher rules along with examples:
|
|
||||||
|
|
||||||
| Matcher | Description |
|
|
||||||
|------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `Headers: Content-Type, application/json` | Match HTTP header. It accepts a comma-separated key/value pair where both key and value must be literals. |
|
|
||||||
| `HeadersRegexp: Content-Type, application/(text/json)` | Match HTTP header. It accepts a comma-separated key/value pair where the key must be a literal and the value may be a literal or a regular expression. |
|
|
||||||
| `Host: traefik.io, www.traefik.io` | Match request host. It accepts a sequence of literal hosts. |
|
|
||||||
| `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io` | Match request host. It accepts a sequence of literal and regular expression hosts. |
|
|
||||||
| `Method: GET, POST, PUT` | Match request HTTP method. It accepts a sequence of HTTP methods. |
|
|
||||||
| `Path: /products/, /articles/{category}/{id:[0-9]+}` | Match exact request path. It accepts a sequence of literal and regular expression paths. |
|
|
||||||
| `PathStrip: /products/` | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal paths. |
|
|
||||||
| `PathStripRegex: /articles/{category}/{id:[0-9]+}` | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression paths. |
|
|
||||||
| `PathPrefix: /products/, /articles/{category}/{id:[0-9]+}` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. |
|
|
||||||
| `PathPrefixStrip: /products/` | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. |
|
|
||||||
| `PathPrefixStripRegex: /articles/{category}/{id:[0-9]+}` | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. |
|
|
||||||
| `Query: foo=bar, bar=baz` | Match Query String parameters. It accepts a sequence of key=value pairs. |
|
|
||||||
|
|
||||||
In order to use regular expressions with Host and Path matchers, you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`).
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The variable has no special meaning; however, it is required by the [gorilla/mux](https://github.com/gorilla/mux) dependency which embeds the regular expression and defines the syntax.
|
|
||||||
|
|
||||||
You can optionally enable `passHostHeader` to forward client `Host` header to the backend.
|
|
||||||
You can also optionally configure the `passTLSClientCert` option to pass the Client certificates to the backend in a specific header.
|
|
||||||
|
|
||||||
##### Path Matcher Usage Guidelines
|
|
||||||
|
|
||||||
This section explains when to use the various path matchers.
|
|
||||||
|
|
||||||
Use `Path` if your backend listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`.
|
|
||||||
|
|
||||||
Use a `*Prefix*` matcher if your backend listens on a particular base path but also serves requests on sub-paths.
|
|
||||||
For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
|
|
||||||
Since the path is forwarded as-is, your backend is expected to listen on `/products`.
|
|
||||||
|
|
||||||
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
|
|
||||||
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
|
|
||||||
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
|
|
||||||
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
|
|
||||||
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
|
|
||||||
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
|
|
||||||
|
|
||||||
Instead of distinguishing your backends by path only, you can add a Host matcher to the mix.
|
|
||||||
That way, namespacing of your backends happens on the basis of hosts in addition to paths.
|
|
||||||
|
|
||||||
#### Examples
|
|
||||||
|
|
||||||
Here is an example of frontends definition:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "Host:test.localhost,test2.localhost"
|
|
||||||
[frontends.frontend2]
|
|
||||||
backend = "backend1"
|
|
||||||
passHostHeader = true
|
|
||||||
[frontends.frontend2.passTLSClientCert]
|
|
||||||
pem = true
|
|
||||||
priority = 10
|
|
||||||
entrypoints = ["https"] # overrides defaultEntryPoints
|
|
||||||
[frontends.frontend2.routes.test_1]
|
|
||||||
rule = "HostRegexp:localhost,{subdomain:[a-z]+}.localhost"
|
|
||||||
[frontends.frontend3]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend3.routes.test_1]
|
|
||||||
rule = "Host:test3.localhost;Path:/test"
|
|
||||||
```
|
|
||||||
|
|
||||||
- Three frontends are defined: `frontend1`, `frontend2` and `frontend3`
|
|
||||||
- `frontend1` will forward the traffic to the `backend2` if the rule `Host:test.localhost,test2.localhost` is matched
|
|
||||||
- `frontend2` will forward the traffic to the `backend1` if the rule `HostRegexp:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
|
|
||||||
- `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched
|
|
||||||
|
|
||||||
#### Combining multiple rules
|
|
||||||
|
|
||||||
As seen in the previous example, you can combine multiple rules.
|
|
||||||
In TOML file, you can use multiple routes:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends.frontend3]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend3.routes.test_1]
|
|
||||||
rule = "Host:test3.localhost"
|
|
||||||
[frontends.frontend3.routes.test_2]
|
|
||||||
rule = "Path:/test"
|
|
||||||
```
|
|
||||||
|
|
||||||
Here `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched.
|
|
||||||
|
|
||||||
You can also use the notation using a `;` separator, same result:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends.frontend3]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend3.routes.test_1]
|
|
||||||
rule = "Host:test3.localhost;Path:/test"
|
|
||||||
```
|
|
||||||
|
|
||||||
Finally, you can create a rule to bind multiple domains or Path to a frontend, using the `,` separator:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends.frontend2]
|
|
||||||
[frontends.frontend2.routes.test_1]
|
|
||||||
rule = "Host:test1.localhost,test2.localhost"
|
|
||||||
[frontends.frontend3]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend3.routes.test_1]
|
|
||||||
rule = "Path:/test1,/test2"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Rules Order
|
|
||||||
|
|
||||||
When combining `Modifier` rules with `Matcher` rules, it is important to remember that `Modifier` rules **ALWAYS** apply after the `Matcher` rules.
|
|
||||||
|
|
||||||
The following rules are both `Matchers` and `Modifiers`, so the `Matcher` portion of the rule will apply first, and the `Modifier` will apply later.
|
|
||||||
|
|
||||||
- `PathStrip`
|
|
||||||
- `PathStripRegex`
|
|
||||||
- `PathPrefixStrip`
|
|
||||||
- `PathPrefixStripRegex`
|
|
||||||
|
|
||||||
`Modifiers` will be applied in a pre-determined order regardless of their order in the `rule` configuration section.
|
|
||||||
|
|
||||||
1. `PathStrip`
|
|
||||||
2. `PathPrefixStrip`
|
|
||||||
3. `PathStripRegex`
|
|
||||||
4. `PathPrefixStripRegex`
|
|
||||||
5. `AddPrefix`
|
|
||||||
6. `ReplacePath`
|
|
||||||
|
|
||||||
#### Priorities
|
|
||||||
|
|
||||||
By default, routes will be sorted (in descending order) using rules length (to avoid path overlap):
|
|
||||||
- `PathPrefix:/foo;Host:foo.com` (length == 28) will be matched before `PathPrefixStrip:/foobar` (length == 23) will be matched before `PathPrefix:/foo,/bar` (length == 20).
|
|
||||||
- A priority value of 0 will be ignored, so the default value will be calculated (rules length).
|
|
||||||
|
|
||||||
You can customize priority by frontend. The priority value override the rule length during sorting:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
priority = 20
|
|
||||||
passHostHeader = true
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "PathPrefix:/to"
|
|
||||||
[frontends.frontend2]
|
|
||||||
backend = "backend2"
|
|
||||||
passHostHeader = true
|
|
||||||
[frontends.frontend2.routes.test_1]
|
|
||||||
rule = "PathPrefix:/toto"
|
|
||||||
```
|
|
||||||
|
|
||||||
Here, `frontend1` will be matched before `frontend2` (`20 > 16`).
|
|
||||||
|
|
||||||
#### Custom headers
|
|
||||||
|
|
||||||
Custom headers can be configured through the frontends, to add headers to either requests or responses that match the frontend's rules.
|
|
||||||
This allows for setting headers such as `X-Script-Name` to be added to the request, or custom headers to be added to the response.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
If the custom header name is the same as one header name of the request or response, it will be replaced.
|
|
||||||
|
|
||||||
In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request and the `X-Custom-Response-Header` header added to the response.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.headers.customresponseheaders]
|
|
||||||
X-Custom-Response-Header = "True"
|
|
||||||
[frontends.frontend1.headers.customrequestheaders]
|
|
||||||
X-Script-Name = "test"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "PathPrefixStrip:/cheese"
|
|
||||||
```
|
|
||||||
|
|
||||||
In this second example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.headers.customresponseheaders]
|
|
||||||
X-Custom-Response-Header = ""
|
|
||||||
[frontends.frontend1.headers.customrequestheaders]
|
|
||||||
X-Script-Name = "test"
|
|
||||||
X-Custom-Request-Header = ""
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "PathPrefixStrip:/cheese"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Security headers
|
|
||||||
|
|
||||||
Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
|
|
||||||
This functionality allows for some easy security features to quickly be set.
|
|
||||||
|
|
||||||
An example of some of the security headers:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.headers]
|
|
||||||
FrameDeny = true
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "PathPrefixStrip:/cheddar"
|
|
||||||
[frontends.frontend2]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend2.headers]
|
|
||||||
SSLRedirect = true
|
|
||||||
[frontends.frontend2.routes.test_1]
|
|
||||||
rule = "PathPrefixStrip:/stilton"
|
|
||||||
```
|
|
||||||
|
|
||||||
In this example, traffic routed through the first frontend will have the `X-Frame-Options` header set to `DENY`, and the second will only allow HTTPS request through, otherwise will return a 301 HTTPS redirect.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The detailed documentation for those security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
|
|
||||||
|
|
||||||
### Backends
|
|
||||||
|
|
||||||
A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers.
|
|
||||||
|
|
||||||
#### Servers
|
|
||||||
|
|
||||||
Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Paths in `url` are ignored. Use `Modifier` to specify paths instead.
|
|
||||||
|
|
||||||
Here is an example of backends and servers definition:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
# ...
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
url = "http://172.17.0.2:80"
|
|
||||||
weight = 10
|
|
||||||
[backends.backend1.servers.server2]
|
|
||||||
url = "http://172.17.0.3:80"
|
|
||||||
weight = 1
|
|
||||||
[backends.backend2]
|
|
||||||
# ...
|
|
||||||
[backends.backend2.servers.server1]
|
|
||||||
url = "https://172.17.0.4:443"
|
|
||||||
weight = 1
|
|
||||||
[backends.backend2.servers.server2]
|
|
||||||
url = "https://172.17.0.5:443"
|
|
||||||
weight = 2
|
|
||||||
[backends.backend3]
|
|
||||||
# ...
|
|
||||||
[backends.backend3.servers.server1]
|
|
||||||
url = "h2c://172.17.0.6:80"
|
|
||||||
weight = 1
|
|
||||||
```
|
|
||||||
|
|
||||||
- Two backends are defined: `backend1` and `backend2`
|
|
||||||
- `backend1` will forward the traffic to two servers: `172.17.0.2:80` with weight `10` and `172.17.0.3:80` with weight `1`.
|
|
||||||
- `backend2` will forward the traffic to two servers: `172.17.0.4:443` with weight `1` and `172.17.0.5:443` with weight `2` both using TLS.
|
|
||||||
- `backend3` will forward the traffic to: `172.17.0.6:80` with weight `1` using HTTP2 without TLS.
|
|
||||||
|
|
||||||
#### Load-balancing
|
|
||||||
|
|
||||||
Various methods of load-balancing are supported:
|
|
||||||
|
|
||||||
- `wrr`: Weighted Round Robin.
|
|
||||||
- `drr`: Dynamic Round Robin: increases weights on servers that perform better than others.
|
|
||||||
It also rolls back to original weights if the servers have changed.
|
|
||||||
|
|
||||||
#### Circuit breakers
|
|
||||||
|
|
||||||
A circuit breaker can also be applied to a backend, preventing high loads on failing servers.
|
|
||||||
Initial state is Standby. CB observes the statistics and does not modify the request.
|
|
||||||
In case the condition matches, CB enters Tripped state, where it responds with predefined code or redirects to another frontend.
|
|
||||||
Once Tripped timer expires, CB enters Recovering state and resets all stats.
|
|
||||||
In case the condition does not match and recovery timer expires, CB enters Standby state.
|
|
||||||
|
|
||||||
It can be configured using:
|
|
||||||
|
|
||||||
- Methods: `LatencyAtQuantileMS`, `NetworkErrorRatio`, `ResponseCodeRatio`
|
|
||||||
- Operators: `AND`, `OR`, `EQ`, `NEQ`, `LT`, `LE`, `GT`, `GE`
|
|
||||||
|
|
||||||
For example:
|
|
||||||
|
|
||||||
- `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window for a frontend.
|
|
||||||
- `LatencyAtQuantileMS(50.0) > 50`: watch latency at quantile in milliseconds.
|
|
||||||
- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in ranges [500-600) and [0-600).
|
|
||||||
|
|
||||||
Here is an example of backends and servers definition:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.circuitbreaker]
|
|
||||||
expression = "NetworkErrorRatio() > 0.5"
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
url = "http://172.17.0.2:80"
|
|
||||||
weight = 10
|
|
||||||
[backends.backend1.servers.server2]
|
|
||||||
url = "http://172.17.0.3:80"
|
|
||||||
weight = 1
|
|
||||||
```
|
|
||||||
|
|
||||||
- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy.
|
|
||||||
- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
|
|
||||||
|
|
||||||
#### Maximum connections
|
|
||||||
|
|
||||||
To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can also be applied to each backend.
|
|
||||||
|
|
||||||
Maximum connections can be configured by specifying an integer value for `maxconn.amount` and `maxconn.extractorfunc` which is a strategy used to determine how to categorize requests in order to evaluate the maximum connections.
|
|
||||||
|
|
||||||
For example:
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.maxconn]
|
|
||||||
amount = 10
|
|
||||||
extractorfunc = "request.host"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
- `backend1` will return `HTTP code 429 Too Many Requests` if there are already 10 requests in progress for the same Host header.
|
|
||||||
- Another possible value for `extractorfunc` is `client.ip` which will categorize requests based on client source ip.
|
|
||||||
- Lastly `extractorfunc` can take the value of `request.header.ANY_HEADER` which will categorize requests based on `ANY_HEADER` that you provide.
|
|
||||||
|
|
||||||
#### Sticky sessions
|
|
||||||
|
|
||||||
Sticky sessions are supported with both load balancers.
|
|
||||||
When sticky sessions are enabled, a cookie is set on the initial request.
|
|
||||||
The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
|
|
||||||
On subsequent requests, the client will be directed to the backend stored in the cookie if it is still healthy.
|
|
||||||
If not, a new backend will be assigned.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
# Enable sticky session
|
|
||||||
[backends.backend1.loadbalancer.stickiness]
|
|
||||||
|
|
||||||
# Customize the cookie name
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: a sha1 (6 chars)
|
|
||||||
#
|
|
||||||
# cookieName = "my_cookie"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Health Check
|
|
||||||
|
|
||||||
A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `2xx` or `3xx` to HTTP GET requests periodically carried out by Traefik.
|
|
||||||
The check is defined by a path appended to the backend URL and an interval specifying how often the health check should be executed (the default being 30 seconds.)
|
|
||||||
Each backend must respond to the health check within a timeout duration (the default being 5 seconds.)
|
|
||||||
Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
|
|
||||||
The interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second.
|
|
||||||
By default, the port of the backend server is used, however, this may be overridden.
|
|
||||||
|
|
||||||
A recovering backend returning `2xx` or `3xx` responses again is being returned to the LB rotation pool.
|
|
||||||
|
|
||||||
For example:
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.healthcheck]
|
|
||||||
path = "/health"
|
|
||||||
interval = "10s"
|
|
||||||
timeout = "3s"
|
|
||||||
```
|
|
||||||
|
|
||||||
To use a different port for the health check:
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.healthcheck]
|
|
||||||
path = "/health"
|
|
||||||
interval = "10s"
|
|
||||||
timeout = "3s"
|
|
||||||
port = 8080
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
To use a different scheme for the health check:
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.healthcheck]
|
|
||||||
path = "/health"
|
|
||||||
interval = "10s"
|
|
||||||
timeout = "3s"
|
|
||||||
scheme = "http"
|
|
||||||
```
|
|
||||||
|
|
||||||
Additional http headers and hostname to health check request can be specified, for instance:
|
|
||||||
```toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.healthcheck]
|
|
||||||
path = "/health"
|
|
||||||
interval = "10s"
|
|
||||||
timeout = "3s"
|
|
||||||
hostname = "myhost.com"
|
|
||||||
port = 8080
|
|
||||||
[backends.backend1.healthcheck.headers]
|
|
||||||
My-Custom-Header = "foo"
|
|
||||||
My-Header = "bar"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
Traefik's configuration has two parts:
|
|
||||||
|
|
||||||
- The [static Traefik configuration](/basics#static-traefik-configuration) which is loaded only at the beginning.
|
|
||||||
- The [dynamic Traefik configuration](/basics#dynamic-traefik-configuration) which can be hot-reloaded (no need to restart the process).
|
|
||||||
|
|
||||||
### Static Traefik configuration
|
|
||||||
|
|
||||||
The static configuration is the global configuration which is setting up connections to configuration backends and entrypoints.
|
|
||||||
|
|
||||||
Traefik can be configured using many configuration sources with the following precedence order.
|
|
||||||
Each item takes precedence over the item below it:
|
|
||||||
|
|
||||||
- [Key-value store](/basics/#key-value-stores)
|
|
||||||
- [Arguments](/basics/#arguments)
|
|
||||||
- [Configuration file](/basics/#configuration-file)
|
|
||||||
- Default
|
|
||||||
|
|
||||||
It means that arguments override configuration file, and key-value store overrides arguments.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
the provider-enabling argument parameters (e.g., `--docker`) set all default values for the specific provider.
|
|
||||||
It must not be used if a configuration source with less precedence wants to set a non-default provider value.
|
|
||||||
|
|
||||||
#### Configuration file
|
|
||||||
|
|
||||||
By default, Traefik will try to find a `traefik.toml` in the following places:
|
|
||||||
|
|
||||||
- `/etc/traefik/`
|
|
||||||
- `$HOME/.traefik/`
|
|
||||||
- `.` _the working directory_
|
|
||||||
|
|
||||||
You can override this by setting a `configFile` argument:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik --configFile=foo/bar/myconfigfile.toml
|
|
||||||
```
|
|
||||||
|
|
||||||
Please refer to the [global configuration](/configuration/commons) section to get documentation on it.
|
|
||||||
|
|
||||||
#### Arguments
|
|
||||||
|
|
||||||
Each argument (and command) is described in the help section:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik --help
|
|
||||||
```
|
|
||||||
|
|
||||||
Note that all default values will be displayed as well.
|
|
||||||
|
|
||||||
#### Key-value stores
|
|
||||||
|
|
||||||
Traefik supports several Key-value stores:
|
|
||||||
|
|
||||||
- [Consul](https://consul.io)
|
|
||||||
- [etcd](https://coreos.com/etcd/)
|
|
||||||
- [ZooKeeper](https://zookeeper.apache.org/)
|
|
||||||
- [boltdb](https://github.com/boltdb/bolt)
|
|
||||||
|
|
||||||
Please refer to the [User Guide Key-value store configuration](/user-guide/kv-config/) section to get documentation on it.
|
|
||||||
|
|
||||||
### Dynamic Traefik configuration
|
|
||||||
|
|
||||||
The dynamic configuration concerns :
|
|
||||||
|
|
||||||
- [Frontends](/basics/#frontends)
|
|
||||||
- [Backends](/basics/#backends)
|
|
||||||
- [Servers](/basics/#servers)
|
|
||||||
- HTTPS Certificates
|
|
||||||
|
|
||||||
Traefik can hot-reload those rules which could be provided by [multiple configuration backends](/configuration/commons).
|
|
||||||
|
|
||||||
We only need to enable `watch` option to make Traefik watch configuration backend changes and generate its configuration automatically.
|
|
||||||
Routes to services will be created and updated instantly at any changes.
|
|
||||||
|
|
||||||
Please refer to the [configuration backends](/configuration/commons) section to get documentation on it.
|
|
||||||
|
|
||||||
## Commands
|
|
||||||
|
|
||||||
### traefik
|
|
||||||
|
|
||||||
Usage:
|
|
||||||
```bash
|
|
||||||
traefik [command] [--flag=flag_argument]
|
|
||||||
```
|
|
||||||
|
|
||||||
List of Traefik available commands with description :
|
|
||||||
|
|
||||||
- `version` : Print version
|
|
||||||
- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the [Store Traefik configuration](/user-guide/kv-config/#store-configuration-in-key-value-store) section to get documentation on it.
|
|
||||||
- `bug`: The easiest way to submit a pre-filled issue.
|
|
||||||
- `healthcheck`: Calls Traefik `/ping` to check health.
|
|
||||||
|
|
||||||
Each command may have related flags.
|
|
||||||
|
|
||||||
All those related flags will be displayed with :
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik [command] --help
|
|
||||||
```
|
|
||||||
|
|
||||||
Each command is described at the beginning of the help section:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik --help
|
|
||||||
|
|
||||||
# or
|
|
||||||
|
|
||||||
docker run traefik[:version] --help
|
|
||||||
# ex: docker run traefik:1.5 --help
|
|
||||||
```
|
|
||||||
|
|
||||||
### Command: bug
|
|
||||||
|
|
||||||
Here is the easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/containous/traefik).
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik bug
|
|
||||||
```
|
|
||||||
|
|
||||||
Watch [this demo](https://www.youtube.com/watch?v=Lyz62L8m93I).
|
|
||||||
|
|
||||||
### Command: healthcheck
|
|
||||||
|
|
||||||
This command allows to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy.
|
|
||||||
|
|
||||||
This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The [`ping`](/configuration/ping) must be enabled to allow the `healthcheck` command to call `/ping`.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik healthcheck
|
|
||||||
```
|
|
||||||
```bash
|
|
||||||
OK: http://:8082/ping
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Collected Data
|
|
||||||
|
|
||||||
**This feature is disabled by default.**
|
|
||||||
|
|
||||||
You can read the public proposal on this topic [here](https://github.com/containous/traefik/issues/2369).
|
|
||||||
|
|
||||||
### Why ?
|
|
||||||
|
|
||||||
In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
|
|
||||||
Those data help us prioritize our developments and focus on what's more important (for example, which configuration backend is used and which is not used).
|
|
||||||
|
|
||||||
### What ?
|
|
||||||
|
|
||||||
Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
|
|
||||||
|
|
||||||
- the Traefik version
|
|
||||||
- a hash of the configuration
|
|
||||||
- an **anonymous version** of the static configuration:
|
|
||||||
- token, user name, password, URL, IP, domain, email, etc, are removed
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
We do not collect the dynamic configuration (frontends & backends).
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
We do not collect data behind the scenes to run advertising programs or to sell such data to third-party.
|
|
||||||
|
|
||||||
#### Here is an example
|
|
||||||
|
|
||||||
- Source configuration:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[api]
|
|
||||||
|
|
||||||
[Docker]
|
|
||||||
endpoint = "tcp://10.10.10.10:2375"
|
|
||||||
domain = "foo.bir"
|
|
||||||
exposedByDefault = true
|
|
||||||
swarmMode = true
|
|
||||||
|
|
||||||
[Docker.TLS]
|
|
||||||
ca = "dockerCA"
|
|
||||||
cert = "dockerCert"
|
|
||||||
key = "dockerKey"
|
|
||||||
insecureSkipVerify = true
|
|
||||||
|
|
||||||
[ECS]
|
|
||||||
domain = "foo.bar"
|
|
||||||
exposedByDefault = true
|
|
||||||
clusters = ["foo-bar"]
|
|
||||||
region = "us-west-2"
|
|
||||||
accessKeyID = "AccessKeyID"
|
|
||||||
secretAccessKey = "SecretAccessKey"
|
|
||||||
```
|
|
||||||
|
|
||||||
- Obfuscated and anonymous configuration:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[api]
|
|
||||||
|
|
||||||
[Docker]
|
|
||||||
endpoint = "xxxx"
|
|
||||||
domain = "xxxx"
|
|
||||||
exposedByDefault = true
|
|
||||||
swarmMode = true
|
|
||||||
|
|
||||||
[Docker.TLS]
|
|
||||||
ca = "xxxx"
|
|
||||||
cert = "xxxx"
|
|
||||||
key = "xxxx"
|
|
||||||
insecureSkipVerify = false
|
|
||||||
|
|
||||||
[ECS]
|
|
||||||
domain = "xxxx"
|
|
||||||
exposedByDefault = true
|
|
||||||
clusters = []
|
|
||||||
region = "us-west-2"
|
|
||||||
accessKeyID = "xxxx"
|
|
||||||
secretAccessKey = "xxxx"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Show me the code !
|
|
||||||
|
|
||||||
If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go)
|
|
||||||
|
|
||||||
By default we anonymize all configuration fields, except fields tagged with `export=true`.
|
|
||||||
|
|
||||||
### How to enable this ?
|
|
||||||
|
|
||||||
You can enable the collecting system by:
|
|
||||||
|
|
||||||
- adding this line in the configuration TOML file:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Send anonymous usage data
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
sendAnonymousUsage = true
|
|
||||||
```
|
|
||||||
|
|
||||||
- adding this flag in the CLI:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
./traefik --sendAnonymousUsage=true
|
|
||||||
```
|
|
43
docs/check.Dockerfile
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
|
||||||
|
FROM alpine:3.9 as alpine
|
||||||
|
|
||||||
|
# The "build-dependencies" virtual package provides build tools for html-proofer installation.
|
||||||
|
# It compile ruby-nokogiri, because alpine native version is always out of date
|
||||||
|
# This virtual package is cleaned at the end.
|
||||||
|
RUN apk --no-cache --no-progress add \
|
||||||
|
libcurl \
|
||||||
|
ruby \
|
||||||
|
ruby-bigdecimal \
|
||||||
|
ruby-etc \
|
||||||
|
ruby-ffi \
|
||||||
|
ruby-json \
|
||||||
|
&& apk add --no-cache --virtual build-dependencies \
|
||||||
|
build-base \
|
||||||
|
libcurl \
|
||||||
|
libxml2-dev \
|
||||||
|
libxslt-dev \
|
||||||
|
ruby-dev \
|
||||||
|
&& gem install --no-document html-proofer -v 3.10.2 \
|
||||||
|
&& apk del build-dependencies
|
||||||
|
|
||||||
|
# After Ruby, some NodeJS YAY!
|
||||||
|
RUN apk --no-cache --no-progress add \
|
||||||
|
git \
|
||||||
|
nodejs \
|
||||||
|
npm \
|
||||||
|
&& npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global
|
||||||
|
|
||||||
|
# Finally the shell tools we need for later
|
||||||
|
# tini helps to terminate properly all the parallelized tasks when sending CTRL-C
|
||||||
|
RUN apk --no-cache --no-progress add \
|
||||||
|
ca-certificates \
|
||||||
|
curl \
|
||||||
|
tini
|
||||||
|
|
||||||
|
COPY ./scripts/verify.sh /verify.sh
|
||||||
|
COPY ./scripts/lint.sh /lint.sh
|
||||||
|
|
||||||
|
WORKDIR /app
|
||||||
|
VOLUME ["/tmp","/app"]
|
||||||
|
|
||||||
|
ENTRYPOINT ["/sbin/tini","-g","sh"]
|
|
@ -1,520 +0,0 @@
|
||||||
# ACME (Let's Encrypt) Configuration
|
|
||||||
|
|
||||||
See [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) and [Docker & Let's Encrypt user guide](/user-guide/docker-and-lets-encrypt) as well.
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Sample entrypoint configuration when using ACME.
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
```
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Enable ACME (Let's Encrypt): automatic SSL.
|
|
||||||
[acme]
|
|
||||||
|
|
||||||
# Email address used for registration.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
email = "test@traefik.io"
|
|
||||||
|
|
||||||
# File used for certificates storage.
|
|
||||||
#
|
|
||||||
# Optional (Deprecated)
|
|
||||||
#
|
|
||||||
#storageFile = "acme.json"
|
|
||||||
|
|
||||||
# File or key used for certificates storage.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
storage = "acme.json"
|
|
||||||
# or `storage = "traefik/acme/account"` if using KV store.
|
|
||||||
|
|
||||||
# Entrypoint to proxy acme apply certificates to.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
entryPoint = "https"
|
|
||||||
|
|
||||||
# Deprecated, replaced by [acme.dnsChallenge].
|
|
||||||
#
|
|
||||||
# Optional.
|
|
||||||
#
|
|
||||||
# dnsProvider = "digitalocean"
|
|
||||||
|
|
||||||
# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 0
|
|
||||||
#
|
|
||||||
# delayDontCheckDNS = 0
|
|
||||||
|
|
||||||
# If true, display debug log messages from the acme client library.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# acmeLogging = true
|
|
||||||
|
|
||||||
# If true, override certificates in key-value store when using storeconfig.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# overrideCertificates = true
|
|
||||||
|
|
||||||
# Deprecated. Enable on demand certificate generation.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# onDemand = true
|
|
||||||
|
|
||||||
# Enable certificate generation on frontends host rules.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# onHostRule = true
|
|
||||||
|
|
||||||
# CA server to use.
|
|
||||||
# Uncomment the line to use Let's Encrypt's staging server,
|
|
||||||
# leave commented to go to prod.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "https://acme-v02.api.letsencrypt.org/directory"
|
|
||||||
#
|
|
||||||
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
|
|
||||||
# KeyType to use.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "RSA4096"
|
|
||||||
#
|
|
||||||
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
|
|
||||||
#
|
|
||||||
# KeyType = "RSA4096"
|
|
||||||
|
|
||||||
# Use a TLS-ALPN-01 ACME challenge.
|
|
||||||
#
|
|
||||||
# Optional (but recommended)
|
|
||||||
#
|
|
||||||
[acme.tlsChallenge]
|
|
||||||
|
|
||||||
# Use a HTTP-01 ACME challenge.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [acme.httpChallenge]
|
|
||||||
|
|
||||||
# EntryPoint to use for the HTTP-01 challenges.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
# entryPoint = "http"
|
|
||||||
|
|
||||||
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
|
|
||||||
# Note: mandatory for wildcard certificate generation.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [acme.dnsChallenge]
|
|
||||||
|
|
||||||
# DNS provider used.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
# provider = "digitalocean"
|
|
||||||
|
|
||||||
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
|
|
||||||
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
|
|
||||||
# Useful if internal networks block external DNS queries.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 0
|
|
||||||
#
|
|
||||||
# delayBeforeCheck = 0
|
|
||||||
|
|
||||||
# Use following DNS servers to resolve the FQDN authority.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: empty
|
|
||||||
#
|
|
||||||
# resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
|
|
||||||
|
|
||||||
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
|
|
||||||
#
|
|
||||||
# NOT RECOMMENDED:
|
|
||||||
# Increase the risk of reaching Let's Encrypt's rate limits.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# disablePropagationCheck = true
|
|
||||||
|
|
||||||
# Domains list.
|
|
||||||
# Only domains defined here can generate wildcard certificates.
|
|
||||||
# The certificates for these domains are negotiated at traefik startup only.
|
|
||||||
#
|
|
||||||
# [[acme.domains]]
|
|
||||||
# main = "local1.com"
|
|
||||||
# sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
# [[acme.domains]]
|
|
||||||
# main = "local2.com"
|
|
||||||
# [[acme.domains]]
|
|
||||||
# main = "*.local3.com"
|
|
||||||
# sans = ["local3.com", "test1.test1.local3.com"]
|
|
||||||
```
|
|
||||||
|
|
||||||
### `caServer`
|
|
||||||
|
|
||||||
The CA server to use.
|
|
||||||
|
|
||||||
This example shows the usage of Let's Encrypt's staging server:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
### ACME Challenge
|
|
||||||
|
|
||||||
#### `tlsChallenge`
|
|
||||||
|
|
||||||
Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.tlsChallenge]
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If the `TLS-ALPN-01` challenge is used, `acme.entryPoint` has to be reachable by Let's Encrypt through port 443.
|
|
||||||
This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
|
|
||||||
|
|
||||||
#### `httpChallenge`
|
|
||||||
|
|
||||||
Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning a HTTP resource under a well-known URI.
|
|
||||||
|
|
||||||
Redirection is fully compatible with the `HTTP-01` challenge.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If the `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through port 80.
|
|
||||||
This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
|
|
||||||
|
|
||||||
##### `entryPoint`
|
|
||||||
|
|
||||||
Specify the entryPoint to use during the challenges.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
`acme.httpChallenge.entryPoint` has to be reachable through port 80. It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
|
|
||||||
|
|
||||||
#### `dnsChallenge`
|
|
||||||
|
|
||||||
Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
[acme.dnsChallenge]
|
|
||||||
provider = "digitalocean"
|
|
||||||
delayBeforeCheck = 0
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
##### `delayBeforeCheck`
|
|
||||||
|
|
||||||
By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify.
|
|
||||||
If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds.
|
|
||||||
|
|
||||||
Useful if internal networks block external DNS queries.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
A `provider` is mandatory.
|
|
||||||
|
|
||||||
##### `provider`
|
|
||||||
|
|
||||||
Here is a list of supported `provider`s, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](/configuration/acme/#wildcard-domains) for each.
|
|
||||||
Do not hesitate to complete it.
|
|
||||||
|
|
||||||
| Provider Name | Provider Code | Environment Variables | Wildcard & Root Domain Support |
|
|
||||||
|-------------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
|
|
||||||
| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | Not tested yet |
|
|
||||||
| [Alibaba Cloud](https://www.vultr.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | Not tested yet |
|
|
||||||
| [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | Not tested yet |
|
|
||||||
| [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | Not tested yet |
|
|
||||||
| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | Not tested yet |
|
|
||||||
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | YES |
|
|
||||||
| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | Not tested yet |
|
|
||||||
| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | YES |
|
|
||||||
| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | YES |
|
|
||||||
| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | YES |
|
|
||||||
| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | Not tested yet |
|
|
||||||
| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | Not tested yet |
|
|
||||||
| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | YES |
|
|
||||||
| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | YES |
|
|
||||||
| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | Not tested yet |
|
|
||||||
| External Program | `exec` | `EXEC_PATH` | YES |
|
|
||||||
| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | YES |
|
|
||||||
| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | YES |
|
|
||||||
| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | Not tested yet |
|
|
||||||
| [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | YES |
|
|
||||||
| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | Not tested yet |
|
|
||||||
| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | Not tested yet |
|
|
||||||
| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials (2) (3), [`GCE_SERVICE_ACCOUNT_FILE`] | YES |
|
|
||||||
| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | Not tested yet |
|
|
||||||
| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1) | YES |
|
|
||||||
| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | Not tested yet |
|
|
||||||
| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | YES |
|
|
||||||
| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | Not tested yet |
|
|
||||||
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | Not tested yet |
|
|
||||||
| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | Not tested yet |
|
|
||||||
| manual | - | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>. | YES |
|
|
||||||
| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | YES |
|
|
||||||
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | YES |
|
|
||||||
| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | Not tested yet |
|
|
||||||
| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | Not tested yet |
|
|
||||||
| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | Not tested yet |
|
|
||||||
| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | Not tested yet |
|
|
||||||
| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | Not tested yet |
|
|
||||||
| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | YES |
|
|
||||||
| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | YES |
|
|
||||||
| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | Not tested yet |
|
|
||||||
| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | Not tested yet |
|
|
||||||
| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | Not tested yet |
|
|
||||||
| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | YES |
|
|
||||||
| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | Not tested yet |
|
|
||||||
| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | YES |
|
|
||||||
| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | Not tested yet |
|
|
||||||
| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | YES |
|
|
||||||
| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | Not tested yet |
|
|
||||||
| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | YES |
|
|
||||||
| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | Not tested yet |
|
|
||||||
| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | YES |
|
|
||||||
|
|
||||||
- (1): more information about the HTTP message format can be found [here](https://github.com/xenolf/lego/blob/master/providers/dns/httpreq/readme.md)
|
|
||||||
- (2): https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
|
|
||||||
- (3): https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76
|
|
||||||
|
|
||||||
#### `resolvers`
|
|
||||||
|
|
||||||
Use custom DNS servers to resolve the FQDN authority.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
[acme.dnsChallenge]
|
|
||||||
# ...
|
|
||||||
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
|
|
||||||
```
|
|
||||||
|
|
||||||
### `domains`
|
|
||||||
|
|
||||||
You can provide SANs (alternative domains) to each main domain.
|
|
||||||
All domains must have A/AAAA records pointing to Traefik.
|
|
||||||
Each domain & SAN will lead to a certificate request.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The certificates for the domains listed in `acme.domains` are negotiated at traefik startup only.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local1.com"
|
|
||||||
sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local3.com"
|
|
||||||
sans = ["local3.com", "test1.test1.local3.com"]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
Take note that Let's Encrypt applies [rate limiting](https://letsencrypt.org/docs/rate-limits).
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Wildcard certificates can only be verified through a `DNS-01` challenge.
|
|
||||||
|
|
||||||
#### Wildcard Domains
|
|
||||||
|
|
||||||
[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) allows wildcard certificate support.
|
|
||||||
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](/configuration/acme/#dnschallenge).
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local1.com"
|
|
||||||
sans = ["local1.com"]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
|
|
||||||
Due to ACME limitation it is not possible to define wildcards in SANs (alternative domains). Thus, the wildcard domain has to be defined as a main domain.
|
|
||||||
Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
|
|
||||||
In this case the generated DNS TXT record for both domains is the same.
|
|
||||||
Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a certain time (TTL) and this TTL can be superior to the challenge timeout making the `DNS-01` challenge fail.
|
|
||||||
The Traefik ACME client library [LEGO](https://github.com/xenolf/lego) supports some but not all DNS providers to work around this issue.
|
|
||||||
The [`provider` table](/configuration/acme/#provider) indicates if they allow generating certificates for a wildcard domain and its root domain.
|
|
||||||
|
|
||||||
### `onDemand` (Deprecated)
|
|
||||||
|
|
||||||
!!! danger "DEPRECATED"
|
|
||||||
This option is deprecated.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
onDemand = true
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
Enable on demand certificate generation.
|
|
||||||
|
|
||||||
This will request certificates from Let's Encrypt during the first TLS handshake for host names that do not yet have certificates.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
TLS handshakes are slow when requesting a host name certificate for the first time. This can lead to DoS attacks!
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
Take note that Let's Encrypt applies [rate limiting](https://letsencrypt.org/docs/rate-limits).
|
|
||||||
|
|
||||||
### `onHostRule`
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
onHostRule = true
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
Enable certificate generation on frontend `Host` rules (for frontends wired to the `acme.entryPoint`).
|
|
||||||
|
|
||||||
This will request a certificate from Let's Encrypt for each frontend with a Host rule.
|
|
||||||
|
|
||||||
For example, the rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io`.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
`onHostRule` option can not be used to generate wildcard certificates.
|
|
||||||
Refer to [wildcard generation](/configuration/acme/#wildcard-domains) for further information.
|
|
||||||
|
|
||||||
### `storage`
|
|
||||||
|
|
||||||
The `storage` option sets the location where your ACME certificates are saved to.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
# ...
|
|
||||||
storage = "acme.json"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
The value can refer to two kinds of storage:
|
|
||||||
|
|
||||||
- a JSON file
|
|
||||||
- a KV store entry
|
|
||||||
|
|
||||||
!!! danger "DEPRECATED"
|
|
||||||
`storage` replaces `storageFile` which is deprecated.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
During migration to a KV store use both `storageFile` and `storage` to migrate ACME certificates too. See [`storeconfig` subcommand](/user-guide/kv-config/#store-configuration-in-key-value-store) for further information.
|
|
||||||
|
|
||||||
#### As a File
|
|
||||||
|
|
||||||
ACME certificates can be stored in a JSON file that needs to have file mode `600`.
|
|
||||||
|
|
||||||
In Docker you can either mount the JSON file or the folder containing it:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
docker run -v "/my/host/acme.json:acme.json" traefik
|
|
||||||
```
|
|
||||||
```bash
|
|
||||||
docker run -v "/my/host/acme:/etc/traefik/acme" traefik
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
This file cannot be shared across multiple instances of Traefik at the same time. Please use a [KV Store entry](/configuration/acme/#as-a-key-value-store-entry) instead.
|
|
||||||
|
|
||||||
#### As a Key Value Store Entry
|
|
||||||
|
|
||||||
ACME certificates can be stored in a KV Store entry. This kind of storage is **mandatory in cluster mode**.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
storage = "traefik/acme/account"
|
|
||||||
```
|
|
||||||
|
|
||||||
Because KV stores (like Consul) have limited entry size the certificates list is compressed before it is saved as KV store entry.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
It is possible to store up to approximately 100 ACME certificates in Consul.
|
|
||||||
|
|
||||||
#### ACME v2 Migration
|
|
||||||
|
|
||||||
During migration from ACME v1 to ACME v2, using a storage file, a backup of the original file is created in the same place as the latter (with a `.bak` extension).
|
|
||||||
|
|
||||||
For example: if `acme.storage`'s value is `/etc/traefik/acme/acme.json`, the backup file will be `/etc/traefik/acme/acme.json.bak`.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
When Traefik is launched in a container, the storage file's parent directory needs to be mounted to be able to access the backup file on the host.
|
|
||||||
Otherwise the backup file will be deleted when the container is stopped. Traefik will only generate it once!
|
|
||||||
|
|
||||||
### `dnsProvider` (Deprecated)
|
|
||||||
|
|
||||||
!!! danger "DEPRECATED"
|
|
||||||
This option is deprecated. Please use [dnsChallenge.provider](/configuration/acme/#provider) instead.
|
|
||||||
|
|
||||||
### `delayDontCheckDNS` (Deprecated)
|
|
||||||
|
|
||||||
!!! danger "DEPRECATED"
|
|
||||||
This option is deprecated. Please use [dnsChallenge.delayBeforeCheck](/configuration/acme/#dnschallenge) instead.
|
|
||||||
|
|
||||||
## Fallbacks
|
|
||||||
|
|
||||||
If Let's Encrypt is not reachable, these certificates will be used:
|
|
||||||
|
|
||||||
1. ACME certificates already generated before downtime
|
|
||||||
1. Expired ACME certificates
|
|
||||||
1. Provided certificates
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
For new (sub)domains which need Let's Encrypt authentification, the default Traefik certificate will be used until Traefik is restarted.
|
|
|
@ -1,539 +0,0 @@
|
||||||
|
|
||||||
# Docker Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Docker as a provider.
|
|
||||||
|
|
||||||
## Docker
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Docker Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Docker Provider.
|
|
||||||
[docker]
|
|
||||||
|
|
||||||
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
endpoint = "unix:///var/run/docker.sock"
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
# Can be overridden by setting the "traefik.domain" label on a container.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
domain = "docker.localhost"
|
|
||||||
|
|
||||||
# Enable watch docker changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "docker.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
|
|
||||||
# Expose containers by default in Traefik.
|
|
||||||
# If set to false, containers that don't have `traefik.enable=true` will be ignored.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
exposedByDefault = true
|
|
||||||
|
|
||||||
# Use the IP address from the binded port instead of the inner network one.
|
|
||||||
#
|
|
||||||
# In case no IP address is attached to the binded port (or in case
|
|
||||||
# there is no bind), the inner network one will be used as a fallback.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
usebindportip = true
|
|
||||||
|
|
||||||
# Use Swarm Mode services as data provider.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
swarmMode = false
|
|
||||||
|
|
||||||
# Polling interval (in seconds) for Swarm Mode.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 15
|
|
||||||
#
|
|
||||||
swarmModeRefreshSeconds = 15
|
|
||||||
|
|
||||||
# Define a default docker network to use for connections to all containers.
|
|
||||||
# Can be overridden by the traefik.docker.network label.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
network = "web"
|
|
||||||
|
|
||||||
# Enable docker TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [docker.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/docker.crt"
|
|
||||||
# key = "/etc/ssl/docker.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
## Docker Swarm Mode
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Docker Swarm Mode Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Docker Provider.
|
|
||||||
[docker]
|
|
||||||
|
|
||||||
# Docker server endpoint.
|
|
||||||
# Can be a tcp or a unix socket endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "unix:///var/run/docker.sock"
|
|
||||||
#
|
|
||||||
# swarm classic (1.12-)
|
|
||||||
# endpoint = "tcp://127.0.0.1:2375"
|
|
||||||
# docker swarm mode (1.12+)
|
|
||||||
endpoint = "tcp://127.0.0.1:2377"
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
# Can be overridden by setting the "traefik.domain" label on a services.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ""
|
|
||||||
#
|
|
||||||
domain = "docker.localhost"
|
|
||||||
|
|
||||||
# Enable watch docker changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Use Docker Swarm Mode as data provider.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
swarmMode = true
|
|
||||||
|
|
||||||
# Define a default docker network to use for connections to all containers.
|
|
||||||
# Can be overridden by the traefik.docker.network label.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
network = "web"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "docker.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
|
|
||||||
# Expose services by default in Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
exposedByDefault = false
|
|
||||||
|
|
||||||
# Enable docker TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [docker.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/docker.crt"
|
|
||||||
# key = "/etc/ssl/docker.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
## Security Considerations
|
|
||||||
|
|
||||||
### Security Challenge with the Docker Socket
|
|
||||||
|
|
||||||
Traefik requires access to the docker socket to get its dynamic configuration,
|
|
||||||
by watching the Docker API through this socket.
|
|
||||||
|
|
||||||
!!! important
|
|
||||||
Depending on your context and your usage, accessing the Docker API without any restriction might be a security concern.
|
|
||||||
|
|
||||||
As explained on the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
|
|
||||||
|
|
||||||
`[...] only **trusted** users should be allowed to control your Docker daemon [...]`
|
|
||||||
|
|
||||||
If the Traefik processes (handling requests from the outside world) is attacked,
|
|
||||||
then the attacker can access the Docker (or Swarm Mode) backend.
|
|
||||||
|
|
||||||
Also, when using Swarm Mode, it is mandatory to schedule Traefik's containers on the Swarm manager nodes,
|
|
||||||
to let Traefik accessing the Docker Socket of the Swarm manager node.
|
|
||||||
|
|
||||||
More information about Docker's security:
|
|
||||||
|
|
||||||
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
|
|
||||||
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
|
|
||||||
- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
|
|
||||||
- [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
|
|
||||||
|
|
||||||
### Security Compensation
|
|
||||||
|
|
||||||
The main security compensation is to expose the Docker socket over TCP, instead of the default Unix socket file.
|
|
||||||
It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
|
|
||||||
|
|
||||||
- Authentication with Client Certificates as described in [the "Protect the Docker daemon socket" page of Docker's documentation](https://docs.docker.com/engine/security/https/)
|
|
||||||
|
|
||||||
- Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
|
|
||||||
|
|
||||||
- Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
|
|
||||||
|
|
||||||
- Accounting at container level, by exposing the socket on a another container than Traefik's.
|
|
||||||
With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
|
|
||||||
|
|
||||||
- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux),
|
|
||||||
to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
|
|
||||||
|
|
||||||
Use the following ressources to get started:
|
|
||||||
|
|
||||||
- [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
|
|
||||||
- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
|
|
||||||
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
|
|
||||||
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
|
|
||||||
|
|
||||||
## Labels: overriding default behavior
|
|
||||||
|
|
||||||
### Using Docker with Swarm Mode
|
|
||||||
|
|
||||||
If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
|
|
||||||
This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
version: "3"
|
|
||||||
services:
|
|
||||||
whoami:
|
|
||||||
deploy:
|
|
||||||
labels:
|
|
||||||
traefik.docker.network: traefik
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using Docker Compose
|
|
||||||
|
|
||||||
If you are intending to use only Docker Compose commands (e.g. `docker-compose up --scale whoami=2 -d`), labels should be under your service, otherwise they will be ignored.
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
version: "3"
|
|
||||||
services:
|
|
||||||
whoami:
|
|
||||||
labels:
|
|
||||||
traefik.docker.network: traefik
|
|
||||||
```
|
|
||||||
|
|
||||||
### On Containers
|
|
||||||
|
|
||||||
Labels can be used on containers to override default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.docker.network` | Overrides the default docker network to use for connections to the container. [1] |
|
|
||||||
| `traefik.domain` | Sets the default base domain for the frontend rules. For more information, check the [Container Labels section's of the user guide "Let's Encrypt & Docker"](/user-guide/docker-and-lets-encrypt/#container-labels) |
|
|
||||||
| `traefik.enable=false` | Disables this container in Traefik. |
|
|
||||||
| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. |
|
|
||||||
| `traefik.tags=foo,bar,myTag` | Adds Traefik tags to the Docker container/service to be used in [constraints](/configuration/commons/#constraints). |
|
|
||||||
| `traefik.protocol=https` | Overrides the default `http` protocol |
|
|
||||||
| `traefik.weight=10` | Assigns this weight to the container |
|
|
||||||
| `traefik.backend=foo` | Overrides the container name by `foo` in the generated name of the backend. |
|
|
||||||
| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
|
|
||||||
| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
|
|
||||||
| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. |
|
|
||||||
| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. |
|
|
||||||
| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
|
|
||||||
| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
|
|
||||||
| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.swarm=true` | Uses Swarm's inbuilt load balancer (only relevant under Swarm Mode). [3]. |
|
|
||||||
| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.frontend.auth.basic=EXPR` | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2] (DEPRECATED). |
|
|
||||||
| `traefik.frontend.auth.basic.realm=REALM` | Sets the realm of basic authentication to this frontend. |
|
|
||||||
| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.basic.users=EXPR` | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2]. |
|
|
||||||
| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.digest.users=EXPR` | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
|
|
||||||
| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
|
|
||||||
| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
|
|
||||||
| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
|
|
||||||
| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header user to pass the authenticated user to the application. |
|
|
||||||
| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `traefik.frontend.errors.<name>.backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.organization=true` | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
|
|
||||||
| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend (DEPRECATED). |
|
|
||||||
| `traefik.frontend.priority=10` | Overrides default frontend priority |
|
|
||||||
| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
|
|
||||||
| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
|
|
||||||
| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`. |
|
|
||||||
| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
[1] `traefik.docker.network`:
|
|
||||||
If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them).
|
|
||||||
For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name.
|
|
||||||
Or if your service references external network use it's name instead.
|
|
||||||
|
|
||||||
[2] `traefik.frontend.auth.basic.users=EXPR`:
|
|
||||||
To create `user:password` pair, it's possible to use this command:
|
|
||||||
`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`.
|
|
||||||
The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping.
|
|
||||||
|
|
||||||
[3] `traefik.backend.loadbalancer.swarm`:
|
|
||||||
If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
|
|
||||||
Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.
|
|
||||||
It also means that Traefik will manipulate only one backend, not one backend per container.
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.customRequestHeaders=EXPR` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `traefik.frontend.headers.hostsProxyHeaders=EXPR` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
|
|
||||||
### On containers with Multiple Ports (segment labels)
|
|
||||||
|
|
||||||
Segment labels are used to define routes to a container exposing multiple ports.
|
|
||||||
A segment is a group of labels that apply to a port exposed by a container.
|
|
||||||
You can define as many segments as ports exposed in a container.
|
|
||||||
|
|
||||||
Segment labels override the default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.backend=BACKEND` | Same as `traefik.backend` |
|
|
||||||
| `traefik.<segment_name>.domain=DOMAIN` | Same as `traefik.domain` |
|
|
||||||
| `traefik.<segment_name>.port=PORT` | Same as `traefik.port` |
|
|
||||||
| `traefik.<segment_name>.protocol=http` | Same as `traefik.protocol` |
|
|
||||||
| `traefik.<segment_name>.weight=10` | Same as `traefik.weight` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` |
|
|
||||||
| `traefik.<segment_name>.frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME` | Same as `traefik.frontend.errors.<name>.backend` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.query=PATH` | Same as `traefik.frontend.errors.<name>.query` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE` | Same as `traefik.frontend.errors.<name>.status` |
|
|
||||||
| `traefik.<segment_name>.frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` |
|
|
||||||
| `traefik.<segment_name>.frontend.priority=10` | Same as `traefik.frontend.priority` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.period` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` |
|
|
||||||
| `traefik.<segment_name>.frontend.rule=EXP` | Same as `traefik.frontend.rule` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------|----------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR` | Same as `traefik.frontend.headers.customRequestHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|--------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR` | Same as `traefik.frontend.headers.allowedHosts` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true` | Same as `traefik.frontend.headers.browserXSSFilter` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE` | Same as `traefik.frontend.headers.contentSecurityPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true` | Same as `traefik.frontend.headers.contentTypeNosniff` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE` | Same as `traefik.frontend.headers.customBrowserXSSValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false` | Same as `traefik.frontend.headers.forceSTSHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.frameDeny=false` | Same as `traefik.frontend.headers.frameDeny` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR` | Same as `traefik.frontend.headers.hostsProxyHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.isDevelopment=false` | Same as `traefik.frontend.headers.isDevelopment` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.publicKey=VALUE` | Same as `traefik.frontend.headers.publicKey` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE` | Same as `traefik.frontend.headers.referrerPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLRedirect=true` | Same as `traefik.frontend.headers.SSLRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true` | Same as `traefik.frontend.headers.SSLTemporaryRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLHost=HOST` | Same as `traefik.frontend.headers.SSLHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLForceHost=true` | Same as `traefik.frontend.headers.SSLForceHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR` | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000` | Same as `traefik.frontend.headers.STSSeconds=315360000` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true` | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSPreload=true` | Same as `traefik.frontend.headers.STSPreload=true` |
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If a label is defined both as a `container label` and a `segment label` (for example `traefik.<segment_name>.port=PORT` and `traefik.port=PORT` ), the `segment label` is used to defined the `<segment_name>` property (`port` in the example).
|
|
||||||
|
|
||||||
It's possible to mix `container labels` and `segment labels`, in this case `container labels` are used as default value for missing `segment labels` but no frontends are going to be created with the `container labels`.
|
|
||||||
|
|
||||||
More details in this [example](/user-guide/docker-and-lets-encrypt/#labels).
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
When running inside a container, Traefik will need network access through:
|
|
||||||
|
|
||||||
`docker network connect <network> <traefik-container>`
|
|
||||||
|
|
||||||
## usebindportip
|
|
||||||
|
|
||||||
The default behavior of Traefik is to route requests to the IP/Port of the matching container.
|
|
||||||
When setting `usebindportip` to true, you tell Traefik to use the IP/Port attached to the container's binding instead of the inner network IP/Port.
|
|
||||||
|
|
||||||
When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding with `traefik.port` port to select the container. If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label.
|
|
||||||
|
|
||||||
Below is a recap of the behavior of `usebindportip` in different situations.
|
|
||||||
|
|
||||||
| traefik.port label | Container's binding | Routes to |
|
|
||||||
|--------------------|----------------------------------------------------|----------------|
|
|
||||||
| - | - | IntIP:IntPort |
|
|
||||||
| - | ExtPort:IntPort | IntIP:IntPort |
|
|
||||||
| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
|
|
||||||
| LblPort | - | IntIp:LblPort |
|
|
||||||
| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
|
|
||||||
| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
|
|
||||||
| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."
|
|
|
@ -1,647 +0,0 @@
|
||||||
# Entry Points Definition
|
|
||||||
|
|
||||||
## Reference
|
|
||||||
|
|
||||||
### TOML
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
# ...
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.compress]
|
|
||||||
|
|
||||||
[entryPoints.http.clientIPStrategy]
|
|
||||||
depth = 5
|
|
||||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
|
|
||||||
[entryPoints.http.whitelist]
|
|
||||||
sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
|
|
||||||
[entryPoints.http.whitelist.IPStrategy]
|
|
||||||
depth = 5
|
|
||||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
|
|
||||||
[entryPoints.http.tls]
|
|
||||||
minVersion = "VersionTLS12"
|
|
||||||
cipherSuites = [
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384"
|
|
||||||
]
|
|
||||||
[[entryPoints.http.tls.certificates]]
|
|
||||||
certFile = "path/to/my.cert"
|
|
||||||
keyFile = "path/to/my.key"
|
|
||||||
[[entryPoints.http.tls.certificates]]
|
|
||||||
certFile = "path/to/other.cert"
|
|
||||||
keyFile = "path/to/other.key"
|
|
||||||
# ...
|
|
||||||
[entryPoints.http.tls.clientCA]
|
|
||||||
files = ["path/to/ca1.crt", "path/to/ca2.crt"]
|
|
||||||
optional = false
|
|
||||||
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
regex = "^http://localhost/(.*)"
|
|
||||||
replacement = "http://mydomain/$1"
|
|
||||||
permanent = true
|
|
||||||
|
|
||||||
[entryPoints.http.auth]
|
|
||||||
headerField = "X-WebAuth-User"
|
|
||||||
[entryPoints.http.auth.basic]
|
|
||||||
removeHeader = true
|
|
||||||
realm = "Your realm"
|
|
||||||
users = [
|
|
||||||
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
|
||||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
|
||||||
]
|
|
||||||
usersFile = "/path/to/.htpasswd"
|
|
||||||
[entryPoints.http.auth.digest]
|
|
||||||
removeHeader = true
|
|
||||||
users = [
|
|
||||||
"test:traefik:a2688e031edb4be6a3797f3882655c05",
|
|
||||||
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
|
|
||||||
]
|
|
||||||
usersFile = "/path/to/.htdigest"
|
|
||||||
[entryPoints.http.auth.forward]
|
|
||||||
address = "https://authserver.com/auth"
|
|
||||||
trustForwardHeader = true
|
|
||||||
authResponseHeaders = ["X-Auth-User"]
|
|
||||||
[entryPoints.http.auth.forward.tls]
|
|
||||||
ca = "path/to/local.crt"
|
|
||||||
caOptional = true
|
|
||||||
cert = "path/to/foo.cert"
|
|
||||||
key = "path/to/foo.key"
|
|
||||||
insecureSkipVerify = true
|
|
||||||
|
|
||||||
[entryPoints.http.proxyProtocol]
|
|
||||||
insecure = true
|
|
||||||
trustedIPs = ["10.10.10.1", "10.10.10.2"]
|
|
||||||
|
|
||||||
[entryPoints.http.forwardedHeaders]
|
|
||||||
trustedIPs = ["10.10.10.1", "10.10.10.2"]
|
|
||||||
insecure = false
|
|
||||||
|
|
||||||
[entryPoints.https]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
### CLI
|
|
||||||
|
|
||||||
For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).
|
|
||||||
|
|
||||||
```shell
|
|
||||||
--entryPoints='Name:http Address::80'
|
|
||||||
--entryPoints='Name:https Address::443 TLS'
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Whitespace is used as option separator and `,` is used as value separator for the list.
|
|
||||||
The names of the options are case-insensitive.
|
|
||||||
|
|
||||||
In compose file the entrypoint syntax is different. Notice how quotes are used:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
traefik:
|
|
||||||
image: traefik
|
|
||||||
command:
|
|
||||||
- --defaultentrypoints=powpow
|
|
||||||
- "--entryPoints=Name:powpow Address::42 Compress:true"
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```yaml
|
|
||||||
traefik:
|
|
||||||
image: traefik
|
|
||||||
command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
|
|
||||||
```
|
|
||||||
|
|
||||||
#### All available options:
|
|
||||||
|
|
||||||
```ini
|
|
||||||
Name:foo
|
|
||||||
Address::80
|
|
||||||
TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
|
|
||||||
TLS
|
|
||||||
TLS.MinVersion:VersionTLS11
|
|
||||||
TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
|
|
||||||
TLS.SniStrict:true
|
|
||||||
TLS.DefaultCertificate.Cert:path/to/foo.cert
|
|
||||||
TLS.DefaultCertificate.Key:path/to/foo.key
|
|
||||||
CA:car
|
|
||||||
CA.Optional:true
|
|
||||||
Redirect.EntryPoint:https
|
|
||||||
Redirect.Regex:http://localhost/(.*)
|
|
||||||
Redirect.Replacement:http://mydomain/$1
|
|
||||||
Redirect.Permanent:true
|
|
||||||
Compress:true
|
|
||||||
WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
|
|
||||||
WhiteList.IPStrategy.depth:3
|
|
||||||
WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24
|
|
||||||
ProxyProtocol.TrustedIPs:192.168.0.1
|
|
||||||
ProxyProtocol.Insecure:true
|
|
||||||
ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
|
|
||||||
Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
|
|
||||||
Auth.Basic.Removeheader:true
|
|
||||||
Auth.Basic.Realm:traefik
|
|
||||||
Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
|
|
||||||
Auth.Digest.Removeheader:true
|
|
||||||
Auth.HeaderField:X-WebAuth-User
|
|
||||||
Auth.Forward.Address:https://authserver.com/auth
|
|
||||||
Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret
|
|
||||||
Auth.Forward.TrustForwardHeader:true
|
|
||||||
Auth.Forward.TLS.CA:path/to/local.crt
|
|
||||||
Auth.Forward.TLS.CAOptional:true
|
|
||||||
Auth.Forward.TLS.Cert:path/to/foo.cert
|
|
||||||
Auth.Forward.TLS.Key:path/to/foo.key
|
|
||||||
Auth.Forward.TLS.InsecureSkipVerify:true
|
|
||||||
```
|
|
||||||
|
|
||||||
## Basic
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Entrypoints definition
|
|
||||||
#
|
|
||||||
# Default:
|
|
||||||
# [entryPoints]
|
|
||||||
# [entryPoints.http]
|
|
||||||
# address = ":80"
|
|
||||||
#
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Redirect HTTP to HTTPS
|
|
||||||
|
|
||||||
To redirect an http entrypoint to an https entrypoint (with SNI support).
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.org.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.org.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case).
|
|
||||||
|
|
||||||
## Rewriting URL
|
|
||||||
|
|
||||||
To redirect an entrypoint rewriting the URL.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
regex = "^http://localhost/(.*)"
|
|
||||||
replacement = "http://mydomain/$1"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an `entrypoint` is defined for the redirection (they will not be used in this case).
|
|
||||||
|
|
||||||
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
|
|
||||||
|
|
||||||
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
|
|
||||||
|
|
||||||
## TLS
|
|
||||||
|
|
||||||
### Static Certificates
|
|
||||||
|
|
||||||
Define an entrypoint with SNI support.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If an empty TLS configuration is provided, default self-signed certificates are generated.
|
|
||||||
|
|
||||||
|
|
||||||
### Dynamic Certificates
|
|
||||||
|
|
||||||
If you need to add or remove TLS certificates while Traefik is started, Dynamic TLS certificates are supported using the [file provider](/configuration/backends/file).
|
|
||||||
|
|
||||||
|
|
||||||
## TLS Mutual Authentication
|
|
||||||
|
|
||||||
TLS Mutual Authentication can be `optional` or not.
|
|
||||||
If it's `optional`, Traefik will authorize connection with certificates not signed by a specified Certificate Authority (CA).
|
|
||||||
Otherwise, Traefik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).
|
|
||||||
`ClientCA.files` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
|
|
||||||
The `CA:s` has to be in PEM format.
|
|
||||||
|
|
||||||
By default, `ClientCA.files` is not optional, all clients will be required to present a valid cert.
|
|
||||||
The requirement will apply to all server certs in the entrypoint.
|
|
||||||
|
|
||||||
In the example below both `snitest.com` and `snitest.org` will require client certs
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[entryPoints.https.tls.ClientCA]
|
|
||||||
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
|
|
||||||
optional = false
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.org.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.org.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Authentication
|
|
||||||
|
|
||||||
### Basic Authentication
|
|
||||||
|
|
||||||
Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate them.
|
|
||||||
|
|
||||||
Users can be specified directly in the TOML file, or indirectly by referencing an external file;
|
|
||||||
if both are provided, the two are merged, with external file contents having precedence.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth.basic]
|
|
||||||
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
|
|
||||||
usersFile = "/path/to/.htpasswd"
|
|
||||||
```
|
|
||||||
|
|
||||||
Optionally, you can:
|
|
||||||
|
|
||||||
- customize the realm
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth]
|
|
||||||
[entryPoints.http.auth.basic]
|
|
||||||
realm = "Your realm"
|
|
||||||
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
|
|
||||||
```
|
|
||||||
|
|
||||||
- pass authenticated user to application via headers
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth]
|
|
||||||
headerField = "X-WebAuth-User" # <-- header for the authenticated user
|
|
||||||
[entryPoints.http.auth.basic]
|
|
||||||
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
|
|
||||||
```
|
|
||||||
|
|
||||||
- remove the Authorization header
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth]
|
|
||||||
[entryPoints.http.auth.basic]
|
|
||||||
removeHeader = true # <-- remove the Authorization header
|
|
||||||
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
|
|
||||||
```
|
|
||||||
|
|
||||||
### Digest Authentication
|
|
||||||
|
|
||||||
You can use `htdigest` to generate them.
|
|
||||||
|
|
||||||
Users can be specified directly in the TOML file, or indirectly by referencing an external file;
|
|
||||||
if both are provided, the two are merged, with external file contents having precedence
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth.digest]
|
|
||||||
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
|
||||||
usersFile = "/path/to/.htdigest"
|
|
||||||
```
|
|
||||||
|
|
||||||
Optionally, you can!
|
|
||||||
|
|
||||||
- pass authenticated user to application via headers.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth]
|
|
||||||
headerField = "X-WebAuth-User" # <-- header for the authenticated user
|
|
||||||
[entryPoints.http.auth.digest]
|
|
||||||
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
|
||||||
```
|
|
||||||
|
|
||||||
- remove the Authorization header.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.auth]
|
|
||||||
[entryPoints.http.auth.digest]
|
|
||||||
removeHeader = true # <-- remove the Authorization header
|
|
||||||
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
|
||||||
```
|
|
||||||
|
|
||||||
### Forward Authentication
|
|
||||||
|
|
||||||
This configuration will first forward the request to `http://authserver.com/auth`.
|
|
||||||
|
|
||||||
If the response code is 2XX, access is granted and the original request is performed.
|
|
||||||
Otherwise, the response from the authentication server is returned.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
# ...
|
|
||||||
# To enable forward auth on an entrypoint
|
|
||||||
[entryPoints.http.auth.forward]
|
|
||||||
address = "https://authserver.com/auth"
|
|
||||||
|
|
||||||
# Trust existing X-Forwarded-* headers.
|
|
||||||
# Useful with another reverse proxy in front of Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
trustForwardHeader = true
|
|
||||||
|
|
||||||
# Copy headers from the authentication server to the request.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
authResponseHeaders = ["X-Auth-User", "X-Secret"]
|
|
||||||
|
|
||||||
# Enable forward auth TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
[entryPoints.http.auth.forward.tls]
|
|
||||||
ca = "path/to/local.crt"
|
|
||||||
caOptional = true
|
|
||||||
cert = "path/to/foo.cert"
|
|
||||||
key = "path/to/foo.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Specify Minimum TLS Version
|
|
||||||
|
|
||||||
To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from [crypto/tls](https://godoc.org/crypto/tls#pkg-constants)).
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
minVersion = "VersionTLS12"
|
|
||||||
cipherSuites = [
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384"
|
|
||||||
]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.org.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.org.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Strict SNI Checking
|
|
||||||
|
|
||||||
To enable strict SNI checking, so that connections cannot be made if a matching certificate does not exist.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
sniStrict = true
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Default Certificate
|
|
||||||
|
|
||||||
To enable a default certificate to serve, so that connections without SNI or without a matching domain will be served this certificate.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[entryPoints.https.tls.defaultCertificate]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
There can only be one `defaultCertificate` set per entrypoint.
|
|
||||||
Use a single set of square brackets `[ ]`, instead of the two needed for normal certificates.
|
|
||||||
If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.
|
|
||||||
|
|
||||||
## Compression
|
|
||||||
|
|
||||||
To enable compression support using gzip format.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.compress]
|
|
||||||
```
|
|
||||||
|
|
||||||
Responses are compressed when:
|
|
||||||
|
|
||||||
* The response body is larger than `512` bytes
|
|
||||||
* And the `Accept-Encoding` request header contains `gzip`
|
|
||||||
* And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
|
|
||||||
|
|
||||||
## White Listing
|
|
||||||
|
|
||||||
Traefik supports whitelisting to accept or refuse requests based on the client IP.
|
|
||||||
|
|
||||||
The following example enables IP white listing and accepts requests from client IPs defined in `sourceRange`.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.http.whiteList]
|
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
# [entryPoints.http.whiteList.IPStrategy]
|
|
||||||
# Override the clientIPStrategy
|
|
||||||
```
|
|
||||||
|
|
||||||
By default, Traefik uses the client IP (see [ClientIPStrategy](/configuration/entrypoints/#clientipstrategy)) for the whitelisting.
|
|
||||||
|
|
||||||
If you want to use another IP than the one determined by `ClientIPStrategy` for the whitelisting, you can define the `IPStrategy` option:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http.clientIPStrategy]
|
|
||||||
depth = 4
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.http.whiteList]
|
|
||||||
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
[entryPoints.http.whiteList.IPStrategy]
|
|
||||||
depth = 2
|
|
||||||
```
|
|
||||||
|
|
||||||
In the above example, if the value of the `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the client IP would be `"10.0.0.1"` (`clientIPStrategy.depth=4`) but the IP used for the whitelisting would be `"12.0.0.1"` (`whitelist.IPStrategy.depth=2`).
|
|
||||||
|
|
||||||
## ClientIPStrategy
|
|
||||||
|
|
||||||
The `clientIPStrategy` defines how you want Traefik to determine the client IP (used for whitelisting for example).
|
|
||||||
|
|
||||||
There are several option available:
|
|
||||||
|
|
||||||
### Depth
|
|
||||||
|
|
||||||
This option uses the `X-Forwarded-For` header and takes the IP located at the `depth` position (starting from the right).
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.http.clientIPStrategy]
|
|
||||||
```
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.http.clientIPStrategy]
|
|
||||||
depth = 5
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then clientIP will be empty.
|
|
||||||
- If `depth` is lesser than or equal to 0, then the option is ignored.
|
|
||||||
|
|
||||||
Examples:
|
|
||||||
|
|
||||||
| `X-Forwarded-For` | `depth` | clientIP |
|
|
||||||
|-----------------------------------------|---------|--------------|
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
|
||||||
|
|
||||||
### Excluded IPs
|
|
||||||
|
|
||||||
Traefik will scan the `X-Forwarded-For` header (from the right) and pick the first IP not in the `excludedIPs` list.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.http.clientIPStrategy]
|
|
||||||
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If `depth` is specified, `excludedIPs` is ignored.
|
|
||||||
|
|
||||||
Examples:
|
|
||||||
|
|
||||||
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|
|
||||||
|-----------------------------------------|-----------------------|--------------|
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
|
|
||||||
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
|
|
||||||
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
|
|
||||||
|
|
||||||
### Default
|
|
||||||
|
|
||||||
If there are no `depth` or `excludedIPs`, then the client IP is the IP of the computer that initiated the connection with the Traefik server (the remote address).
|
|
||||||
|
|
||||||
## ProxyProtocol
|
|
||||||
|
|
||||||
To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
|
|
||||||
Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`).
|
|
||||||
|
|
||||||
!!! danger
|
|
||||||
When queuing Traefik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.
|
|
||||||
Otherwise, it could introduce a security risk in your system by forging requests.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
# Enable ProxyProtocol
|
|
||||||
[entryPoints.http.proxyProtocol]
|
|
||||||
# List of trusted IPs
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: []
|
|
||||||
#
|
|
||||||
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
|
|
||||||
# Insecure mode FOR TESTING ENVIRONNEMENT ONLY
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# insecure = true
|
|
||||||
```
|
|
||||||
|
|
||||||
## Forwarded Header
|
|
||||||
|
|
||||||
Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`).
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
# Enable Forwarded Headers
|
|
||||||
[entryPoints.http.forwardedHeaders]
|
|
||||||
# List of trusted IPs
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: []
|
|
||||||
#
|
|
||||||
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
|
||||||
|
|
||||||
# Insecure mode
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# insecure = true
|
|
||||||
|
|
||||||
```
|
|
|
@ -1,264 +0,0 @@
|
||||||
# Logs Definition
|
|
||||||
|
|
||||||
## Reference
|
|
||||||
|
|
||||||
### TOML
|
|
||||||
|
|
||||||
```toml
|
|
||||||
logLevel = "INFO"
|
|
||||||
|
|
||||||
[traefikLog]
|
|
||||||
filePath = "/path/to/traefik.log"
|
|
||||||
format = "json"
|
|
||||||
|
|
||||||
[accessLog]
|
|
||||||
filePath = "/path/to/access.log"
|
|
||||||
format = "json"
|
|
||||||
|
|
||||||
[accessLog.filters]
|
|
||||||
statusCodes = ["200", "300-302"]
|
|
||||||
retryAttempts = true
|
|
||||||
minDuration = "10ms"
|
|
||||||
|
|
||||||
[accessLog.fields]
|
|
||||||
defaultMode = "keep"
|
|
||||||
[accessLog.fields.names]
|
|
||||||
"ClientUsername" = "drop"
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[accessLog.fields.headers]
|
|
||||||
defaultMode = "keep"
|
|
||||||
[accessLog.fields.headers.names]
|
|
||||||
"User-Agent" = "redact"
|
|
||||||
"Authorization" = "drop"
|
|
||||||
"Content-Type" = "keep"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
### CLI
|
|
||||||
|
|
||||||
For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).
|
|
||||||
|
|
||||||
```shell
|
|
||||||
--logLevel="DEBUG"
|
|
||||||
--traefikLog.filePath="/path/to/traefik.log"
|
|
||||||
--traefikLog.format="json"
|
|
||||||
--accessLog.filePath="/path/to/access.log"
|
|
||||||
--accessLog.format="json"
|
|
||||||
--accessLog.filters.statusCodes="200,300-302"
|
|
||||||
--accessLog.filters.retryAttempts="true"
|
|
||||||
--accessLog.filters.minDuration="10ms"
|
|
||||||
--accessLog.fields.defaultMode="keep"
|
|
||||||
--accessLog.fields.names="Username=drop Hostname=drop"
|
|
||||||
--accessLog.fields.headers.defaultMode="keep"
|
|
||||||
--accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep"
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Traefik Logs
|
|
||||||
|
|
||||||
By default the Traefik log is written to stdout in text format.
|
|
||||||
|
|
||||||
To write the logs into a log file specify the `filePath`:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[traefikLog]
|
|
||||||
filePath = "/path/to/traefik.log"
|
|
||||||
```
|
|
||||||
|
|
||||||
To write JSON format logs, specify `json` as the format:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[traefikLog]
|
|
||||||
filePath = "/path/to/traefik.log"
|
|
||||||
format = "json"
|
|
||||||
```
|
|
||||||
|
|
||||||
To customize the log level:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Log level
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "ERROR"
|
|
||||||
#
|
|
||||||
# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
|
|
||||||
# Messages at and above the selected level will be logged.
|
|
||||||
#
|
|
||||||
logLevel = "ERROR"
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Access Logs
|
|
||||||
|
|
||||||
Access logs are written when `[accessLog]` is defined.
|
|
||||||
By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields.
|
|
||||||
|
|
||||||
To enable access logs using the default settings just add the `[accessLog]` entry:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[accessLog]
|
|
||||||
```
|
|
||||||
|
|
||||||
To write the logs into a log file specify the `filePath`:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[accessLog]
|
|
||||||
filePath = "/path/to/access.log"
|
|
||||||
```
|
|
||||||
|
|
||||||
To write JSON format logs, specify `json` as the format:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[accessLog]
|
|
||||||
filePath = "/path/to/access.log"
|
|
||||||
format = "json"
|
|
||||||
```
|
|
||||||
|
|
||||||
To write the logs in async, specify `bufferingSize` as the format (must be >0):
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[accessLog]
|
|
||||||
filePath = "/path/to/access.log"
|
|
||||||
# Buffering Size
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 0
|
|
||||||
#
|
|
||||||
# Number of access log lines to process in a buffered way.
|
|
||||||
#
|
|
||||||
bufferingSize = 100
|
|
||||||
```
|
|
||||||
|
|
||||||
To filter logs you can specify a set of filters which are logically "OR-connected". Thus, specifying multiple filters will keep more access logs than specifying only one:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[accessLog]
|
|
||||||
filePath = "/path/to/access.log"
|
|
||||||
format = "json"
|
|
||||||
|
|
||||||
[accessLog.filters]
|
|
||||||
|
|
||||||
# statusCodes: keep access logs with status codes in the specified range
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: []
|
|
||||||
#
|
|
||||||
statusCodes = ["200", "300-302"]
|
|
||||||
|
|
||||||
# retryAttempts: keep access logs when at least one retry happened
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
retryAttempts = true
|
|
||||||
|
|
||||||
# minDuration: keep access logs when request took longer than the specified duration
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 0
|
|
||||||
#
|
|
||||||
minDuration = "10ms"
|
|
||||||
```
|
|
||||||
|
|
||||||
To customize logs format:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[accessLog]
|
|
||||||
filePath = "/path/to/access.log"
|
|
||||||
format = "json"
|
|
||||||
|
|
||||||
[accessLog.filters]
|
|
||||||
|
|
||||||
# statusCodes keep only access logs with status codes in the specified range
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: []
|
|
||||||
#
|
|
||||||
statusCodes = ["200", "300-302"]
|
|
||||||
|
|
||||||
[accessLog.fields]
|
|
||||||
|
|
||||||
# defaultMode
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "keep"
|
|
||||||
#
|
|
||||||
# Accepted values "keep", "drop"
|
|
||||||
#
|
|
||||||
defaultMode = "keep"
|
|
||||||
|
|
||||||
# Fields map which is used to override fields defaultMode
|
|
||||||
[accessLog.fields.names]
|
|
||||||
"ClientUsername" = "drop"
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[accessLog.fields.headers]
|
|
||||||
# defaultMode
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "keep"
|
|
||||||
#
|
|
||||||
# Accepted values "keep", "drop", "redact"
|
|
||||||
#
|
|
||||||
defaultMode = "keep"
|
|
||||||
# Fields map which is used to override headers defaultMode
|
|
||||||
[accessLog.fields.headers.names]
|
|
||||||
"User-Agent" = "redact"
|
|
||||||
"Authorization" = "drop"
|
|
||||||
"Content-Type" = "keep"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
### List of all available fields
|
|
||||||
|
|
||||||
```ini
|
|
||||||
StartUTC
|
|
||||||
StartLocal
|
|
||||||
Duration
|
|
||||||
FrontendName
|
|
||||||
BackendName
|
|
||||||
BackendURL
|
|
||||||
BackendAddr
|
|
||||||
ClientAddr
|
|
||||||
ClientHost
|
|
||||||
ClientPort
|
|
||||||
ClientUsername
|
|
||||||
RequestAddr
|
|
||||||
RequestHost
|
|
||||||
RequestPort
|
|
||||||
RequestMethod
|
|
||||||
RequestPath
|
|
||||||
RequestProtocol
|
|
||||||
RequestLine
|
|
||||||
RequestContentSize
|
|
||||||
OriginDuration
|
|
||||||
OriginContentSize
|
|
||||||
OriginStatus
|
|
||||||
OriginStatusLine
|
|
||||||
DownstreamStatus
|
|
||||||
DownstreamStatusLine
|
|
||||||
DownstreamContentSize
|
|
||||||
RequestCount
|
|
||||||
GzipRatio
|
|
||||||
Overhead
|
|
||||||
RetryAttempts
|
|
||||||
```
|
|
||||||
|
|
||||||
### CLF - Common Log Format
|
|
||||||
|
|
||||||
By default, Traefik use the CLF (`common`) as access log format.
|
|
||||||
|
|
||||||
```html
|
|
||||||
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Log Rotation
|
|
||||||
|
|
||||||
Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
|
|
||||||
This allows the logs to be rotated and processed by an external program, such as `logrotate`.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
This does not work on Windows due to the lack of USR signals.
|
|
|
@ -1,91 +0,0 @@
|
||||||
# Ping Definition
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Ping definition
|
|
||||||
[ping]
|
|
||||||
# Name of the related entry point
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
entryPoint = "traefik"
|
|
||||||
```
|
|
||||||
|
|
||||||
| Path | Method | Description |
|
|
||||||
|---------|---------------|----------------------------------------------------------------------------------------------------|
|
|
||||||
| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
|
|
||||||
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
Even if you have authentication configured on entry point, the `/ping` path of the api is excluded from authentication.
|
|
||||||
|
|
||||||
## Examples
|
|
||||||
|
|
||||||
The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
|
|
||||||
Thus, if you have a regular path for `/foo` and an entrypoint on `:80`, you would access them as follows:
|
|
||||||
|
|
||||||
* Regular path: `http://hostname:80/foo`
|
|
||||||
* Admin panel: `http://hostname:8080/`
|
|
||||||
* Ping URL: `http://hostname:8080/ping`
|
|
||||||
|
|
||||||
However, for security reasons, you may want to be able to expose the `/ping` health-check URL to outside health-checkers, e.g. an Internet service or cloud load-balancer, _without_ exposing your dashboard's port.
|
|
||||||
In many environments, the security staff may not _allow_ you to expose it.
|
|
||||||
|
|
||||||
You have two options:
|
|
||||||
|
|
||||||
* Enable `/ping` on a regular entry point
|
|
||||||
* Enable `/ping` on a dedicated port
|
|
||||||
|
|
||||||
### Ping health check on a regular entry point
|
|
||||||
|
|
||||||
To proxy `/ping` from a regular entry point to the administration one without exposing the dashboard, do the following:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[ping]
|
|
||||||
entryPoint = "http"
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
The above link `ping` on the `http` entry point and then expose it on port `80`
|
|
||||||
|
|
||||||
### Enable ping health check on dedicated port
|
|
||||||
|
|
||||||
If you do not want to or cannot expose the health-check on a regular entry point - e.g. your security rules do not allow it, or you have a conflicting path - then you can enable health-check on its own entry point.
|
|
||||||
Use the following configuration:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.ping]
|
|
||||||
address = ":8082"
|
|
||||||
|
|
||||||
[ping]
|
|
||||||
entryPoint = "ping"
|
|
||||||
```
|
|
||||||
|
|
||||||
The above is similar to the previous example, but instead of enabling `/ping` on the _default_ entry point, we enable it on a _dedicated_ entry point.
|
|
||||||
|
|
||||||
In the above example, you would access a regular path and health-check as follows:
|
|
||||||
|
|
||||||
* Regular path: `http://hostname:80/foo`
|
|
||||||
* Ping URL: `http://hostname:8082/ping`
|
|
||||||
|
|
||||||
Note the dedicated port `:8082` for `/ping`.
|
|
||||||
|
|
||||||
In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
|
|
||||||
Otherwise, you are likely to expose _all_ services via this entry point.
|
|
||||||
|
|
||||||
### Using ping for external Load-balancer rotation health check
|
|
||||||
|
|
||||||
If you are running traefik behind a external Load-balancer, and want to configure rotation health check on the Load-balancer to take a traefik instance out of rotation gracefully, you can configure [lifecycle.requestAcceptGraceTimeout](/configuration/commons.md#life-cycle) and the ping endpoint will return `503` response on traefik server termination, so that the Load-balancer can take the terminating traefik instance out of rotation, before it stops responding.
|
|
|
@ -1,228 +0,0 @@
|
||||||
# Tracing
|
|
||||||
|
|
||||||
The tracing system allows developers to visualize call flows in their infrastructure.
|
|
||||||
|
|
||||||
We use [OpenTracing](http://opentracing.io). It is an open standard designed for distributed tracing.
|
|
||||||
|
|
||||||
Traefik supports four tracing backends: Jaeger, Zipkin, DataDog, and Instana.
|
|
||||||
|
|
||||||
## Jaeger
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Tracing definition
|
|
||||||
[tracing]
|
|
||||||
# Backend name used to send tracing data
|
|
||||||
#
|
|
||||||
# Default: "jaeger"
|
|
||||||
#
|
|
||||||
backend = "jaeger"
|
|
||||||
|
|
||||||
# Service name used in Jaeger backend
|
|
||||||
#
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
serviceName = "traefik"
|
|
||||||
|
|
||||||
# Span name limit allows for name truncation in case of very long Frontend/Backend names
|
|
||||||
# This can prevent certain tracing providers to drop traces that exceed their length limits
|
|
||||||
#
|
|
||||||
# Default: 0 - no truncation will occur
|
|
||||||
#
|
|
||||||
spanNameLimit = 0
|
|
||||||
|
|
||||||
[tracing.jaeger]
|
|
||||||
# Sampling Server URL is the address of jaeger-agent's HTTP sampling server
|
|
||||||
#
|
|
||||||
# Default: "http://localhost:5778/sampling"
|
|
||||||
#
|
|
||||||
samplingServerURL = "http://localhost:5778/sampling"
|
|
||||||
|
|
||||||
# Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting
|
|
||||||
#
|
|
||||||
# Default: "const"
|
|
||||||
#
|
|
||||||
samplingType = "const"
|
|
||||||
|
|
||||||
# Sampling Param is a value passed to the sampler.
|
|
||||||
# Valid values for Param field are:
|
|
||||||
# - for "const" sampler, 0 or 1 for always false/true respectively
|
|
||||||
# - for "probabilistic" sampler, a probability between 0 and 1
|
|
||||||
# - for "rateLimiting" sampler, the number of spans per second
|
|
||||||
#
|
|
||||||
# Default: 1.0
|
|
||||||
#
|
|
||||||
samplingParam = 1.0
|
|
||||||
|
|
||||||
# Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address
|
|
||||||
#
|
|
||||||
# Default: "127.0.0.1:6831"
|
|
||||||
#
|
|
||||||
localAgentHostPort = "127.0.0.1:6831"
|
|
||||||
|
|
||||||
# Generate 128-bit trace IDs, compatible with OpenCensus
|
|
||||||
#
|
|
||||||
# Default: false
|
|
||||||
gen128Bit = true
|
|
||||||
|
|
||||||
# Set the propagation header type. This can be either:
|
|
||||||
# - "jaeger", jaeger's default trace header.
|
|
||||||
# - "b3", compatible with OpenZipkin
|
|
||||||
#
|
|
||||||
# Default: "jaeger"
|
|
||||||
propagation = "jaeger"
|
|
||||||
|
|
||||||
# Trace Context Header Name is the http header name used to propagate tracing context.
|
|
||||||
# This must be in lower-case to avoid mismatches when decoding incoming headers.
|
|
||||||
#
|
|
||||||
# Default: "uber-trace-id"
|
|
||||||
#
|
|
||||||
traceContextHeaderName = "uber-trace-id"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
Traefik is only able to send data over compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
|
|
||||||
|
|
||||||
## Zipkin
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Tracing definition
|
|
||||||
[tracing]
|
|
||||||
# Backend name used to send tracing data
|
|
||||||
#
|
|
||||||
# Default: "jaeger"
|
|
||||||
#
|
|
||||||
backend = "zipkin"
|
|
||||||
|
|
||||||
# Service name used in Zipkin backend
|
|
||||||
#
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
serviceName = "traefik"
|
|
||||||
|
|
||||||
# Span name limit allows for name truncation in case of very long Frontend/Backend names
|
|
||||||
# This can prevent certain tracing providers to drop traces that exceed their length limits
|
|
||||||
#
|
|
||||||
# Default: 0 - no truncation will occur
|
|
||||||
#
|
|
||||||
spanNameLimit = 150
|
|
||||||
|
|
||||||
[tracing.zipkin]
|
|
||||||
# Zipkin HTTP endpoint used to send data
|
|
||||||
#
|
|
||||||
# Default: "http://localhost:9411/api/v1/spans"
|
|
||||||
#
|
|
||||||
httpEndpoint = "http://localhost:9411/api/v1/spans"
|
|
||||||
|
|
||||||
# Enable Zipkin debug
|
|
||||||
#
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
debug = false
|
|
||||||
|
|
||||||
# Use Zipkin SameSpan RPC style traces
|
|
||||||
#
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
sameSpan = false
|
|
||||||
|
|
||||||
# Use Zipkin 128 bit root span IDs
|
|
||||||
#
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
id128Bit = true
|
|
||||||
|
|
||||||
# The rate between 0.0 and 1.0 of requests to trace.
|
|
||||||
#
|
|
||||||
# Default: 1.0
|
|
||||||
#
|
|
||||||
sampleRate = 0.2
|
|
||||||
```
|
|
||||||
|
|
||||||
## DataDog
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Tracing definition
|
|
||||||
[tracing]
|
|
||||||
# Backend name used to send tracing data
|
|
||||||
#
|
|
||||||
# Default: "jaeger"
|
|
||||||
#
|
|
||||||
backend = "datadog"
|
|
||||||
|
|
||||||
# Service name used in DataDog backend
|
|
||||||
#
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
serviceName = "traefik"
|
|
||||||
|
|
||||||
# Span name limit allows for name truncation in case of very long Frontend/Backend names
|
|
||||||
# This can prevent certain tracing providers to drop traces that exceed their length limits
|
|
||||||
#
|
|
||||||
# Default: 0 - no truncation will occur
|
|
||||||
#
|
|
||||||
spanNameLimit = 100
|
|
||||||
|
|
||||||
[tracing.datadog]
|
|
||||||
# Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address
|
|
||||||
#
|
|
||||||
# Default: "127.0.0.1:8126"
|
|
||||||
#
|
|
||||||
localAgentHostPort = "127.0.0.1:8126"
|
|
||||||
|
|
||||||
# Enable DataDog debug
|
|
||||||
#
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
debug = false
|
|
||||||
|
|
||||||
# Apply shared tag in a form of Key:Value to all the traces
|
|
||||||
#
|
|
||||||
# Default: ""
|
|
||||||
#
|
|
||||||
globalTag = ""
|
|
||||||
|
|
||||||
# Enable priority sampling. When using distributed tracing, this option must be enabled in order
|
|
||||||
# to get all the parts of a distributed trace sampled.
|
|
||||||
#
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
prioritySampling = false
|
|
||||||
```
|
|
||||||
|
|
||||||
## Instana
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Tracing definition
|
|
||||||
[tracing]
|
|
||||||
# Backend name used to send tracing data
|
|
||||||
#
|
|
||||||
# Default: "jaeger"
|
|
||||||
#
|
|
||||||
backend = "instana"
|
|
||||||
# Service name used in Instana backend
|
|
||||||
#
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
serviceName = "traefik"
|
|
||||||
[tracing.instana]
|
|
||||||
# Local Agent Host instructs reporter to send spans to instana-agent at this address
|
|
||||||
#
|
|
||||||
# Default: "127.0.0.1"
|
|
||||||
#
|
|
||||||
localAgentHost = "127.0.0.1"
|
|
||||||
# Local Agent port instructs reporter to send spans to the instana-agent at this port
|
|
||||||
#
|
|
||||||
# Default: 42699
|
|
||||||
#
|
|
||||||
localAgentPort = 42699
|
|
||||||
# Set Instana tracer log level
|
|
||||||
#
|
|
||||||
# Default: info
|
|
||||||
# Valid values for logLevel field are:
|
|
||||||
# - error
|
|
||||||
# - warn
|
|
||||||
# - debug
|
|
||||||
# - info
|
|
||||||
#
|
|
||||||
logLevel = "info"
|
|
||||||
```
|
|
BIN
docs/content/assets/img/architecture-overview.png
Normal file
After Width: | Height: | Size: 458 KiB |
Before Width: | Height: | Size: 208 KiB After Width: | Height: | Size: 208 KiB |
Before Width: | Height: | Size: 274 KiB After Width: | Height: | Size: 274 KiB |
BIN
docs/content/assets/img/entrypoints.png
Normal file
After Width: | Height: | Size: 383 KiB |
BIN
docs/content/assets/img/middleware/addprefix.png
Normal file
After Width: | Height: | Size: 42 KiB |
BIN
docs/content/assets/img/middleware/authforward.png
Normal file
After Width: | Height: | Size: 92 KiB |
BIN
docs/content/assets/img/middleware/basicauth.png
Normal file
After Width: | Height: | Size: 71 KiB |
BIN
docs/content/assets/img/middleware/buffering.png
Normal file
After Width: | Height: | Size: 70 KiB |
BIN
docs/content/assets/img/middleware/chain.png
Normal file
After Width: | Height: | Size: 73 KiB |
BIN
docs/content/assets/img/middleware/circuitbreaker.png
Normal file
After Width: | Height: | Size: 64 KiB |
BIN
docs/content/assets/img/middleware/compress.png
Normal file
After Width: | Height: | Size: 62 KiB |
BIN
docs/content/assets/img/middleware/digestauth.png
Normal file
After Width: | Height: | Size: 70 KiB |
BIN
docs/content/assets/img/middleware/errorpages.png
Normal file
After Width: | Height: | Size: 120 KiB |
BIN
docs/content/assets/img/middleware/headers.png
Normal file
After Width: | Height: | Size: 67 KiB |
BIN
docs/content/assets/img/middleware/ipwhitelist.png
Normal file
After Width: | Height: | Size: 58 KiB |
BIN
docs/content/assets/img/middleware/maxconnection.png
Normal file
After Width: | Height: | Size: 63 KiB |
BIN
docs/content/assets/img/middleware/overview.png
Normal file
After Width: | Height: | Size: 307 KiB |
BIN
docs/content/assets/img/middleware/ratelimit.png
Normal file
After Width: | Height: | Size: 68 KiB |
BIN
docs/content/assets/img/providers.png
Normal file
After Width: | Height: | Size: 385 KiB |
BIN
docs/content/assets/img/providers/docker.png
Normal file
After Width: | Height: | Size: 228 KiB |
BIN
docs/content/assets/img/quickstart-diagram.png
Normal file
After Width: | Height: | Size: 289 KiB |
BIN
docs/content/assets/img/routers.png
Normal file
After Width: | Height: | Size: 354 KiB |
BIN
docs/content/assets/img/services.png
Normal file
After Width: | Height: | Size: 339 KiB |
BIN
docs/content/assets/img/static-dynamic-configuration.png
Normal file
After Width: | Height: | Size: 386 KiB |
BIN
docs/content/assets/img/traefik-architecture.png
Normal file
After Width: | Height: | Size: 452 KiB |
BIN
docs/content/assets/img/traefik-concepts-1.png
Normal file
After Width: | Height: | Size: 182 KiB |
BIN
docs/content/assets/img/traefik-concepts-2.png
Normal file
After Width: | Height: | Size: 209 KiB |
Before Width: | Height: | Size: 2 KiB After Width: | Height: | Size: 2 KiB |
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 34 KiB |
2
docs/content/assets/js/hljs/highlight.pack.js
Normal file
59
docs/content/assets/styles/extra.css
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
@import url('https://fonts.googleapis.com/css?family=Noto+Sans|Noto+Serif');
|
||||||
|
|
||||||
|
.md-logo img {
|
||||||
|
background-color: white;
|
||||||
|
border-radius: 50%;
|
||||||
|
width: 30px;
|
||||||
|
height: 30px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Fix for Chrome */
|
||||||
|
.md-typeset__table td code {
|
||||||
|
word-break: unset;
|
||||||
|
}
|
||||||
|
|
||||||
|
.md-typeset__table tr :nth-child(1) {
|
||||||
|
word-wrap: break-word;
|
||||||
|
max-width: 30em;
|
||||||
|
}
|
||||||
|
|
||||||
|
body {
|
||||||
|
font-family: 'Noto Sans', sans-serif;
|
||||||
|
}
|
||||||
|
|
||||||
|
h1 {
|
||||||
|
font-weight: bold !important;
|
||||||
|
color: rgba(0,0,0,.9) !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
h2 {
|
||||||
|
font-weight: bold !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
h3 {
|
||||||
|
font-weight: bold !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
figcaption {
|
||||||
|
text-align: center;
|
||||||
|
font-size: 0.8em;
|
||||||
|
font-style: italic;
|
||||||
|
color: #8D909F;
|
||||||
|
}
|
||||||
|
|
||||||
|
p.subtitle {
|
||||||
|
color: rgba(0,0,0,.54);
|
||||||
|
padding-top: 0;
|
||||||
|
margin-top: -2em;
|
||||||
|
font-weight: bold;
|
||||||
|
font-size: 1.25em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.markdown-body .task-list-item {
|
||||||
|
list-style-type: none !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
.markdown-body .task-list-item input[type="checkbox"] {
|
||||||
|
margin: 0 4px 0.25em -20px;
|
||||||
|
vertical-align: middle;
|
||||||
|
}
|
10
docs/content/contributing/advocating.md
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
# Advocating
|
||||||
|
|
||||||
|
Spread the Love & Tell Us about It
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
|
||||||
|
|
||||||
|
If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
|
||||||
|
|
||||||
|
Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
|
181
docs/content/contributing/building-testing.md
Normal file
|
@ -0,0 +1,181 @@
|
||||||
|
# Building and Testing
|
||||||
|
|
||||||
|
Compile and Test Your Own Traefik!
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
So you want to build your own Traefik binary from the sources?
|
||||||
|
Let's see how.
|
||||||
|
|
||||||
|
## Building
|
||||||
|
|
||||||
|
You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
|
||||||
|
For changes to its dependencies, the `dep` dependency management tool is required.
|
||||||
|
|
||||||
|
### Method 1: Using `Docker` and `Makefile`
|
||||||
|
|
||||||
|
Run make with the `binary` target.
|
||||||
|
This will create binaries for the Linux platform in the `dist` folder.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ make binary
|
||||||
|
docker build -t traefik-webui -f webui/Dockerfile webui
|
||||||
|
Sending build context to Docker daemon 2.686MB
|
||||||
|
Step 1/11 : FROM node:8.15.0
|
||||||
|
---> 1f6c34f7921c
|
||||||
|
[...]
|
||||||
|
Successfully built ce4ff439c06a
|
||||||
|
Successfully tagged traefik-webui:latest
|
||||||
|
[...]
|
||||||
|
docker build -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
|
||||||
|
Sending build context to Docker daemon 279MB
|
||||||
|
Step 1/10 : FROM golang:1.11-alpine
|
||||||
|
---> f4bfb3d22bda
|
||||||
|
[...]
|
||||||
|
Successfully built 5c3c1a911277
|
||||||
|
Successfully tagged traefik-dev:4475--feature-documentation
|
||||||
|
docker run -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
|
||||||
|
---> Making bundle: generate (in .)
|
||||||
|
removed 'autogen/gentemplates/gen.go'
|
||||||
|
removed 'autogen/genstatic/gen.go'
|
||||||
|
|
||||||
|
---> Making bundle: binary (in .)
|
||||||
|
|
||||||
|
$ ls dist/
|
||||||
|
traefik*
|
||||||
|
```
|
||||||
|
|
||||||
|
### Method 2: Using `go`
|
||||||
|
|
||||||
|
You need `go` v1.9+.
|
||||||
|
|
||||||
|
!!! tip "Source Directory"
|
||||||
|
|
||||||
|
It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
|
||||||
|
This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
|
||||||
|
|
||||||
|
!!! note "Environment"
|
||||||
|
|
||||||
|
Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export GOPATH=~/go
|
||||||
|
export PATH=$PATH:$GOPATH/bin
|
||||||
|
```
|
||||||
|
|
||||||
|
For convenience, add `GOPATH` and `PATH` to your `.bashrc` or `.bash_profile`
|
||||||
|
|
||||||
|
Verify your environment is setup properly by running `$ go env`.
|
||||||
|
Depending on your OS and environment, you should see an output similar to:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
GOARCH="amd64"
|
||||||
|
GOBIN=""
|
||||||
|
GOEXE=""
|
||||||
|
GOHOSTARCH="amd64"
|
||||||
|
GOHOSTOS="linux"
|
||||||
|
GOOS="linux"
|
||||||
|
GOPATH="/home/<yourusername>/go"
|
||||||
|
GORACE=""
|
||||||
|
## ... and the list goes on
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Build Traefik
|
||||||
|
|
||||||
|
Once you've set up your go environment and cloned the source repository, you can build Traefik.
|
||||||
|
Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd ~/go/src/github.com/containous/traefik
|
||||||
|
|
||||||
|
# Get go-bindata. (Important: the ellipses are required.)
|
||||||
|
go get github.com/containous/go-bindata/...
|
||||||
|
|
||||||
|
# Let's build
|
||||||
|
|
||||||
|
# generate
|
||||||
|
# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
|
||||||
|
go generate
|
||||||
|
|
||||||
|
# Standard go build
|
||||||
|
go build ./cmd/traefik
|
||||||
|
```
|
||||||
|
|
||||||
|
You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
|
||||||
|
|
||||||
|
### Updating the templates
|
||||||
|
|
||||||
|
If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
|
||||||
|
|
||||||
|
### Setting up dependency management
|
||||||
|
|
||||||
|
The [dep](https://github.com/golang/dep) command is not required for building;
|
||||||
|
however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages).
|
||||||
|
|
||||||
|
You need [dep](https://github.com/golang/dep) >= 0.5.0.
|
||||||
|
|
||||||
|
If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
|
||||||
|
|
||||||
|
A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
|
||||||
|
The final result must be committed into VCS.
|
||||||
|
|
||||||
|
Here's a full example using dep to add a new dependency:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# install the new main dependency github.com/foo/bar and minimize vendor size
|
||||||
|
$ dep ensure -add github.com/foo/bar
|
||||||
|
# generate (Only required to integrate other components such as web dashboard)
|
||||||
|
$ go generate
|
||||||
|
# Standard go build
|
||||||
|
$ go build ./cmd/traefik
|
||||||
|
```
|
||||||
|
|
||||||
|
## Testing
|
||||||
|
|
||||||
|
### Method 1: `Docker` and `make`
|
||||||
|
|
||||||
|
Run unit tests using the `test-unit` target.
|
||||||
|
Run integration tests using the `test-integration` target.
|
||||||
|
Run all tests (unit and integration) using the `test` target.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ make test-unit
|
||||||
|
docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
|
||||||
|
# […]
|
||||||
|
docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
|
||||||
|
---> Making bundle: generate (in .)
|
||||||
|
removed 'gen.go'
|
||||||
|
|
||||||
|
---> Making bundle: test-unit (in .)
|
||||||
|
+ go test -cover -coverprofile=cover.out .
|
||||||
|
ok github.com/containous/traefik 0.005s coverage: 4.1% of statements
|
||||||
|
|
||||||
|
Test success
|
||||||
|
```
|
||||||
|
|
||||||
|
For development purposes, you can specify which tests to run by using (only works the `test-integration` target):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Run every tests in the MyTest suite
|
||||||
|
TESTFLAGS="-check.f MyTestSuite" make test-integration
|
||||||
|
|
||||||
|
# Run the test "MyTest" in the MyTest suite
|
||||||
|
TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
|
||||||
|
|
||||||
|
# Run every tests starting with "My", in the MyTest suite
|
||||||
|
TESTFLAGS="-check.f MyTestSuite.My" make test-integration
|
||||||
|
|
||||||
|
# Run every tests ending with "Test", in the MyTest suite
|
||||||
|
TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
|
||||||
|
```
|
||||||
|
|
||||||
|
More: https://labix.org/gocheck
|
||||||
|
|
||||||
|
### Method 2: `go`
|
||||||
|
|
||||||
|
Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
|
||||||
|
|
||||||
|
```test
|
||||||
|
ok _/home/user/go/src/github/containous/traefik 0.004s
|
||||||
|
```
|
||||||
|
|
||||||
|
Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.
|
112
docs/content/contributing/data-collection.md
Normal file
|
@ -0,0 +1,112 @@
|
||||||
|
# Data Collection
|
||||||
|
|
||||||
|
Understanding How Traefik is Being Used
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
|
||||||
|
**By default, this feature is disabled;** but to allow us understand better how you use Traefik, please enable the data collection option.
|
||||||
|
|
||||||
|
??? example "Enabling Data Collection with TOML"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Global]
|
||||||
|
# Send anonymous usage data
|
||||||
|
# Default: false
|
||||||
|
#
|
||||||
|
sendAnonymousUsage = true
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Enabling Data Collection with the CLI"
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./traefik --sendAnonymousUsage=true
|
||||||
|
```
|
||||||
|
|
||||||
|
## Collected Data
|
||||||
|
|
||||||
|
This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
|
||||||
|
|
||||||
|
In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
|
||||||
|
Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
|
||||||
|
|
||||||
|
### What's collected / when ?
|
||||||
|
|
||||||
|
Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
|
||||||
|
|
||||||
|
- the Traefik version number
|
||||||
|
- a hash of the configuration
|
||||||
|
- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
We do not collect the dynamic configuration information (routers & services).
|
||||||
|
We do not collect these data to run advertising programs.
|
||||||
|
We do not sell these data to third-parties.
|
||||||
|
|
||||||
|
### Example of Collected Data
|
||||||
|
|
||||||
|
??? example "Original configuration"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.http]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[api]
|
||||||
|
|
||||||
|
[Docker]
|
||||||
|
endpoint = "tcp://10.10.10.10:2375"
|
||||||
|
domain = "foo.bir"
|
||||||
|
exposedByDefault = true
|
||||||
|
swarmMode = true
|
||||||
|
|
||||||
|
[Docker.TLS]
|
||||||
|
ca = "dockerCA"
|
||||||
|
cert = "dockerCert"
|
||||||
|
key = "dockerKey"
|
||||||
|
insecureSkipVerify = true
|
||||||
|
|
||||||
|
[ECS]
|
||||||
|
domain = "foo.bar"
|
||||||
|
exposedByDefault = true
|
||||||
|
clusters = ["foo-bar"]
|
||||||
|
region = "us-west-2"
|
||||||
|
accessKeyID = "AccessKeyID"
|
||||||
|
secretAccessKey = "SecretAccessKey"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Resulting Obfuscated Configuration"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.http]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[api]
|
||||||
|
|
||||||
|
[Docker]
|
||||||
|
endpoint = "xxxx"
|
||||||
|
domain = "xxxx"
|
||||||
|
exposedByDefault = true
|
||||||
|
swarmMode = true
|
||||||
|
|
||||||
|
[Docker.TLS]
|
||||||
|
ca = "xxxx"
|
||||||
|
cert = "xxxx"
|
||||||
|
key = "xxxx"
|
||||||
|
insecureSkipVerify = false
|
||||||
|
|
||||||
|
[ECS]
|
||||||
|
domain = "xxxx"
|
||||||
|
exposedByDefault = true
|
||||||
|
clusters = []
|
||||||
|
region = "us-west-2"
|
||||||
|
accessKeyID = "xxxx"
|
||||||
|
secretAccessKey = "xxxx"
|
||||||
|
```
|
||||||
|
|
||||||
|
## The Code for Data Collection
|
||||||
|
|
||||||
|
If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go)
|
||||||
|
|
||||||
|
By default we anonymize all configuration fields, except fields tagged with `export=true`.
|
100
docs/content/contributing/documentation.md
Normal file
|
@ -0,0 +1,100 @@
|
||||||
|
# Documentation
|
||||||
|
|
||||||
|
Features Are Better When You Know How to Use Them
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
You've found something unclear in the documentation and want to give a try at explaining it better?
|
||||||
|
Let's see how.
|
||||||
|
|
||||||
|
## Building Documentation
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
This [documentation](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/).
|
||||||
|
|
||||||
|
### Method 1: `Docker` and `make`
|
||||||
|
|
||||||
|
You can build the documentation and test it locally (with live reloading), using the `docs` target:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ make docs
|
||||||
|
docker build -t traefik-docs -f docs.Dockerfile .
|
||||||
|
# […]
|
||||||
|
docker run --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
|
||||||
|
# […]
|
||||||
|
[I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
|
||||||
|
[I 170828 20:47:48 handlers:60] Start watching changes
|
||||||
|
[I 170828 20:47:48 handlers:62] Start detecting changes
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! tip "Default URL"
|
||||||
|
|
||||||
|
Your local documentation server will run by default on [http://127.0.0.1:8000](http://127.0.0.1:8000).
|
||||||
|
|
||||||
|
If you only want to build the documentation without serving it locally, you can use the following command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ make docs-build
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
### Method 2: `mkdocs`
|
||||||
|
|
||||||
|
First, make sure you have `python` and `pip` installed.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ python --version
|
||||||
|
Python 2.7.2
|
||||||
|
$ pip --version
|
||||||
|
pip 1.5.2
|
||||||
|
```
|
||||||
|
|
||||||
|
Then, install mkdocs with `pip`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
pip install --user -r requirements.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
To build the documentation locally and serve it locally, run `mkdocs serve` from the root directory.
|
||||||
|
This will start a local server.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ mkdocs serve
|
||||||
|
INFO - Building documentation...
|
||||||
|
INFO - Cleaning site directory
|
||||||
|
[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
|
||||||
|
[I 160505 22:31:24 handlers:59] Start watching changes
|
||||||
|
[I 160505 22:31:24 handlers:61] Start detecting changes
|
||||||
|
```
|
||||||
|
|
||||||
|
### Check the Documentation
|
||||||
|
|
||||||
|
To check that the documentation meets standard expectations (no dead links, html markup validity, ...), use the `docs-verify` target.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ make docs-verify
|
||||||
|
docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
|
||||||
|
...
|
||||||
|
docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
|
||||||
|
=== Checking HTML content...
|
||||||
|
Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "Clean & Verify"
|
||||||
|
|
||||||
|
If you've made changes to the documentation, it's safter to clean it before verifying it.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ make docs-clean docs-verify
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "Disabling Documentation Verification"
|
||||||
|
|
||||||
|
Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
DOCS_VERIFY_SKIP=true make docs-verify
|
||||||
|
...
|
||||||
|
DOCS_LINT_SKIP is true: no linting done.
|
||||||
|
```
|
45
docs/content/contributing/submitting-issues.md
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
# Submitting Issues
|
||||||
|
|
||||||
|
Help Us Help You!
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik.
|
||||||
|
|
||||||
|
The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
|
||||||
|
To save us some time and get quicker feedback, be sure to follow the guide lines below.
|
||||||
|
|
||||||
|
!!! important "Getting Help Vs Reporting an Issue"
|
||||||
|
|
||||||
|
The issue tracker is not a general support forum, but a place to report bugs and asks for new features.
|
||||||
|
|
||||||
|
For end-user related support questions, try using first:
|
||||||
|
|
||||||
|
- the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
|
||||||
|
- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
|
||||||
|
|
||||||
|
## Issue Title
|
||||||
|
|
||||||
|
The title must be short and descriptive. (~60 characters)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible, and make use of the `traefik bug` command if you can (see the [video on Youtube](https://www.youtube.com/watch?v=Lyz62L8m93I)).
|
||||||
|
|
||||||
|
Explain us in which conditions you encountered the issue, what is your context.
|
||||||
|
|
||||||
|
Remain as clear and concise as possible
|
||||||
|
|
||||||
|
Take time to polish the format of your message so we'll enjoy reading it and working on it.
|
||||||
|
Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
|
||||||
|
|
||||||
|
## Feature Request
|
||||||
|
|
||||||
|
Traefik is an open-source project and aims to be the best edge router possible.
|
||||||
|
|
||||||
|
Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
|
||||||
|
|
||||||
|
Do you best to explain what you're looking for, and why it would improve Traefik for everyone.
|
||||||
|
|
||||||
|
## International English
|
||||||
|
|
||||||
|
Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.
|
45
docs/content/contributing/submitting-pull-requests.md
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
# Submitting Pull Requests
|
||||||
|
|
||||||
|
A Quick Guide for Efficient Contributions
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
So you've decide to improve Traefik?
|
||||||
|
Thank You!
|
||||||
|
Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
|
||||||
|
|
||||||
|
Let's go though the classic pitfalls to make sure everything is right.
|
||||||
|
|
||||||
|
## Title
|
||||||
|
|
||||||
|
The title must be short and descriptive. (~60 characters)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
|
||||||
|
|
||||||
|
Explain the conditions which led you to write this PR: give us context.
|
||||||
|
The context should lead to something, an idea or a problem that you’re facing.
|
||||||
|
|
||||||
|
Remain clear and concise.
|
||||||
|
|
||||||
|
Take time to polish the format of your message so we'll enjoy reading it and working on it.
|
||||||
|
Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
|
||||||
|
|
||||||
|
## PR Content
|
||||||
|
|
||||||
|
- Make it small.
|
||||||
|
- One feature per Pull Request.
|
||||||
|
- Write useful descriptions and titles.
|
||||||
|
- Avoid re-formatting code that is not on the path of your PR.
|
||||||
|
- Make sure the [code builds](building-testing.md).
|
||||||
|
- Make sure [all tests pass](building-testing.md).
|
||||||
|
- Add tests.
|
||||||
|
- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
|
||||||
|
|
||||||
|
!!! note "third-party dependencies"
|
||||||
|
|
||||||
|
If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
|
||||||
|
|
||||||
|
!!! tip "10 Tips for Better Pull Requests"
|
||||||
|
|
||||||
|
We enjoyed this article, maybe you will too! [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
|
10
docs/content/contributing/thank-you.md
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
# Thank You!
|
||||||
|
|
||||||
|
_You_ Made It
|
||||||
|
{: .subtitle}
|
||||||
|
|
||||||
|
Traefik truly is an [open-source project](https://github.com/containous/traefik/),
|
||||||
|
and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
|
||||||
|
not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
|
||||||
|
|
||||||
|
So once again, thank you for your invaluable help on making Traefik such a good product.
|
35
docs/content/getting-started/concepts.md
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
# Concepts
|
||||||
|
|
||||||
|
Everything You Need to Know
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## Edge Router
|
||||||
|
|
||||||
|
Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the [path](../../routing/routers/#rule), the [host](../../routing/routers/#rule), [headers](../../routing/routers/#rule), [and so on](../../routing/routers/#rule) ...).
|
||||||
|
|
||||||
|
![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
|
||||||
|
|
||||||
|
## Auto Service Discovery
|
||||||
|
|
||||||
|
Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves.
|
||||||
|
|
||||||
|
Deploying your services, you attach information that tell Traefik the characteristics of the requests the services can handle.
|
||||||
|
|
||||||
|
![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
|
||||||
|
|
||||||
|
It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
|
||||||
|
The opposite is true: when you remove a service from your infrastructure, the route will disapear accordingly.
|
||||||
|
|
||||||
|
You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
|
||||||
|
|
||||||
|
!!! note "Many different rules"
|
||||||
|
|
||||||
|
In the example above, we used the request [path](../routing/routers.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers.md#rule).
|
||||||
|
|
||||||
|
!!! note "Updating the requests"
|
||||||
|
|
||||||
|
In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
|
||||||
|
|
||||||
|
!!! question "How does Traefik discover the services?"
|
||||||
|
|
||||||
|
Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
|
81
docs/content/getting-started/configuration-overview.md
Normal file
|
@ -0,0 +1,81 @@
|
||||||
|
# Configuration Overview
|
||||||
|
|
||||||
|
How the Magic Happens
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Configuration](../assets/img/static-dynamic-configuration.png)
|
||||||
|
|
||||||
|
Configuration in Traefik can refer to two different things:
|
||||||
|
|
||||||
|
- The fully dynamic routing configuration (referred to as the _dynamic configuration_)
|
||||||
|
- The startup configuration (referred to as the _static configuration_)
|
||||||
|
|
||||||
|
Elements in the _static configuration_ set up connections to [providers](../../providers/overview/) and define the [entrypoints](../../routing/entrypoints/) Traefik will listen to (these elements don't change often).
|
||||||
|
|
||||||
|
The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
|
||||||
|
This configuration can change and is seamlessly hot-reloaded, without any request interuption or connection loss.
|
||||||
|
|
||||||
|
## The Dynamic Configuration
|
||||||
|
|
||||||
|
Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): wether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance.
|
||||||
|
|
||||||
|
## The Static Configuration
|
||||||
|
|
||||||
|
There are three different locations where you can define static configuration options in Traefik:
|
||||||
|
|
||||||
|
- In a key-value store
|
||||||
|
- In the command-line arguments
|
||||||
|
- In a configuration file
|
||||||
|
|
||||||
|
If you don't provide a value for a given option, default values apply.
|
||||||
|
|
||||||
|
!!! important "Precedence Order"
|
||||||
|
|
||||||
|
The following precedence order applies for configuration options: key-value > command-line > configuration file.
|
||||||
|
|
||||||
|
It means that arguments override configuration file, and key-value store overrides arguments.
|
||||||
|
|
||||||
|
!!! important "Default Values"
|
||||||
|
|
||||||
|
Some root options are enablers: they set default values for all their children.
|
||||||
|
|
||||||
|
For example, the `--providers.docker` option enables the docker provider.
|
||||||
|
Once positioned, this option sets (and resets) all the default values under the root `providers.docker`.
|
||||||
|
If you define child options using a lesser precedence configuration source, they will be overwritten by the default values.
|
||||||
|
|
||||||
|
### Configuration File
|
||||||
|
|
||||||
|
At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$HOME/.traefik/`, and `.` (_the working directory_).
|
||||||
|
|
||||||
|
You can override this using the `configFile` argument.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
traefik --configFile=foo/bar/myconfigfile.toml
|
||||||
|
```
|
||||||
|
|
||||||
|
### Arguments
|
||||||
|
|
||||||
|
Use `traefik --help` to get the list of the available arguments.
|
||||||
|
|
||||||
|
### Key-Value Stores
|
||||||
|
|
||||||
|
Traefik supports several Key-value stores:
|
||||||
|
|
||||||
|
- [Consul](https://consul.io)
|
||||||
|
- [etcd](https://coreos.com/etcd/)
|
||||||
|
- [ZooKeeper](https://zookeeper.apache.org/)
|
||||||
|
- [boltdb](https://github.com/boltdb/bolt)
|
||||||
|
|
||||||
|
## Available Configuration Options
|
||||||
|
|
||||||
|
All the configuration options are documented in their related section.
|
||||||
|
|
||||||
|
You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
|
109
docs/content/getting-started/quick-start.md
Normal file
|
@ -0,0 +1,109 @@
|
||||||
|
# Quick Start
|
||||||
|
|
||||||
|
A Simple Use Case Using Docker
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![quickstart-diagram](../assets/img/quickstart-diagram.png)
|
||||||
|
|
||||||
|
!!! tip
|
||||||
|
To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik).
|
||||||
|
The quickstart files are located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory.
|
||||||
|
|
||||||
|
## Launch Traefik With the Docker Provider
|
||||||
|
|
||||||
|
Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
version: '3'
|
||||||
|
|
||||||
|
services:
|
||||||
|
reverse-proxy:
|
||||||
|
image: traefik # The official Traefik docker image
|
||||||
|
command: --api --docker # Enables the web UI and tells Traefik to listen to docker
|
||||||
|
ports:
|
||||||
|
- "80:80" # The HTTP port
|
||||||
|
- "8080:8080" # The Web UI (enabled by --api)
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
|
||||||
|
```
|
||||||
|
|
||||||
|
**That's it. Now you can launch Traefik!**
|
||||||
|
|
||||||
|
Start your `reverse-proxy` with the following command:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
docker-compose up -d reverse-proxy
|
||||||
|
```
|
||||||
|
|
||||||
|
You can open a browser and go to [http://localhost:8080](http://localhost:8080) to see Traefik's dashboard (we'll go back there once we have launched a service in step 2).
|
||||||
|
|
||||||
|
## Traefik Detects New Services and Creates the Route for You
|
||||||
|
|
||||||
|
Now that we have a Traefik instance up and running, we will deploy new services.
|
||||||
|
|
||||||
|
Edit your `docker-compose.yml` file and add the following at the end of your file.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# ...
|
||||||
|
whoami:
|
||||||
|
image: containous/whoami # A container that exposes an API to show its IP address
|
||||||
|
labels:
|
||||||
|
- "traefik.router.rule=Host:whoami.docker.localhost"
|
||||||
|
```
|
||||||
|
|
||||||
|
The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
|
||||||
|
|
||||||
|
Start the `whoami` service with the following command:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
docker-compose up -d whoami
|
||||||
|
```
|
||||||
|
|
||||||
|
Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new container and updated its own configuration.
|
||||||
|
|
||||||
|
When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_ (Here, we're using curl)
|
||||||
|
|
||||||
|
```shell
|
||||||
|
curl -H Host:whoami.docker.localhost http://127.0.0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
_Shows the following output:_
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
Hostname: a656c8ddca6c
|
||||||
|
IP: 172.27.0.3
|
||||||
|
#...
|
||||||
|
```
|
||||||
|
|
||||||
|
## More Instances? Traefik Load Balances Them
|
||||||
|
|
||||||
|
Run more instances of your `whoami` service with the following command:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
docker-compose up -d --scale whoami=2
|
||||||
|
```
|
||||||
|
|
||||||
|
Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new instance of the container.
|
||||||
|
|
||||||
|
Finally, see that Traefik load-balances between the two instances of your services by running twice the following command:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
curl -H Host:whoami.docker.localhost http://127.0.0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
The output will show alternatively one of the followings:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
Hostname: a656c8ddca6c
|
||||||
|
IP: 172.27.0.3
|
||||||
|
#...
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
Hostname: s458f154e1f1
|
||||||
|
IP: 172.27.0.4
|
||||||
|
# ...
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! question "Where to Go Next?"
|
||||||
|
Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
|
22
docs/content/glossary.md
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
# TODO -- Glossary
|
||||||
|
|
||||||
|
Where Every Technical Word finds its Definition`
|
||||||
|
{: .subtitle}
|
||||||
|
|
||||||
|
- [ ] Provider
|
||||||
|
- [ ] Types of providers (KV, annotation based, label based, configuration based)
|
||||||
|
- [ ] Entrypoint
|
||||||
|
- [ ] Routers
|
||||||
|
- [ ] Middleware
|
||||||
|
- [ ] Service
|
||||||
|
- [ ] Static Configuration
|
||||||
|
- [ ] Dynamic Configuration
|
||||||
|
- [ ] ACME
|
||||||
|
- [ ] TraefikEE
|
||||||
|
- [ ] Tracing
|
||||||
|
- [ ] Metrics
|
||||||
|
- [ ] Orchestrator
|
||||||
|
- [ ] Key Value Store
|
||||||
|
- [ ] Logs
|
||||||
|
- [ ] Traefiker
|
||||||
|
- [ ] Traefik (How to pronounce)
|
4
docs/content/includes/.markdownlint.json
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
{
|
||||||
|
"extends": "../../.markdownlint.json",
|
||||||
|
"MD041": false
|
||||||
|
}
|
1
docs/content/includes/more-on-command-line.md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
To learn more about configuration options in the command line, refer to the [configuration overview](../getting-started/configuration-overview.md)
|
1
docs/content/includes/more-on-configuration-file.md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
To learn more about the configuration file, refer to [configuration overview](../getting-started/configuration-overview.md)
|
2
docs/content/includes/more-on-entrypoints.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
!!! info "More On Entrypoints"
|
||||||
|
Learn more about entrypoints and their configuration options in the dedicated section.
|
1
docs/content/includes/more-on-key-value-store.md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
To learn more about configuration in key-value stores, refer to the [configuration overview](../getting-started/configuration-overview.md)
|
2
docs/content/includes/more-on-routers.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
!!! info "More On Routers"
|
||||||
|
Learn more about routers and their configuration options in the [dedicated section](../routing/routers.md).
|
23
docs/content/index.md
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
|
||||||
|
# Welcome
|
||||||
|
|
||||||
|
![Architecture](assets/img/traefik-architecture.png)
|
||||||
|
|
||||||
|
Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience.
|
||||||
|
It receives requests on behalf of your system and finds out which components are responsible for handling them.
|
||||||
|
|
||||||
|
What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services.
|
||||||
|
The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
|
||||||
|
|
||||||
|
Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
|
||||||
|
|
||||||
|
With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
|
||||||
|
With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
|
||||||
|
|
||||||
|
Developing Traefik, our main goal is to make it simple to use, and we're sure you'll enjoy it.
|
||||||
|
|
||||||
|
-- The Traefik Maintainer Team
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.
|
33
docs/content/middlewares/addprefix.md
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
# Add Prefix
|
||||||
|
|
||||||
|
Prefixing the Path
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![AddPrefix](../assets/img/middleware/addprefix.png)
|
||||||
|
|
||||||
|
The AddPrefix middleware updates the URL Path of the request before forwarding it.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Prefixing with /foo"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.add-foo.AddPrefix]
|
||||||
|
prefix = "/foo"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Prefixing with /bar"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.add-bar.addprefix.prefix=/bar"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### prefix
|
||||||
|
|
||||||
|
`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
|
83
docs/content/middlewares/basicauth.md
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
# BasicAuth
|
||||||
|
|
||||||
|
Adding Basic Authentication
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![BasicAuth](../assets/img/middleware/basicauth.png)
|
||||||
|
|
||||||
|
The BasicAuth middleware is a quick way to restrict access to your services to known users.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Declaring the user list"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-auth.basicauth]
|
||||||
|
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
||||||
|
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Using an external file for the authorized users"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.declared-users-only.basicauth.usersFile=path-to-file.ext",
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
Passwords must be encoded using MD5, SHA1, or BCrypt.
|
||||||
|
|
||||||
|
!!! tip
|
||||||
|
|
||||||
|
Use `htpasswd` to generate the passwords.
|
||||||
|
|
||||||
|
### users
|
||||||
|
|
||||||
|
The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
|
### usersFile
|
||||||
|
|
||||||
|
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
|
||||||
|
|
||||||
|
The file content is a list of `name:encoded-password`.
|
||||||
|
|
||||||
|
??? example "A file containing test/test and test2/test2"
|
||||||
|
|
||||||
|
```
|
||||||
|
test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
|
||||||
|
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
|
### realm
|
||||||
|
|
||||||
|
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
|
||||||
|
|
||||||
|
### headerField
|
||||||
|
|
||||||
|
You can customize the header field for the authenticated user using the `headerField`option.
|
||||||
|
|
||||||
|
??? example "File -- Passing Authenticated Users to Services Via Headers"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares.my-auth.basicauth]
|
||||||
|
usersFile = "path-to-file.ext"
|
||||||
|
headerField = "X-WebAuth-User" # header for the authenticated user
|
||||||
|
```
|
||||||
|
|
||||||
|
### removeHeader
|
||||||
|
|
||||||
|
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
|
69
docs/content/middlewares/buffering.md
Normal file
|
@ -0,0 +1,69 @@
|
||||||
|
# Buffering
|
||||||
|
|
||||||
|
How to Read the Request before Forwarding It
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Buffering](../assets/img/middleware/buffering.png)
|
||||||
|
|
||||||
|
The Buffering middleware gives you control on how you want to read the requests before sending them to services.
|
||||||
|
|
||||||
|
With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
|
||||||
|
|
||||||
|
This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Sets the maximum request body to 2Mb"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.2Mb-limit.buffering]
|
||||||
|
maxRequestBodyBytes = 250000
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Buffers 1Mb of the request in memory, then writes to disk"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.1Mb-memory.buffering.memRequestBodyBytes=125000",
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### maxRequestBodyBytes
|
||||||
|
|
||||||
|
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
|
||||||
|
|
||||||
|
If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
|
||||||
|
|
||||||
|
### memRequestBodyBytes
|
||||||
|
|
||||||
|
You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
|
||||||
|
|
||||||
|
### maxResponseBodyBytes
|
||||||
|
|
||||||
|
With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
|
||||||
|
|
||||||
|
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
|
||||||
|
|
||||||
|
### memResponseBodyBytes
|
||||||
|
|
||||||
|
You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
|
||||||
|
|
||||||
|
### retryExpression
|
||||||
|
|
||||||
|
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
|
||||||
|
|
||||||
|
!!! example "Retries once in case of a network error"
|
||||||
|
|
||||||
|
```
|
||||||
|
retryExpression = "IsNetworkError() && Attempts() < 2"
|
||||||
|
```
|
||||||
|
|
||||||
|
Available functions for the retry expression are:
|
||||||
|
|
||||||
|
- `Attempts()` number of attempts (the first one counts)
|
||||||
|
- `ResponseCode()` response code of the service
|
||||||
|
- `IsNetworkError()` - if the response code is related to networking error
|
40
docs/content/middlewares/chain.md
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
# Chain
|
||||||
|
|
||||||
|
When One Isn't Enougth
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Chain](../assets/img/middleware/chain.png)
|
||||||
|
|
||||||
|
The Chain middleware enables you to define reusable combinations of other pieces of middleware.
|
||||||
|
It makes reusing the same groups easier.
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
|
||||||
|
??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# ...
|
||||||
|
[Routers]
|
||||||
|
[Routers.router1]
|
||||||
|
service = "service1"
|
||||||
|
middlewares = ["secured"]
|
||||||
|
rule = "Host: mydomain"
|
||||||
|
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.secured.Chain]
|
||||||
|
middlewares = ["https-only", "known-ips", "auth-users"]
|
||||||
|
|
||||||
|
[Middlewares.auth-users.BasicAuth]
|
||||||
|
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
|
||||||
|
[Middlewares.https-only.SchemeRedirect]
|
||||||
|
scheme = "https"
|
||||||
|
[Middlewares.known-ips.ipWhiteList]
|
||||||
|
sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
|
||||||
|
|
||||||
|
[Services]
|
||||||
|
[Services.service1]
|
||||||
|
[Services.service1.LoadBalancer]
|
||||||
|
[[Services.service1.LoadBalancer.Servers]]
|
||||||
|
URL = "http://127.0.0.1:80"
|
||||||
|
Weight = 1
|
||||||
|
```
|
146
docs/content/middlewares/circuitbreaker.md
Normal file
|
@ -0,0 +1,146 @@
|
||||||
|
# CircuitBreaker
|
||||||
|
|
||||||
|
Don't Waste Time Calling Unhealthy Services
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
|
||||||
|
|
||||||
|
The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
|
||||||
|
|
||||||
|
When your system is healthy, the circuit is close (normal operations).
|
||||||
|
When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
|
||||||
|
|
||||||
|
To assess if your system is healthy, the circuit breaker constantly monitors the services.
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
- The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
|
||||||
|
- The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
|
||||||
|
|
||||||
|
!!! important
|
||||||
|
|
||||||
|
Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "Latency Check -- Using Toml"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[middlewares]
|
||||||
|
[middlewares.latency-check.circuitbreaker]
|
||||||
|
expression = "LatencyAtQuantileMS(50.0) > 100"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Latency Check -- Using Docker Labels"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# in a docker compose file
|
||||||
|
container-definition:
|
||||||
|
image: image-name
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Possible States
|
||||||
|
|
||||||
|
There are three possible states for your circuit breaker:
|
||||||
|
|
||||||
|
- Close (your service operates normally)
|
||||||
|
- Open (the fallback mechanism takes over your service)
|
||||||
|
- Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
|
||||||
|
|
||||||
|
### Close
|
||||||
|
|
||||||
|
While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
|
||||||
|
|
||||||
|
At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change.
|
||||||
|
|
||||||
|
### Open
|
||||||
|
|
||||||
|
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
|
||||||
|
|
||||||
|
### Recovering
|
||||||
|
|
||||||
|
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### Configuring the Trigger
|
||||||
|
|
||||||
|
You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
|
||||||
|
|
||||||
|
The `expression` can check three different metrics:
|
||||||
|
|
||||||
|
- The network error ratio (`NetworkErrorRatio`)
|
||||||
|
- The status code ratio (`ResponseCodeRatio`)
|
||||||
|
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
|
||||||
|
|
||||||
|
#### NetworkErrorRatio
|
||||||
|
|
||||||
|
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
|
||||||
|
|
||||||
|
#### ResponseCodeRatio
|
||||||
|
|
||||||
|
You can trigger the circuit breaker based on the ratio of a given range of status codes.
|
||||||
|
|
||||||
|
The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
|
||||||
|
|
||||||
|
The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
|
||||||
|
|
||||||
|
`from`is inclusive, `to` is exclusive.
|
||||||
|
|
||||||
|
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
|
||||||
|
|
||||||
|
#### LatencyAtQuantileMS
|
||||||
|
|
||||||
|
You can trigger the circuit breaker when a given proportion of your requests become too slow.
|
||||||
|
|
||||||
|
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
You must provide a float number (with the leading .0) for the quantile value
|
||||||
|
|
||||||
|
#### Using multiple metrics
|
||||||
|
|
||||||
|
You can combine multiple metrics using operators in your expression.
|
||||||
|
|
||||||
|
Supported operators are:
|
||||||
|
|
||||||
|
- AND (`&&`)
|
||||||
|
- OR (`||)
|
||||||
|
|
||||||
|
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
|
||||||
|
|
||||||
|
#### Operators
|
||||||
|
|
||||||
|
Here is the list of supported operators:
|
||||||
|
|
||||||
|
- Greater than (`>`)
|
||||||
|
- Greater or equal than (`>=`)
|
||||||
|
- Lesser than (`<`)
|
||||||
|
- Lesser or equal than (`<=`)
|
||||||
|
- Not (`!`)
|
||||||
|
- Equal (`==`)
|
||||||
|
- Not Equal (`!=`)
|
||||||
|
|
||||||
|
### Fallback mechanism
|
||||||
|
|
||||||
|
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured.
|
||||||
|
|
||||||
|
### CheckPeriod
|
||||||
|
|
||||||
|
The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
|
||||||
|
|
||||||
|
### FallbackDuration
|
||||||
|
|
||||||
|
By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
|
||||||
|
|
||||||
|
### RecoveringDuration
|
||||||
|
|
||||||
|
The duration of the recovering mode (recovering state).
|
||||||
|
|
||||||
|
By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.
|
34
docs/content/middlewares/compress.md
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
# Compress
|
||||||
|
|
||||||
|
Compressing the Response before Sending it to the Client
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Compress](../assets/img/middleware/compress.png)
|
||||||
|
|
||||||
|
The Compress middleware enables the gzip compression.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- enable gzip compression"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-compress.Compress]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- enable gzip compression"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.test-compress.compress=true",
|
||||||
|
```
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
|
||||||
|
Responses are compressed when:
|
||||||
|
|
||||||
|
* The response body is larger than `512` bytes.
|
||||||
|
* The `Accept-Encoding` request header contains `gzip`.
|
||||||
|
* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
|
78
docs/content/middlewares/digestauth.md
Normal file
|
@ -0,0 +1,78 @@
|
||||||
|
# DigestAuth
|
||||||
|
|
||||||
|
Adding Digest Authentication
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![BasicAuth](../assets/img/middleware/digestauth.png)
|
||||||
|
|
||||||
|
The DigestAuth middleware is a quick way to restrict access to your services to known users.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Declaring the user list"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-auth.digestauth]
|
||||||
|
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Using an external file for the authorized users"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext",
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! tip
|
||||||
|
|
||||||
|
Use `htdigest` to generate passwords.
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### Users
|
||||||
|
|
||||||
|
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
|
### UsersFile
|
||||||
|
|
||||||
|
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
|
||||||
|
|
||||||
|
The file content is a list of `name:realm:encoded-password`.
|
||||||
|
|
||||||
|
??? example "A file containing test/test and test2/test2"
|
||||||
|
|
||||||
|
```
|
||||||
|
test:traefik:a2688e031edb4be6a3797f3882655c05
|
||||||
|
test2:traefik:518845800f9e2bfb1f1f740ec24f074e
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
|
||||||
|
|
||||||
|
### Realm
|
||||||
|
|
||||||
|
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
|
||||||
|
|
||||||
|
### HeaderField
|
||||||
|
|
||||||
|
You can customize the header field for the authenticated user using the `headerField`option.
|
||||||
|
|
||||||
|
??? example "File -- Passing Authenticated Users to Services Via Headers"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares.my-auth.digestauth]
|
||||||
|
usersFile = "path-to-file.ext"
|
||||||
|
headerField = "X-WebAuth-User" # header for the authenticated user
|
||||||
|
```
|
||||||
|
|
||||||
|
### RemoveHeader
|
||||||
|
|
||||||
|
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
|
66
docs/content/middlewares/errorpages.md
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
# ErrorPage
|
||||||
|
|
||||||
|
It Has Never Been Easier to Say That Something Went Wrong
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![ErrorPages](../assets/img/middleware/errorpages.png)
|
||||||
|
|
||||||
|
The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
|
||||||
|
|
||||||
|
!!! important
|
||||||
|
The error page itself is _not_ hosted by Traefik.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Custom Error Page for 5XX"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Routers]
|
||||||
|
[Routers.router1]
|
||||||
|
Service = "my-service"
|
||||||
|
Rule = Host(`my-domain`)
|
||||||
|
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.5XX-errors.Errors]
|
||||||
|
status = ["500-599"]
|
||||||
|
service = "error-handler-service"
|
||||||
|
query = "/error.html"
|
||||||
|
|
||||||
|
[Services]
|
||||||
|
# ... definition of error-handler-service and my-service
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Dynamic Custom Error Page for 5XX Status Code"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.test-errorpage.errors.status=500-599",
|
||||||
|
- "traefik.middlewares.test-errorpage.errors.service=serviceError",
|
||||||
|
- "traefik.middlewares.test-errorpage.errors.query=/{status}.html",
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
In this example, the error page URL is based on the status code (`query=/{status}.html)`.
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### status
|
||||||
|
|
||||||
|
The `status` that will trigger the error page.
|
||||||
|
|
||||||
|
The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
|
||||||
|
|
||||||
|
!!! Note
|
||||||
|
|
||||||
|
You can define either a status code like `500` or ranges with a syntax like `500-599`.
|
||||||
|
|
||||||
|
### service
|
||||||
|
|
||||||
|
The service that will serve the new requested error page.
|
||||||
|
|
||||||
|
### query
|
||||||
|
|
||||||
|
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
|
63
docs/content/middlewares/forwardauth.md
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
# ForwardAuth
|
||||||
|
|
||||||
|
Using an External Service to Ccheck for Credentials
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![AuthForward](../assets/img/middleware/authforward.png)
|
||||||
|
|
||||||
|
The ForwardAuth middleware delegate the authentication to an external service.
|
||||||
|
If the service response code is 2XX, access is granted and the original request is performed.
|
||||||
|
Otherwise, the response from the authentication server is returned.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Forward authentication to authserver.com"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-auth.forwardauth]
|
||||||
|
address = "https://authserver.com/auth"
|
||||||
|
trustForwardHeader = true
|
||||||
|
authResponseHeaders = ["X-Auth-User", "X-Secret"]
|
||||||
|
|
||||||
|
[Middlewares.test-auth.forwardauth.tls]
|
||||||
|
ca = "path/to/local.crt"
|
||||||
|
caOptional = true
|
||||||
|
cert = "path/to/foo.cert"
|
||||||
|
key = "path/to/foo.key"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Forward authentication to authserver.com"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
|
||||||
|
- "traefik.Middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### address
|
||||||
|
|
||||||
|
The `address` option defines the authentication server address.
|
||||||
|
|
||||||
|
### trustForwardHeader
|
||||||
|
|
||||||
|
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
|
||||||
|
|
||||||
|
### authResponseHeaders
|
||||||
|
|
||||||
|
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
|
||||||
|
|
||||||
|
### tls
|
||||||
|
|
||||||
|
The `tls` option is the tls configuration from Traefik to the authentication server.
|
179
docs/content/middlewares/headers.md
Normal file
|
@ -0,0 +1,179 @@
|
||||||
|
# Headers
|
||||||
|
|
||||||
|
Adding Headers to the Request / Response
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Headers](../assets/img/middleware/headers.png)
|
||||||
|
|
||||||
|
The Headers middleware can manage the requests/responses headers.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
### Adding Headers to the Request and the Response
|
||||||
|
|
||||||
|
Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
|
||||||
|
|
||||||
|
??? example "File"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.testHeader.headers]
|
||||||
|
[Middlewares.testHeader.headers.CustomRequestHeaders]
|
||||||
|
X-Script-Name = "test"
|
||||||
|
[Middlewares.testHeader.headers.CustomResponseHeaders]
|
||||||
|
X-Custom-Response-Header = "True"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
|
||||||
|
- "traefik.Middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
|
||||||
|
```
|
||||||
|
|
||||||
|
### Adding and Removing Headers
|
||||||
|
|
||||||
|
`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
|
||||||
|
|
||||||
|
??? example "File"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.testHeader.headers]
|
||||||
|
[Middlewares.testHeader.headers.CustomRequestHeaders]
|
||||||
|
X-Script-Name = "test"
|
||||||
|
[Middlewares.testHeader.headers.CustomResponseHeaders]
|
||||||
|
X-Custom-Response-Header = "True"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
|
||||||
|
- "traefik.Middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using Security Headers
|
||||||
|
|
||||||
|
Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
|
||||||
|
This functionality allows for some easy security features to quickly be set.
|
||||||
|
|
||||||
|
??? example "File"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.testHeader.headers]
|
||||||
|
FrameDeny = true
|
||||||
|
SSLRedirect = true
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.testHeader.Headers.FrameDeny=true",
|
||||||
|
- "traefik.Middlewares.testHeader.Headers.SSLRedirect=true",
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
If the custom header name is the same as one header name of the request or response, it will be replaced.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
|
||||||
|
|
||||||
|
### customRequestHeaders
|
||||||
|
|
||||||
|
The `customRequestHeaders` option lists the Header names and values to apply to the request.
|
||||||
|
|
||||||
|
### allowedHosts
|
||||||
|
|
||||||
|
The `allowedHosts` option lists fully qualified domain names that are allowed.
|
||||||
|
|
||||||
|
### hostsProxyHeaders
|
||||||
|
|
||||||
|
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
|
||||||
|
|
||||||
|
### sslRedirect
|
||||||
|
|
||||||
|
The `sslRedirect` is set to true, then only allow https requests.
|
||||||
|
|
||||||
|
### sslTemporaryRedirect
|
||||||
|
|
||||||
|
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
|
||||||
|
|
||||||
|
### sslHost
|
||||||
|
|
||||||
|
The `SSLHost` option is the host name that is used to redirect http requests to https.
|
||||||
|
|
||||||
|
### sslProxyHeaders
|
||||||
|
|
||||||
|
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
|
||||||
|
|
||||||
|
### sslForceHost
|
||||||
|
|
||||||
|
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
|
||||||
|
|
||||||
|
### stsSeconds
|
||||||
|
|
||||||
|
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
|
||||||
|
|
||||||
|
### stsIncludeSubdomains
|
||||||
|
|
||||||
|
The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
|
||||||
|
|
||||||
|
### stsPreload
|
||||||
|
|
||||||
|
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
|
||||||
|
|
||||||
|
### forceSTSHeader
|
||||||
|
|
||||||
|
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
|
||||||
|
|
||||||
|
### frameDeny
|
||||||
|
|
||||||
|
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
|
||||||
|
|
||||||
|
### customFrameOptionsValue
|
||||||
|
|
||||||
|
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
|
||||||
|
|
||||||
|
### contentTypeNosniff
|
||||||
|
|
||||||
|
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
|
||||||
|
|
||||||
|
### browserXssFilter
|
||||||
|
|
||||||
|
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
|
||||||
|
|
||||||
|
### customBrowserXSSValue
|
||||||
|
|
||||||
|
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
|
||||||
|
|
||||||
|
### contentSecurityPolicy
|
||||||
|
|
||||||
|
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
|
||||||
|
|
||||||
|
### publicKey
|
||||||
|
|
||||||
|
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
|
||||||
|
|
||||||
|
### referrerPolicy
|
||||||
|
|
||||||
|
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
|
||||||
|
|
||||||
|
### isDevelopment
|
||||||
|
|
||||||
|
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
|
||||||
|
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
|
113
docs/content/middlewares/ipwhitelist.md
Normal file
|
@ -0,0 +1,113 @@
|
||||||
|
# IPWhiteList
|
||||||
|
|
||||||
|
Limiting Clients to Specific IPs
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
|
||||||
|
|
||||||
|
IPWhitelist accepts / refuses requests based on the client IP.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Accepts request from defined IP"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-ipwhitelist.ipWhiteList]
|
||||||
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Accepts request from defined IP"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### sourceRange
|
||||||
|
|
||||||
|
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
|
||||||
|
|
||||||
|
### ipStrategy
|
||||||
|
|
||||||
|
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
|
||||||
|
|
||||||
|
#### ipStrategy.depth
|
||||||
|
|
||||||
|
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
|
||||||
|
|
||||||
|
!!! note "Examples of Depth & X-Forwaded-For"
|
||||||
|
|
||||||
|
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
|
||||||
|
|
||||||
|
??? note "More examples"
|
||||||
|
|
||||||
|
| `X-Forwarded-For` | `depth` | clientIP |
|
||||||
|
|-----------------------------------------|---------|--------------|
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
|
||||||
|
|
||||||
|
??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-ipwhitelist.ipWhiteList]
|
||||||
|
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
|
[Middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
||||||
|
depth = 2
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
|
||||||
|
- "traefik.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
|
||||||
|
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
|
||||||
|
- `depth` is ignored if its value is is lesser than or equal to 0.
|
||||||
|
|
||||||
|
#### ipStrategy.excludedIPs
|
||||||
|
|
||||||
|
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
|
||||||
|
|
||||||
|
!!! note "Examples of ExcludedIPs & X-Forwaded-For"
|
||||||
|
|
||||||
|
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|
||||||
|
|-----------------------------------------|-----------------------|--------------|
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
|
||||||
|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
|
||||||
|
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
|
||||||
|
|
||||||
|
!!! important
|
||||||
|
If `depth` is specified, `excludedIPs` is ignored.
|
||||||
|
|
||||||
|
??? example "File -- Exclude from `X-Forwarded-For`"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-ipwhitelist.ipWhiteList]
|
||||||
|
[Middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
|
||||||
|
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Exclude from `X-Forwarded-For`"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
|
||||||
|
```
|
44
docs/content/middlewares/maxconnection.md
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
# MaxConnection
|
||||||
|
|
||||||
|
Limiting the Number of Simultaneous Clients
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![MaxConnection](../assets/img/middleware/maxconnection.png)
|
||||||
|
|
||||||
|
To proactively prevent services from being overwhelmed with high load, a maximum connection limit can be applied.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Limiting to 10 simultaneous connections"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-maxconn.maxconn]
|
||||||
|
amount = 10
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Limiting to 10 simultaneous connections"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.test-maxconn.maxconn.amount=10"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### amount
|
||||||
|
|
||||||
|
The `amount` option defines the maximum amount of allowed simultaneous connections.
|
||||||
|
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
|
||||||
|
|
||||||
|
### extractorfunc
|
||||||
|
|
||||||
|
The `extractorfunc` defines the strategy used to categorize requests.
|
||||||
|
|
||||||
|
The possible values are:
|
||||||
|
|
||||||
|
- `request.host` categorizes requests based on the request host.
|
||||||
|
- `client.ip` categorizes requests based on the client ip.
|
||||||
|
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
|
106
docs/content/middlewares/overview.md
Normal file
|
@ -0,0 +1,106 @@
|
||||||
|
# Middlewares
|
||||||
|
|
||||||
|
Tweaking the Request
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Overview](../assets/img/middleware/overview.png)
|
||||||
|
|
||||||
|
Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services.md) (or before the answer from the services are sent to the clients).
|
||||||
|
|
||||||
|
There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
|
||||||
|
|
||||||
|
Pieces of middleware can be combined in chains to fit every scenario.
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
|
||||||
|
??? example "As Toml Configuration File"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[providers]
|
||||||
|
[providers.file]
|
||||||
|
|
||||||
|
[Routers]
|
||||||
|
[Routers.router1]
|
||||||
|
Service = "myService"
|
||||||
|
Middlewares = ["foo-add-prefix"]
|
||||||
|
Rule = "Host: example.com"
|
||||||
|
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.foo-add-prefix.AddPrefix]
|
||||||
|
prefix = "/foo"
|
||||||
|
|
||||||
|
[Services]
|
||||||
|
[Services.service1]
|
||||||
|
[Services.service1.LoadBalancer]
|
||||||
|
|
||||||
|
[[Services.service1.LoadBalancer.Servers]]
|
||||||
|
URL = "http://127.0.0.1:80"
|
||||||
|
Weight = 1
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "As a Docker Label"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# A container that exposes a simple API
|
||||||
|
whoami:
|
||||||
|
image: containous/whoami # A container that exposes an API to show its IP address
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.foo-add-prefix.addprefix.prefix=/foo",
|
||||||
|
```
|
||||||
|
|
||||||
|
## Advanced Configuration
|
||||||
|
|
||||||
|
When you declare a middleware, it lives in its `provider` namespace.
|
||||||
|
For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker `provider` namespace.
|
||||||
|
|
||||||
|
If you use multiple `providers` and wish to reference a middleware declared in another `provider`, then you'll have to prefix the middleware name with the `provider` name.
|
||||||
|
|
||||||
|
??? abstract "Referencing a Middleware from Another Provider"
|
||||||
|
|
||||||
|
Declaring the add-foo-prefix in the file provider.
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[providers]
|
||||||
|
[providers.file]
|
||||||
|
|
||||||
|
[middlewares]
|
||||||
|
[middlewares.add-foo-prefix.AddPrefix]
|
||||||
|
prefix = "/foo"
|
||||||
|
```
|
||||||
|
|
||||||
|
Using the add-foo-prefix middleware from docker.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
your-container: #
|
||||||
|
image: your-docker-image
|
||||||
|
|
||||||
|
labels:
|
||||||
|
# Attach file.add-foo-prefix middleware (declared in file)
|
||||||
|
- "traefik.routers.middlewares=file.add-foo-prefix",
|
||||||
|
```
|
||||||
|
|
||||||
|
## Available Middlewares
|
||||||
|
|
||||||
|
| Middleware | Purpose | Area |
|
||||||
|
|-------------------------------------------|---------------------------------------------------|-----------------------------|
|
||||||
|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
|
||||||
|
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
|
||||||
|
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
|
||||||
|
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
|
||||||
|
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
|
||||||
|
| [Compress](circuitbreaker.md) | Compress the response | Content Modifier |
|
||||||
|
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
|
||||||
|
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
|
||||||
|
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
|
||||||
|
| [Headers](headers.md) | Add / Update headers | Security |
|
||||||
|
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
|
||||||
|
| [MaxConnection](maxconnection.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
|
||||||
|
| [PassTLSClientCert](passtlsclientcert.md) | TODO | Security |
|
||||||
|
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
|
||||||
|
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
|
||||||
|
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
|
||||||
|
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
|
||||||
|
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
|
||||||
|
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
|
||||||
|
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
|
||||||
|
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |
|
499
docs/content/middlewares/passtlsclientcert.md
Normal file
|
@ -0,0 +1,499 @@
|
||||||
|
# TODO - PassTLSClientCert
|
||||||
|
|
||||||
|
Adding Client Certificates in a Header
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
`TODO add schema`
|
||||||
|
|
||||||
|
PassTLSClientCert adds in header the selected data from the passed client tls certificate.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-passtlsclientcert.passtlsclientcert]
|
||||||
|
pem = true
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.Middleware11.passtlsclientcert.pem=true"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "File -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-passtlsclientcert.passtlsclientcert]
|
||||||
|
[Middlewares.test-passtlsclientcert.passtlsclientcert.info]
|
||||||
|
notAfter = true
|
||||||
|
notBefore = true
|
||||||
|
sans = true
|
||||||
|
[Middlewares.test-passtlsclientcert.passtlsclientcert.info.subject]
|
||||||
|
country = true
|
||||||
|
province = true
|
||||||
|
locality = true
|
||||||
|
organization = true
|
||||||
|
commonName = true
|
||||||
|
serialNumber = true
|
||||||
|
domainComponent = true
|
||||||
|
[Middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer]
|
||||||
|
country = true
|
||||||
|
province = true
|
||||||
|
locality = true
|
||||||
|
organization = true
|
||||||
|
commonName = true
|
||||||
|
serialNumber = true
|
||||||
|
domainComponent = true
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
|
||||||
|
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
PassTLSClientCert can add two headers to the request:
|
||||||
|
|
||||||
|
* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
|
||||||
|
* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
The headers are filled with escaped string so it can be safely placed inside a URL query.
|
||||||
|
|
||||||
|
In the following example, you can see a complete certificate. We will use each part of it to explains the middleware options.
|
||||||
|
|
||||||
|
??? example "A complete client tls certificate"
|
||||||
|
|
||||||
|
```
|
||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
Version: 3 (0x2)
|
||||||
|
Serial Number: 1 (0x1)
|
||||||
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
|
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
|
||||||
|
Validity
|
||||||
|
Not Before: Dec 6 11:10:16 2018 GMT
|
||||||
|
Not After : Dec 5 11:10:16 2020 GMT
|
||||||
|
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
|
||||||
|
Subject Public Key Info:
|
||||||
|
Public Key Algorithm: rsaEncryption
|
||||||
|
RSA Public-Key: (2048 bit)
|
||||||
|
Modulus:
|
||||||
|
00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
|
||||||
|
a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
|
||||||
|
1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
|
||||||
|
d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
|
||||||
|
8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
|
||||||
|
39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
|
||||||
|
dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
|
||||||
|
6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
|
||||||
|
11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
|
||||||
|
2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
|
||||||
|
63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
|
||||||
|
a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
|
||||||
|
d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
|
||||||
|
fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
|
||||||
|
d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
|
||||||
|
c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
|
||||||
|
2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
|
||||||
|
ee:f9
|
||||||
|
Exponent: 65537 (0x10001)
|
||||||
|
X509v3 extensions:
|
||||||
|
X509v3 Key Usage: critical
|
||||||
|
Digital Signature, Key Encipherment
|
||||||
|
X509v3 Basic Constraints:
|
||||||
|
CA:FALSE
|
||||||
|
X509v3 Extended Key Usage:
|
||||||
|
TLS Web Server Authentication, TLS Web Client Authentication
|
||||||
|
X509v3 Subject Key Identifier:
|
||||||
|
94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
|
||||||
|
X509v3 Authority Key Identifier:
|
||||||
|
keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
|
||||||
|
|
||||||
|
X509v3 Subject Alternative Name:
|
||||||
|
DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
|
||||||
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
|
76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
|
||||||
|
16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
|
||||||
|
ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
|
||||||
|
5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
|
||||||
|
8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
|
||||||
|
cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
|
||||||
|
1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
|
||||||
|
8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
|
||||||
|
74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
|
||||||
|
9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
|
||||||
|
62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
|
||||||
|
60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
|
||||||
|
9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
|
||||||
|
d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
|
||||||
|
c6:98:8a:31
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
|
||||||
|
ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
|
||||||
|
ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
|
||||||
|
Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
|
||||||
|
AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
|
||||||
|
IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
|
||||||
|
DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
|
||||||
|
D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
|
||||||
|
Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
|
||||||
|
NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
|
||||||
|
MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
|
||||||
|
BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
|
||||||
|
HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
|
||||||
|
ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
|
||||||
|
A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
|
||||||
|
VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
|
||||||
|
MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
|
||||||
|
EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
|
||||||
|
AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
|
||||||
|
iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
|
||||||
|
KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
|
||||||
|
yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
|
||||||
|
BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
|
||||||
|
Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
|
||||||
|
A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
|
||||||
|
BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
|
||||||
|
BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
|
||||||
|
Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
|
||||||
|
Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
|
||||||
|
FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
|
||||||
|
KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
|
||||||
|
CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
|
||||||
|
mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
|
||||||
|
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
```
|
||||||
|
|
||||||
|
### pem
|
||||||
|
|
||||||
|
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
|
||||||
|
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
|
||||||
|
|
||||||
|
??? example "The data used by the pem option"
|
||||||
|
|
||||||
|
```
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
|
||||||
|
ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
|
||||||
|
ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
|
||||||
|
Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
|
||||||
|
AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
|
||||||
|
IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
|
||||||
|
DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
|
||||||
|
D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
|
||||||
|
Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
|
||||||
|
NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
|
||||||
|
MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
|
||||||
|
BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
|
||||||
|
HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
|
||||||
|
ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
|
||||||
|
A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
|
||||||
|
VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
|
||||||
|
MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
|
||||||
|
EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
|
||||||
|
AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
|
||||||
|
iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
|
||||||
|
KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
|
||||||
|
yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
|
||||||
|
BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
|
||||||
|
Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
|
||||||
|
A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
|
||||||
|
BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
|
||||||
|
BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
|
||||||
|
Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
|
||||||
|
Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
|
||||||
|
FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
|
||||||
|
KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
|
||||||
|
CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
|
||||||
|
mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
|
||||||
|
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "Extracted data"
|
||||||
|
|
||||||
|
The delimiters and `\n` will be removed.
|
||||||
|
If there are more than one certificate, they are separated by a "`;`".
|
||||||
|
|
||||||
|
### info
|
||||||
|
|
||||||
|
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||||
|
The value of the header will be an escaped concatenation of all the selected certificate details.
|
||||||
|
The following example shows an unescaped result that uses all the available fields:
|
||||||
|
|
||||||
|
```text
|
||||||
|
Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "Multiple certificates"
|
||||||
|
|
||||||
|
If there are more than one certificate, they are separated by a `;`.
|
||||||
|
|
||||||
|
#### info.notafter
|
||||||
|
|
||||||
|
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
|
||||||
|
The data are taken from the following certificate part:
|
||||||
|
|
||||||
|
```text
|
||||||
|
Validity
|
||||||
|
Not After : Dec 5 11:10:16 2020 GMT
|
||||||
|
```
|
||||||
|
|
||||||
|
The escape `notafter` info part will be like:
|
||||||
|
|
||||||
|
```text
|
||||||
|
NA=1607166616
|
||||||
|
```
|
||||||
|
|
||||||
|
#### info.notbefore
|
||||||
|
|
||||||
|
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
|
||||||
|
|
||||||
|
The data are taken from the following certificate part:
|
||||||
|
|
||||||
|
```text
|
||||||
|
Validity
|
||||||
|
Not Before: Dec 6 11:10:16 2018 GMT
|
||||||
|
```
|
||||||
|
|
||||||
|
The escape `notafter` info part will be like:
|
||||||
|
|
||||||
|
```text
|
||||||
|
NB=1544094616
|
||||||
|
```
|
||||||
|
|
||||||
|
#### info.sans
|
||||||
|
|
||||||
|
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
|
||||||
|
The data are taken from the following certificate part:
|
||||||
|
|
||||||
|
```text
|
||||||
|
X509v3 Subject Alternative Name:
|
||||||
|
DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
|
||||||
|
```
|
||||||
|
|
||||||
|
The escape SANs info part will be like:
|
||||||
|
|
||||||
|
```text
|
||||||
|
SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! note "multiple values"
|
||||||
|
|
||||||
|
All the SANs data are separated by a `,`.
|
||||||
|
|
||||||
|
#### info.subject
|
||||||
|
|
||||||
|
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||||
|
|
||||||
|
The data are taken from the following certificate part :
|
||||||
|
|
||||||
|
```text
|
||||||
|
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.country
|
||||||
|
|
||||||
|
Set the `info.subject.country` option to true to add the `country` information into the subject.
|
||||||
|
The data are taken from the subject part with the `C` key.
|
||||||
|
The escape country info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
C=FR,C=US
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.province
|
||||||
|
|
||||||
|
Set the `info.subject.province` option to true to add the `province` information into the subject.
|
||||||
|
|
||||||
|
The data are taken from the subject part with the `ST` key.
|
||||||
|
|
||||||
|
The escape province info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
ST=Cheese org state,ST=Cheese com state
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.locality
|
||||||
|
|
||||||
|
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
|
||||||
|
|
||||||
|
The data are taken from the subject part with the `L` key.
|
||||||
|
|
||||||
|
The escape locality info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
L=TOULOUSE,L=LYON
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.organization
|
||||||
|
|
||||||
|
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
|
||||||
|
|
||||||
|
The data are taken from the subject part with the `O` key.
|
||||||
|
|
||||||
|
The escape organization info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
O=Cheese,O=Cheese 2
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.commonname
|
||||||
|
|
||||||
|
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
|
||||||
|
|
||||||
|
The data are taken from the subject part with the `CN` key.
|
||||||
|
|
||||||
|
The escape commonname info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
CN=*.cheese.com
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.serialnumber
|
||||||
|
|
||||||
|
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
|
||||||
|
|
||||||
|
The data are taken from the subject part with the `SN` key.
|
||||||
|
|
||||||
|
The escape serialnumber info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
SN=1234567890
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.subject.domaincomponent
|
||||||
|
|
||||||
|
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
|
||||||
|
|
||||||
|
The data are taken from the subject part with the `DC` key.
|
||||||
|
|
||||||
|
The escape domaincomponent info in the subject part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
DC=org,DC=cheese
|
||||||
|
```
|
||||||
|
|
||||||
|
#### info.issuer
|
||||||
|
|
||||||
|
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
|
||||||
|
|
||||||
|
The data are taken from the following certificate part :
|
||||||
|
|
||||||
|
```text
|
||||||
|
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.country
|
||||||
|
|
||||||
|
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
|
||||||
|
The data are taken from the issuer part with the `C` key.
|
||||||
|
The escape country info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
C=FR,C=US
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.province
|
||||||
|
|
||||||
|
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
|
||||||
|
|
||||||
|
The data are taken from the issuer part with the `ST` key.
|
||||||
|
|
||||||
|
The escape province info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
ST=Signing State,ST=Signing State 2
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.locality
|
||||||
|
|
||||||
|
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
|
||||||
|
|
||||||
|
The data are taken from the issuer part with the `L` key.
|
||||||
|
|
||||||
|
The escape locality info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
L=TOULOUSE,L=LYON
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.organization
|
||||||
|
|
||||||
|
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
|
||||||
|
|
||||||
|
The data are taken from the issuer part with the `O` key.
|
||||||
|
|
||||||
|
The escape organization info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
O=Cheese,O=Cheese 2
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.commonname
|
||||||
|
|
||||||
|
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
|
||||||
|
|
||||||
|
The data are taken from the issuer part with the `CN` key.
|
||||||
|
|
||||||
|
The escape commonname info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
CN=Simple Signing CA 2
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.serialnumber
|
||||||
|
|
||||||
|
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
|
||||||
|
|
||||||
|
The data are taken from the issuer part with the `SN` key.
|
||||||
|
|
||||||
|
The escape serialnumber info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
SN=1234567890
|
||||||
|
```
|
||||||
|
|
||||||
|
##### info.issuer.domaincomponent
|
||||||
|
|
||||||
|
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
|
||||||
|
|
||||||
|
The data are taken from the issuer part with the `DC` key.
|
||||||
|
|
||||||
|
The escape domaincomponent info in the issuer part will be like :
|
||||||
|
|
||||||
|
```text
|
||||||
|
DC=org,DC=cheese
|
||||||
|
```
|
68
docs/content/middlewares/ratelimit.md
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
# TODO -- RateLimit
|
||||||
|
|
||||||
|
Protection from Too Many Calls
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![RateLimit](../assets/img/middleware/ratelimit.png)
|
||||||
|
|
||||||
|
The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
|
||||||
|
??? example "Limit to 100 requests every 10 seconds (with a possible burst of 200)"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[middlewares]
|
||||||
|
[middlewares.fair-ratelimit.ratelimit]
|
||||||
|
extractorfunc = "client.ip"
|
||||||
|
|
||||||
|
[middlewares.fair-ratelimit.ratelimit.rateset1]
|
||||||
|
period = "10s"
|
||||||
|
average = 100
|
||||||
|
burst = 200
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Combine multiple limits"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[middlewares]
|
||||||
|
[middlewares.fair-ratelimit.ratelimit]
|
||||||
|
extractorfunc = "client.ip"
|
||||||
|
|
||||||
|
[middlewares.fair-ratelimit.ratelimit.rateset1]
|
||||||
|
period = "10s"
|
||||||
|
average = 100
|
||||||
|
burst = 200
|
||||||
|
|
||||||
|
[middlewares.fair-ratelimit.ratelimit.rateset2]
|
||||||
|
period = "3s"
|
||||||
|
average = 5
|
||||||
|
burst = 10
|
||||||
|
```
|
||||||
|
|
||||||
|
Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can "burst" up to 10 and 200 in each period, respectively.
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### extractorfunc
|
||||||
|
|
||||||
|
The `extractorfunc` option defines the strategy used to categorize requests.
|
||||||
|
|
||||||
|
The possible values are:
|
||||||
|
|
||||||
|
- `request.host` categorizes requests based on the request host.
|
||||||
|
- `client.ip` categorizes requests based on the client ip.
|
||||||
|
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
|
||||||
|
|
||||||
|
### ratelimit (multiple values)
|
||||||
|
|
||||||
|
You can combine multiple ratelimit.
|
||||||
|
The ratelimit will trigger with the first reached limit.
|
||||||
|
|
||||||
|
Each ratelimit has 3 options, `period`, `average`, and `burst`.
|
||||||
|
|
||||||
|
The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
|
||||||
|
|
||||||
|
!!! note "Period Format"
|
||||||
|
|
||||||
|
Period is to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
|
52
docs/content/middlewares/redirectregex.md
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
# TODO - RedirectRegex
|
||||||
|
|
||||||
|
Redirecting the Client to a Different Location
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
`TODO: add schema`
|
||||||
|
|
||||||
|
RegexRedirect redirect a request from an url to another with regex matching and replacement.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Redirect with domain replacement"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-redirectregex.redirectregex]
|
||||||
|
regex = "^http://localhost/(.*)"
|
||||||
|
replacement = "http://mydomain/$1"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Redirect with domain replacement"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
|
||||||
|
- "traefik.Middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### permanent
|
||||||
|
|
||||||
|
Set the `permanent` option to `true` to apply a permanent redirection.
|
||||||
|
|
||||||
|
### regex
|
||||||
|
|
||||||
|
The `Regex` option is the regular expression to match and capture elements form the request URL.
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
|
||||||
|
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
|
||||||
|
|
||||||
|
!!! tip
|
||||||
|
|
||||||
|
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
|
||||||
|
|
||||||
|
### replacement
|
||||||
|
|
||||||
|
The `replacement` option defines how to modify the URl to have the new target URL.
|
||||||
|
|
41
docs/content/middlewares/redirectscheme.md
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
# TODO - RedirectScheme
|
||||||
|
|
||||||
|
Redirecting the Client to a Different Scheme/Port
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
`TODO: add schema`
|
||||||
|
|
||||||
|
RegexRedirect redirect request from a scheme to another.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Redirect to https"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-redirectscheme.redirectscheme]
|
||||||
|
scheme = "https"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker -- Redirect to https"
|
||||||
|
|
||||||
|
```yml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.Middlewares.test-redirectscheme.redirectscheme.scheme=https"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### permanent
|
||||||
|
|
||||||
|
Set the `permanent` option to `true` to apply a permanent redirection.
|
||||||
|
|
||||||
|
### scheme
|
||||||
|
|
||||||
|
The `scheme` option defines the scheme of the new url.
|
||||||
|
|
||||||
|
### port
|
||||||
|
|
||||||
|
The `port` option defines the port of the new url.
|
40
docs/content/middlewares/replacepath.md
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
# TODO -- ReplacePath
|
||||||
|
|
||||||
|
Updating the Path Before Forwarding the Request
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
`TODO: add schema`
|
||||||
|
|
||||||
|
Replace the path of the request url.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "File -- Replace the path by /foo"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Middlewares]
|
||||||
|
[Middlewares.test-replacepath.ReplacePath]
|
||||||
|
path = "/foo"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Docker --Replace the path by /foo"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
a-container:
|
||||||
|
image: a-container-image
|
||||||
|
labels:
|
||||||
|
- "traefik.middlewares.test-replacepath.replacepath.path=/foo"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
The ReplacePath middleware will:
|
||||||
|
|
||||||
|
* replace the actual path by the specified one.
|
||||||
|
* store the original path in a `X-Replaced-Path` header.
|
||||||
|
|
||||||
|
### path
|
||||||
|
|
||||||
|
The `path` option defines the path to use as replacement in the request url.
|
4
docs/content/middlewares/replacepathregex.md
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# TODO -- ReplacePathRegex
|
||||||
|
|
||||||
|
Updating the Path Before Forwarding the Request (Using a Regex)
|
||||||
|
{: .subtitle }
|
20
docs/content/middlewares/retry.md
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
# TODO -- Retry
|
||||||
|
|
||||||
|
Retrying until it Succeeds
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## Old Content
|
||||||
|
|
||||||
|
## Retry Configuration
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# Enable retry sending request if network error
|
||||||
|
[retry]
|
||||||
|
|
||||||
|
# Number of attempts
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: (number servers in backend) -1
|
||||||
|
#
|
||||||
|
# attempts = 3
|
||||||
|
```
|
13
docs/content/middlewares/stripprefix.md
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# TODO -- StripPrefix
|
||||||
|
|
||||||
|
Removing Prefixes From the Path Before Forwarding the Request
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## OldContent
|
||||||
|
|
||||||
|
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
|
||||||
|
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
|
||||||
|
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
|
||||||
|
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
|
||||||
|
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
|
||||||
|
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
|
13
docs/content/middlewares/stripprefixregex.md
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# TODO -- StripPrefix
|
||||||
|
|
||||||
|
Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## OldContent
|
||||||
|
|
||||||
|
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
|
||||||
|
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
|
||||||
|
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
|
||||||
|
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
|
||||||
|
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
|
||||||
|
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
|
152
docs/content/observability/access-logs.md
Normal file
|
@ -0,0 +1,152 @@
|
||||||
|
# Access Logs
|
||||||
|
|
||||||
|
Who Calls Whom?
|
||||||
|
{.subtitle}
|
||||||
|
|
||||||
|
By default, logs are written to stdout, in text format.
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "Enabling Access Logs"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[accessLog]
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### filePath
|
||||||
|
|
||||||
|
By default access logs are written to the standard output.
|
||||||
|
To write the logs into a log file, use the `filePath` option.
|
||||||
|
|
||||||
|
in the Common Log Format (CLF), extended with additional fields.
|
||||||
|
|
||||||
|
### format
|
||||||
|
|
||||||
|
By default, logs are written using the Common Log Format (CLF).
|
||||||
|
To write logs in JSON, use `json` in the `format` option.
|
||||||
|
|
||||||
|
!!! note "Common Log Format"
|
||||||
|
|
||||||
|
#### CLF - Common Log Format
|
||||||
|
|
||||||
|
```html
|
||||||
|
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
|
||||||
|
```
|
||||||
|
|
||||||
|
#### bufferingSize
|
||||||
|
|
||||||
|
To write the logs in an asynchronous fashion, specify a `bufferingSize` option.
|
||||||
|
This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
|
||||||
|
In some cases, this option can greatly help performances.
|
||||||
|
|
||||||
|
??? example "Configuring a buffer of 100 lines"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[accessLog]
|
||||||
|
filePath = "/path/to/access.log"
|
||||||
|
bufferingSize = 100
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Filtering
|
||||||
|
|
||||||
|
To filter logs, you can specify a set of filters which are logically "OR-connected".
|
||||||
|
Thus, specifying multiple filters will keep more access logs than specifying only one.
|
||||||
|
|
||||||
|
The available filters are:
|
||||||
|
|
||||||
|
- `statusCodes`, to limit the access logs to requests with a status codes in the specified range
|
||||||
|
- `retryAttempts`, to keep the access logs when at least one retry has happened
|
||||||
|
- `minDuration`, to keep access logs when requests take longer than the specified duration
|
||||||
|
|
||||||
|
??? example "Configuring Multiple Filters"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[accessLog]
|
||||||
|
filePath = "/path/to/access.log"
|
||||||
|
format = "json"
|
||||||
|
|
||||||
|
[accessLog.filters]
|
||||||
|
statusCodes = ["200", "300-302"]
|
||||||
|
retryAttempts = true
|
||||||
|
minDuration = "10ms"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Limiting the Fields
|
||||||
|
|
||||||
|
You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
|
||||||
|
|
||||||
|
Each field can be set to:
|
||||||
|
|
||||||
|
- `keep` to keep the value
|
||||||
|
- `drop` to drop the value
|
||||||
|
- `redact` to replace the value with "redacted"
|
||||||
|
|
||||||
|
??? example "Limiting the Logs to Specific Fields"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[accessLog]
|
||||||
|
filePath = "/path/to/access.log"
|
||||||
|
format = "json"
|
||||||
|
|
||||||
|
[accessLog.filters]
|
||||||
|
statusCodes = ["200", "300-302"]
|
||||||
|
|
||||||
|
[accessLog.fields]
|
||||||
|
defaultMode = "keep"
|
||||||
|
|
||||||
|
[accessLog.fields.names]
|
||||||
|
"ClientUsername" = "drop"
|
||||||
|
|
||||||
|
[accessLog.fields.headers]
|
||||||
|
defaultMode = "keep"
|
||||||
|
|
||||||
|
[accessLog.fields.headers.names]
|
||||||
|
"User-Agent" = "redact"
|
||||||
|
"Authorization" = "drop"
|
||||||
|
"Content-Type" = "keep"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? list "Available Fields"
|
||||||
|
|
||||||
|
```ini
|
||||||
|
StartUTC
|
||||||
|
StartLocal
|
||||||
|
Duration
|
||||||
|
FrontendName
|
||||||
|
BackendName
|
||||||
|
BackendURL
|
||||||
|
BackendAddr
|
||||||
|
ClientAddr
|
||||||
|
ClientHost
|
||||||
|
ClientPort
|
||||||
|
ClientUsername
|
||||||
|
RequestAddr
|
||||||
|
RequestHost
|
||||||
|
RequestPort
|
||||||
|
RequestMethod
|
||||||
|
RequestPath
|
||||||
|
RequestProtocol
|
||||||
|
RequestLine
|
||||||
|
RequestContentSize
|
||||||
|
OriginDuration
|
||||||
|
OriginContentSize
|
||||||
|
OriginStatus
|
||||||
|
OriginStatusLine
|
||||||
|
DownstreamStatus
|
||||||
|
DownstreamStatusLine
|
||||||
|
DownstreamContentSize
|
||||||
|
RequestCount
|
||||||
|
GzipRatio
|
||||||
|
Overhead
|
||||||
|
RetryAttempts
|
||||||
|
```
|
||||||
|
|
||||||
|
## Log Rotation
|
||||||
|
|
||||||
|
Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
|
||||||
|
This allows the logs to be rotated and processed by an external program, such as `logrotate`.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
This does not work on Windows due to the lack of USR signals.
|
50
docs/content/observability/logs.md
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
# Logs
|
||||||
|
|
||||||
|
Reading What's Happening
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
By default, logs are written to stdout, in text format.
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
|
||||||
|
??? example "Writing Logs in a File"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[log]
|
||||||
|
filePath = "/path/to/traefik.log"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Writing Logs in a File, in JSON"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[log]
|
||||||
|
filePath = "/path/to/log-file.log"
|
||||||
|
format = "json"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
|
||||||
|
|
||||||
|
#### filePath
|
||||||
|
|
||||||
|
By default, the logs are written to the standard output.
|
||||||
|
You can configure a file path instead using the `filePath` option.
|
||||||
|
|
||||||
|
#### format
|
||||||
|
|
||||||
|
By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
|
||||||
|
|
||||||
|
#### logLevel
|
||||||
|
|
||||||
|
By default, the `logLevel` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`.
|
||||||
|
|
||||||
|
## Log Rotation
|
||||||
|
|
||||||
|
Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
|
||||||
|
This allows the logs to be rotated and processed by an external program, such as `logrotate`.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
This does not work on Windows due to the lack of USR signals.
|
219
docs/content/observability/tracing.md
Normal file
|
@ -0,0 +1,219 @@
|
||||||
|
# Tracing
|
||||||
|
|
||||||
|
Visualize the Requests Flow
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
The tracing system allows developers to visualize call flows in their infrastructure.
|
||||||
|
|
||||||
|
Traefik uses OpenTracing, an open standard designed for distributed tracing.
|
||||||
|
|
||||||
|
Traefik supports three tracing backends: Jaeger, Zipkin, and DataDog.
|
||||||
|
|
||||||
|
## Configuration Reference
|
||||||
|
|
||||||
|
??? example "With Jaeger"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# Tracing definition
|
||||||
|
[tracing]
|
||||||
|
# Backend name used to send tracing data
|
||||||
|
#
|
||||||
|
# Default: "jaeger"
|
||||||
|
#
|
||||||
|
backend = "jaeger"
|
||||||
|
|
||||||
|
# Service name used in Jaeger backend
|
||||||
|
#
|
||||||
|
# Default: "traefik"
|
||||||
|
#
|
||||||
|
serviceName = "traefik"
|
||||||
|
|
||||||
|
# Span name limit allows for name truncation in case of very long Frontend/Backend names
|
||||||
|
# This can prevent certain tracing providers to drop traces that exceed their length limits
|
||||||
|
#
|
||||||
|
# Default: 0 - no truncation will occur
|
||||||
|
#
|
||||||
|
spanNameLimit = 0
|
||||||
|
|
||||||
|
[tracing.jaeger]
|
||||||
|
# Sampling Server URL is the address of jaeger-agent's HTTP sampling server
|
||||||
|
#
|
||||||
|
# Default: "http://localhost:5778/sampling"
|
||||||
|
#
|
||||||
|
samplingServerURL = "http://localhost:5778/sampling"
|
||||||
|
|
||||||
|
# Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting
|
||||||
|
#
|
||||||
|
# Default: "const"
|
||||||
|
#
|
||||||
|
samplingType = "const"
|
||||||
|
|
||||||
|
# Sampling Param is a value passed to the sampler.
|
||||||
|
# Valid values for Param field are:
|
||||||
|
# - for "const" sampler, 0 or 1 for always false/true respectively
|
||||||
|
# - for "probabilistic" sampler, a probability between 0 and 1
|
||||||
|
# - for "rateLimiting" sampler, the number of spans per second
|
||||||
|
#
|
||||||
|
# Default: 1.0
|
||||||
|
#
|
||||||
|
samplingParam = 1.0
|
||||||
|
|
||||||
|
# Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address
|
||||||
|
#
|
||||||
|
# Default: "127.0.0.1:6831"
|
||||||
|
#
|
||||||
|
localAgentHostPort = "127.0.0.1:6831"
|
||||||
|
|
||||||
|
# Generate 128-bit trace IDs, compatible with OpenCensus
|
||||||
|
#
|
||||||
|
# Default: false
|
||||||
|
gen128Bit = true
|
||||||
|
|
||||||
|
# Set the propagation header type. This can be either:
|
||||||
|
# - "jaeger", jaeger's default trace header.
|
||||||
|
# - "b3", compatible with OpenZipkin
|
||||||
|
#
|
||||||
|
# Default: "jaeger"
|
||||||
|
propagation = "jaeger"
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
|
||||||
|
|
||||||
|
??? example "With Zipkin"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# Tracing definition
|
||||||
|
[tracing]
|
||||||
|
# Backend name used to send tracing data
|
||||||
|
#
|
||||||
|
# Default: "jaeger"
|
||||||
|
#
|
||||||
|
backend = "zipkin"
|
||||||
|
|
||||||
|
# Service name used in Zipkin backend
|
||||||
|
#
|
||||||
|
# Default: "traefik"
|
||||||
|
#
|
||||||
|
serviceName = "traefik"
|
||||||
|
|
||||||
|
# Span name limit allows for name truncation in case of very long Frontend/Backend names
|
||||||
|
# This can prevent certain tracing providers to drop traces that exceed their length limits
|
||||||
|
#
|
||||||
|
# Default: 0 - no truncation will occur
|
||||||
|
#
|
||||||
|
spanNameLimit = 150
|
||||||
|
|
||||||
|
[tracing.zipkin]
|
||||||
|
# Zipkin HTTP endpoint used to send data
|
||||||
|
#
|
||||||
|
# Default: "http://localhost:9411/api/v1/spans"
|
||||||
|
#
|
||||||
|
httpEndpoint = "http://localhost:9411/api/v1/spans"
|
||||||
|
|
||||||
|
# Enable Zipkin debug
|
||||||
|
#
|
||||||
|
# Default: false
|
||||||
|
#
|
||||||
|
debug = false
|
||||||
|
|
||||||
|
# Use Zipkin SameSpan RPC style traces
|
||||||
|
#
|
||||||
|
# Default: false
|
||||||
|
#
|
||||||
|
sameSpan = false
|
||||||
|
|
||||||
|
# Use Zipkin 128 bit root span IDs
|
||||||
|
#
|
||||||
|
# Default: true
|
||||||
|
#
|
||||||
|
id128Bit = true
|
||||||
|
|
||||||
|
# The rate between 0.0 and 1.0 of requests to trace.
|
||||||
|
#
|
||||||
|
# Default: 1.0
|
||||||
|
#
|
||||||
|
sampleRate = 0.2
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "With DataDog"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# Tracing definition
|
||||||
|
[tracing]
|
||||||
|
# Backend name used to send tracing data
|
||||||
|
#
|
||||||
|
# Default: "jaeger"
|
||||||
|
#
|
||||||
|
backend = "datadog"
|
||||||
|
|
||||||
|
# Service name used in DataDog backend
|
||||||
|
#
|
||||||
|
# Default: "traefik"
|
||||||
|
#
|
||||||
|
serviceName = "traefik"
|
||||||
|
|
||||||
|
# Span name limit allows for name truncation in case of very long Frontend/Backend names
|
||||||
|
# This can prevent certain tracing providers to drop traces that exceed their length limits
|
||||||
|
#
|
||||||
|
# Default: 0 - no truncation will occur
|
||||||
|
#
|
||||||
|
spanNameLimit = 100
|
||||||
|
|
||||||
|
[tracing.datadog]
|
||||||
|
# Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address
|
||||||
|
#
|
||||||
|
# Default: "127.0.0.1:8126"
|
||||||
|
#
|
||||||
|
localAgentHostPort = "127.0.0.1:8126"
|
||||||
|
|
||||||
|
# Enable DataDog debug
|
||||||
|
#
|
||||||
|
# Default: false
|
||||||
|
#
|
||||||
|
debug = false
|
||||||
|
|
||||||
|
# Apply shared tag in a form of Key:Value to all the traces
|
||||||
|
#
|
||||||
|
# Default: ""
|
||||||
|
#
|
||||||
|
globalTag = ""
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "With Instana"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# Tracing definition
|
||||||
|
[tracing]
|
||||||
|
# Backend name used to send tracing data
|
||||||
|
#
|
||||||
|
# Default: "jaeger"
|
||||||
|
#
|
||||||
|
backend = "instana"
|
||||||
|
# Service name used in Instana backend
|
||||||
|
#
|
||||||
|
# Default: "traefik"
|
||||||
|
#
|
||||||
|
serviceName = "traefik"
|
||||||
|
[tracing.instana]
|
||||||
|
# Local Agent Host instructs reporter to send spans to instana-agent at this address
|
||||||
|
#
|
||||||
|
# Default: "127.0.0.1"
|
||||||
|
#
|
||||||
|
localAgentHost = "127.0.0.1"
|
||||||
|
# Local Agent port instructs reporter to send spans to the instana-agent at this port
|
||||||
|
#
|
||||||
|
# Default: 42699
|
||||||
|
#
|
||||||
|
localAgentPort = 42699
|
||||||
|
# Set Instana tracer log level
|
||||||
|
#
|
||||||
|
# Default: info
|
||||||
|
# Valid values for logLevel field are:
|
||||||
|
# - error
|
||||||
|
# - warn
|
||||||
|
# - debug
|
||||||
|
# - info
|
||||||
|
#
|
||||||
|
logLevel = "info"
|
||||||
|
```
|
62
docs/content/operations/cli.md
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
# CLI
|
||||||
|
|
||||||
|
The Traefik Command Line
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## General
|
||||||
|
|
||||||
|
```bash
|
||||||
|
traefik [command] [--flag=flag_argument]
|
||||||
|
```
|
||||||
|
|
||||||
|
Available commands:
|
||||||
|
|
||||||
|
- `version` : Print version
|
||||||
|
- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the `Store Traefik configuration`(TODO: add doc and link) section to get documentation on it.
|
||||||
|
- `bug`: The easiest way to submit a pre-filled issue.
|
||||||
|
- `healthcheck`: Calls Traefik `/ping` to check health.
|
||||||
|
|
||||||
|
Each command can have additional flags.
|
||||||
|
|
||||||
|
All those flags will be displayed with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
traefik [command] --help
|
||||||
|
```
|
||||||
|
|
||||||
|
Each command is described at the beginning of the help section:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
traefik --help
|
||||||
|
|
||||||
|
# or
|
||||||
|
|
||||||
|
docker run traefik[:version] --help
|
||||||
|
# ex: docker run traefik:1.5 --help
|
||||||
|
```
|
||||||
|
|
||||||
|
## Command: bug
|
||||||
|
|
||||||
|
The easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/containous/traefik)! Watch [this demo](https://www.youtube.com/watch?v=Lyz62L8m93I) for more information.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
traefik bug
|
||||||
|
```
|
||||||
|
|
||||||
|
### Command: healthcheck
|
||||||
|
|
||||||
|
Checks the health of Traefik.
|
||||||
|
Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy.
|
||||||
|
|
||||||
|
This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
The [`ping` endpoint](../ping/) must be enabled to allow the `healthcheck` command to call `/ping`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
traefik healthcheck
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
OK: http://:8082/ping
|
||||||
|
```
|
62
docs/content/operations/dashboard.md
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
# The Dashboard
|
||||||
|
|
||||||
|
See What's Going On
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
The dashboard is the central place that shows you the current active routes handled by Traefik.
|
||||||
|
|
||||||
|
<figure>
|
||||||
|
<img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
|
||||||
|
<figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
|
||||||
|
</figure>
|
||||||
|
|
||||||
|
<figure>
|
||||||
|
<img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
|
||||||
|
<figcaption>The dashboard shows the health of the system.</figcaption>
|
||||||
|
</figure>
|
||||||
|
|
||||||
|
By default, the dashboard is available on `/` on port `:8080`.
|
||||||
|
|
||||||
|
!!! tip "Did You Know?"
|
||||||
|
It is possible to customize the dashboard endpoint.
|
||||||
|
To learn how, refer to the `Traefik's API documentation`(TODO: add doc and link).
|
||||||
|
|
||||||
|
## Enabling the Dashboard
|
||||||
|
|
||||||
|
To enable the dashboard, you need to enable Traefik's API.
|
||||||
|
|
||||||
|
??? example "Using the Command Line"
|
||||||
|
|
||||||
|
Option | Values | Default Value
|
||||||
|
-- | -- | --:
|
||||||
|
--api | \[true\|false\] | false
|
||||||
|
--api.dashboard | \[true\|false\] | true when api is true
|
||||||
|
|
||||||
|
{!more-on-command-line.md!}
|
||||||
|
|
||||||
|
??? example "Using the Configuration File"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[api]
|
||||||
|
# Dashboard
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
# Default: true
|
||||||
|
#
|
||||||
|
dashboard = true
|
||||||
|
```
|
||||||
|
|
||||||
|
{!more-on-configuration-file.md!}
|
||||||
|
|
||||||
|
??? example "Using a Key/Value Store"
|
||||||
|
|
||||||
|
Key | Values | Default Value
|
||||||
|
-- | -- | --:
|
||||||
|
api | \[true\|false\] | false
|
||||||
|
api.dashboard | \[true\|false\] | true when api is true
|
||||||
|
|
||||||
|
{!more-on-key-value-store.md!}
|
||||||
|
|
||||||
|
!!! tip "Did You Know?"
|
||||||
|
The API provides more features than the Dashboard.
|
||||||
|
To learn more about it, refer to the `Traefik's API documentation`(TODO: add doc and link).
|
15
docs/content/operations/debug-mode.md
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
# The Debug Mode
|
||||||
|
|
||||||
|
Getting More Information (Not For Production)
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
The debug mode will make Traefik be _extremely_ verbose in its logs, and is NOT intended for production purposes.
|
||||||
|
|
||||||
|
## Configuration Example
|
||||||
|
|
||||||
|
??? example "TOML -- Enabling the Debug Mode"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[Global]
|
||||||
|
debug = true
|
||||||
|
```
|
56
docs/content/operations/ping.md
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
# Ping
|
||||||
|
|
||||||
|
Checking the Health of Your Traefik Instances
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "Enabling /ping on the http EntryPoint"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[entryPoints]
|
||||||
|
[entrypoints.http]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[ping]
|
||||||
|
entryPoint = "http"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Enabling /ping on the https EntryPoint"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.http]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[entryPoints.https]
|
||||||
|
address = ":443"
|
||||||
|
[entryPoints.https.tls]
|
||||||
|
|
||||||
|
[ping]
|
||||||
|
entryPoint = "https"
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Enabling /ping on a dedicated EntryPoint"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.http]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[entryPoints.ping]
|
||||||
|
address = ":8082"
|
||||||
|
|
||||||
|
[ping]
|
||||||
|
entryPoint = "ping"
|
||||||
|
```
|
||||||
|
|
||||||
|
| Path | Method | Description |
|
||||||
|
|---------|---------------|----------------------------------------------------------------------------------------------------|
|
||||||
|
| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
|
||||||
|
|
||||||
|
## Configuration Options
|
||||||
|
|
||||||
|
The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
|
||||||
|
|
||||||
|
You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
|
247
docs/content/providers/docker.md
Normal file
|
@ -0,0 +1,247 @@
|
||||||
|
# Traefik & Docker
|
||||||
|
|
||||||
|
A Story of Labels & Containers
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Docker](../assets/img/providers/docker.png)
|
||||||
|
|
||||||
|
Attach labels to your containers and let Traefik do the rest!
|
||||||
|
|
||||||
|
!!! tip "The Quick Start Uses Docker"
|
||||||
|
If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
|
||||||
|
|
||||||
|
## Configuration Examples
|
||||||
|
|
||||||
|
??? example "Configuring Docker & Deploying / Exposing Services"
|
||||||
|
|
||||||
|
Enabling the docker provider
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[docker]
|
||||||
|
endpoint = "unix:///var/run/docker.sock"
|
||||||
|
```
|
||||||
|
|
||||||
|
Attaching labels to containers (in your docker compose file)
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
version: "3"
|
||||||
|
services:
|
||||||
|
my-container:
|
||||||
|
# ...
|
||||||
|
labels:
|
||||||
|
- traefik.services.my-container.rule=Host(my-domain)
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Configuring Docker Swarm & Deploying / Exposing Services"
|
||||||
|
|
||||||
|
Enabling the docker provider (Swarm Mode)
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[docker]
|
||||||
|
endpoint = "tcp://127.0.0.1:2377"
|
||||||
|
swarmMode = true
|
||||||
|
```
|
||||||
|
|
||||||
|
Attaching labels to containers (in your docker compose file)
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
version: "3"
|
||||||
|
services:
|
||||||
|
my-container:
|
||||||
|
deploy:
|
||||||
|
labels:
|
||||||
|
- traefik.services.my-container.rule=Host(my-domain)
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! important "Labels in Docker Swarm Mode"
|
||||||
|
If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
|
||||||
|
This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
|
||||||
|
|
||||||
|
## Provider Configuration Options
|
||||||
|
|
||||||
|
!!! tip "Browse the Reference"
|
||||||
|
If you're in a hurry, maybe you'd rather go through the [Docker Reference](../reference/providers/docker.md).
|
||||||
|
|
||||||
|
### endpoint
|
||||||
|
|
||||||
|
Traefik requires access to the docker socket to get its dynamic configuration.
|
||||||
|
|
||||||
|
??? warning "Security Notes"
|
||||||
|
|
||||||
|
Depending on your context, accessing the Docker API without any restriction can be a security concern: If Traefik is attacked, then the attacker might get access to the Docker (or Swarm Mode) backend.
|
||||||
|
|
||||||
|
As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
|
||||||
|
|
||||||
|
`[...] only **trusted** users should be allowed to control your Docker daemon [...]`
|
||||||
|
|
||||||
|
!!! note "Improved Security"
|
||||||
|
|
||||||
|
[TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
|
||||||
|
|
||||||
|
??? tip "Resources about Docker's Security"
|
||||||
|
|
||||||
|
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
|
||||||
|
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
|
||||||
|
- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
|
||||||
|
- [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
|
||||||
|
|
||||||
|
??? tip "Security Compensation"
|
||||||
|
|
||||||
|
Expose the Docker socket over TCP, instead of the default Unix socket file.
|
||||||
|
It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
|
||||||
|
|
||||||
|
- Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
|
||||||
|
|
||||||
|
- Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
|
||||||
|
|
||||||
|
- Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
|
||||||
|
|
||||||
|
- Accounting at container level, by exposing the socket on a another container than Traefik's.
|
||||||
|
With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
|
||||||
|
|
||||||
|
- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
|
||||||
|
|
||||||
|
??? tip "Additional Resources"
|
||||||
|
|
||||||
|
- [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
|
||||||
|
- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
|
||||||
|
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
|
||||||
|
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
|
||||||
|
|
||||||
|
!!! note "Traefik & Swarm Mode"
|
||||||
|
To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes.
|
||||||
|
|
||||||
|
??? example "Using the docker.sock"
|
||||||
|
|
||||||
|
The docker-compose file shares the docker sock with the Traefik container
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
version: '3'
|
||||||
|
|
||||||
|
services:
|
||||||
|
|
||||||
|
traefik:
|
||||||
|
image: traefik
|
||||||
|
ports:
|
||||||
|
- "80:80"
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
```
|
||||||
|
|
||||||
|
We specify the docker.sock in traefik's configuration file.
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# ...
|
||||||
|
[providers]
|
||||||
|
[providers.docker]
|
||||||
|
endpoint = "unix:///var/run/docker.sock"
|
||||||
|
```
|
||||||
|
|
||||||
|
### usebindportip (_Optional_, _Default=false_)
|
||||||
|
|
||||||
|
Traefik routes requests to the IP/Port of the matching container.
|
||||||
|
When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
|
||||||
|
|
||||||
|
When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding on port `traefik.port`.
|
||||||
|
If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label.
|
||||||
|
|
||||||
|
??? example "Examples of `usebindportip` in different situations."
|
||||||
|
|
||||||
|
| traefik.port label | Container's binding | Routes to |
|
||||||
|
|--------------------|----------------------------------------------------|----------------|
|
||||||
|
| - | - | IntIP:IntPort |
|
||||||
|
| - | ExtPort:IntPort | IntIP:IntPort |
|
||||||
|
| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
|
||||||
|
| LblPort | - | IntIp:LblPort |
|
||||||
|
| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
|
||||||
|
| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
|
||||||
|
| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."
|
||||||
|
|
||||||
|
### exposedByDefault (_Optional_, _Default=true_)
|
||||||
|
|
||||||
|
Expose containers by default through Traefik.
|
||||||
|
If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
|
||||||
|
|
||||||
|
### network (_Optional_)
|
||||||
|
|
||||||
|
Defines a default docker network to use for connections to all containers.
|
||||||
|
|
||||||
|
This option can be overridden on a container basis with the `traefik.docker.network` label.
|
||||||
|
|
||||||
|
### domain (_Optional_, _Default=docker.localhost_)
|
||||||
|
|
||||||
|
This is the default base domain used for the router rules.
|
||||||
|
|
||||||
|
This option can be overridden on a container basis with the
|
||||||
|
`traefik.domain` label.
|
||||||
|
|
||||||
|
### swarmMode (_Optional_, _Default=false_)
|
||||||
|
|
||||||
|
Activates the Swarm Mode.
|
||||||
|
|
||||||
|
### swarmModeRefreshSeconds (_Optional_, _Default=15_)
|
||||||
|
|
||||||
|
Defines the polling interval (in seconds) in Swarm Mode.
|
||||||
|
|
||||||
|
## Routing Configuration Options
|
||||||
|
|
||||||
|
### General
|
||||||
|
|
||||||
|
Traefik creates, for each container, a corresponding [service](../routing/services.md) and [router](../routing/routers.md).
|
||||||
|
|
||||||
|
The Service automatically gets a server per instance of the container, and the router gets a default rule attached to it, based on the container name.
|
||||||
|
|
||||||
|
### Routers
|
||||||
|
|
||||||
|
To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.routers.my-container.rule=Host(my-domain)`.
|
||||||
|
|
||||||
|
Every [Router](../routing/routers.md) parameter can be updated this way.
|
||||||
|
|
||||||
|
### Services
|
||||||
|
|
||||||
|
To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the load balancer method, you'd add the label `traefik.services.{name-of-your-choice}.loadbalancer.method=drr`.
|
||||||
|
|
||||||
|
Every [Service](../routing/services.md) parameter can be updated this way.
|
||||||
|
|
||||||
|
### Middleware
|
||||||
|
|
||||||
|
You can declare pieces of middleware using labels starting with `traefik.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.middlewares.my-redirect.schemeredirect.scheme: https`.
|
||||||
|
|
||||||
|
??? example "Declaring and Referencing a Middleware"
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
my-container:
|
||||||
|
# ...
|
||||||
|
labels:
|
||||||
|
- traefik.middlewares.my-redirect.schemeredirect.scheme=https
|
||||||
|
- traefik.routers.middlewares=my-redirect
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! warning "Conflicts in Declaration"
|
||||||
|
|
||||||
|
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
|
||||||
|
|
||||||
|
### Specific Options
|
||||||
|
|
||||||
|
#### traefik.enable
|
||||||
|
|
||||||
|
You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
|
||||||
|
|
||||||
|
This option overrides the value of `exposedByDefault`.
|
||||||
|
|
||||||
|
#### traefik.tags
|
||||||
|
|
||||||
|
Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
|
||||||
|
|
||||||
|
#### traefik.docker.network
|
||||||
|
|
||||||
|
Overrides the default docker network to use for connections to the container.
|
||||||
|
|
||||||
|
If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect <container_id>`), otherwise it will randomly pick one (depending on how docker is returning them).
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.
|
27
docs/content/providers/file.md
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
# TODO -- File
|
||||||
|
|
||||||
|
Good Old Configuration File
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
### Full Example in toml
|
||||||
|
|
||||||
|
`TO COMPLETE`
|
||||||
|
|
||||||
|
### In same file
|
||||||
|
|
||||||
|
`TO COMPLETE`
|
||||||
|
|
||||||
|
## In dedicated file
|
||||||
|
|
||||||
|
`TO COMPLETE`
|
||||||
|
|
||||||
|
### Old Content
|
||||||
|
|
||||||
|
Traefik can hot-reload those rules which could be provided by multiple configuration backends.
|
||||||
|
|
||||||
|
We only need to enable `watch` option to make Traefik watch configuration backend changes and generate its configuration automatically.
|
||||||
|
Routes to services will be created and updated instantly at any changes.
|
||||||
|
|
||||||
|
Please refer to the configuration backends section to get documentation on it.
|
93
docs/content/providers/overview.md
Normal file
|
@ -0,0 +1,93 @@
|
||||||
|
# Overview
|
||||||
|
|
||||||
|
Traefik's Many Friends
|
||||||
|
{: .subtitle }
|
||||||
|
|
||||||
|
![Providers](../assets/img/providers.png)
|
||||||
|
|
||||||
|
Configuration discovery in Traefik is achieved through _Providers_.
|
||||||
|
|
||||||
|
The _providers_ are existing infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores.
|
||||||
|
The idea is that Traefik will query the providers' API in order to find relevant information about routing, and each time Traefik detects a change, it dynamically updates the routes.
|
||||||
|
|
||||||
|
Deploy and forget is Traefik's credo.
|
||||||
|
|
||||||
|
## Orchestrators
|
||||||
|
|
||||||
|
Even if each provider is different, we can categorize them in four groups:
|
||||||
|
|
||||||
|
- Label based (each deployed container has a set of labels attached to it)
|
||||||
|
- Key-Value based (each deployed container updates a key-value store with relevant information)
|
||||||
|
- Annotation based (a separate object, with annotations, defines the characteristics of the container)
|
||||||
|
- File based (the good old configuration file)
|
||||||
|
|
||||||
|
## Supported Providers
|
||||||
|
|
||||||
|
Below is the list of the currently supported providers in Traefik.
|
||||||
|
|
||||||
|
| Provider | Type | Configuration Type |
|
||||||
|
|-----------------------------|--------------|--------------------|
|
||||||
|
| [Docker](./docker.md) | Orchestrator | Label |
|
||||||
|
| [File](./file.md) | Orchestrator | Custom Annotation |
|
||||||
|
| Kubernetes (not documented) | Orchestrator | Custom Annotation |
|
||||||
|
| Marathon (not documented) | Orchestrator | Label |
|
||||||
|
|
||||||
|
!!! note "More Providers"
|
||||||
|
|
||||||
|
The current version of Traefik is in development and doesn't support (yet) every provider. See the previous version (1.7) for more providers.
|
||||||
|
|
||||||
|
## Constraints Configuration
|
||||||
|
|
||||||
|
If you want to limit the scope of Traefik service discovery, you can set constraints. Doing so, Traefik will create routes for containers that match these constraints only.
|
||||||
|
|
||||||
|
??? example "Containers with the api Tag"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
constraints = ["tag==api"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Containers without the api Tag"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
constraints = ["tag!=api"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Containers with tags starting with 'us-'"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
constraints = ["tag==us-*"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? example "Multiple constraints"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
# Multiple constraints
|
||||||
|
# - "tag==" must match with at least one tag
|
||||||
|
# - "tag!=" must match with none of tags
|
||||||
|
constraints = ["tag!=us-*", "tag!=asia-*"]
|
||||||
|
```
|
||||||
|
|
||||||
|
??? note "List of Providers that Support Constraints"
|
||||||
|
|
||||||
|
- Docker
|
||||||
|
- Consul K/V
|
||||||
|
- BoltDB
|
||||||
|
- Zookeeper
|
||||||
|
- ECS
|
||||||
|
- Etcd
|
||||||
|
- Consul Catalog
|
||||||
|
- Rancher
|
||||||
|
- Marathon
|
||||||
|
- Kubernetes (using a provider-specific mechanism based on label selectors)
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
|
||||||
|
The constraint option belongs to the provider configuration itself.
|
||||||
|
|
||||||
|
??? example "Setting the Constraint Options for Docker"
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[providers]
|
||||||
|
[providers.docker]
|
||||||
|
constraints = ["tag==api"]
|
||||||
|
```
|