From b0a0e16136a11cb0dade96f411fa07f4ded54ec2 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Tue, 5 Sep 2017 15:58:03 +0200 Subject: [PATCH] Enhance documentation. --- docs/basics.md | 87 +++-- docs/configuration/acme.md | 23 +- docs/configuration/backends/dynamodb.md | 4 +- docs/configuration/backends/file.md | 45 +-- docs/configuration/backends/marathon.md | 64 ++-- docs/configuration/backends/rancher.md | 38 +- docs/configuration/backends/web.md | 72 ++-- docs/configuration/commons.md | 344 +++++++----------- docs/configuration/entrypoints.md | 162 +++++++++ docs/index.md | 18 +- docs/{ => theme}/js/extra.js | 0 docs/{ => theme}/js/hljs/LICENSE | 0 docs/{ => theme}/js/hljs/highlight.pack.js | 0 docs/theme/partials/footer.html | 104 ++++++ docs/{ => theme}/styles/atom-one-light.css | 0 docs/{ => theme}/styles/extra.css | 0 ...-encrypt.md => docker-and-lets-encrypt.md} | 20 +- docs/user-guide/kv-config.md | 24 +- docs/user-guide/swarm-mode.md | 41 ++- docs/user-guide/swarm.md | 8 + mkdocs.yml | 56 +-- 21 files changed, 676 insertions(+), 434 deletions(-) create mode 100644 docs/configuration/entrypoints.md rename docs/{ => theme}/js/extra.js (100%) rename docs/{ => theme}/js/hljs/LICENSE (100%) rename docs/{ => theme}/js/hljs/highlight.pack.js (100%) create mode 100644 docs/theme/partials/footer.html rename docs/{ => theme}/styles/atom-one-light.css (100%) rename docs/{ => theme}/styles/extra.css (100%) rename docs/user-guide/{getting-started-with-docker-and-lets-encrypt.md => docker-and-lets-encrypt.md} (96%) diff --git a/docs/basics.md b/docs/basics.md index d5f4cfd07..da89f62bb 100644 --- a/docs/basics.md +++ b/docs/basics.md @@ -91,30 +91,35 @@ Following is the list of existing modifier rules: Matcher rules determine if a particular request should be forwarded to a backend. -Separate multiple rule values by `,` (comma) in order to enable ANY semantics (i.e., forward a request if any rule matches). Does not work for `Headers` and `HeadersRegexp`. +Separate multiple rule values by `,` (comma) in order to enable ANY semantics (i.e., forward a request if any rule matches). +Does not work for `Headers` and `HeadersRegexp`. Separate multiple rule values by `;` (semicolon) in order to enable ALL semantics (i.e., forward a request if all rules match). -You can optionally enable `passHostHeader` to forward client `Host` header to the backend. You can also optionally enable `passTLSCert` to forward TLS Client certificates to the backend. - Following is the list of existing matcher rules along with examples: -- `Headers: Content-Type, application/json`: Match HTTP header. It accepts a comma-separated key/value pair where both key and value must be literals. -- `HeadersRegexp: Content-Type, application/(text|json)`: Match HTTP header. It accepts a comma-separated key/value pair where the key must be a literal and the value may be a literal or a regular expression. -- `Host: traefik.io, www.traefik.io`: Match request host. It accepts a sequence of literal hosts. -- `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io`: Match request host. It accepts a sequence of literal and regular expression hosts. -- `Method: GET, POST, PUT`: Match request HTTP method. It accepts a sequence of HTTP methods. -- `Path: /products/, /articles/{category}/{id:[0-9]+}`: Match exact request path. It accepts a sequence of literal and regular expression paths. -- `PathStrip: /products/`: Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal paths. -- `PathStripRegex: /articles/{category}/{id:[0-9]+}`: Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression paths. -- `PathPrefix: /products/, /articles/{category}/{id:[0-9]+}`: Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. -- `PathPrefixStrip: /products/`: Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. -- `PathPrefixStripRegex: /articles/{category}/{id:[0-9]+}`: Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. -- `Query: foo=bar, bar=baz`: Match Query String parameters. It accepts a sequence of key=value pairs. +| Matcher | Description | +|------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `Headers: Content-Type, application/json` | Match HTTP header. It accepts a comma-separated key/value pair where both key and value must be literals. | +| `HeadersRegexp: Content-Type, application/(text/json)` | Match HTTP header. It accepts a comma-separated key/value pair where the key must be a literal and the value may be a literal or a regular expression. | +| `Host: traefik.io, www.traefik.io` | Match request host. It accepts a sequence of literal hosts. | +| `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io` | Match request host. It accepts a sequence of literal and regular expression hosts. | +| `Method: GET, POST, PUT` | Match request HTTP method. It accepts a sequence of HTTP methods. | +| `Path: /products/, /articles/{category}/{id:[0-9]+}` | Match exact request path. It accepts a sequence of literal and regular expression paths. | +| `PathStrip: /products/` | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal paths. | +| `PathStripRegex: /articles/{category}/{id:[0-9]+}` | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression paths. | +| `PathPrefix: /products/, /articles/{category}/{id:[0-9]+}` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. | +| `PathPrefixStrip: /products/` | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. | +| `PathPrefixStripRegex: /articles/{category}/{id:[0-9]+}` | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. | +| `Query: foo=bar, bar=baz` | Match Query String parameters. It accepts a sequence of key=value pairs. | -In order to use regular expressions with Host and Path matchers, you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used. Example: `/posts/{id:[0-9]+}`. +In order to use regular expressions with Host and Path matchers, you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`). -(Note that the variable has no special meaning; however, it is required by the gorilla/mux dependency which embeds the regular expression and defines the syntax.) +!!! note + The variable has no special meaning; however, it is required by the [gorilla/mux](https://github.com/gorilla/mux) dependency which embeds the regular expression and defines the syntax. + +You can optionally enable `passHostHeader` to forward client `Host` header to the backend. +You can also optionally enable `passTLSCert` to forward TLS Client certificates to the backend. ##### Path Matcher Usage Guidelines @@ -122,12 +127,19 @@ This section explains when to use the various path matchers. Use `Path` if your backend listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`. -Use a `*Prefix*` matcher if your backend listens on a particular base path but also serves requests on sub-paths. For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. Since the path is forwarded as-is, your backend is expected to listen on `/products`. +Use a `*Prefix*` matcher if your backend listens on a particular base path but also serves requests on sub-paths. +For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. +Since the path is forwarded as-is, your backend is expected to listen on `/products`. -Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix. For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. Since the path is stripped prior to forwarding, your backend is expected to listen on `/`. -If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs. Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend). The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically. +Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix. +For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. +Since the path is stripped prior to forwarding, your backend is expected to listen on `/`. +If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs. +Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend). +The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically. -Instead of distinguishing your backends by path only, you can add a Host matcher to the mix. That way, namespacing of your backends happens on the basis of hosts in addition to paths. +Instead of distinguishing your backends by path only, you can add a Host matcher to the mix. +That way, namespacing of your backends happens on the basis of hosts in addition to paths. #### Examples @@ -353,8 +365,8 @@ For example: [backends] [backends.backend1] [backends.backend1.healthcheck] - path = "/health" - interval = "10s" + path = "/health" + interval = "10s" ``` To use a different port for the healthcheck: @@ -362,9 +374,9 @@ To use a different port for the healthcheck: [backends] [backends.backend1] [backends.backend1.healthcheck] - path = "/health" - interval = "10s" - port = 8080 + path = "/health" + interval = "10s" + port = 8080 ``` ### Servers @@ -377,7 +389,7 @@ Here is an example of backends and servers definition: [backends] [backends.backend1] [backends.backend1.circuitbreaker] - expression = "NetworkErrorRatio() > 0.5" + expression = "NetworkErrorRatio() > 0.5" [backends.backend1.servers.server1] url = "http://172.17.0.2:80" weight = 10 @@ -386,7 +398,7 @@ Here is an example of backends and servers definition: weight = 1 [backends.backend2] [backends.backend2.LoadBalancer] - method = "drr" + method = "drr" [backends.backend2.servers.server1] url = "http://172.17.0.4:80" weight = 1 @@ -430,12 +442,12 @@ By default, Træfik will try to find a `traefik.toml` in the following places: - `/etc/traefik/` - `$HOME/.traefik/` -- `.` *the working directory* +- `.` _the working directory_ You can override this by setting a `configFile` argument: ```bash -$ traefik --configFile=foo/bar/myconfigfile.toml +traefik --configFile=foo/bar/myconfigfile.toml ``` Please refer to the [global configuration](/configuration/commons) section to get documentation on it. @@ -445,7 +457,7 @@ Please refer to the [global configuration](/configuration/commons) section to ge Each argument (and command) is described in the help section: ```bash -$ traefik --help +traefik --help ``` Note that all default values will be displayed as well. @@ -478,7 +490,12 @@ Please refer to the [configuration backends](/configuration/commons) section to ## Commands -Usage: `traefik [command] [--flag=flag_argument]` +### traefik + +Usage: +```bash +traefik [command] [--flag=flag_argument] +``` List of Træfik available commands with description :                                                              @@ -491,13 +508,13 @@ Each command may have related flags. All those related flags will be displayed with : ```bash -$ traefik [command] --help +traefik [command] --help ``` Note that each command is described at the beginning of the help section: ```bash -$ traefik --help +traefik --help ``` ### Command: bug @@ -505,7 +522,7 @@ $ traefik --help Here is the easiest way to submit a pre-filled issue on [Træfik GitHub](https://github.com/containous/traefik). ```bash -$ traefik bug +traefik bug ``` See https://www.youtube.com/watch?v=Lyz62L8m93I. diff --git a/docs/configuration/acme.md b/docs/configuration/acme.md index 41f9c21a9..5feade558 100644 --- a/docs/configuration/acme.md +++ b/docs/configuration/acme.md @@ -8,9 +8,6 @@ [entryPoints.https.tls] # Enable ACME (Let's Encrypt): automatic SSL -# -# Optional -# [acme] # Email address used for registration @@ -104,22 +101,14 @@ entryPoint = "https" # All domains must have A/AAAA records pointing to Traefik # WARNING, Take note that Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits # Each domain & SANs will lead to a certificate request. -# # [[acme.domains]] -# main = "local1.com" -# sans = ["test1.local1.com", "test2.local1.com"] +# main = "local1.com" +# sans = ["test1.local1.com", "test2.local1.com"] # [[acme.domains]] -# main = "local2.com" -# sans = ["test1.local2.com", "test2x.local2.com"] +# main = "local2.com" +# sans = ["test1.local2.com", "test2.local2.com"] # [[acme.domains]] -# main = "local3.com" +# main = "local3.com" # [[acme.domains]] -# main = "local4.com" -[[acme.domains]] - main = "local1.com" - sans = ["test1.local1.com", "test2.local1.com"] -[[acme.domains]] - main = "local3.com" -[[acme.domains]] - main = "local4.com" +# main = "local4.com" ``` diff --git a/docs/configuration/backends/dynamodb.md b/docs/configuration/backends/dynamodb.md index 65065a33f..44885dd1e 100644 --- a/docs/configuration/backends/dynamodb.md +++ b/docs/configuration/backends/dynamodb.md @@ -57,7 +57,7 @@ Items in the `dynamodb` table must have three attributes: - `id` (string): The id is the primary key. - `name`(string): The name is used as the name of the frontend or backend. -- `frontend` or `backend` (map): This attribute's structure matches exactly the structure of a Frontend or Backend type in traefik. - See `types/types.go` for details. +- `frontend` or `backend` (map): This attribute's structure matches exactly the structure of a Frontend or Backend type in traefik. + See `types/types.go` for details. The presence or absence of this attribute determines its type. So an item should never have both a `frontend` and a `backend` attribute. diff --git a/docs/configuration/backends/file.md b/docs/configuration/backends/file.md index 483e2190a..b6ddcbdf4 100644 --- a/docs/configuration/backends/file.md +++ b/docs/configuration/backends/file.md @@ -7,14 +7,13 @@ Like any other reverse proxy, Træfik can be configured with a file. You have th Add your configuration at the end of the global configuration file `traefik.toml`: ```toml -# traefik.toml -logLevel = "DEBUG" defaultEntryPoints = ["http", "https"] + [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] - entryPoint = "https" + entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] @@ -31,7 +30,7 @@ defaultEntryPoints = ["http", "https"] [backends] [backends.backend1] [backends.backend1.circuitbreaker] - expression = "NetworkErrorRatio() > 0.5" + expression = "NetworkErrorRatio() > 0.5" [backends.backend1.servers.server1] url = "http://172.17.0.2:80" weight = 10 @@ -40,10 +39,10 @@ defaultEntryPoints = ["http", "https"] weight = 1 [backends.backend2] [backends.backend2.maxconn] - amount = 10 - extractorfunc = "request.host" + amount = 10 + extractorfunc = "request.host" [backends.backend2.LoadBalancer] - method = "drr" + method = "drr" [backends.backend2.servers.server1] url = "http://172.17.0.4:80" weight = 1 @@ -56,6 +55,7 @@ defaultEntryPoints = ["http", "https"] backend = "backend2" [frontends.frontend1.routes.test_1] rule = "Host:test.localhost" + [frontends.frontend2] backend = "backend1" passHostHeader = true @@ -70,10 +70,11 @@ defaultEntryPoints = ["http", "https"] entrypoints = ["https"] # overrides defaultEntryPoints [frontends.frontend2.routes.test_1] rule = "Host:{subdomain:[a-z]+}.localhost" + [frontends.frontend3] entrypoints = ["http", "https"] # overrides defaultEntryPoints backend = "backend2" - rule = "Path:/test" + rule = "Path:/test" ``` ## Rules in a Separate File @@ -82,7 +83,6 @@ Put your rules in a separate file, for example `rules.toml`: ```toml # traefik.toml -logLevel = "DEBUG" [entryPoints] [entryPoints.http] address = ":80" @@ -107,7 +107,7 @@ filename = "rules.toml" [backends] [backends.backend1] [backends.backend1.circuitbreaker] - expression = "NetworkErrorRatio() > 0.5" + expression = "NetworkErrorRatio() > 0.5" [backends.backend1.servers.server1] url = "http://172.17.0.2:80" weight = 10 @@ -116,10 +116,10 @@ filename = "rules.toml" weight = 1 [backends.backend2] [backends.backend2.maxconn] - amount = 10 - extractorfunc = "request.host" + amount = 10 + extractorfunc = "request.host" [backends.backend2.LoadBalancer] - method = "drr" + method = "drr" [backends.backend2.servers.server1] url = "http://172.17.0.4:80" weight = 1 @@ -142,7 +142,7 @@ filename = "rules.toml" [frontends.frontend3] entrypoints = ["http", "https"] # overrides defaultEntryPoints backend = "backend2" - rule = "Path:/test" + rule = "Path:/test" ``` ## Multiple .toml Files @@ -160,20 +160,3 @@ If you want Træfik to watch file changes automatically, just add: [file] watch = true ``` - -The configuration files can be also templates written using functions provided by [go template](https://golang.org/pkg/text/template/) as well as functions provided by the [sprig library](https://masterminds.github.io/sprig/), like this: - -```tmpl -[backends] - [backends.backend1] - url = "http://firstserver" - [backends.backend2] - url = "http://secondserver" - -{{$frontends := dict "frontend1" "backend1" "frontend2" "backend2"}} -[frontends] -{{range $frontend, $backend := $frontends}} - [frontends.{{$frontend}}] - backend = "{{$backend}}" -{{end}} -``` \ No newline at end of file diff --git a/docs/configuration/backends/marathon.md b/docs/configuration/backends/marathon.md index 3f0599f99..ce688ce5a 100644 --- a/docs/configuration/backends/marathon.md +++ b/docs/configuration/backends/marathon.md @@ -130,38 +130,38 @@ domain = "marathon.localhost" Labels can be used on containers to override default behaviour: -| Label | Description | -|----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `traefik.backend=foo` | assign the application to `foo` backend | -| `traefik.backend.maxconn.amount=10` | set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect. | -| `traefik.backend.maxconn.extractorfunc=client.ip` | set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. | -| `traefik.backend.loadbalancer.method=drr` | override the default `wrr` load balancer algorithm | -| `traefik.backend.loadbalancer.sticky=true` | enable backend sticky sessions | -| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | create a [circuit breaker](/basics/#backends) to be used against the backend | -| `traefik.backend.healthcheck.path=/health` | set the Traefik health check path [default: no health checks] | -| `traefik.backend.healthcheck.interval=5s` | sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s] | -| `traefik.portIndex=1` | register port by index in the application's ports array. Useful when the application exposes multiple ports. | -| `traefik.port=80` | register the explicit application port value. Cannot be used alongside `traefik.portIndex`. | -| `traefik.protocol=https` | override the default `http` protocol | -| `traefik.weight=10` | assign this weight to the application | -| `traefik.enable=false` | disable this application in Træfik | -| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`). | -| `traefik.frontend.passHostHeader=true` | forward client `Host` header to the backend. | -| `traefik.frontend.priority=10` | override default frontend priority | -| `traefik.frontend.entryPoints=http,https` | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. | -| `traefik.frontend.auth.basic=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` | Sets basic authentication for that frontend with the usernames and passwords test:test and test2:test2, respectively | +| Label | Description | +|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `traefik.backend=foo` | assign the application to `foo` backend | +| `traefik.backend.maxconn.amount=10` | set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect. | +| `traefik.backend.maxconn.extractorfunc=client.ip` | set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. | +| `traefik.backend.loadbalancer.method=drr` | override the default `wrr` load balancer algorithm | +| `traefik.backend.loadbalancer.sticky=true` | enable backend sticky sessions | +| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | create a [circuit breaker](/basics/#backends) to be used against the backend | +| `traefik.backend.healthcheck.path=/health` | set the Traefik health check path [default: no health checks] | +| `traefik.backend.healthcheck.interval=5s` | sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s] | +| `traefik.portIndex=1` | register port by index in the application's ports array. Useful when the application exposes multiple ports. | +| `traefik.port=80` | register the explicit application port value. Cannot be used alongside `traefik.portIndex`. | +| `traefik.protocol=https` | override the default `http` protocol | +| `traefik.weight=10` | assign this weight to the application | +| `traefik.enable=false` | disable this application in Træfik | +| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`). | +| `traefik.frontend.passHostHeader=true` | forward client `Host` header to the backend. | +| `traefik.frontend.priority=10` | override default frontend priority | +| `traefik.frontend.entryPoints=http,https` | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. | +| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`. | If several ports need to be exposed from a container, the services labels can be used: -| Label | Description | -|-------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------| -| `traefik..port=443` | create a service binding with frontend/backend using this port. Overrides `traefik.port`. | -| `traefik..portIndex=1` | create a service binding with frontend/backend using this port index. Overrides `traefik.portIndex`. | -| `traefik..protocol=https` | assign `https` protocol. Overrides `traefik.protocol`. | -| `traefik..weight=10` | assign this service weight. Overrides `traefik.weight`. | -| `traefik..frontend.backend=fooBackend` | assign this service frontend to `foobackend`. Default is to assign to the service backend. | -| `traefik..frontend.entryPoints=http` | assign this service entrypoints. Overrides `traefik.frontend.entrypoints`. | -| `traefik..frontend.auth.basic=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` | Sets a Basic Auth for that frontend with the users test:test and test2:test2. | -| `traefik..frontend.passHostHeader=true` | Forward client `Host` header to the backend. Overrides `traefik.frontend.passHostHeader`. | -| `traefik..frontend.priority=10` | assign the service frontend priority. Overrides `traefik.frontend.priority`. | -| `traefik..frontend.rule=Path:/foo` | assign the service frontend rule. Overrides `traefik.frontend.rule`. | +| Label | Description | +|--------------------------------------------------------|------------------------------------------------------------------------------------------------------| +| `traefik..port=443` | create a service binding with frontend/backend using this port. Overrides `traefik.port`. | +| `traefik..portIndex=1` | create a service binding with frontend/backend using this port index. Overrides `traefik.portIndex`. | +| `traefik..protocol=https` | assign `https` protocol. Overrides `traefik.protocol`. | +| `traefik..weight=10` | assign this service weight. Overrides `traefik.weight`. | +| `traefik..frontend.backend=fooBackend` | assign this service frontend to `foobackend`. Default is to assign to the service backend. | +| `traefik..frontend.entryPoints=http` | assign this service entrypoints. Overrides `traefik.frontend.entrypoints`. | +| `traefik..frontend.auth.basic=test:EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash` | +| `traefik..frontend.passHostHeader=true` | Forward client `Host` header to the backend. Overrides `traefik.frontend.passHostHeader`. | +| `traefik..frontend.priority=10` | assign the service frontend priority. Overrides `traefik.frontend.priority`. | +| `traefik..frontend.rule=Path:/foo` | assign the service frontend rule. Overrides `traefik.frontend.rule`. | diff --git a/docs/configuration/backends/rancher.md b/docs/configuration/backends/rancher.md index 0ec15ed31..f462d548c 100644 --- a/docs/configuration/backends/rancher.md +++ b/docs/configuration/backends/rancher.md @@ -22,27 +22,27 @@ domain = "rancher.localhost" # Optional # Default: true # -Watch = true +watch = true # Polling interval (in seconds) # # Optional # -RefreshSeconds = 15 +refreshSeconds = 15 # Expose Rancher services by default in traefik # # Optional # Default: true # -ExposedByDefault = false +exposedByDefault = false # Filter services with unhealthy states and inactive states # # Optional # Default: false # -EnableServiceHealthFilter = true +enableServiceHealthFilter = true ``` ## Rancher Metadata Service @@ -63,14 +63,14 @@ EnableServiceHealthFilter = true # Optional # Default: false # -IntervalPoll = true +intervalPoll = true # Prefix used for accessing the Rancher metadata service # # Optional # Default: "/latest" # -Prefix = "/2016-07-29" +prefix = "/2016-07-29" ``` ## Rancher API @@ -86,17 +86,17 @@ Prefix = "/2016-07-29" # Endpoint to use when connecting to the Rancher API # # Required -Endpoint = "http://rancherserver.example.com/v1" +endpoint = "http://rancherserver.example.com/v1" # AccessKey to use when connecting to the Rancher API # # Required -AccessKey = "XXXXXXXXXXXXXXXXXXXX" +accessKey = "XXXXXXXXXXXXXXXXXXXX" # SecretKey to use when connecting to the Rancher API # # Required -SecretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ``` !!! note @@ -109,13 +109,13 @@ SecretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" Labels can be used on task containers to override default behaviour: -| Label | Description | -|----------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------| -| `traefik.protocol=https` | override the default `http` protocol | -| `traefik.weight=10` | assign this weight to the container | -| `traefik.enable=false` | disable this container in Træfik | -| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`). | -| `traefik.frontend.passHostHeader=true` | forward client `Host` header to the backend. | -| `traefik.frontend.priority=10` | override default frontend priority | -| `traefik.frontend.entryPoints=http,https` | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. | -| `traefik.frontend.auth.basic=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` | Sets basic authentication for that frontend with the usernames and passwords test:test and test2:test2, respectively | +| Label | Description | +|----------------------------------------------|------------------------------------------------------------------------------------------| +| `traefik.protocol=https` | override the default `http` protocol | +| `traefik.weight=10` | assign this weight to the container | +| `traefik.enable=false` | disable this container in Træfik | +| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`). | +| `traefik.frontend.passHostHeader=true` | forward client `Host` header to the backend. | +| `traefik.frontend.priority=10` | override default frontend priority | +| `traefik.frontend.entryPoints=http,https` | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. | +| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`. | diff --git a/docs/configuration/backends/web.md b/docs/configuration/backends/web.md index 5a7d1d3f0..0989deb7a 100644 --- a/docs/configuration/backends/web.md +++ b/docs/configuration/backends/web.md @@ -32,21 +32,6 @@ address = ":8080" # Enable more detailed statistics # [web.statistics] # RecentErrors = 10 - -# To enable basic auth on the webui -# with 2 user/pass: test:test and test2:test2 -# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones -# Users can be specified directly in the toml file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence -# [web.auth.basic] -# users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] -# usersFile = "/path/to/.htpasswd" -# To enable digest auth on the webui -# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2 -# You can use htdigest to generate those ones -# Users can be specified directly in the toml file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence -# [web.auth.digest] -# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] -# usersFile = "/path/to/.htdigest" ``` ## Web UI @@ -55,24 +40,65 @@ address = ":8080" ![Web UI Health](/img/traefik-health.png) +### Authentication + +- Basic Authentication + +Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate those ones. + +Users can be specified directly in the toml file, or indirectly by referencing an external file; + if both are provided, the two are merged, with external file contents having precedence. + +```toml +# To enable basic auth on the webui with 2 user/pass: test:test and test2:test2 + [web.auth.basic] + users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] + usersFile = "/path/to/.htpasswd" +``` + +- Digest Authentication + +You can use `htdigest` to generate those ones. + +Users can be specified directly in the toml file, or indirectly by referencing an external file; + if both are provided, the two are merged, with external file contents having precedence + +```toml +# To enable digest auth on the webui with 2 user/realm/pass: test:traefik:test and test2:traefik:test2 + [web.auth.digest] + users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] + usersFile = "/path/to/.htdigest" +``` + + ## Metrics You can enable Traefik to export internal metrics to different monitoring systems. +- Prometheus + ```toml # To enable Traefik to export internal metrics to Prometheus -# [web.metrics.prometheus] -# Buckets=[0.1,0.3,1.2,5.0] +[web.metrics.prometheus] + Buckets=[0.1,0.3,1.2,5.0] +``` +- DataDog + +```toml # DataDog metrics exporter type -# [web.metrics.datadog] -# Address = "localhost:8125" -# Pushinterval = "10s" +[web.metrics.datadog] + Address = "localhost:8125" + Pushinterval = "10s" +``` +- StatsD + +```toml # StatsD metrics exporter type -# [web.metrics.statsd] -# Address = "localhost:8125" -# Pushinterval = "10s" +[web.metrics.statsd] + Address = "localhost:8125" + Pushinterval = "10s" ``` ## API diff --git a/docs/configuration/commons.md b/docs/configuration/commons.md index bc62c315b..900ee6a1e 100644 --- a/docs/configuration/commons.md +++ b/docs/configuration/commons.md @@ -3,10 +3,6 @@ ## Main Section ```toml -################################################################ -# Global configuration -################################################################ - # Duration to give active requests a chance to finish before Traefik stops. # Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits). # If no units are provided, the value is parsed assuming seconds. @@ -43,21 +39,6 @@ # # ProvidersThrottleDuration = "2s" -# IdleTimeout -# -# DEPRECATED - see [respondingTimeouts] section. In the case both settings are configured, the deprecated option will -# be overwritten. -# -# IdleTimeout is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. -# This is set to enforce closing of stale client connections. -# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw -# values (digits). If no units are provided, the value is parsed assuming seconds. -# -# Optional -# Default: "180s" -# -# IdleTimeout = "360s" - # Controls the maximum idle (keep-alive) connections to keep per-host. If zero, DefaultMaxIdleConnsPerHost # from the Go standard library net/http module is used. # If you encounter 'too many open files' errors, you can either increase this @@ -70,6 +51,7 @@ # If set to true invalid SSL certificates are accepted for backends. # Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks. +# # Optional # Default: false # @@ -91,7 +73,8 @@ # defaultEntryPoints = ["http", "https"] ``` -### Constraints + +## Constraints In a micro-service architecture, with a central service discovery, setting constraints limits Træfik scope to a smaller number of routes. @@ -113,57 +96,63 @@ Supported filters: - `tag` +### Simple + ```toml -# Constraints definition -# -# Optional -# # Simple matching constraint -# constraints = ["tag==api"] +constraints = ["tag==api"] # Simple mismatching constraint -# constraints = ["tag!=api"] +constraints = ["tag!=api"] # Globbing -# constraints = ["tag==us-*"] +constraints = ["tag==us-*"] +``` +### Multiple + +```toml # Multiple constraints # - "tag==" must match with at least one tag # - "tag!=" must match with none of tags -# constraints = ["tag!=us-*", "tag!=asia-*"] - -# Backend-specific constraint -# [consulCatalog] -# endpoint = 127.0.0.1:8500 -# constraints = ["tag==api"] - -# [consulCatalog] -# endpoint = 127.0.0.1:8500 -# constraints = ["tag==api", "tag!=v*-beta"] +constraints = ["tag!=us-*", "tag!=asia-*"] ``` -## Traefik Logs +### Backend-specific + +```toml +# Backend-specific constraint +[consulCatalog] +endpoint = "127.0.0.1:8500" +constraints = ["tag==api"] + +[marathon] +endpoint = "127.0.0.1:8800" +constraints = ["tag==api", "tag!=v*-beta"] +``` + + +## Logs Definition + +### Traefik logs ```toml # Traefik logs file # If not defined, logs to stdout -# -# Optional -# -# traefikLogsFile = "log/traefik.log" +traefikLogsFile = "log/traefik.log" # Log level # # Optional # Default: "ERROR" +# # Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC" # Messages at and above the selected level will be logged. # -# logLevel = "ERROR" +logLevel = "ERROR" ``` - -## Access Log Definition +### Access Logs Access logs are written when `[accessLog]` is defined. By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields. @@ -176,14 +165,14 @@ To enable access logs using the default settings just add the `[accessLog]` entr To write the logs into a logfile specify the `filePath`. ```toml [accessLog] - filePath = "/path/to/access.log" +filePath = "/path/to/access.log" ``` To write JSON format logs, specify `json` as the format: ```toml [accessLog] - filePath = "/path/to/access.log" - format = "json" +filePath = "/path/to/access.log" +format = "json" ``` Deprecated way (before 1.4): @@ -191,12 +180,11 @@ Deprecated way (before 1.4): # Access logs file # # DEPRECATED - see [accessLog] lower down -# Optional # accessLogsFile = "log/access.log" ``` -## Log Rotation +### Log Rotation Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal. This allows the logs to be rotated and processed by an external program, such as `logrotate`. @@ -239,166 +227,10 @@ Now the `500s.html` error page is returned for the configured code range. The configured status code ranges are inclusive; that is, in the above example, the `500s.html` page will be returned for status codes `500` through, and including, `599`. -## Entry Points Definition - -```toml -# Entrypoints definition -# -# Default: -# [entryPoints] -# [entryPoints.http] -# address = ":80" -# -[entryPoints] - [entryPoints.http] - address = ":80" -``` - -### Redirect HTTP to HTTPS - -```toml -# To redirect an http entrypoint to an https entrypoint (with SNI support): -# -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - [[entryPoints.https.tls.certificates]] - CertFile = "integration/fixtures/https/snitest.com.cert" - KeyFile = "integration/fixtures/https/snitest.com.key" - [[entryPoints.https.tls.certificates]] - CertFile = "integration/fixtures/https/snitest.org.cert" - KeyFile = "integration/fixtures/https/snitest.org.key" -``` - -### Rewriting URL - -```toml -# To redirect an entrypoint rewriting the URL: -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - regex = "^http://localhost/(.*)" - replacement = "http://mydomain/$1" -``` - -### TLS Mutual Authentication - -```toml -# Only accept clients that present a certificate signed by a specified -# Certificate Authority (CA) -# ClientCAFiles can be configured with multiple CA:s in the same file or -# use multiple files containing one or several CA:s. The CA:s has to be in PEM format. -# All clients will be required to present a valid cert. -# The requirement will apply to all server certs in the entrypoint -# In the example below both snitest.com and snitest.org will require client certs -# -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"] - [[entryPoints.https.tls.certificates]] - CertFile = "integration/fixtures/https/snitest.com.cert" - KeyFile = "integration/fixtures/https/snitest.com.key" - [[entryPoints.https.tls.certificates]] - CertFile = "integration/fixtures/https/snitest.org.cert" - KeyFile = "integration/fixtures/https/snitest.org.key" -``` - -### Basic & Digest Authentication - -```toml -# To enable basic auth on an entrypoint -# -# with 2 user/pass: test:test and test2:test2 -# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones. -# Users can be specified directly in the toml file, or indirectly by referencing an external file; -# if both are provided, the two are merged, with external file contents having precedence. -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth.basic] - users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] - usersFile = "/path/to/.htpasswd" -``` - -```toml -# To enable digest auth on an entrypoint -# -# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2 -# You can use htdigest to generate those ones -# Users can be specified directly in the toml file, or indirectly by referencing an external file; -# if both are provided, the two are merged, with external file contents having precedence -[entryPoints] - [entryPoints.http] - address = ":80" - [entryPoints.http.auth.basic] - users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] - usersFile = "/path/to/.htdigest" -``` - -### Specify Minimum TLS Version - -```toml -# To specify an https entrypoint with a minimum TLS version, -# and specifying an array of cipher suites (from crypto/tls): -[entryPoints] - [entryPoints.https] - address = ":443" - [entryPoints.https.tls] - MinVersion = "VersionTLS12" - CipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"] - [[entryPoints.https.tls.certificates]] - CertFile = "integration/fixtures/https/snitest.com.cert" - KeyFile = "integration/fixtures/https/snitest.com.key" - [[entryPoints.https.tls.certificates]] - CertFile = "integration/fixtures/https/snitest.org.cert" - KeyFile = "integration/fixtures/https/snitest.org.key" -``` - -### Compression - -```toml -# To enable compression support using gzip format: -[entryPoints] - [entryPoints.http] - address = ":80" - compress = true -``` - -### Whitelisting - -```toml -# To enable IP whitelisting at the entrypoint level: -[entryPoints] - [entryPoints.http] - address = ":80" - whiteListSourceRange = ["127.0.0.1/32"] -``` - -### ProxyProtocol Support - -```toml -# To enable ProxyProtocol support (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt): -[entryPoints] - [entryPoints.http] - address = ":80" - proxyprotocol = true -``` - ## Retry Configuration ```toml # Enable retry sending request if network error -# -# Optional -# [retry] # Number of attempts @@ -409,13 +241,11 @@ The configured status code ranges are inclusive; that is, in the above example, # attempts = 3 ``` + ## Health Check Configuration ```toml # Enable custom health check options. -# -# Optional -# [healthcheck] # Set the default health check interval. Will only be effective if health check @@ -431,13 +261,14 @@ The configured status code ranges are inclusive; that is, in the above example, # interval = "30s" ``` -## Responding Timeouts + +## Timeouts + +### Responding Timeouts + +`respondingTimeouts` are timeouts for incoming requests to the Traefik instance. ```toml -# respondingTimeouts are timeouts for incoming requests to the Traefik instance. -# -# Optional -# [respondingTimeouts] # readTimeout is the maximum duration for reading the entire request, including the body. @@ -470,16 +301,13 @@ The configured status code ranges are inclusive; that is, in the above example, # Default: "180s" # # idleTimeout = "360s" - ``` -## Forwarding Timeouts +### Forwarding Timeouts + +`forwardingTimeouts` are timeouts for requests forwarded to the backend servers. ```toml -# forwardingTimeouts are timeouts for requests forwarded to the backend servers. -# -# Optional -# [forwardingTimeouts] # dialTimeout is the amount of time to wait until a connection to a backend server can be established. @@ -503,3 +331,79 @@ The configured status code ranges are inclusive; that is, in the above example, # responseHeaderTimeout = "0s" ``` +### Idle Timeout (deprecated) + +Use [respondingTimeouts](/configuration/commons/#responding-timeouts) instead of `IdleTimeout`. +In the case both settings are configured, the deprecated option will be overwritten. + +`IdleTimeout` is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. +This is set to enforce closing of stale client connections. + +Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits). +If no units are provided, the value is parsed assuming seconds. + +```toml +# IdleTimeout +# +# DEPRECATED - see [respondingTimeouts] section. +# +# Optional +# Default: "180s" +# +IdleTimeout = "360s" +``` + + +## Override Default Configuration Template + +!!! warning + For advanced users only. + +Supported by all backends except: File backend, Web backend and DynamoDB backend. + +```toml +[backend_name] + +# Override default configuration template. For advanced users :) +# +# Optional +# Default: "" +# +filename = "custom_config_template.tpml" + +# Enable debug logging of generated configuration template. +# +# Optional +# Default: false +# +debugLogGeneratedTemplate = true +``` + +Example: + +```toml +[marathon] +filename = "my_custom_config_template.tpml" +``` + +The template files can be written using functions provided by: + +- [go template](https://golang.org/pkg/text/template/) +- [sprig library](https://masterminds.github.io/sprig/) + +Example: + +```tmpl +[backends] + [backends.backend1] + url = "http://firstserver" + [backends.backend2] + url = "http://secondserver" + +{{$frontends := dict "frontend1" "backend1" "frontend2" "backend2"}} +[frontends] +{{range $frontend, $backend := $frontends}} + [frontends.{{$frontend}}] + backend = "{{$backend}}" +{{end}} +``` diff --git a/docs/configuration/entrypoints.md b/docs/configuration/entrypoints.md new file mode 100644 index 000000000..dc19b6ef4 --- /dev/null +++ b/docs/configuration/entrypoints.md @@ -0,0 +1,162 @@ +# Entry Points Definition + +```toml +# Entrypoints definition +# +# Default: +# [entryPoints] +# [entryPoints.http] +# address = ":80" +# +[entryPoints] + [entryPoints.http] + address = ":80" +``` + +## Redirect HTTP to HTTPS + +To redirect an http entrypoint to an https entrypoint (with SNI support). + +```toml +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.redirect] + entryPoint = "https" + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + [[entryPoints.https.tls.certificates]] + CertFile = "integration/fixtures/https/snitest.com.cert" + KeyFile = "integration/fixtures/https/snitest.com.key" + [[entryPoints.https.tls.certificates]] + CertFile = "integration/fixtures/https/snitest.org.cert" + KeyFile = "integration/fixtures/https/snitest.org.key" +``` + +## Rewriting URL + +To redirect an entrypoint rewriting the URL. + +```toml +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.redirect] + regex = "^http://localhost/(.*)" + replacement = "http://mydomain/$1" +``` + +## TLS Mutual Authentication + +Only accept clients that present a certificate signed by a specified Certificate Authority (CA). +`ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`. +The `CA:s` has to be in PEM format. + +All clients will be required to present a valid cert. +The requirement will apply to all server certs in the entrypoint. + +In the example below both `snitest.com` and `snitest.org` will require client certs + +```toml +[entryPoints] + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"] + [[entryPoints.https.tls.certificates]] + CertFile = "integration/fixtures/https/snitest.com.cert" + KeyFile = "integration/fixtures/https/snitest.com.key" + [[entryPoints.https.tls.certificates]] + CertFile = "integration/fixtures/https/snitest.org.cert" + KeyFile = "integration/fixtures/https/snitest.org.key" +``` + + +## Authentication + +### Basic Authentication + +Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate those ones. + +Users can be specified directly in the toml file, or indirectly by referencing an external file; + if both are provided, the two are merged, with external file contents having precedence. + +```toml +# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2 +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.auth.basic] + users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] + usersFile = "/path/to/.htpasswd" +``` + +### Digest Authentication + +You can use `htdigest` to generate those ones. + +Users can be specified directly in the toml file, or indirectly by referencing an external file; + if both are provided, the two are merged, with external file contents having precedence + +```toml +# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2 +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.auth.basic] + users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"] + usersFile = "/path/to/.htdigest" +``` + +## Specify Minimum TLS Version + +To specify an https entrypoint with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls). + +```toml +[entryPoints] + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + MinVersion = "VersionTLS12" + CipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"] + [[entryPoints.https.tls.certificates]] + CertFile = "integration/fixtures/https/snitest.com.cert" + KeyFile = "integration/fixtures/https/snitest.com.key" + [[entryPoints.https.tls.certificates]] + CertFile = "integration/fixtures/https/snitest.org.cert" + KeyFile = "integration/fixtures/https/snitest.org.key" +``` + +## Compression + +To enable compression support using gzip format. + +```toml +[entryPoints] + [entryPoints.http] + address = ":80" + compress = true +``` + +## Whitelisting + +To enable IP whitelisting at the entrypoint level. + +```toml +[entryPoints] + [entryPoints.http] + address = ":80" + whiteListSourceRange = ["127.0.0.1/32"] +``` + +## ProxyProtocol Support + +To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support. + +```toml +[entryPoints] + [entryPoints.http] + address = ":80" + proxyprotocol = true +``` diff --git a/docs/index.md b/docs/index.md index 4813dc4f0..e91c27659 100644 --- a/docs/index.md +++ b/docs/index.md @@ -125,9 +125,11 @@ networks: Start it from within the `traefik` folder: - docker-compose up -d +```shell +docker-compose up -d +``` -In a browser you may open `http://localhost:8080` to access Træfik's dashboard and observe the following magic. +In a browser you may open [http://localhost:8080](http://localhost:8080) to access Træfik's dashboard and observe the following magic. Now, create a folder named `test` and create a `docker-compose.yml` in it with this content: @@ -159,7 +161,10 @@ docker-compose scale whoami=2 Finally, test load-balancing between the two services `test_whoami_1` and `test_whoami_2`: ```shell -$ curl -H Host:whoami.docker.localhost http://127.0.0.1 +curl -H Host:whoami.docker.localhost http://127.0.0.1 +``` + +```yaml Hostname: ef194d07634a IP: 127.0.0.1 IP: ::1 @@ -174,8 +179,13 @@ X-Forwarded-For: 172.17.0.1 X-Forwarded-Host: 172.17.0.4:80 X-Forwarded-Proto: http X-Forwarded-Server: dbb60406010d +``` -$ curl -H Host:whoami.docker.localhost http://127.0.0.1 +```shell +curl -H Host:whoami.docker.localhost http://127.0.0.1 +``` + +```yaml Hostname: 6c3c5df0c79a IP: 127.0.0.1 IP: ::1 diff --git a/docs/js/extra.js b/docs/theme/js/extra.js similarity index 100% rename from docs/js/extra.js rename to docs/theme/js/extra.js diff --git a/docs/js/hljs/LICENSE b/docs/theme/js/hljs/LICENSE similarity index 100% rename from docs/js/hljs/LICENSE rename to docs/theme/js/hljs/LICENSE diff --git a/docs/js/hljs/highlight.pack.js b/docs/theme/js/hljs/highlight.pack.js similarity index 100% rename from docs/js/hljs/highlight.pack.js rename to docs/theme/js/hljs/highlight.pack.js diff --git a/docs/theme/partials/footer.html b/docs/theme/partials/footer.html new file mode 100644 index 000000000..98cb1e652 --- /dev/null +++ b/docs/theme/partials/footer.html @@ -0,0 +1,104 @@ + + +{% import "partials/language.html" as lang %} + + + diff --git a/docs/styles/atom-one-light.css b/docs/theme/styles/atom-one-light.css similarity index 100% rename from docs/styles/atom-one-light.css rename to docs/theme/styles/atom-one-light.css diff --git a/docs/styles/extra.css b/docs/theme/styles/extra.css similarity index 100% rename from docs/styles/extra.css rename to docs/theme/styles/extra.css diff --git a/docs/user-guide/getting-started-with-docker-and-lets-encrypt.md b/docs/user-guide/docker-and-lets-encrypt.md similarity index 96% rename from docs/user-guide/getting-started-with-docker-and-lets-encrypt.md rename to docs/user-guide/docker-and-lets-encrypt.md index ca57997fe..3582a18a6 100644 --- a/docs/user-guide/getting-started-with-docker-and-lets-encrypt.md +++ b/docs/user-guide/docker-and-lets-encrypt.md @@ -18,18 +18,22 @@ In this example, we're going to use a single network called `web` where all cont On the Docker host, run the following command: -`$ docker network create web` +```shell +docker network create web +``` Now, let's create a directory on the server where we will configure the rest of Traefik: -`$ mkdir -p /opt/traefik` +```shell +mkdir -p /opt/traefik +``` Within this directory, we're going to create 3 empty files: -```sh -$ touch /opt/traefik/docker-compose.yml -$ touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json -$ touch /opt/traefik/traefik.toml +```shell +touch /opt/traefik/docker-compose.yml +touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json +touch /opt/traefik/traefik.toml ``` The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik. @@ -76,7 +80,7 @@ defaultEntryPoints = ["https","http"] [entryPoints.http] address = ":80" [entryPoints.http.redirect] - entryPoint = "https" + entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] @@ -104,7 +108,7 @@ This is the minimum configuration required to do the following: - Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!** - Enable automatic request and configuration of SSL certificates using Let's Encrypt. These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises. -Alright, let's boot the container. From the `/opt/traefik` directory, run `$ docker-compose up -d` which will create and start the Traefik container. +Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Traefik container. ## Exposing Web Services to the Outside World diff --git a/docs/user-guide/kv-config.md b/docs/user-guide/kv-config.md index ba05ab32e..de18cd925 100644 --- a/docs/user-guide/kv-config.md +++ b/docs/user-guide/kv-config.md @@ -112,6 +112,7 @@ And there, the same global configuration in the Key-value Store (using `prefix = | `/traefik/web/address` | `:8081` | In case you are setting key values manually: + - Remember to specify the indexes (`0`,`1`, `2`, ... ) under prefixes `/traefik/defaultentrypoints/` and `/traefik/entrypoints/https/tls/certificates/` in order to match the global configuration structure. - Be careful to give the correct IP address and port on the key `/traefik/consul/endpoint`. @@ -190,7 +191,7 @@ Here is the toml configuration we would like to store in the store : [backends] [backends.backend1] [backends.backend1.circuitbreaker] - expression = "NetworkErrorRatio() > 0.5" + expression = "NetworkErrorRatio() > 0.5" [backends.backend1.servers.server1] url = "http://172.17.0.2:80" weight = 10 @@ -199,10 +200,10 @@ Here is the toml configuration we would like to store in the store : weight = 1 [backends.backend2] [backends.backend1.maxconn] - amount = 10 - extractorfunc = "request.host" + amount = 10 + extractorfunc = "request.host" [backends.backend2.LoadBalancer] - method = "drr" + method = "drr" [backends.backend2.servers.server1] url = "http://172.17.0.4:80" weight = 1 @@ -225,7 +226,7 @@ Here is the toml configuration we would like to store in the store : [frontends.frontend3] entrypoints = ["http", "https"] # overrides defaultEntryPoints backend = "backend2" - rule = "Path:/test" + rule = "Path:/test" ``` And there, the same dynamic configuration in a KV Store (using `prefix = "traefik"`): @@ -277,7 +278,10 @@ Træfik can watch the backends/frontends configuration changes and generate its Note that only backends/frontends rules are dynamic, the rest of the Træfik configuration stay static. -The [Etcd](https://github.com/coreos/etcd/issues/860) and [Consul](https://github.com/hashicorp/consul/issues/886) backends do not support updating multiple keys atomically. As a result, it may be possible for Træfik to read an intermediate configuration state despite judicious use of the `--providersThrottleDuration` flag. To solve this problem, Træfik supports a special key called `/traefik/alias`. If set, Træfik use the value as an alternative key prefix. +The [Etcd](https://github.com/coreos/etcd/issues/860) and [Consul](https://github.com/hashicorp/consul/issues/886) backends do not support updating multiple keys atomically. +As a result, it may be possible for Træfik to read an intermediate configuration state despite judicious use of the `--providersThrottleDuration` flag. +To solve this problem, Træfik supports a special key called `/traefik/alias`. +If set, Træfik use the value as an alternative key prefix. Given the key structure below, Træfik will use the `http://172.17.0.2:80` as its only backend (frontend keys have been omitted for brevity). @@ -287,7 +291,8 @@ Given the key structure below, Træfik will use the `http://172.17.0.2:80` as it | `/traefik_configurations/1/backends/backend1/servers/server1/url` | `http://172.17.0.2:80` | | `/traefik_configurations/1/backends/backend1/servers/server1/weight` | `10` | -When an atomic configuration change is required, you may write a new configuration at an alternative prefix. Here, although the `/traefik_configurations/2/...` keys have been set, the old configuration is still active because the `/traefik/alias` key still points to `/traefik_configurations/1`: +When an atomic configuration change is required, you may write a new configuration at an alternative prefix. +Here, although the `/traefik_configurations/2/...` keys have been set, the old configuration is still active because the `/traefik/alias` key still points to `/traefik_configurations/1`: | Key | Value | |-------------------------------------------------------------------------|-----------------------------| @@ -299,7 +304,8 @@ When an atomic configuration change is required, you may write a new configurati | `/traefik_configurations/2/backends/backend1/servers/server2/url` | `http://172.17.0.3:80` | | `/traefik_configurations/2/backends/backend1/servers/server2/weight` | `5` | -Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` configuration becomes active atomically. Here, we have a 50% balance between the `http://172.17.0.3:80` and the `http://172.17.0.4:80` hosts while no traffic is sent to the `172.17.0.2:80` host: +Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` configuration becomes active atomically. +Here, we have a 50% balance between the `http://172.17.0.3:80` and the `http://172.17.0.4:80` hosts while no traffic is sent to the `172.17.0.2:80` host: | Key | Value | |-------------------------------------------------------------------------|-----------------------------| @@ -320,7 +326,7 @@ Don't forget to [setup the connection between Træfik and Key-value store](/user The static Træfik configuration in a key-value store can be automatically created and updated, using the [`storeconfig` subcommand](/basics/#commands). ```bash -$ traefik storeconfig [flags] ... +traefik storeconfig [flags] ... ``` This command is here only to automate the [process which upload the configuration into the Key-value store](/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store). Træfik will not start but the [static configuration](/basics/#static-trfk-configuration) will be uploaded into the Key-value store. diff --git a/docs/user-guide/swarm-mode.md b/docs/user-guide/swarm-mode.md index d7f27b9ed..ea77b1a03 100644 --- a/docs/user-guide/swarm-mode.md +++ b/docs/user-guide/swarm-mode.md @@ -1,8 +1,6 @@ # Docker Swarm (mode) cluster -This section explains how to create a multi-host docker cluster with -swarm mode using [docker-machine](https://docs.docker.com/machine) and -how to deploy Træfik on it. +This section explains how to create a multi-host docker cluster with swarm mode using [docker-machine](https://docs.docker.com/machine) and how to deploy Træfik on it. The cluster consists of: @@ -59,6 +57,8 @@ Let's validate the cluster is up and running. ```shell docker-machine ssh manager docker node ls +``` +``` ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS 2a770ov9vixeadep674265u1n worker1 Ready Active dbi3or4q8ii8elbws70g4hkdh * manager Ready Active Leader @@ -129,6 +129,8 @@ Check that everything is scheduled and started: ```shell docker-machine ssh manager "docker service ls" +``` +``` ID NAME REPLICAS IMAGE COMMAND ab046gpaqtln whoami0 1/1 emilevauge/whoami cgfg5ifzrpgm whoami1 1/1 emilevauge/whoami @@ -139,6 +141,8 @@ dtpl249tfghc traefik 1/1 traefik --docker --docker.swarmmode ```shell curl -H Host:whoami0.traefik http://$(docker-machine ip manager) +``` +```yaml Hostname: 8147a7746e7a IP: 127.0.0.1 IP: ::1 @@ -155,8 +159,11 @@ X-Forwarded-For: 192.168.99.1 X-Forwarded-Host: 10.0.9.3:80 X-Forwarded-Proto: http X-Forwarded-Server: 8fbc39271b4c - +``` +```shell curl -H Host:whoami1.traefik http://$(docker-machine ip manager) +``` +```yaml Hostname: ba2c21488299 IP: 127.0.0.1 IP: ::1 @@ -179,6 +186,8 @@ Note that as Træfik is published, you can access it from any machine and not on ```shell curl -H Host:whoami0.traefik http://$(docker-machine ip worker1) +``` +```yaml Hostname: 8147a7746e7a IP: 127.0.0.1 IP: ::1 @@ -195,8 +204,11 @@ X-Forwarded-For: 192.168.99.1 X-Forwarded-Host: 10.0.9.3:80 X-Forwarded-Proto: http X-Forwarded-Server: 8fbc39271b4c - +``` +```shell curl -H Host:whoami1.traefik http://$(docker-machine ip worker2) +``` +```yaml Hostname: ba2c21488299 IP: 127.0.0.1 IP: ::1 @@ -228,6 +240,8 @@ Check that we now have 5 replicas of each `whoami` service: ```shell docker-machine ssh manager "docker service ls" +``` +``` ID NAME REPLICAS IMAGE COMMAND ab046gpaqtln whoami0 5/5 emilevauge/whoami cgfg5ifzrpgm whoami1 5/5 emilevauge/whoami @@ -239,6 +253,9 @@ Repeat the following command multiple times and note that the Hostname changes e ```shell curl -H Host:whoami0.traefik http://$(docker-machine ip manager) +``` + +```yaml Hostname: 8147a7746e7a IP: 127.0.0.1 IP: ::1 @@ -261,6 +278,9 @@ Do the same against whoami1: ```shell curl -H Host:whoami1.traefik http://$(docker-machine ip manager) +``` + +```yaml Hostname: ba2c21488299 IP: 127.0.0.1 IP: ::1 @@ -278,17 +298,16 @@ X-Forwarded-Host: 10.0.9.4:80 X-Forwarded-Proto: http X-Forwarded-Server: 8fbc39271b4c ``` -Wait, I thought we added the sticky flag to whoami1? Traefik relies on a cookie to maintain stickyness so you'll need to test this with a browser. +Wait, I thought we added the sticky flag to `whoami1`? Traefik relies on a cookie to maintain stickyness so you'll need to test this with a browser. -First you need to add whoami1.traefik to your hosts file: +First you need to add `whoami1.traefik` to your hosts file: -```ssh +```shell if [ -n "$(grep whoami1.traefik /etc/hosts)" ]; then -echo "whoami1.traefik already exists (make sure the ip is current)"; + echo "whoami1.traefik already exists (make sure the ip is current)"; else -sudo -- sh -c -e "echo '$(docker-machine ip manager)\twhoami1.traefik' ->> /etc/hosts"; + sudo -- sh -c -e "echo '$(docker-machine ip manager)\twhoami1.traefik' >> /etc/hosts"; fi ``` diff --git a/docs/user-guide/swarm.md b/docs/user-guide/swarm.md index f24b35416..57e85e220 100644 --- a/docs/user-guide/swarm.md +++ b/docs/user-guide/swarm.md @@ -120,6 +120,8 @@ Check that everything is started: ```shell docker ps +``` +``` CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ba2c21488299 emilevauge/whoami "/whoamI" 8 seconds ago Up 9 seconds 80/tcp mhs-demo1/whoami1 8147a7746e7a emilevauge/whoami "/whoamI" 19 seconds ago Up 20 seconds 80/tcp mhs-demo0/whoami0 @@ -130,6 +132,8 @@ ba2c21488299 emilevauge/whoami "/whoamI" 8 seconds ago ```shell curl -H Host:whoami0.traefik http://$(docker-machine ip mhs-demo0) +``` +```yaml Hostname: 8147a7746e7a IP: 127.0.0.1 IP: ::1 @@ -146,8 +150,12 @@ X-Forwarded-For: 192.168.99.1 X-Forwarded-Host: 10.0.9.3:80 X-Forwarded-Proto: http X-Forwarded-Server: 8fbc39271b4c +``` +```shell curl -H Host:whoami1.traefik http://$(docker-machine ip mhs-demo0) +``` +```yaml Hostname: ba2c21488299 IP: 127.0.0.1 IP: ::1 diff --git a/mkdocs.yml b/mkdocs.yml index adee66829..04df35378 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -32,17 +32,26 @@ extra: i18n: prev: 'Previous' next: 'Next' -# version: 0.2.2 -# author: -# twitter: traefikproxy +# Comment because the call of the CDN is very slow. +# social: +# - type: 'github' +# link: 'https://github.com/containous/traefik' +# - type: 'stack-overflow' +# link: 'https://stackoverflow.com/questions/tagged/traefik' +# - type: 'slack' +# link: 'https://traefik.herokuapp.com' +# - type: 'twitter' +# link: 'https://twitter.com/traefikproxy' + +theme_dir: docs/theme/ extra_css: - - styles/extra.css - - styles/atom-one-light.css + - theme/styles/extra.css + - theme/styles/atom-one-light.css extra_javascript: - - js/hljs/highlight.pack.js - - js/extra.js + - theme/js/hljs/highlight.pack.js + - theme/js/extra.js markdown_extensions: - admonition @@ -55,22 +64,23 @@ pages: - Basics: basics.md - Configuration: - 'Commons': 'configuration/commons.md' + - 'EntryPoints': 'configuration/entrypoints.md' - 'Let''s Encrypt': 'configuration/acme.md' - - 'Web Backend': 'configuration/backends/web.md' - - 'BoltDB Backend': 'configuration/backends/boltdb.md' - - 'Consul Backend': 'configuration/backends/consul.md' - - 'Docker Backend': 'configuration/backends/docker.md' - - 'DynamoDB Backend': 'configuration/backends/dynamodb.md' - - 'ECS Backend': 'configuration/backends/ecs.md' - - 'Etcd Backend': 'configuration/backends/etcd.md' - - 'Eureka Backend': 'configuration/backends/eureka.md' - - 'File Backend': 'configuration/backends/file.md' - - 'Kubernetes Ingress Backend': 'configuration/backends/kubernetes.md' - - 'Marathon Backend': 'configuration/backends/marathon.md' - - 'Mesos Backend': 'configuration/backends/mesos.md' - - 'Rancher Backend': 'configuration/backends/rancher.md' - - 'Zookeeper Backend': 'configuration/backends/zookeeper.md' - - User Guide: + - 'Backend: Web': 'configuration/backends/web.md' + - 'Backend: BoltDB': 'configuration/backends/boltdb.md' + - 'Backend: Consul': 'configuration/backends/consul.md' + - 'Backend: Docker': 'configuration/backends/docker.md' + - 'Backend: DynamoDB': 'configuration/backends/dynamodb.md' + - 'Backend: ECS': 'configuration/backends/ecs.md' + - 'Backend: Etcd': 'configuration/backends/etcd.md' + - 'Backend: Eureka': 'configuration/backends/eureka.md' + - 'Backend: File': 'configuration/backends/file.md' + - 'Backend: Kubernetes Ingress': 'configuration/backends/kubernetes.md' + - 'Backend: Marathon': 'configuration/backends/marathon.md' + - 'Backend: Mesos': 'configuration/backends/mesos.md' + - 'Backend: Rancher': 'configuration/backends/rancher.md' + - 'Backend: Zookeeper': 'configuration/backends/zookeeper.md' + - User Guides: - 'Configuration Examples': 'user-guide/examples.md' - 'Swarm Cluster': 'user-guide/swarm.md' - 'Swarm Mode Cluster': 'user-guide/swarm-mode.md' @@ -78,5 +88,5 @@ pages: - 'Marathon': 'user-guide/marathon.md' - 'Key-value Store Configuration': 'user-guide/kv-config.md' - 'Clustering/HA': 'user-guide/cluster.md' - - 'Getting Started with Docker & Lets Encrypt': 'user-guide/getting-started-with-docker-and-lets-encrypt.md' + - 'Let''s Encrypt & Docker': 'user-guide/docker-and-lets-encrypt.md' - Benchmarks: benchmarks.md