7.6 KiB
Examples
You will find here some configuration examples of Træfik.
HTTP only
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
HTTP + HTTPS (with SNI)
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.com.cert"
KeyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
CertFile = "integration/fixtures/https/snitest.org.cert"
KeyFile = "integration/fixtures/https/snitest.org.key"
Note that we can either give path to certificate file or directly the file content itself (like in this TOML example).
HTTP redirect on HTTPS
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "examples/traefik.crt"
KeyFile = "examples/traefik.key"
Let's Encrypt support
Basic example
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
This configuration allows generating Let's Encrypt certificates for the four domains local[1-4].com
with described SANs.
Traefik generates these certificates when it starts and it needs to be restart if new domains are added.
OnHostRule option
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
This configuration allows generating Let's Encrypt certificates for the four domains local[1-4].com
.
Traefik generates these certificates when it starts.
If a backend is added with a onHost
rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain.
OnDemand option
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
OnDemand = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
This configuration allows generating a Let's Encrypt certificate during the first HTTPS request on a new domain.
Note : This option simplifies the configuration but :
- TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
- Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
That's why, it's better to use the
onHostRule
optin if possible.
DNS challenge
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "acme.json"
dnsProvider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
delayDontCheckDNS = 0
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
DNS challenge needs environment variables to be executed. This variables have to be set on the machine/container which host Traefik. These variables has described in this section.
OnHostRule option and provided certificates
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "examples/traefik.crt"
KeyFile = "examples/traefik.key"
[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
Traefik will only try to generate a Let's encrypt certificate if the domain cannot be checked by the provided certificates.
Cluster mode
Prerequisites
Before to use Let's Encrypt in a Traefik cluster, take a look to the key-value store explanations and more precisely to this section in the way to know how to migrate from a acme local storage (acme.json file) to a key-value store configuration.
Configuration
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "test@traefik.io"
storage = "traefik/acme/account"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
main = "local3.com"
[[acme.domains]]
main = "local4.com"
[consul]
endpoint = "127.0.0.1:8500"
watch = true
prefix = "traefik"
This configuration allows to use the key traefik/acme/account
to get/set Let's Encrypt certificates content.
The consul
provider contains the configuration.
Note : It's possible to use others key-value store providers as described here.
Override entrypoints in frontends
[frontends]
[frontends.frontend1]
backend = "backend2"
[frontends.frontend1.routes.test_1]
rule = "Host:test.localhost"
[frontends.frontend2]
backend = "backend1"
passHostHeader = true
passTLSCert = true
entrypoints = ["https"] # overrides defaultEntryPoints
[frontends.frontend2.routes.test_1]
rule = "Host:{subdomain:[a-z]+}.localhost"
[frontends.frontend3]
entrypoints = ["http", "https"] # overrides defaultEntryPoints
backend = "backend2"
rule = "Path:/test"
Enable Basic authentication in an entrypoint
With two user/pass:
test
:test
test2
:test2
Passwords are encoded in MD5: you can use htpasswd to generate those ones.
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth.basic]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
Pass Authenticated user to application via headers
Providing an authentication method as described above, it is possible to pass the user to the application via a configurable header value
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth]
headerField = "X-WebAuth-User"
[entryPoints.http.auth.basic]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
Override the Traefik HTTP server IdleTimeout and/or throttle configurations from re-loading too quickly
IdleTimeout = "360s"
ProvidersThrottleDuration = "5s"