# Examples

You will find here some configuration examples of Træfik.

## HTTP only

```toml
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
```

## HTTP + HTTPS (with SNI)

```toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.com.cert"
      keyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.org.cert"
      keyFile = "integration/fixtures/https/snitest.org.key"
```

Note that you can give either the path to the certificate file or the file content itself ([like in this TOML example](/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store)).

## HTTP redirect on HTTPS

```toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "examples/traefik.crt"
      keyFile = "examples/traefik.key"
```

!!! note
    `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection; they are not used in that case.

## Let's Encrypt support

### Basic example

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "test@traefik.io"
storage = "acme.json"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"

[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
  sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
  main = "local3.com"
[[acme.domains]]
  main = "local4.com"
```

This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com` with the described SANs.

Traefik generates these certificates when it starts and needs to be restarted if new domains are added.

### OnHostRule option

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"

[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
  sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
  main = "local3.com"
[[acme.domains]]
  main = "local4.com"
```

This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com`.

Traefik generates these certificates when it starts.

If a backend is added with an `onHost` rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain.

### OnDemand option

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "test@traefik.io"
storage = "acme.json"
onDemand = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
```

This configuration allows generating a Let's Encrypt certificate during the first HTTPS request on a new domain.

!!! note
    This option simplifies the configuration, but:

    * TLS handshakes will be slow when requesting a hostname certificate for the first time; this can lead to DDoS attacks.
    * Let's Encrypt has rate limits: https://letsencrypt.org/docs/rate-limits

    That's why it's better to use the `onHostRule` option if possible.

### DNS challenge

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "test@traefik.io"
storage = "acme.json"
dnsProvider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
delayDontCheckDNS = 0
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"

[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
  sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
  main = "local3.com"
[[acme.domains]]
  main = "local4.com"
```

The DNS challenge needs environment variables in order to run.
These variables have to be set on the machine or container that hosts Traefik.

These variables are described [in this section](/configuration/acme/#dnsprovider).

### OnHostRule option and provided certificates

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "examples/traefik.crt"
      keyFile = "examples/traefik.key"

[acme]
email = "test@traefik.io"
storage = "acme.json"
onHostRule = true
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"
```

Traefik will only try to generate a Let's Encrypt certificate if the domain is not covered by the provided certificates.

### Cluster mode

#### Prerequisites

Before you use Let's Encrypt in a Traefik cluster, take a look at [the key-value store explanations](/user-guide/kv-config) and more precisely at [this section](/user-guide/kv-config/#store-configuration-in-key-value-store), which describes how to migrate from an ACME local storage *(acme.json file)* to a key-value store configuration.

#### Configuration

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
email = "test@traefik.io"
storage = "traefik/acme/account"
caServer = "http://172.18.0.1:4000/directory"
entryPoint = "https"

[[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
  main = "local2.com"
  sans = ["test1.local2.com", "test2x.local2.com"]
[[acme.domains]]
  main = "local3.com"
[[acme.domains]]
  main = "local4.com"

[consul]
  endpoint = "127.0.0.1:8500"
  watch = true
  prefix = "traefik"
```

This configuration uses the key `traefik/acme/account` to get and set the Let's Encrypt certificates content.
The `consul` provider contains the configuration.

!!! note
    It's possible to use other key-value store providers as described [here](/user-guide/kv-config/#key-value-store-configuration).

## Override entrypoints in frontends

```toml
[frontends]
  [frontends.frontend1]
  backend = "backend2"
    [frontends.frontend1.routes.test_1]
    rule = "Host:test.localhost"
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
  passTLSCert = true
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
    rule = "Host:{subdomain:[a-z]+}.localhost"
  [frontends.frontend3]
  entrypoints = ["http", "https"] # overrides defaultEntryPoints
  backend = "backend2"
    [frontends.frontend3.routes.test_1]
    rule = "Path:/test"
```

## Enable Basic authentication in an entrypoint

With two user/pass pairs:

- `test`:`test`
- `test2`:`test2`

Passwords are hashed with MD5 (the `$apr1$` format); you can use `htpasswd` to generate them.

```toml
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.auth.basic]
    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
```
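To check before deployment that the `users` entries above really hold the intended passwords (a mis-pasted hash silently locks a user out), here is an added example, not part of the Traefik docs or code base, that reimplements the `$apr1$` scheme `htpasswd -m` produces and verifies a user/password pair against a Traefik-style `users` list; the `USERS` list is a copy of the one in the config above.

```python
import hashlib
import hmac

# crypt(3)-style base64 alphabet used by $apr1$ hashes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Copy of the users list from the config above (test:test and test2:test2).
USERS = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password: str, salt: str) -> str:
    """Apache APR1 hash (MD5, 1000 rounds), the scheme htpasswd -m produces."""
    pw, slt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in alt, 16 bytes per 16 password bytes
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of the length: NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # key-stretching rounds, as in apr_md5_encode
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(slt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return f"$apr1${slt.decode()}${enc}{_to64(final[11], 2)}"


def check_user(users: list[str], username: str, password: str) -> bool:
    """Verify a user/password pair against Traefik-style "user:$apr1$salt$hash" entries."""
    for entry in users:
        name, _, stored = entry.partition(":")
        if name != username or not stored.startswith("$apr1$"):
            continue
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    return False
```

`hmac.compare_digest` keeps the comparison constant-time, which is how a real verifier should compare stored hashes.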

## Pass Authenticated user to application via headers

Providing an authentication method as described above, it is possible to pass the user to the application via a configurable header value.

```toml
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.auth]
    headerField = "X-WebAuth-User"
      [entryPoints.http.auth.basic]
      users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
```

## Override the Traefik HTTP server IdleTimeout and/or throttle configurations from re-loading too quickly

```toml
providersThrottleDuration = "5s"

[respondingTimeouts]
idleTimeout = "360s"
```

## Securing Ping Health Check

The `/ping` health-check URL is enabled together with the web admin panel, which is enabled with the command-line option `--web` or the config file option `[web]`.
Thus, if you have a regular path for `/foo` and an entrypoint on `:80`, you would access them as follows:

* Regular path: `http://hostname:80/foo`
* Admin panel: `http://hostname:8080/`
* Ping URL: `http://hostname:8080/ping`

However, for security reasons, you may want to be able to expose the `/ping` health-check URL to outside health-checkers, e.g. an Internet service or cloud load-balancer, _without_ exposing your admin panel's port.
In many environments, the security staff may not _allow_ you to expose it.

You have two options:

* Enable `/ping` on a regular entrypoint
* Enable `/ping` on a dedicated port

### Enable ping health check on a regular entrypoint

To proxy `/ping` from a regular entrypoint to the admin one without exposing the panel, do the following:

```toml
[backends]
  [backends.traefik]
    [backends.traefik.servers.server1]
    url = "http://localhost:8080"
    weight = 10

[frontends]
  [frontends.traefikadmin]
  backend = "traefik"
    [frontends.traefikadmin.routes.ping]
    rule = "Path:/ping"
```

The above creates a new backend called `traefik`, listening on `http://localhost:8080`, i.e. the local admin port.
We only expose the admin panel via the `frontend` named `traefikadmin`, and only expose the `/ping` Path.
Be careful with the `traefikadmin` frontend. If you do _not_ specify a `Path:` rule, you would expose the entire dashboard.

### Enable ping health check on dedicated port

If you do not want to or cannot expose the health-check on a regular entrypoint - e.g. your security rules do not allow it, or you have a conflicting path - then you can enable the health-check on its own entrypoint.
Use the following config:

```toml
defaultEntryPoints = ["http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.ping]
  address = ":8082"

[backends]
  [backends.traefik]
    [backends.traefik.servers.server1]
    url = "http://localhost:8080"
    weight = 10

[frontends]
  [frontends.traefikadmin]
  backend = "traefik"
  entrypoints = ["ping"]
    [frontends.traefikadmin.routes.ping]
    rule = "Path:/ping"
```

The above is similar to the previous example, but instead of enabling `/ping` on the _default_ entrypoint, we enable it on a _dedicated_ entrypoint.

In the above example, you would access a regular path, admin panel and health-check as follows:

* Regular path: `http://hostname:80/foo`
* Admin panel: `http://hostname:8080/`
* Ping URL: `http://hostname:8082/ping`

Note the dedicated port `:8082` for `/ping`.

In the above example, it is _very_ important to create a named dedicated entrypoint, and do **not** include it in `defaultEntryPoints`.
Otherwise, you are likely to expose _all_ services via that entrypoint.

In the above example, we have two entrypoints, `http` and `ping`, but we only included `http` in `defaultEntryPoints`, while explicitly tying `frontend.traefikadmin` to the `ping` entrypoint.
This ensures that all the "normal" frontends will be exposed via entrypoint `http` and _not_ via entrypoint `ping`.