Access log settings. (Default: false)
Number of access log lines to process in a buffered way. (Default: 0)
Default mode for fields: keep | drop (Default: keep)
Default mode for fields: keep | drop | redact (Default: drop)
Override mode for headers
Override mode for fields
Access log file path. Stdout is used when omitted or empty.
Keep access logs when request took longer than the specified duration. (Default: 0)
Keep access logs when at least one retry happened. (Default: false)
Keep access logs with status codes in the specified range.
Access log format: json | common (Default: common)
Enable api/dashboard. (Default: false)
Activate dashboard. (Default: true)
Enable additional endpoints for debugging and profiling. (Default: false)
Disable ad in the dashboard. (Default: false)
Activate API directly on the entryPoint named traefik. (Default: false)
Certificates resolvers configuration. (Default: false)
CA server to use. (Default: https://acme-v02.api.letsencrypt.org/directory)
Certificates' duration in hours. (Default: 2160)
Activate DNS-01 Challenge. (Default: false)
Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: 0)
Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: false)
Use a DNS-01 based challenge provider rather than HTTPS.
Use following DNS servers to resolve the FQDN authority.
Base64 encoded HMAC key from External CA.
Key identifier from External CA.
Email address used for registration.
Activate HTTP-01 Challenge. (Default: false)
HTTP challenge EntryPoint
KeyType used for generating certificate private key. Allowed values: 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: RSA4096)
Preferred chain to use.
Storage to use. (Default: acme.json)
Activate TLS-ALPN-01 Challenge. (Default: true)
Entry points definition. (Default: false)
Entry point address.
Trust all forwarded headers. (Default: false)
Trust only forwarded headers from selected IPs.
HTTP configuration.
Defines whether request query semicolons should be URLEncoded. (Default: false)
Default middlewares for the routers linked to the entry point.
Applies a permanent redirection. (Default: true)
Priority of the generated router. (Default: 2147483646)
Scheme used for the redirection. (Default: https)
Targeted entry point of the redirection.
Default TLS configuration for the routers linked to the entry point. (Default: false)
Default certificate resolver for the routers linked to the entry point.
Default TLS domains for the routers linked to the entry point.
Default subject name.
Subject alternative names.
Default TLS options for the routers linked to the entry point.
Specifies the number of concurrent streams per connection that each client is allowed to initiate. (Default: 250)
HTTP/3 configuration. (Default: false)
UDP port to advertise, on which HTTP/3 is available. (Default: 0)
Proxy-Protocol configuration. (Default: false)
Trust all. (Default: false)
Trust only selected IPs.
Maximum number of requests before closing a keep-alive connection. (Default: 0)
Maximum duration before closing a keep-alive connection. (Default: 0)
Duration to give active requests a chance to finish before Traefik stops. (Default: 10)
Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: 0)
IdleTimeout is the maximum duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: 180)
ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: 0)
WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: 0)
Timeout defines how long to wait on an idle session before releasing the related resources. (Default: 3)
Enable HTTP3. (Default: false)
Allow the Kubernetes gateway api provider usage. (Default: false)
Local plugins configuration. (Default: false)
plugin's module name.
plugin's module name.
plugin's version.
Periodically check if a new version has been released. (Default: true)
Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: false)
Enable CNAME Flattening. (Default: false)
A flag to enable/disable CNAME flattening (Default: false)
resolv.conf used for DNS resolving (Default: /etc/resolv.conf)
The maximal depth of DNS recursive resolving (Default: 5)
Traefik log settings. (Default: false)
Traefik log file path. Stdout is used when omitted or empty.
Traefik log format: json | common (Default: common)
Log level set to traefik logs. (Default: ERROR)
Datadog metrics exporter type. (Default: false)
Enable metrics on entry points. (Default: true)
Datadog's address. (Default: localhost:8125)
Enable metrics on routers. (Default: false)
Enable metrics on services. (Default: true)
Prefix to use for metrics collection. (Default: traefik)
Datadog push interval. (Default: 10)
InfluxDB metrics exporter type. (Default: false)
Enable metrics on entry points. (Default: true)
Additional labels (influxdb tags) on all metrics
InfluxDB address. (Default: localhost:8089)
Enable metrics on routers. (Default: false)
Enable metrics on services. (Default: true)
InfluxDB database used when protocol is http.
InfluxDB password (only with http).
InfluxDB address protocol (udp or http). (Default: udp)
InfluxDB push interval. (Default: 10)
InfluxDB retention policy used when protocol is http.
InfluxDB username (only with http).
InfluxDB v2 metrics exporter type. (Default: false)
Enable metrics on entry points. (Default: true)
Additional labels (influxdb tags) on all metrics
InfluxDB v2 address. (Default: http://localhost:8086)
Enable metrics on routers. (Default: false)
Enable metrics on services. (Default: true)
InfluxDB v2 bucket ID.
InfluxDB v2 org ID.
InfluxDB v2 push interval. (Default: 10)
InfluxDB v2 access token.
Prometheus metrics exporter type. (Default: false)
Enable metrics on entry points. (Default: true)
Enable metrics on routers. (Default: false)
Enable metrics on services. (Default: true)
Buckets for latency metrics. (Default: 0.100000, 0.300000, 1.200000, 5.000000)
EntryPoint (Default: traefik)
Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label.
Manual routing (Default: false)
StatsD metrics exporter type. (Default: false)
Enable metrics on entry points. (Default: true)
StatsD address. (Default: localhost:8125)
Enable metrics on routers. (Default: false)
Enable metrics on services. (Default: true)
Prefix to use for metrics collection. (Default: traefik)
StatsD push interval. (Default: 10)
Enable ping. (Default: false)
EntryPoint (Default: traefik)
Manual routing (Default: false)
Terminating status code (Default: 503)
Enable Consul backend with default settings. (Default: false)
KV store endpoints. (Default:
Sets the namespace used to discover the configuration (Consul Enterprise only).
Sets the namespaces used to discover the configuration (Consul Enterprise only).
Root key used for KV store. (Default: traefik)
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Per-request ACL token.
Enable ConsulCatalog backend with default settings. (Default: false)
Use local agent caching for catalog reads. (Default: false)
Enable Consul Connect support. (Default: false)
Consider every service as Connect capable by default. (Default: false)
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
Default rule. (Default: Host(`{{ normalize .Name }}`))
The address of the Consul server
Data center to use. If not provided, the default agent data center is used
WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: 0)
Basic Auth password
Basic Auth username
The URI scheme for the Consul server
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Token is used to provide a per-request ACL token which overrides the agent's default token
Expose containers by default. (Default: true)
Sets the namespace used to discover services (Consul Enterprise only).
Sets the namespaces used to discover services (Consul Enterprise only).
Prefix for consul service tags. (Default: traefik)
Interval for checking the Consul API. (Default: 15)
Forces the read to be fully consistent. (Default: false)
Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). (Default: traefik)
Use stale consistency for catalog reads. (Default: false)
Watch Consul API events. (Default: false)
Enable Docker backend with default settings. (Default: false)
Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. (Default: false)
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
Default rule. (Default: Host(`{{ normalize .Name }}`))
Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: unix:///var/run/docker.sock)
Expose containers by default. (Default: true)
Client timeout for HTTP connections. (Default: 0)
Default Docker network used.
Use Docker on Swarm Mode. (Default: false)
Polling interval for swarm mode. (Default: 15)
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Use the ip address from the bound port, rather than from the inner network. (Default: false)
Watch Docker events. (Default: true)
Enable AWS ECS backend with default settings. (Default: false)
The AWS credentials access key to use for making requests
Auto discover cluster (Default: false)
ECS Clusters name (Default: default)
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
Default rule. (Default: Host(`{{ normalize .Name }}`))
Enable ECS Anywhere support (Default: false)
Expose services by default (Default: true)
Polling interval (in seconds) (Default: 15)
The AWS region to use for requests
The AWS credentials access key to use for making requests
Enable Etcd backend with default settings. (Default: false)
KV store endpoints. (Default:
Password for authentication.
Root key used for KV store. (Default: traefik)
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Username for authentication.
Enable debug logging of generated configuration template. (Default: false)
Load dynamic configuration from one or more .yml or .toml files in a directory.
Load dynamic configuration from a file.
Watch provider. (Default: true)
Enable HTTP backend with default settings. (Default: false)
Load configuration from this endpoint.
Polling interval for endpoint. (Default: 5)
Polling timeout for endpoint. (Default: 5)
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Enable Kubernetes backend with default settings. (Default: false)
Allow cross namespace resource reference. (Default: false)
Allow the creation of services without endpoints. (Default: false)
Allow ExternalName services. (Default: false)
Kubernetes certificate authority file path (not needed for in-cluster client).
Kubernetes server endpoint (required for external cluster client).
Value of kubernetes.io/ingress.class annotation to watch for.
Kubernetes label selector to use.
Kubernetes namespaces.
Ingress refresh throttle duration (Default: 0)
Kubernetes bearer token (not needed for in-cluster client).
Enable Kubernetes gateway api provider with default settings. (Default: false)
Kubernetes certificate authority file path (not needed for in-cluster client).
Kubernetes server endpoint (required for external cluster client).
Kubernetes label selector to select specific GatewayClasses.
Kubernetes namespaces.
Kubernetes refresh throttle duration (Default: 0)
Kubernetes bearer token (not needed for in-cluster client).
Enable Kubernetes backend with default settings. (Default: false)
Allow creation of services without endpoints. (Default: false)
Allow ExternalName services. (Default: false)
Kubernetes certificate authority file path (not needed for in-cluster client).
Kubernetes server endpoint (required for external cluster client).
Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for.
Hostname used for Kubernetes Ingress endpoints.
IP used for Kubernetes Ingress endpoints.
Published Kubernetes Service to copy status from.
Kubernetes Ingress label selector to use.
Kubernetes namespaces.
Ingress refresh throttle duration (Default: 0)
Kubernetes bearer token (not needed for in-cluster client).
Enable Marathon backend with default settings. (Default: false)
Basic authentication User.
Basic authentication Password.
Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
DCOSToken for DCOS environment. This will override the Authorization header.
Default rule. (Default: Host(`{{ normalize .Name }}`))
Set a dialer timeout for Marathon. (Default: 5)
Marathon server endpoint. You can also specify multiple endpoints for Marathon. (Default:
Expose Marathon apps by default. (Default: true)
Force to use the task's hostname. (Default: false)
Set a TCP Keep Alive time. (Default: 10)
Filter out tasks with non-successful readiness checks during deployments. (Default: false)
Set a response header timeout for Marathon. (Default: 60)
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Set a TLS handshake timeout for Marathon. (Default: 5)
Display additional provider logs. (Default: false)
Watch provider. (Default: true)
Enable Nomad backend with default settings. (Default: false)
Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service.
Default rule. (Default: Host(`{{ normalize .Name }}`))
The address of the Nomad server, including scheme and port. (Default:
WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: 0)
Nomad region to use. If not provided, the local agent region is used.
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Token is used to provide a per-request ACL token.
Expose Nomad services by default. (Default: true)
Sets the Nomad namespace used to discover services.
Sets the Nomad namespaces used to discover services.
Prefix for nomad service tags. (Default: traefik)
Interval for polling Nomad API. (Default: 15)
Use stale consistency for catalog reads. (Default: false)
Plugins configuration.
Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiple events are sent in a short amount of time. (Default: 2)
Enable Rancher backend with default settings. (Default: false)
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
Default rule. (Default: Host(`{{ normalize .Name }}`))
Filter services with unhealthy states and inactive states. (Default: true)
Expose containers by default. (Default: true)
Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: false)
Prefix used for accessing the Rancher metadata service. (Default: latest)
Defines the polling interval in seconds. (Default: 15)
Watch provider. (Default: true)
Enable Redis backend with default settings. (Default: false)
Database to be selected after connecting to the server. (Default: 0)
KV store endpoints. (Default:
Password for authentication.
Root key used for KV store. (Default: traefik)
Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). (Default: false)
Name of the master.
Password for Sentinel authentication.
Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). (Default: false)
Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). (Default: false)
Use replicas disconnected with master when cannot get connected replicas. (Default: false)
Username for Sentinel authentication.
TLS CA.Optional (Default: false)
TLS cert
TLS insecure skip verify (Default: false)
TLS key
Username for authentication.
Enable Rest backend with default settings. (Default: false)
Activate REST Provider directly on the entryPoint named traefik. (Default: false)
Enable ZooKeeper backend with default settings. (Default: false)
KV store endpoints. (Default:
Password for authentication.
Root key used for KV store. (Default: traefik)
Username for authentication.
The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: 30)
The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: 90)
The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: 0)
Disable SSL certificate verification. (Default: false)
If non-zero, controls the maximum idle (keep-alive) connections to keep per host. If zero, DefaultMaxIdleConnsPerHost is used (Default: 200)
Add cert file for self-signed certificate.
OpenTracing configuration. (Default: false)
Settings for Datadog. (Default: false)
Sets the header name prefix used to store baggage items in a map.
Enables Datadog debug. (Default: false)
Sets a key:value tag on all spans.
Sets a list of key:value tags on all spans.
Sets the Datadog Agent host:port. (Default: localhost:8126)
Sets the socket for the Datadog Agent.
Sets the header name used to store the parent ID.
Enables priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: false)
Sets the header name used to store the sampling priority.
Sets the header name used to store the trace ID.
Settings for Elastic. (Default: false)
Sets the token used to connect to Elastic APM Server.
Sets the URL of the Elastic APM server.
Sets the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
Settings for Haystack. (Default: false)
Sets the header name prefix used to store baggage items in a map.
Sets a key:value tag on all spans.
Sets the Haystack Agent host. (Default:
Sets the Haystack Agent port. (Default: 35000)
Sets the header name used to store the parent ID.
Sets the header name used to store the span ID.
Sets the header name used to store the trace ID.
Settings for Instana. (Default: false)
Enables automatic profiling for the Traefik process. (Default: false)
Sets the Instana Agent host.
Sets the Instana Agent port. (Default: 42699)
Sets the log level for the Instana tracer. ('error','warn','info','debug') (Default: info)
Settings for Jaeger. (Default: false)
Instructs reporter to send spans to jaeger-collector at this URL.
Password for basic http authentication when sending spans to jaeger-collector.
User for basic http authentication when sending spans to jaeger-collector.
Disables the periodic re-resolution of the agent's hostname and reconnection if there was a change. (Default: true)
Generates 128 bits span IDs. (Default: false)
Sets the Jaeger Agent host:port. (Default:
Sets the propagation format (jaeger/b3). (Default: jaeger)
Sets the sampling parameter. (Default: 1.000000)
Sets the sampling server URL. (Default: http://localhost:5778/sampling)
Sets the sampling type. (Default: const)
Sets the header name used to store the trace ID. (Default: uber-trace-id)
Set the name for this service. (Default: traefik)
Set the maximum character limit for Span names (default 0 = no limit). (Default: 0)
Settings for Zipkin. (Default: false)
Sets the HTTP Endpoint to report traces to. (Default: http://localhost:9411/api/v2/spans)
Uses 128 bits root span IDs. (Default: true)
Uses SameSpan RPC style traces. (Default: false)
Sets the rate between 0.0 and 1.0 of requests to trace. (Default: 1.000000)