Remove old docs folder.
@ -1 +0,0 @@
|
|||||||
docs.traefik.io
|
|
@ -1,214 +0,0 @@
|
|||||||
# Benchmarks
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
I would like to thanks [vincentbernat](https://github.com/vincentbernat) from [exoscale.ch](https://www.exoscale.ch) who kindly provided the infrastructure needed for the benchmarks.
|
|
||||||
|
|
||||||
I used 4 VMs for the tests with the following configuration:
|
|
||||||
|
|
||||||
- 32 GB RAM
|
|
||||||
- 8 CPU Cores
|
|
||||||
- 10 GB SSD
|
|
||||||
- Ubuntu 14.04 LTS 64-bit
|
|
||||||
|
|
||||||
## Setup
|
|
||||||
|
|
||||||
1. One VM used to launch the benchmarking tool [wrk](https://github.com/wg/wrk)
|
|
||||||
2. One VM for Traefik (v1.0.0-beta.416) / nginx (v1.4.6)
|
|
||||||
3. Two VMs for 2 backend servers in go [whoami](https://github.com/containous/whoami/)
|
|
||||||
|
|
||||||
Each VM has been tuned using the following limits:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sysctl -w fs.file-max="9999999"
|
|
||||||
sysctl -w fs.nr_open="9999999"
|
|
||||||
sysctl -w net.core.netdev_max_backlog="4096"
|
|
||||||
sysctl -w net.core.rmem_max="16777216"
|
|
||||||
sysctl -w net.core.somaxconn="65535"
|
|
||||||
sysctl -w net.core.wmem_max="16777216"
|
|
||||||
sysctl -w net.ipv4.ip_local_port_range="1025 65535"
|
|
||||||
sysctl -w net.ipv4.tcp_fin_timeout="30"
|
|
||||||
sysctl -w net.ipv4.tcp_keepalive_time="30"
|
|
||||||
sysctl -w net.ipv4.tcp_max_syn_backlog="20480"
|
|
||||||
sysctl -w net.ipv4.tcp_max_tw_buckets="400000"
|
|
||||||
sysctl -w net.ipv4.tcp_no_metrics_save="1"
|
|
||||||
sysctl -w net.ipv4.tcp_syn_retries="2"
|
|
||||||
sysctl -w net.ipv4.tcp_synack_retries="2"
|
|
||||||
sysctl -w net.ipv4.tcp_tw_recycle="1"
|
|
||||||
sysctl -w net.ipv4.tcp_tw_reuse="1"
|
|
||||||
sysctl -w vm.min_free_kbytes="65536"
|
|
||||||
sysctl -w vm.overcommit_memory="1"
|
|
||||||
ulimit -n 9999999
|
|
||||||
```
|
|
||||||
|
|
||||||
### Nginx
|
|
||||||
|
|
||||||
Here is the config Nginx file use `/etc/nginx/nginx.conf`:
|
|
||||||
|
|
||||||
```
|
|
||||||
user www-data;
|
|
||||||
worker_processes auto;
|
|
||||||
worker_rlimit_nofile 200000;
|
|
||||||
pid /var/run/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 10000;
|
|
||||||
use epoll;
|
|
||||||
multi_accept on;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
sendfile on;
|
|
||||||
tcp_nopush on;
|
|
||||||
tcp_nodelay on;
|
|
||||||
keepalive_timeout 300;
|
|
||||||
keepalive_requests 10000;
|
|
||||||
types_hash_max_size 2048;
|
|
||||||
|
|
||||||
open_file_cache max=200000 inactive=300s;
|
|
||||||
open_file_cache_valid 300s;
|
|
||||||
open_file_cache_min_uses 2;
|
|
||||||
open_file_cache_errors on;
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
dav_methods off;
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log combined;
|
|
||||||
error_log /var/log/nginx/error.log warn;
|
|
||||||
|
|
||||||
gzip off;
|
|
||||||
gzip_vary off;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
include /etc/nginx/sites-enabled/*.conf;
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Here is the Nginx vhost file used:
|
|
||||||
|
|
||||||
```
|
|
||||||
upstream whoami {
|
|
||||||
server IP-whoami1:80;
|
|
||||||
server IP-whoami2:80;
|
|
||||||
keepalive 300;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 8001;
|
|
||||||
server_name test.traefik;
|
|
||||||
access_log off;
|
|
||||||
error_log /dev/null crit;
|
|
||||||
if ($host != "test.traefik") {
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
proxy_pass http://whoami;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Connection "";
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Traefik
|
|
||||||
|
|
||||||
Here is the `traefik.toml` file used:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
maxIdleConnsPerHost = 100000
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":8000"
|
|
||||||
|
|
||||||
[file]
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
url = "http://IP-whoami1:80"
|
|
||||||
weight = 1
|
|
||||||
[backends.backend1.servers.server2]
|
|
||||||
url = "http://IP-whoami2:80"
|
|
||||||
weight = 1
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "Host: test.traefik"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Results
|
|
||||||
|
|
||||||
### whoami:
|
|
||||||
```shell
|
|
||||||
wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency http://IP-whoami:80/bench
|
|
||||||
Running 1m test @ http://IP-whoami:80/bench
|
|
||||||
20 threads and 1000 connections
|
|
||||||
Thread Stats Avg Stdev Max +/- Stdev
|
|
||||||
Latency 70.28ms 134.72ms 1.91s 89.94%
|
|
||||||
Req/Sec 2.92k 742.42 8.78k 68.80%
|
|
||||||
Latency Distribution
|
|
||||||
50% 10.63ms
|
|
||||||
75% 75.64ms
|
|
||||||
90% 205.65ms
|
|
||||||
99% 668.28ms
|
|
||||||
3476705 requests in 1.00m, 384.61MB read
|
|
||||||
Socket errors: connect 0, read 0, write 0, timeout 103
|
|
||||||
Requests/sec: 57894.35
|
|
||||||
Transfer/sec: 6.40MB
|
|
||||||
```
|
|
||||||
|
|
||||||
### nginx:
|
|
||||||
```shell
|
|
||||||
wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency http://IP-nginx:8001/bench
|
|
||||||
Running 1m test @ http://IP-nginx:8001/bench
|
|
||||||
20 threads and 1000 connections
|
|
||||||
Thread Stats Avg Stdev Max +/- Stdev
|
|
||||||
Latency 101.25ms 180.09ms 1.99s 89.34%
|
|
||||||
Req/Sec 1.69k 567.69 9.39k 72.62%
|
|
||||||
Latency Distribution
|
|
||||||
50% 15.46ms
|
|
||||||
75% 129.11ms
|
|
||||||
90% 302.44ms
|
|
||||||
99% 846.59ms
|
|
||||||
2018427 requests in 1.00m, 298.36MB read
|
|
||||||
Socket errors: connect 0, read 0, write 0, timeout 90
|
|
||||||
Requests/sec: 33591.67
|
|
||||||
Transfer/sec: 4.97MB
|
|
||||||
```
|
|
||||||
|
|
||||||
### Traefik:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency http://IP-traefik:8000/bench
|
|
||||||
Running 1m test @ http://IP-traefik:8000/bench
|
|
||||||
20 threads and 1000 connections
|
|
||||||
Thread Stats Avg Stdev Max +/- Stdev
|
|
||||||
Latency 91.72ms 150.43ms 2.00s 90.50%
|
|
||||||
Req/Sec 1.43k 266.37 2.97k 69.77%
|
|
||||||
Latency Distribution
|
|
||||||
50% 19.74ms
|
|
||||||
75% 121.98ms
|
|
||||||
90% 237.39ms
|
|
||||||
99% 687.49ms
|
|
||||||
1705073 requests in 1.00m, 188.63MB read
|
|
||||||
Socket errors: connect 0, read 0, write 0, timeout 7
|
|
||||||
Requests/sec: 28392.44
|
|
||||||
Transfer/sec: 3.14MB
|
|
||||||
```
|
|
||||||
|
|
||||||
## Conclusion
|
|
||||||
|
|
||||||
Traefik is obviously slower than Nginx, but not so much: Traefik can serve 28392 requests/sec and Nginx 33591 requests/sec which gives a ratio of 85%.
|
|
||||||
Not bad for young project :) !
|
|
||||||
|
|
||||||
Some areas of possible improvements:
|
|
||||||
|
|
||||||
- Use [GO_REUSEPORT](https://github.com/kavu/go_reuseport) listener
|
|
||||||
- Run a separate server instance per CPU core with `GOMAXPROCS=1` (it appears during benchmarks that there is a lot more context switches with Traefik than with nginx)
|
|
||||||
|
|
@ -1,347 +0,0 @@
|
|||||||
# API Definition
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# API definition
|
|
||||||
# Warning: Enabling API will expose Traefik's configuration.
|
|
||||||
# It is not recommended in production,
|
|
||||||
# unless secured by authentication and authorizations
|
|
||||||
[api]
|
|
||||||
# Name of the related entry point
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
entryPoint = "traefik"
|
|
||||||
|
|
||||||
# Enable Dashboard
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
dashboard = true
|
|
||||||
|
|
||||||
# Enable debug mode.
|
|
||||||
# This will install HTTP handlers to expose Go expvars under /debug/vars and
|
|
||||||
# pprof profiling data under /debug/pprof/.
|
|
||||||
# Additionally, the log level will be set to DEBUG.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
debug = true
|
|
||||||
```
|
|
||||||
|
|
||||||
For more customization, see [entry points](/configuration/entrypoints/) documentation and the examples below.
|
|
||||||
|
|
||||||
## Web UI
|
|
||||||
|
|
||||||
![Web UI Providers](/img/web.frontend.png)
|
|
||||||
|
|
||||||
![Web UI Health](/img/traefik-health.png)
|
|
||||||
|
|
||||||
## Security
|
|
||||||
|
|
||||||
Enabling the API will expose all configuration elements,
|
|
||||||
including sensitive data.
|
|
||||||
|
|
||||||
It is not recommended in production,
|
|
||||||
unless secured by authentication and authorizations.
|
|
||||||
|
|
||||||
A good sane default (but not exhaustive) set of recommendations
|
|
||||||
would be to apply the following protection mechanism:
|
|
||||||
|
|
||||||
* _At application level:_ enabling HTTP [Basic Authentication](#authentication)
|
|
||||||
* _At transport level:_ NOT exposing publicly the API's port,
|
|
||||||
keeping it restricted over internal networks
|
|
||||||
(restricted networks as in https://en.wikipedia.org/wiki/Principle_of_least_privilege).
|
|
||||||
|
|
||||||
## API
|
|
||||||
|
|
||||||
| Path | Method | Description |
|
|
||||||
|-----------------------------------------------------------------|------------------|-------------------------------------------|
|
|
||||||
| `/` | `GET` | Provides a simple HTML frontend of Traefik |
|
|
||||||
| `/cluster/leader` | `GET` | JSON leader true/false response |
|
|
||||||
| `/health` | `GET` | JSON health metrics |
|
|
||||||
| `/api` | `GET` | Configuration for all providers |
|
|
||||||
| `/api/providers` | `GET` | Providers |
|
|
||||||
| `/api/providers/{provider}` | `GET`, `PUT` | Get or update provider (1) |
|
|
||||||
| `/api/providers/{provider}/backends` | `GET` | List backends |
|
|
||||||
| `/api/providers/{provider}/backends/{backend}` | `GET` | Get backend |
|
|
||||||
| `/api/providers/{provider}/backends/{backend}/servers` | `GET` | List servers in backend |
|
|
||||||
| `/api/providers/{provider}/backends/{backend}/servers/{server}` | `GET` | Get a server in a backend |
|
|
||||||
| `/api/providers/{provider}/frontends` | `GET` | List frontends |
|
|
||||||
| `/api/providers/{provider}/frontends/{frontend}` | `GET` | Get a frontend |
|
|
||||||
| `/api/providers/{provider}/frontends/{frontend}/routes` | `GET` | List routes in a frontend |
|
|
||||||
| `/api/providers/{provider}/frontends/{frontend}/routes/{route}` | `GET` | Get a route in a frontend |
|
|
||||||
|
|
||||||
<1> See [Rest](/configuration/backends/rest/#api) for more information.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
For compatibility reason, when you activate the rest provider, you can use `web` or `rest` as `provider` value.
|
|
||||||
But be careful, in the configuration for all providers the key is still `web`.
|
|
||||||
|
|
||||||
### Address / Port
|
|
||||||
|
|
||||||
You can define a custom address/port like this:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.foo]
|
|
||||||
address = ":8082"
|
|
||||||
|
|
||||||
[entryPoints.bar]
|
|
||||||
address = ":8083"
|
|
||||||
|
|
||||||
[ping]
|
|
||||||
entryPoint = "foo"
|
|
||||||
|
|
||||||
[api]
|
|
||||||
entryPoint = "bar"
|
|
||||||
```
|
|
||||||
|
|
||||||
In the above example, you would access a regular path, dashboard, and health-check as follows:
|
|
||||||
|
|
||||||
* Regular path: `http://hostname:80/path`
|
|
||||||
* Dashboard: `http://hostname:8083/`
|
|
||||||
* Ping URL: `http://hostname:8082/ping`
|
|
||||||
|
|
||||||
In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
|
|
||||||
Otherwise, you are likely to expose _all_ services via that entry point.
|
|
||||||
|
|
||||||
### Custom Path
|
|
||||||
|
|
||||||
You can define a custom path like this:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.foo]
|
|
||||||
address = ":8080"
|
|
||||||
|
|
||||||
[entryPoints.bar]
|
|
||||||
address = ":8081"
|
|
||||||
|
|
||||||
# Activate API and Dashboard
|
|
||||||
[api]
|
|
||||||
entryPoint = "bar"
|
|
||||||
dashboard = true
|
|
||||||
|
|
||||||
[file]
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
url = "http://127.0.0.1:8081"
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
entryPoints = ["foo"]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "PathPrefixStrip:/yourprefix;PathPrefix:/yourprefix"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Authentication
|
|
||||||
|
|
||||||
You can define the authentication like this:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
|
|
||||||
[entryPoints.foo]
|
|
||||||
address=":8080"
|
|
||||||
[entryPoints.foo.auth]
|
|
||||||
[entryPoints.foo.auth.basic]
|
|
||||||
users = [
|
|
||||||
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
|
||||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
|
||||||
]
|
|
||||||
|
|
||||||
[api]
|
|
||||||
entrypoint="foo"
|
|
||||||
```
|
|
||||||
|
|
||||||
For more information, see [entry points](/configuration/entrypoints/) .
|
|
||||||
|
|
||||||
### Provider call example
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -s "http://localhost:8080/api" | jq .
|
|
||||||
```
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"file": {
|
|
||||||
"frontends": {
|
|
||||||
"frontend2": {
|
|
||||||
"routes": {
|
|
||||||
"test_2": {
|
|
||||||
"rule": "Path:/test"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backend": "backend1"
|
|
||||||
},
|
|
||||||
"frontend1": {
|
|
||||||
"routes": {
|
|
||||||
"test_1": {
|
|
||||||
"rule": "Host:test.localhost"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backend": "backend2"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backends": {
|
|
||||||
"backend2": {
|
|
||||||
"loadBalancer": {
|
|
||||||
"method": "drr"
|
|
||||||
},
|
|
||||||
"servers": {
|
|
||||||
"server2": {
|
|
||||||
"weight": 2,
|
|
||||||
"URL": "http://172.17.0.5:80"
|
|
||||||
},
|
|
||||||
"server1": {
|
|
||||||
"weight": 1,
|
|
||||||
"url": "http://172.17.0.4:80"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backend1": {
|
|
||||||
"loadBalancer": {
|
|
||||||
"method": "wrr"
|
|
||||||
},
|
|
||||||
"circuitBreaker": {
|
|
||||||
"expression": "NetworkErrorRatio() > 0.5"
|
|
||||||
},
|
|
||||||
"servers": {
|
|
||||||
"server2": {
|
|
||||||
"weight": 1,
|
|
||||||
"url": "http://172.17.0.3:80"
|
|
||||||
},
|
|
||||||
"server1": {
|
|
||||||
"weight": 10,
|
|
||||||
"url": "http://172.17.0.2:80"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Cluster Leadership
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -s "http://localhost:8080/cluster/leader" | jq .
|
|
||||||
```
|
|
||||||
```shell
|
|
||||||
< HTTP/1.1 200 OK
|
|
||||||
< Content-Type: application/json; charset=UTF-8
|
|
||||||
< Date: xxx
|
|
||||||
< Content-Length: 15
|
|
||||||
```
|
|
||||||
If the given node is not a cluster leader, an HTTP status of `429-Too-Many-Requests` will be returned.
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
// current leadership status of the queried node
|
|
||||||
"leader": true
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Health
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -s "http://localhost:8080/health" | jq .
|
|
||||||
```
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
// Traefik PID
|
|
||||||
"pid": 2458,
|
|
||||||
// Traefik server uptime (formated time)
|
|
||||||
"uptime": "39m6.885931127s",
|
|
||||||
// Traefik server uptime in seconds
|
|
||||||
"uptime_sec": 2346.885931127,
|
|
||||||
// current server date
|
|
||||||
"time": "2015-10-07 18:32:24.362238909 +0200 CEST",
|
|
||||||
// current server date in seconds
|
|
||||||
"unixtime": 1444235544,
|
|
||||||
// count HTTP response status code in realtime
|
|
||||||
"status_code_count": {
|
|
||||||
"502": 1
|
|
||||||
},
|
|
||||||
// count HTTP response status code since Traefik started
|
|
||||||
"total_status_code_count": {
|
|
||||||
"200": 7,
|
|
||||||
"404": 21,
|
|
||||||
"502": 13
|
|
||||||
},
|
|
||||||
// count HTTP response
|
|
||||||
"count": 1,
|
|
||||||
// count HTTP response
|
|
||||||
"total_count": 41,
|
|
||||||
// sum of all response time (formated time)
|
|
||||||
"total_response_time": "35.456865605s",
|
|
||||||
// sum of all response time in seconds
|
|
||||||
"total_response_time_sec": 35.456865605,
|
|
||||||
// average response time (formated time)
|
|
||||||
"average_response_time": "864.8016ms",
|
|
||||||
// average response time in seconds
|
|
||||||
"average_response_time_sec": 0.8648016000000001,
|
|
||||||
|
|
||||||
// request statistics [requires --api.statistics to be set]
|
|
||||||
// ten most recent requests with 4xx and 5xx status codes
|
|
||||||
"recent_errors": [
|
|
||||||
{
|
|
||||||
// status code
|
|
||||||
"status_code": 500,
|
|
||||||
// description of status code
|
|
||||||
"status": "Internal Server Error",
|
|
||||||
// request HTTP method
|
|
||||||
"method": "GET",
|
|
||||||
// request hostname
|
|
||||||
"host": "localhost",
|
|
||||||
// request path
|
|
||||||
"path": "/path",
|
|
||||||
// RFC 3339 formatted date/time
|
|
||||||
"time": "2016-10-21T16:59:15.418495872-07:00"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Metrics
|
|
||||||
|
|
||||||
You can enable Traefik to export internal metrics to different monitoring systems.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[api]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
# Enable more detailed statistics.
|
|
||||||
[api.statistics]
|
|
||||||
|
|
||||||
# Number of recent errors logged.
|
|
||||||
#
|
|
||||||
# Default: 10
|
|
||||||
#
|
|
||||||
recentErrors = 10
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
| Path | Method | Description |
|
|
||||||
|------------|---------------|-------------------------|
|
|
||||||
| `/metrics` | `GET` | Export internal metrics |
|
|
@ -1,59 +0,0 @@
|
|||||||
# BoltDB Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use BoltDB as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# BoltDB Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable BoltDB Provider.
|
|
||||||
[boltdb]
|
|
||||||
|
|
||||||
# BoltDB file.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "127.0.0.1:4001"
|
|
||||||
#
|
|
||||||
endpoint = "/my.db"
|
|
||||||
|
|
||||||
# Enable watch BoltDB changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Prefix used for KV store.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "/traefik"
|
|
||||||
#
|
|
||||||
prefix = "/traefik"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
filename = "boltdb.tmpl"
|
|
||||||
|
|
||||||
# Use BoltDB user/pass authentication.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# username = foo
|
|
||||||
# password = bar
|
|
||||||
|
|
||||||
# Enable BoltDB TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [boltdb.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/boltdb.crt"
|
|
||||||
# key = "/etc/ssl/boltdb.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
@ -1,61 +0,0 @@
|
|||||||
# Consul Key-Value Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Consul as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Consul KV Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Consul KV Provider.
|
|
||||||
[consul]
|
|
||||||
|
|
||||||
# Consul server endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "127.0.0.1:8500"
|
|
||||||
#
|
|
||||||
endpoint = "127.0.0.1:8500"
|
|
||||||
|
|
||||||
# Enable watch Consul changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Prefix used for KV store.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: traefik
|
|
||||||
#
|
|
||||||
prefix = "traefik"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "consul.tmpl"
|
|
||||||
|
|
||||||
# Use Consul user/pass authentication.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# username = foo
|
|
||||||
# password = bar
|
|
||||||
|
|
||||||
# Enable Consul TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [consul.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/consul.crt"
|
|
||||||
# key = "/etc/ssl/consul.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
|
|
@ -1,242 +0,0 @@
|
|||||||
# Consul Catalog Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use service discovery catalog of Consul as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Consul Catalog Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Consul Catalog Provider.
|
|
||||||
[consulCatalog]
|
|
||||||
|
|
||||||
# Consul server endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "127.0.0.1:8500"
|
|
||||||
#
|
|
||||||
endpoint = "127.0.0.1:8500"
|
|
||||||
|
|
||||||
# Expose Consul catalog services by default in Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
exposedByDefault = false
|
|
||||||
|
|
||||||
# Allow Consul server to serve the catalog reads regardless of whether it is the leader.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
stale = false
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
domain = "consul.localhost"
|
|
||||||
|
|
||||||
# Prefix for Consul catalog tags.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
prefix = "traefik"
|
|
||||||
|
|
||||||
# Default frontEnd Rule for Consul services.
|
|
||||||
#
|
|
||||||
# The format is a Go Template with:
|
|
||||||
# - ".ServiceName", ".Domain" and ".Attributes" available
|
|
||||||
# - "getTag(name, tags, defaultValue)", "hasTag(name, tags)" and "getAttribute(name, tags, defaultValue)" functions are available
|
|
||||||
# - "getAttribute(...)" function uses prefixed tag names based on "prefix" value
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "Host:{{.ServiceName}}.{{.Domain}}"
|
|
||||||
#
|
|
||||||
#frontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
|
|
||||||
|
|
||||||
# Enable Consul catalog TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [consulCatalog.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/consul.crt"
|
|
||||||
# key = "/etc/ssl/consul.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "consulcatalog.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
```
|
|
||||||
|
|
||||||
This provider will create routes matching on hostname based on the service name used in Consul.
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
## Tags
|
|
||||||
|
|
||||||
Additional settings can be defined using Consul Catalog tags.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The default prefix is `traefik`.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `<prefix>.enable=false` | Disables this container in Traefik. |
|
|
||||||
| `<prefix>.protocol=https` | Overrides the default `http` protocol. |
|
|
||||||
| `<prefix>.weight=10` | Assigns this weight to the container. |
|
|
||||||
| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `<prefix>.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend. ex: `NetworkErrorRatio() > 0.` |
|
|
||||||
| `<prefix>.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `<prefix>.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
|
|
||||||
| `<prefix>.backend.healthcheck.interval=5s` | Defines the health check interval. |
|
|
||||||
| `<prefix>.backend.healthcheck.timeout=3s` | Defines the health check request timeout |
|
|
||||||
| `<prefix>.backend.healthcheck.port=8080` | Sets a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
|
|
||||||
| `<prefix>.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
|
|
||||||
| `<prefix>.backend.healthcheck.headers=EXPR` | Defines the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `<prefix>.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm. |
|
|
||||||
| `<prefix>.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions. |
|
|
||||||
| `<prefix>.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions. |
|
|
||||||
| `<prefix>.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `<prefix>.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `<prefix>.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
|
|
||||||
| `<prefix>.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `<prefix>.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
|
|
||||||
| `<prefix>.frontend.auth.basic.usersfile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `<prefix>.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `<prefix>.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
|
|
||||||
| `<prefix>.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `<prefix>.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
|
|
||||||
| `<prefix>.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
|
|
||||||
| `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
|
|
||||||
| `<prefix>.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
|
|
||||||
| `<prefix>.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `<prefix>.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
|
|
||||||
| `<prefix>.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `<prefix>.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
|
|
||||||
| `<prefix>.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
|
|
||||||
| `<prefix>.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `<prefix>.frontend.errors.<name>.backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `<prefix>.frontend.errors.<name>.query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `<prefix>.frontend.errors.<name>.status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `<prefix>.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.organization=true` | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `<prefix>.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
|
|
||||||
| `<prefix>.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
|
|
||||||
| `<prefix>.frontend.priority=10` | Overrides default frontend priority. |
|
|
||||||
| `<prefix>.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `<prefix>.frontend.rateLimit.rateSet.<name>.period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `<prefix>.frontend.rateLimit.rateSet.<name>.average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `<prefix>.frontend.rateLimit.rateSet.<name>.burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `<prefix>.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS). |
|
|
||||||
| `<prefix>.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `<prefix>.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `<prefix>.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
|
|
||||||
| `<prefix>.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{{.ServiceName}}.{{.Domain}}`. |
|
|
||||||
| `<prefix>.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `<prefix>.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `<prefix>.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `<prefix>.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
### Multiple frontends for a single service
|
|
||||||
|
|
||||||
If you need to support multiple frontends for a service, for example when having multiple `rules` that can't be combined, specify them as follows:
|
|
||||||
|
|
||||||
```
|
|
||||||
<prefix>.frontends.A.rule=Host:A:PathPrefix:/A
|
|
||||||
<prefix>.frontends.B.rule=Host:B:PathPrefix:/
|
|
||||||
```
|
|
||||||
|
|
||||||
`A` and `B` here are just arbitrary names, they can be anything. You can use any setting that applies to `<prefix>.frontend` from the table above.
|
|
||||||
|
|
||||||
### Custom Headers
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The default prefix is `traefik`.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `<prefix>.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `<prefix>.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
### Security Headers
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
The default prefix is `traefik`.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `<prefix>.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `<prefix>.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `<prefix>.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `<prefix>.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `<prefix>.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `<prefix>.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `<prefix>.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `<prefix>.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `<prefix>.frontend.headers.hostsProxyHeaders=EXPR` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `<prefix>.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `<prefix>.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `<prefix>.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `<prefix>.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `<prefix>.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `<prefix>.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `<prefix>.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `<prefix>.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `<prefix>.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `<prefix>.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `<prefix>.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
If you want that Traefik uses Consul tags correctly you need to defined them like that:
|
|
||||||
|
|
||||||
```js
|
|
||||||
traefik.enable=true
|
|
||||||
traefik.tags=api
|
|
||||||
traefik.tags=external
|
|
||||||
```
|
|
||||||
|
|
||||||
If the prefix defined in Traefik configuration is `bla`, tags need to be defined like that:
|
|
||||||
|
|
||||||
```js
|
|
||||||
bla.enable=true
|
|
||||||
bla.tags=api
|
|
||||||
bla.tags=external
|
|
||||||
```
|
|
@ -1,19 +0,0 @@
|
|||||||
| `traefik.domain` | Sets the default base domain for the frontend rules. For more information, check the [Container Labels section's of the user guide "Let's Encrypt & Docker"](/user-guide/docker-and-lets-encrypt/#container-labels) |
|
|
||||||
| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. |
|
|
||||||
| `traefik.protocol=https` | Overrides the default `http` protocol |
|
|
||||||
| `traefik.weight=10` | Assigns this weight to the container
|
|
||||||
|
|
||||||
[2] `traefik.frontend.auth.basic.users=EXPR`:
|
|
||||||
To create `user:password` pair, it's possible to use this command:
|
|
||||||
`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`.
|
|
||||||
The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping.
|
|
||||||
|
|
||||||
[3] `traefik.backend.loadbalancer.swarm`:
|
|
||||||
If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
|
|
||||||
Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.
|
|
||||||
It also means that Traefik will manipulate only one backend, not one backend per container.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
When running inside a container, Traefik will need network access through:
|
|
||||||
|
|
||||||
`docker network connect <network> <traefik-container>`
|
|
@ -1,70 +0,0 @@
|
|||||||
# DynamoDB Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Amazon DynamoDB as a provider.
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# DynamoDB Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable DynamoDB Provider.
|
|
||||||
[dynamodb]
|
|
||||||
|
|
||||||
# Region to use when connecting to AWS.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
region = "us-west-1"
|
|
||||||
|
|
||||||
# DyanmoDB Table Name.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
tableName = "traefik"
|
|
||||||
|
|
||||||
# Enable watch DynamoDB changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Polling interval (in seconds).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 15
|
|
||||||
#
|
|
||||||
refreshSeconds = 15
|
|
||||||
|
|
||||||
# Access Key ID to use when connecting to AWS.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
accessKeyID = "abc"
|
|
||||||
|
|
||||||
# Secret Access Key to use when connecting to AWS.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
secretAccessKey = "123"
|
|
||||||
|
|
||||||
# Endpoint of local dynamodb instance for testing?
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
endpoint = "http://localhost:8080"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Table Items
|
|
||||||
|
|
||||||
Items in the `dynamodb` table must have three attributes:
|
|
||||||
|
|
||||||
- `id` (string): The id is the primary key.
|
|
||||||
- `name`(string): The name is used as the name of the frontend or backend.
|
|
||||||
- `frontend` or `backend` (map): This attribute's structure matches exactly the structure of a Frontend or Backend type in Traefik.
|
|
||||||
See `types/types.go` for details.
|
|
||||||
The presence or absence of this attribute determines its type.
|
|
||||||
So an item should never have both a `frontend` and a `backend` attribute.
|
|
@ -1,350 +0,0 @@
|
|||||||
# ECS Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Amazon ECS as a provider.
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# ECS Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable ECS Provider.
|
|
||||||
[ecs]
|
|
||||||
|
|
||||||
# ECS Clusters Name.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ["default"]
|
|
||||||
#
|
|
||||||
clusters = ["default"]
|
|
||||||
|
|
||||||
# Enable watch ECS changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
# Can be overridden by setting the "traefik.domain" label.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ""
|
|
||||||
#
|
|
||||||
domain = "ecs.localhost"
|
|
||||||
|
|
||||||
# Enable auto discover ECS clusters.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
autoDiscoverClusters = false
|
|
||||||
|
|
||||||
# Polling interval (in seconds).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 15
|
|
||||||
#
|
|
||||||
refreshSeconds = 15
|
|
||||||
|
|
||||||
# Expose ECS services by default in Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
exposedByDefault = false
|
|
||||||
|
|
||||||
# Region to use when connecting to AWS.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
region = "us-east-1"
|
|
||||||
|
|
||||||
# Access Key ID to use when connecting to AWS.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
accessKeyID = "abc"
|
|
||||||
|
|
||||||
# Secret Access Key to use when connecting to AWS.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
secretAccessKey = "123"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "ecs.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
```
|
|
||||||
|
|
||||||
If `accessKeyID`/`secretAccessKey` is not given credentials will be resolved in the following order:
|
|
||||||
|
|
||||||
- From environment variables; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
|
|
||||||
- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
|
|
||||||
- EC2 instance role or ECS task role
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
## Policy
|
|
||||||
|
|
||||||
Traefik needs the following policy to read ECS information:
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"Version": "2012-10-17",
|
|
||||||
"Statement": [
|
|
||||||
{
|
|
||||||
"Sid": "TraefikECSReadAccess",
|
|
||||||
"Effect": "Allow",
|
|
||||||
"Action": [
|
|
||||||
"ecs:ListClusters",
|
|
||||||
"ecs:DescribeClusters",
|
|
||||||
"ecs:ListTasks",
|
|
||||||
"ecs:DescribeTasks",
|
|
||||||
"ecs:DescribeContainerInstances",
|
|
||||||
"ecs:DescribeTaskDefinition",
|
|
||||||
"ec2:DescribeInstances"
|
|
||||||
],
|
|
||||||
"Resource": [
|
|
||||||
"*"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Labels: overriding default behavior
|
|
||||||
|
|
||||||
Labels can be used on task containers to override default behavior:
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.domain` | Sets the default base domain for frontend rules. |
|
|
||||||
| `traefik.enable=false` | Disables this container in Traefik. |
|
|
||||||
| `traefik.port=80` | Overrides the default `port` value. Overrides `NetworkBindings` from Docker Container |
|
|
||||||
| `traefik.protocol=https` | Overrides the default `http` protocol |
|
|
||||||
| `traefik.weight=10` | Assigns this weight to the container |
|
|
||||||
| `traefik.backend=foo` | Overrides the service name by `foo` in the generated name of the backend. |
|
|
||||||
| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
|
|
||||||
| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
|
|
||||||
| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. (Default: 30s) |
|
|
||||||
| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. (Default: 5s) |
|
|
||||||
| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
|
|
||||||
| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
|
|
||||||
| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie manually name for sticky sessions |
|
|
||||||
| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
|
|
||||||
| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
|
|
||||||
| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
|
|
||||||
| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
|
|
||||||
| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
|
|
||||||
| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
|
|
||||||
| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
|
|
||||||
| `traefik.frontend.auth.removeHeader=true` | If set to true, removes the Authorization header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.organization=true` | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
|
|
||||||
| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `traefik.frontend.errors.<name>.backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
|
|
||||||
| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
|
|
||||||
| `traefik.frontend.priority=10` | Overrides default frontend priority |
|
|
||||||
| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
|
|
||||||
| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
|
|
||||||
| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{instance_name}.{domain}`. |
|
|
||||||
| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
|
|
||||||
### Containers with Multiple Ports (segment labels)
|
|
||||||
|
|
||||||
Segment labels are used to define routes to an application exposing multiple ports.
|
|
||||||
A segment is a group of labels that apply to a port exposed by an application.
|
|
||||||
You can define as many segments as ports exposed in an application.
|
|
||||||
|
|
||||||
Segment labels override the default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.backend=BACKEND` | Same as `traefik.backend` |
|
|
||||||
| `traefik.<segment_name>.domain=DOMAIN` | Same as `traefik.domain` |
|
|
||||||
| `traefik.<segment_name>.port=PORT` | Same as `traefik.port` |
|
|
||||||
| `traefik.<segment_name>.protocol=http` | Same as `traefik.protocol` |
|
|
||||||
| `traefik.<segment_name>.weight=10` | Same as `traefik.weight` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.removeHeader=true` | Same as `traefik.frontend.auth.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME` | Same as `traefik.frontend.errors.<name>.backend` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.query=PATH` | Same as `traefik.frontend.errors.<name>.query` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE` | Same as `traefik.frontend.errors.<name>.status` |
|
|
||||||
| `traefik.<segment_name>.frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` |
|
|
||||||
| `traefik.<segment_name>.frontend.priority=10` | Same as `traefik.frontend.priority` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.period` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` |
|
|
||||||
| `traefik.<segment_name>.frontend.rule=EXP` | Same as `traefik.frontend.rule` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true` | Same as `traefik.frontend.whiteList.useXForwardedFor` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------|----------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|--------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR` | Same as `traefik.frontend.headers.allowedHosts` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true` | Same as `traefik.frontend.headers.browserXSSFilter` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE` | Same as `traefik.frontend.headers.contentSecurityPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true` | Same as `traefik.frontend.headers.contentTypeNosniff` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE` | Same as `traefik.frontend.headers.customBrowserXSSValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false` | Same as `traefik.frontend.headers.forceSTSHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.frameDeny=false` | Same as `traefik.frontend.headers.frameDeny` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR` | Same as `traefik.frontend.headers.hostsProxyHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.isDevelopment=false` | Same as `traefik.frontend.headers.isDevelopment` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.publicKey=VALUE` | Same as `traefik.frontend.headers.publicKey` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE` | Same as `traefik.frontend.headers.referrerPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLRedirect=true` | Same as `traefik.frontend.headers.SSLRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true` | Same as `traefik.frontend.headers.SSLTemporaryRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLHost=HOST` | Same as `traefik.frontend.headers.SSLHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLForceHost=true` | Same as `traefik.frontend.headers.SSLForceHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR` | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000` | Same as `traefik.frontend.headers.STSSeconds=315360000` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true` | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSPreload=true` | Same as `traefik.frontend.headers.STSPreload=true` |
|
|
@ -1,61 +0,0 @@
|
|||||||
# Etcd Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Etcd as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Etcd Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Etcd Provider.
|
|
||||||
[etcd]
|
|
||||||
|
|
||||||
# Etcd server endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "127.0.0.1:2379"
|
|
||||||
#
|
|
||||||
endpoint = "127.0.0.1:2379"
|
|
||||||
|
|
||||||
# Enable watch Etcd changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Prefix used for KV store.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "/traefik"
|
|
||||||
#
|
|
||||||
prefix = "/traefik"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "etcd.tmpl"
|
|
||||||
|
|
||||||
# Use etcd user/pass authentication.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# username = foo
|
|
||||||
# password = bar
|
|
||||||
|
|
||||||
# Enable etcd TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [etcd.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/etcd.crt"
|
|
||||||
# key = "/etc/ssl/etcd.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
|
|
@ -1,32 +0,0 @@
|
|||||||
# Eureka Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Eureka as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Eureka Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Eureka Provider.
|
|
||||||
[eureka]
|
|
||||||
|
|
||||||
# Eureka server endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
endpoint = "http://my.eureka.server/eureka"
|
|
||||||
|
|
||||||
# Override default configuration time between refresh.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 30s
|
|
||||||
#
|
|
||||||
refreshSeconds = "1m"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "eureka.tmpl"
|
|
||||||
```
|
|
@ -1,357 +0,0 @@
|
|||||||
# File Provider
|
|
||||||
|
|
||||||
Traefik can be configured with a file.
|
|
||||||
|
|
||||||
## Reference
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[file]
|
|
||||||
|
|
||||||
# Backends
|
|
||||||
[backends]
|
|
||||||
|
|
||||||
[backends.backend1]
|
|
||||||
|
|
||||||
[backends.backend1.servers]
|
|
||||||
[backends.backend1.servers.server0]
|
|
||||||
url = "http://10.10.10.1:80"
|
|
||||||
weight = 1
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
url = "http://10.10.10.2:80"
|
|
||||||
weight = 2
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[backends.backend1.circuitBreaker]
|
|
||||||
expression = "NetworkErrorRatio() > 0.5"
|
|
||||||
|
|
||||||
[backends.backend1.responseForwarding]
|
|
||||||
flushInterval = "10ms"
|
|
||||||
|
|
||||||
[backends.backend1.loadBalancer]
|
|
||||||
method = "drr"
|
|
||||||
[backends.backend1.loadBalancer.stickiness]
|
|
||||||
cookieName = "foobar"
|
|
||||||
|
|
||||||
[backends.backend1.maxConn]
|
|
||||||
amount = 10
|
|
||||||
extractorfunc = "request.host"
|
|
||||||
|
|
||||||
[backends.backend1.healthCheck]
|
|
||||||
path = "/health"
|
|
||||||
port = 88
|
|
||||||
interval = "30s"
|
|
||||||
timeout = "5s"
|
|
||||||
scheme = "http"
|
|
||||||
hostname = "myhost.com"
|
|
||||||
[backends.backend1.healthcheck.headers]
|
|
||||||
My-Custom-Header = "foo"
|
|
||||||
My-Header = "bar"
|
|
||||||
|
|
||||||
[backends.backend2]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
# Frontends
|
|
||||||
[frontends]
|
|
||||||
|
|
||||||
[frontends.frontend1]
|
|
||||||
entryPoints = ["http", "https"]
|
|
||||||
backend = "backend1"
|
|
||||||
passHostHeader = true
|
|
||||||
priority = 42
|
|
||||||
|
|
||||||
[frontends.frontend1.passTLSClientCert]
|
|
||||||
pem = true
|
|
||||||
[frontends.frontend1.passTLSClientCert.infos]
|
|
||||||
notBefore = true
|
|
||||||
notAfter = true
|
|
||||||
[frontends.frontend1.passTLSClientCert.infos.subject]
|
|
||||||
country = true
|
|
||||||
domainComponent = true
|
|
||||||
province = true
|
|
||||||
locality = true
|
|
||||||
organization = true
|
|
||||||
commonName = true
|
|
||||||
serialNumber = true
|
|
||||||
[frontends.frontend1.passTLSClientCert.infos.issuer]
|
|
||||||
country = true
|
|
||||||
domainComponent = true
|
|
||||||
province = true
|
|
||||||
locality = true
|
|
||||||
organization = true
|
|
||||||
commonName = true
|
|
||||||
serialNumber = true
|
|
||||||
[frontends.frontend1.auth]
|
|
||||||
headerField = "X-WebAuth-User"
|
|
||||||
[frontends.frontend1.auth.basic]
|
|
||||||
removeHeader = true
|
|
||||||
users = [
|
|
||||||
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
|
||||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
|
||||||
]
|
|
||||||
usersFile = "/path/to/.htpasswd"
|
|
||||||
[frontends.frontend1.auth.digest]
|
|
||||||
removeHeader = true
|
|
||||||
users = [
|
|
||||||
"test:traefik:a2688e031edb4be6a3797f3882655c05",
|
|
||||||
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
|
|
||||||
]
|
|
||||||
usersFile = "/path/to/.htdigest"
|
|
||||||
[frontends.frontend1.auth.forward]
|
|
||||||
address = "https://authserver.com/auth"
|
|
||||||
trustForwardHeader = true
|
|
||||||
authResponseHeaders = ["X-Auth-User"]
|
|
||||||
[frontends.frontend1.auth.forward.tls]
|
|
||||||
ca = "path/to/local.crt"
|
|
||||||
caOptional = true
|
|
||||||
cert = "path/to/foo.cert"
|
|
||||||
key = "path/to/foo.key"
|
|
||||||
insecureSkipVerify = true
|
|
||||||
|
|
||||||
[frontends.frontend1.whiteList]
|
|
||||||
sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
|
|
||||||
[frontends.frontend1.whiteList.IPStrategy]
|
|
||||||
depth = 6
|
|
||||||
excludedIPs = ["152.89.1.33/32", "afed:be44::/16"]
|
|
||||||
|
|
||||||
[frontends.frontend1.routes]
|
|
||||||
[frontends.frontend1.routes.route0]
|
|
||||||
rule = "Host:test.localhost"
|
|
||||||
[frontends.frontend1.routes.Route1]
|
|
||||||
rule = "Method:GET"
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[frontends.frontend1.headers]
|
|
||||||
allowedHosts = ["foobar", "foobar"]
|
|
||||||
hostsProxyHeaders = ["foobar", "foobar"]
|
|
||||||
SSLRedirect = true
|
|
||||||
SSLTemporaryRedirect = true
|
|
||||||
SSLHost = "foobar"
|
|
||||||
STSSeconds = 42
|
|
||||||
STSIncludeSubdomains = true
|
|
||||||
STSPreload = true
|
|
||||||
forceSTSHeader = true
|
|
||||||
frameDeny = true
|
|
||||||
customFrameOptionsValue = "foobar"
|
|
||||||
contentTypeNosniff = true
|
|
||||||
browserXSSFilter = true
|
|
||||||
contentSecurityPolicy = "foobar"
|
|
||||||
publicKey = "foobar"
|
|
||||||
referrerPolicy = "foobar"
|
|
||||||
isDevelopment = true
|
|
||||||
[frontends.frontend1.headers.customRequestHeaders]
|
|
||||||
X-Foo-Bar-01 = "foobar"
|
|
||||||
X-Foo-Bar-02 = "foobar"
|
|
||||||
# ...
|
|
||||||
[frontends.frontend1.headers.customResponseHeaders]
|
|
||||||
X-Foo-Bar-03 = "foobar"
|
|
||||||
X-Foo-Bar-04 = "foobar"
|
|
||||||
# ...
|
|
||||||
[frontends.frontend1.headers.SSLProxyHeaders]
|
|
||||||
X-Foo-Bar-05 = "foobar"
|
|
||||||
X-Foo-Bar-06 = "foobar"
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[frontends.frontend1.errors]
|
|
||||||
[frontends.frontend1.errors.errorPage0]
|
|
||||||
status = ["500-599"]
|
|
||||||
backend = "error"
|
|
||||||
query = "/{status}.html"
|
|
||||||
[frontends.frontend1.errors.errorPage1]
|
|
||||||
status = ["404", "403"]
|
|
||||||
backend = "error"
|
|
||||||
query = "/{status}.html"
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[frontends.frontend1.ratelimit]
|
|
||||||
extractorfunc = "client.ip"
|
|
||||||
[frontends.frontend1.ratelimit.rateset.rateset1]
|
|
||||||
period = "10s"
|
|
||||||
average = 100
|
|
||||||
burst = 200
|
|
||||||
[frontends.frontend1.ratelimit.rateset.rateset2]
|
|
||||||
period = "3s"
|
|
||||||
average = 5
|
|
||||||
burst = 10
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[frontends.frontend1.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
regex = "^http://localhost/(.*)"
|
|
||||||
replacement = "http://mydomain/$1"
|
|
||||||
permanent = true
|
|
||||||
|
|
||||||
[frontends.frontend2]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
# HTTPS certificates
|
|
||||||
[[tls]]
|
|
||||||
entryPoints = ["https"]
|
|
||||||
[tls.certificate]
|
|
||||||
certFile = "path/to/my.cert"
|
|
||||||
keyFile = "path/to/my.key"
|
|
||||||
|
|
||||||
[[tls]]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
## Configuration Mode
|
|
||||||
|
|
||||||
You have two choices:
|
|
||||||
|
|
||||||
- [Rules in Traefik configuration file](/configuration/backends/file/#rules-in-traefik-configuration-file)
|
|
||||||
- [Rules in dedicated files](/configuration/backends/file/#rules-in-dedicated-files)
|
|
||||||
|
|
||||||
To enable the file backend, you must either pass the `--file` option to the Traefik binary or put the `[file]` section (with or without inner settings) in the configuration file.
|
|
||||||
|
|
||||||
The configuration file allows managing both backends/frontends and HTTPS certificates (which are not [Let's Encrypt](https://letsencrypt.org) certificates generated through Traefik).
|
|
||||||
|
|
||||||
TOML templating can be used if rules are not defined in the Traefik configuration file.
|
|
||||||
|
|
||||||
### Rules in Traefik Configuration File
|
|
||||||
|
|
||||||
Add your configuration at the end of the global configuration file `traefik.toml`:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
# ...
|
|
||||||
[entryPoints.https]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[file]
|
|
||||||
|
|
||||||
# rules
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
# ...
|
|
||||||
[backends.backend2]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
# ...
|
|
||||||
[frontends.frontend2]
|
|
||||||
# ...
|
|
||||||
[frontends.frontend3]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
# HTTPS certificate
|
|
||||||
[[tls]]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[[tls]]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If `tls.entryPoints` is not defined, the certificate is attached to all the `defaultEntryPoints` with a TLS configuration.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Adding certificates directly to the entryPoint is still maintained but certificates declared in this way cannot be managed dynamically.
|
|
||||||
It's recommended to use the file provider to declare certificates.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
TOML templating cannot be used if rules are defined in the Traefik configuration file.
|
|
||||||
|
|
||||||
### Rules in Dedicated Files
|
|
||||||
|
|
||||||
Traefik allows defining rules in one or more separate files.
|
|
||||||
|
|
||||||
#### One Separate File
|
|
||||||
|
|
||||||
You have to specify the file path in the `file.filename` option.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# traefik.toml
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
# ...
|
|
||||||
[entryPoints.https]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[file]
|
|
||||||
filename = "rules.toml"
|
|
||||||
watch = true
|
|
||||||
```
|
|
||||||
|
|
||||||
The option `file.watch` allows Traefik to watch file changes automatically.
|
|
||||||
|
|
||||||
#### Multiple Separated Files
|
|
||||||
|
|
||||||
You could have multiple `.toml` files in a directory (and recursively in its sub-directories):
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[file]
|
|
||||||
directory = "/path/to/config/"
|
|
||||||
watch = true
|
|
||||||
```
|
|
||||||
|
|
||||||
The option `file.watch` allows Traefik to watch file changes automatically.
|
|
||||||
|
|
||||||
#### Separate Files Content
|
|
||||||
|
|
||||||
If you are defining rules in one or more separate files, you can use two formats.
|
|
||||||
|
|
||||||
##### Simple Format
|
|
||||||
|
|
||||||
Backends, Frontends and TLS certificates are defined one at time, as described in the file `rules.toml`:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# rules.toml
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
# ...
|
|
||||||
[backends.backend2]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
# ...
|
|
||||||
[frontends.frontend2]
|
|
||||||
# ...
|
|
||||||
[frontends.frontend3]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
# HTTPS certificate
|
|
||||||
[[tls]]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
[[tls]]
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
##### TOML Templating
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
TOML templating can only be used **if rules are defined in one or more separate files**.
|
|
||||||
Templating will not work in the Traefik configuration file.
|
|
||||||
|
|
||||||
Traefik allows using TOML templating.
|
|
||||||
|
|
||||||
Thus, it's possible to define easily lot of Backends, Frontends and TLS certificates as described in the file `template-rules.toml` :
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# template-rules.toml
|
|
||||||
[backends]
|
|
||||||
{{ range $i, $e := until 100 }}
|
|
||||||
[backends.backend{{ $e }}]
|
|
||||||
#...
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
{{ range $i, $e := until 100 }}
|
|
||||||
[frontends.frontend{{ $e }}]
|
|
||||||
#...
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
|
|
||||||
# HTTPS certificate
|
|
||||||
{{ range $i, $e := until 100 }}
|
|
||||||
[[tls]]
|
|
||||||
#...
|
|
||||||
{{ end }}
|
|
||||||
```
|
|
@ -1,389 +0,0 @@
|
|||||||
# Kubernetes Ingress Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Kubernetes Ingress as a provider.
|
|
||||||
|
|
||||||
See also [Kubernetes user guide](/user-guide/kubernetes).
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Kubernetes Ingress Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Kubernetes Ingress Provider.
|
|
||||||
[kubernetes]
|
|
||||||
|
|
||||||
# Kubernetes server endpoint.
|
|
||||||
#
|
|
||||||
# Optional for in-cluster configuration, required otherwise.
|
|
||||||
# Default: empty
|
|
||||||
#
|
|
||||||
# endpoint = "http://localhost:8080"
|
|
||||||
|
|
||||||
# Bearer token used for the Kubernetes client configuration.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: empty
|
|
||||||
#
|
|
||||||
# token = "my token"
|
|
||||||
|
|
||||||
# Path to the certificate authority file.
|
|
||||||
# Used for the Kubernetes client configuration.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: empty
|
|
||||||
#
|
|
||||||
# certAuthFilePath = "/my/ca.crt"
|
|
||||||
|
|
||||||
# Array of namespaces to watch.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: all namespaces (empty array).
|
|
||||||
#
|
|
||||||
# namespaces = ["default", "production"]
|
|
||||||
|
|
||||||
# Ingress label selector to filter Ingress objects that should be processed.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: empty (process all Ingresses)
|
|
||||||
#
|
|
||||||
# labelselector = "A and not B"
|
|
||||||
|
|
||||||
# Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
|
|
||||||
# If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
|
|
||||||
# Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: empty
|
|
||||||
#
|
|
||||||
# ingressClass = "traefik-internal"
|
|
||||||
|
|
||||||
# Disable PassHost Headers.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# disablePassHostHeaders = true
|
|
||||||
|
|
||||||
# Enable PassTLSCert Headers.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# enablePassTLSCert = true
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: <built-in template>
|
|
||||||
#
|
|
||||||
# filename = "kubernetes.tmpl"
|
|
||||||
|
|
||||||
# Enable IngressEndpoint configuration.
|
|
||||||
# This will allow Traefik to update the status section of ingress objects, if desired.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [kubernetes.ingressEndpoint]
|
|
||||||
#
|
|
||||||
# At least one must be configured.
|
|
||||||
# `publishedservice` will override the `hostname` and `ip` settings if configured.
|
|
||||||
#
|
|
||||||
# hostname = "localhost"
|
|
||||||
# ip = "127.0.0.1"
|
|
||||||
# publishedService = "namespace/servicename"
|
|
||||||
```
|
|
||||||
|
|
||||||
### `endpoint`
|
|
||||||
|
|
||||||
The Kubernetes server endpoint as URL.
|
|
||||||
|
|
||||||
When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` to construct the endpoint.
|
|
||||||
|
|
||||||
The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
|
|
||||||
Both are provided mounted automatically when deployed inside Kubernetes.
|
|
||||||
|
|
||||||
The endpoint may be specified to override the environment variable values inside a cluster.
|
|
||||||
|
|
||||||
When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
|
|
||||||
In this case, the endpoint is required.
|
|
||||||
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
|
|
||||||
|
|
||||||
### `labelselector`
|
|
||||||
|
|
||||||
By default, Traefik processes all Ingress objects in the configured namespaces.
|
|
||||||
A label selector can be defined to filter on specific Ingress objects only.
|
|
||||||
|
|
||||||
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
|
|
||||||
|
|
||||||
### `ingressEndpoint`
|
|
||||||
|
|
||||||
You can configure a static hostname or IP address that Traefik will add to the status section of Ingress objects that it manages.
|
|
||||||
If you prefer, you can provide a service, which traefik will copy the status spec from.
|
|
||||||
This will give more flexibility in cloud/dynamic environments.
|
|
||||||
|
|
||||||
### TLS communication between Traefik and backend pods
|
|
||||||
|
|
||||||
Traefik automatically requests endpoint information based on the service provided in the ingress spec.
|
|
||||||
Although traefik will connect directly to the endpoints (pods), it still checks the service port to see if TLS communication is required.
|
|
||||||
|
|
||||||
There are 3 ways to configure Traefik to use https to communicate with backend pods:
|
|
||||||
|
|
||||||
1. If the service port defined in the ingress spec is 443 (note that you can still use `targetPort` to use a different port on your pod).
|
|
||||||
2. If the service port defined in the ingress spec has a name that starts with `https` (such as `https-api`, `https-web` or just `https`).
|
|
||||||
3. If the ingress spec includes the annotation `ingress.kubernetes.io/protocol: https`.
|
|
||||||
|
|
||||||
If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name.
|
|
||||||
If this is not an option, you may need to skip TLS certificate verification.
|
|
||||||
See the [insecureSkipVerify](/configuration/commons/#main-section) setting for more details.
|
|
||||||
|
|
||||||
## Annotations
|
|
||||||
|
|
||||||
### General annotations
|
|
||||||
|
|
||||||
The following general annotations are applicable on the Ingress object:
|
|
||||||
|
|
||||||
| Annotation | Description |
|
|
||||||
|---------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.ingress.kubernetes.io/app-root: "/index.html"` | Redirects all requests for `/` to the defined path. (1) |
|
|
||||||
| `traefik.ingress.kubernetes.io/error-pages: <YML>` | See [custom error pages](/configuration/commons/#custom-error-pages) section. (2) |
|
|
||||||
| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https` | Override the default frontend endpoints. |
|
|
||||||
| `traefik.ingress.kubernetes.io/pass-client-tls-cert: <YML>` | Forward the client certificate following the configuration in YAML. (3) |
|
|
||||||
| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"` | Override the default frontend PassTLSCert value. Default: `false`.(DEPRECATED) |
|
|
||||||
| `traefik.ingress.kubernetes.io/preserve-host: "true"` | Forward client `Host` header to the backend. |
|
|
||||||
| `traefik.ingress.kubernetes.io/priority: "3"` | Override the default frontend rule priority. |
|
|
||||||
| `traefik.ingress.kubernetes.io/rate-limit: <YML>` | See [rate limiting](/configuration/commons/#rate-limiting) section. (4) |
|
|
||||||
| `traefik.ingress.kubernetes.io/redirect-entry-point: https` | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS). |
|
|
||||||
| `traefik.ingress.kubernetes.io/redirect-permanent: "true"` | Return 301 instead of 302. |
|
|
||||||
| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`. |
|
|
||||||
| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1` | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`. |
|
|
||||||
| `traefik.ingress.kubernetes.io/request-modifier: AddPrefix: /users` | Adds a [request modifier](/basics/#modifiers) to the backend request. |
|
|
||||||
| `traefik.ingress.kubernetes.io/rewrite-target: /users` | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header. |
|
|
||||||
| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip` | Overrides the default frontend rule type. Only path-related matchers can be specified [(`Path`, `PathPrefix`, `PathStrip`, `PathPrefixStrip`)](/basics/#path-matcher-usage-guidelines).(5) |
|
|
||||||
| `traefik.ingress.kubernetes.io/request-modifier: AddPrefix: /users` | Add a [request modifier](/basics/#modifiers) to the backend request. |
|
|
||||||
| `traefik.ingress.kubernetes.io/service-weights: <YML>` | Set ingress backend weights specified as percentage or decimal numbers in YAML. (6) |
|
|
||||||
| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access (7). |
|
|
||||||
| `traefik.ingress.kubernetes.io/whiteList-ipstrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.ingress.kubernetes.io/whiteList-ipstrategy-depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.ingress.kubernetes.io/whiteList-ipstrategy-excludedIPs=127.0.0. 1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `ingress.kubernetes.io/protocol: <NAME>` | Set the protocol Traefik will use to communicate with pods. Acceptable protocols: http,https,h2c |
|
|
||||||
|
|
||||||
<1> `traefik.ingress.kubernetes.io/app-root`:
|
|
||||||
Non-root paths will not be affected by this annotation and handled normally.
|
|
||||||
This annotation may not be combined with other redirect annotations.
|
|
||||||
Trying to do so will result in the other redirects being ignored.
|
|
||||||
This annotation can be used in combination with `traefik.ingress.kubernetes.io/redirect-permanent` to configure whether the `app-root` redirect is a 301 or a 302.
|
|
||||||
|
|
||||||
<2> `traefik.ingress.kubernetes.io/error-pages` example:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
foo:
|
|
||||||
status:
|
|
||||||
- "404"
|
|
||||||
backend: bar
|
|
||||||
query: /bar
|
|
||||||
fii:
|
|
||||||
status:
|
|
||||||
- "503"
|
|
||||||
- "500"
|
|
||||||
backend: bar
|
|
||||||
query: /bir
|
|
||||||
```
|
|
||||||
|
|
||||||
<3> `traefik.ingress.kubernetes.io/pass-client-tls-cert` example:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
# add escaped pem in the `X-Forwarded-Tls-Client-Cert` header
|
|
||||||
pem: true
|
|
||||||
# add escaped certificate following infos in the `X-Forwarded-Tls-Client-Cert-Infos` header
|
|
||||||
infos:
|
|
||||||
notafter: true
|
|
||||||
notbefore: true
|
|
||||||
sans: true
|
|
||||||
subject:
|
|
||||||
country: true
|
|
||||||
province: true
|
|
||||||
locality: true
|
|
||||||
organization: true
|
|
||||||
commonname: true
|
|
||||||
serialnumber: true
|
|
||||||
```
|
|
||||||
|
|
||||||
If `pem` is set, it will add a `X-Forwarded-Tls-Client-Cert` header that contains the escaped pem as value.
|
|
||||||
If at least one flag of the `infos` part is set, it will add a `X-Forwarded-Tls-Client-Cert-Infos` header that contains an escaped string composed of the client certificate data selected by the infos flags.
|
|
||||||
This infos part is composed like the following example (not escaped):
|
|
||||||
```Subject="C=FR,ST=SomeState,L=Lyon,O=Cheese,CN=*.cheese.org",NB=1531900816,NA=1563436816,SAN=*.cheese.org,*.cheese.net,cheese.in,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2```
|
|
||||||
|
|
||||||
<4> `traefik.ingress.kubernetes.io/rate-limit` example:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
extractorfunc: client.ip
|
|
||||||
rateset:
|
|
||||||
bar:
|
|
||||||
period: 3s
|
|
||||||
average: 6
|
|
||||||
burst: 9
|
|
||||||
foo:
|
|
||||||
period: 6s
|
|
||||||
average: 12
|
|
||||||
burst: 18
|
|
||||||
```
|
|
||||||
|
|
||||||
<5> `traefik.ingress.kubernetes.io/rule-type`
|
|
||||||
Note: `ReplacePath` is deprecated in this annotation, use the `traefik.ingress.kubernetes.io/request-modifier` annotation instead. Default: `PathPrefix`.
|
|
||||||
|
|
||||||
<6> `traefik.ingress.kubernetes.io/service-weights`:
|
|
||||||
Service weights enable to split traffic across multiple backing services in a fine-grained manner.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
service_backend1: 12.50%
|
|
||||||
service_backend2: 12.50%
|
|
||||||
service_backend3: 75 # Same as 75%, the percentage sign is optional
|
|
||||||
```
|
|
||||||
|
|
||||||
A single service backend definition may be omitted; in this case, Traefik auto-completes that service backend to 100% automatically.
|
|
||||||
Conveniently, users need not bother to compute the percentage remainder for a main service backend.
|
|
||||||
For instance, in the example above `service_backend3` does not need to be specified to be assigned 75%.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
For each service weight given, the Ingress specification must include a backend item with the corresponding `serviceName` and (if given) matching path.
|
|
||||||
|
|
||||||
Currently, 3 decimal places for the weight are supported.
|
|
||||||
An attempt to exceed the precision should be avoided as it may lead to percentage computation flaws and, in consequence, Ingress parsing errors.
|
|
||||||
|
|
||||||
For each path definition, this annotation will fail if:
|
|
||||||
|
|
||||||
- the sum of backend weights exceeds 100% or
|
|
||||||
- the sum of backend weights is less than 100% without one or more omitted backends
|
|
||||||
|
|
||||||
See also the [user guide section traffic splitting](/user-guide/kubernetes/#traffic-splitting).
|
|
||||||
|
|
||||||
<7> `traefik.ingress.kubernetes.io/whitelist-source-range`:
|
|
||||||
All source IPs are permitted if the list is empty or a single range is ill-formatted.
|
|
||||||
Please note, you may have to set `service.spec.externalTrafficPolicy` to the value `Local` to preserve the source IP of the request for filtering.
|
|
||||||
Please see [this link](https://kubernetes.io/docs/tutorials/services/source-ip/) for more information.
|
|
||||||
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Please note that `traefik.ingress.kubernetes.io/redirect-regex` and `traefik.ingress.kubernetes.io/redirect-replacement` do not have to be set if `traefik.ingress.kubernetes.io/redirect-entry-point` is defined for the redirection (they will not be used in this case).
|
|
||||||
|
|
||||||
The following annotations are applicable on the Service object associated with a particular Ingress object:
|
|
||||||
|
|
||||||
| Annotation | Description |
|
|
||||||
|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.ingress.kubernetes.io/buffering: <YML>` | (1) See the [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.ingress.kubernetes.io/affinity: "true"` | Enable backend sticky sessions. |
|
|
||||||
| `traefik.ingress.kubernetes.io/circuit-breaker-expression: <expression>` | Set the circuit breaker expression for the backend. |
|
|
||||||
| `traefik.ingress.kubernetes.io/responseforwarding-flushinterval: "10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `traefik.ingress.kubernetes.io/load-balancer-method: drr` | Override the default `wrr` load balancer algorithm. |
|
|
||||||
| `traefik.ingress.kubernetes.io/max-conn-amount: "10"` | Sets the maximum number of simultaneous connections to the backend.<br>Must be used in conjunction with the label below to take effect. |
|
|
||||||
| `traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.ingress.kubernetes.io/session-cookie-name: <NAME>` | Manually set the cookie name for sticky sessions. |
|
|
||||||
|
|
||||||
<1> `traefik.ingress.kubernetes.io/buffering` example:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
maxrequestbodybytes: 10485760
|
|
||||||
memrequestbodybytes: 2097153
|
|
||||||
maxresponsebodybytes: 10485761
|
|
||||||
memresponsebodybytes: 2097152
|
|
||||||
retryexpression: IsNetworkError() && Attempts() <= 2
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
`traefik.ingress.kubernetes.io/` and `ingress.kubernetes.io/` are supported prefixes.
|
|
||||||
|
|
||||||
### Custom Headers Annotations
|
|
||||||
|
|
||||||
| Annotation | Description |
|
|
||||||
| ------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `ingress.kubernetes.io/custom-request-headers: EXPR` | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `ingress.kubernetes.io/custom-response-headers: EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
### Security Headers Annotations
|
|
||||||
|
|
||||||
The following security annotations are applicable on the Ingress object:
|
|
||||||
|
|
||||||
| Annotation | Description |
|
|
||||||
| ----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `ingress.kubernetes.io/allowed-hosts: EXPR` | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2` |
|
|
||||||
| `ingress.kubernetes.io/browser-xss-filter: "true"` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `ingress.kubernetes.io/content-security-policy: VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `ingress.kubernetes.io/content-type-nosniff: "true"` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `ingress.kubernetes.io/custom-browser-xss-value: VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `ingress.kubernetes.io/custom-frame-options-value: VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `ingress.kubernetes.io/force-hsts: "false"` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `ingress.kubernetes.io/frame-deny: "true"` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `ingress.kubernetes.io/hsts-max-age: "315360000"` | Sets the max-age of the HSTS header. |
|
|
||||||
| `ingress.kubernetes.io/hsts-include-subdomains: "true"` | Adds the IncludeSubdomains section of the STS header. |
|
|
||||||
| `ingress.kubernetes.io/hsts-preload: "true"` | Adds the preload flag to the HSTS header. |
|
|
||||||
| `ingress.kubernetes.io/is-development: "false"` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `ingress.kubernetes.io/proxy-headers: EXPR` | Provides a list of headers that the proxied hostname may be stored. Format: `HEADER1,HEADER2` |
|
|
||||||
| `ingress.kubernetes.io/public-key: VALUE` | Adds HPKP header. |
|
|
||||||
| `ingress.kubernetes.io/referrer-policy: VALUE` | Adds referrer policy header. |
|
|
||||||
| `ingress.kubernetes.io/ssl-redirect: "true"` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `ingress.kubernetes.io/ssl-temporary-redirect: "true"` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `ingress.kubernetes.io/ssl-host: HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `ingress.kubernetes.io/ssl-force-host: "true"` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `ingress.kubernetes.io/ssl-proxy-headers: EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
### Authentication
|
|
||||||
|
|
||||||
Additional authentication annotations can be added to the Ingress object.
|
|
||||||
The source of the authentication is a Secret object that contains the credentials.
|
|
||||||
|
|
||||||
| Annotation | basic | digest | forward | Description |
|
|
||||||
|----------------------------------------------------------------------|-------|--------|---------|-------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `ingress.kubernetes.io/auth-type: basic` | x | x | x | Contains the authentication type: `basic`, `digest`, `forward`. |
|
|
||||||
| `ingress.kubernetes.io/auth-secret: mysecret` | x | x | | Name of Secret containing the username and password with access to the paths defined in the Ingress object. |
|
|
||||||
| `ingress.kubernetes.io/auth-remove-header: true` | x | x | | If set to `true` removes the `Authorization` header. |
|
|
||||||
| `ingress.kubernetes.io/auth-header-field: X-WebAuth-User` | x | x | | Pass Authenticated user to application via headers. |
|
|
||||||
| `ingress.kubernetes.io/auth-url: https://example.com` | | | x | [The URL of the authentication server](/configuration/entrypoints/#forward-authentication). |
|
|
||||||
| `ingress.kubernetes.io/auth-trust-headers: false` | | | x | Trust `X-Forwarded-*` headers. |
|
|
||||||
| `ingress.kubernetes.io/auth-response-headers: X-Auth-User, X-Secret` | | | x | Copy headers from the authentication server to the request. |
|
|
||||||
| `ingress.kubernetes.io/auth-tls-secret: secret` | | | x | Name of Secret containing the certificate and key for the forward auth. |
|
|
||||||
| `ingress.kubernetes.io/auth-tls-insecure` | | | x | If set to `true` invalid SSL certificates are accepted. |
|
|
||||||
|
|
||||||
The secret must be created in the same namespace as the Ingress object.
|
|
||||||
|
|
||||||
The following limitations hold for basic/digest auth:
|
|
||||||
|
|
||||||
- The realm is not configurable; the only supported (and default) value is `traefik`.
|
|
||||||
- The Secret must contain a single file only.
|
|
||||||
|
|
||||||
### TLS certificates management
|
|
||||||
|
|
||||||
TLS certificates can be managed in Secrets objects.
|
|
||||||
More information are available in the [User Guide](/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress).
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Only TLS certificates provided by users can be stored in Kubernetes Secrets.
|
|
||||||
[Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet.
|
|
||||||
|
|
||||||
### Global Default Backend Ingresses
|
|
||||||
|
|
||||||
Ingresses can be created that look like the following:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
apiVersion: extensions/v1beta1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: cheese
|
|
||||||
spec:
|
|
||||||
backend:
|
|
||||||
serviceName: stilton
|
|
||||||
servicePort: 80
|
|
||||||
```
|
|
||||||
|
|
||||||
This ingress follows the [Global Default Backend](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) property of ingresses.
|
|
||||||
This will allow users to create a "default backend" that will match all unmatched requests.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Due to Traefik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment, to avoid this global ingress from satisfying requests that _could_ match other ingresses.
|
|
||||||
To do this, use the `traefik.ingress.kubernetes.io/priority` annotation (as seen in [General Annotations](/configuration/backends/kubernetes/#general-annotations)) on your ingresses accordingly.
|
|
@ -1,415 +0,0 @@
|
|||||||
# Marathon Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Marathon as a provider.
|
|
||||||
|
|
||||||
See also [Marathon user guide](/user-guide/marathon).
|
|
||||||
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Mesos/Marathon Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Marathon Provider.
|
|
||||||
[marathon]
|
|
||||||
|
|
||||||
# Marathon server endpoint.
|
|
||||||
# You can also specify multiple endpoint for Marathon:
|
|
||||||
# endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "http://127.0.0.1:8080"
|
|
||||||
#
|
|
||||||
endpoint = "http://127.0.0.1:8080"
|
|
||||||
|
|
||||||
# Enable watch Marathon changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
# Can be overridden by setting the "traefik.domain" label on an application.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
domain = "marathon.localhost"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "marathon.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
|
|
||||||
# Expose Marathon apps by default in Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
# exposedByDefault = false
|
|
||||||
|
|
||||||
# Convert Marathon groups to subdomains.
|
|
||||||
# Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
|
|
||||||
# with groupsAsSubDomains enabled: /foo/bar/myapp => myapp.bar.foo.{defaultDomain}
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# groupsAsSubDomains = true
|
|
||||||
|
|
||||||
# Enable compatibility with marathon-lb labels.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# marathonLBCompatibility = true
|
|
||||||
|
|
||||||
# Enable filtering using Marathon constraints..
|
|
||||||
# If enabled, Traefik will read Marathon constraints, as defined in https://mesosphere.github.io/marathon/docs/constraints.html
|
|
||||||
# Each individual constraint will be treated as a verbatim compounded tag.
|
|
||||||
# i.e. "rack_id:CLUSTER:rack-1", with all constraint groups concatenated together using ":"
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# filterMarathonConstraints = true
|
|
||||||
|
|
||||||
# Enable Marathon basic authentication.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [marathon.basic]
|
|
||||||
# httpBasicAuthUser = "foo"
|
|
||||||
# httpBasicPassword = "bar"
|
|
||||||
|
|
||||||
# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [marathon.TLS]
|
|
||||||
# CA = "/etc/ssl/ca.crt"
|
|
||||||
# Cert = "/etc/ssl/marathon.cert"
|
|
||||||
# Key = "/etc/ssl/marathon.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
|
|
||||||
# DCOSToken for DCOS environment.
|
|
||||||
# This will override the Authorization header.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# dcosToken = "xxxxxx"
|
|
||||||
|
|
||||||
# Override DialerTimeout.
|
|
||||||
# Amount of time to allow the Marathon provider to wait to open a TCP connection
|
|
||||||
# to a Marathon master.
|
|
||||||
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
|
|
||||||
# values (digits).
|
|
||||||
# If no units are provided, the value is parsed assuming seconds.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "5s"
|
|
||||||
#
|
|
||||||
# dialerTimeout = "5s"
|
|
||||||
|
|
||||||
# Override ResponseHeaderTimeout.
|
|
||||||
# Amount of time to allow the Marathon provider to wait until the first response
|
|
||||||
# header from the Marathon master is received.
|
|
||||||
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
|
|
||||||
# values (digits).
|
|
||||||
# If no units are provided, the value is parsed assuming seconds.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "60s"
|
|
||||||
#
|
|
||||||
# responseHeaderTimeout = "60s"
|
|
||||||
|
|
||||||
# Override TLSHandshakeTimeout.
|
|
||||||
# Amount of time to allow the Marathon provider to wait until the TLS
|
|
||||||
# handshake completes.
|
|
||||||
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
|
|
||||||
# values (digits).
|
|
||||||
# If no units are provided, the value is parsed assuming seconds.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "5s"
|
|
||||||
#
|
|
||||||
# TLSHandshakeTimeout = "5s"
|
|
||||||
|
|
||||||
# Set the TCP Keep Alive interval for the Marathon HTTP Client.
|
|
||||||
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
|
|
||||||
# values (digits).
|
|
||||||
# If no units are provided, the value is parsed assuming seconds.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "10s"
|
|
||||||
#
|
|
||||||
# keepAlive = "10s"
|
|
||||||
|
|
||||||
# By default, a task's IP address (as returned by the Marathon API) is used as
|
|
||||||
# backend server if an IP-per-task configuration can be found; otherwise, the
|
|
||||||
# name of the host running the task is used.
|
|
||||||
# The latter behavior can be enforced by enabling this switch.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# forceTaskHostname = true
|
|
||||||
|
|
||||||
# Applications may define readiness checks which are probed by Marathon during
|
|
||||||
# deployments periodically and the results exposed via the API.
|
|
||||||
# Enabling the following parameter causes Traefik to filter out tasks
|
|
||||||
# whose readiness checks have not succeeded.
|
|
||||||
# Note that the checks are only valid at deployment times.
|
|
||||||
# See the Marathon guide for details.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# respectReadinessChecks = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
## Labels: overriding default behavior
|
|
||||||
|
|
||||||
Marathon labels may be used to dynamically change the routing and forwarding behavior.
|
|
||||||
|
|
||||||
They may be specified on one of two levels: Application or service.
|
|
||||||
|
|
||||||
### Application Level
|
|
||||||
|
|
||||||
The following labels can be defined on Marathon applications. They adjust the behavior for the entire application.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|---------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.domain` | Sets the default base domain used for the frontend rules. |
|
|
||||||
| `traefik.enable=false` | Disables this container in Traefik. |
|
|
||||||
| `traefik.port=80` | Registers this port. Useful when the container exposes multiples ports. |
|
|
||||||
| `traefik.portIndex=1` | Registers port by index in the application's ports array. Useful when the application exposes multiple ports. |
|
|
||||||
| `traefik.protocol=https` | Overrides the default `http` protocol. |
|
|
||||||
| `traefik.weight=10` | Assigns this weight to the container. |
|
|
||||||
| `traefik.backend=foo` | Overrides the application name by `foo` in the generated name of the backend. |
|
|
||||||
| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
|
|
||||||
| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
|
|
||||||
| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. (Default: 30s) |
|
|
||||||
| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. (Default: 5s) |
|
|
||||||
| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
|
|
||||||
| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
|
|
||||||
| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions |
|
|
||||||
| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
|
|
||||||
| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
|
|
||||||
| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
|
|
||||||
| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
|
|
||||||
| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
|
|
||||||
| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
|
|
||||||
| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
|
|
||||||
| `traefik.frontend.auth.removeHeader=true` | If set to true, removes the Authorization header. |
|
|
||||||
| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `traefik.frontend.errors.<name>.backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`| Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`| Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
|
|
||||||
| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
|
|
||||||
| `traefik.frontend.priority=10` | Overrides default frontend priority |
|
|
||||||
| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
|
|
||||||
| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
|
|
||||||
| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{sub_domain}.{domain}`. |
|
|
||||||
| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
|
|
||||||
### Applications with Multiple Ports (segment labels)
|
|
||||||
|
|
||||||
Segment labels are used to define routes to an application exposing multiple ports.
|
|
||||||
A segment is a group of labels that apply to a port exposed by an application.
|
|
||||||
You can define as many segments as ports exposed in an application.
|
|
||||||
|
|
||||||
Segment labels override the default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.backend=BACKEND` | Same as `traefik.backend` |
|
|
||||||
| `traefik.<segment_name>.domain=DOMAIN` | Same as `traefik.domain` |
|
|
||||||
| `traefik.<segment_name>.portIndex=1` | Same as `traefik.portIndex` |
|
|
||||||
| `traefik.<segment_name>.port=PORT` | Same as `traefik.port` |
|
|
||||||
| `traefik.<segment_name>.protocol=http` | Same as `traefik.protocol` |
|
|
||||||
| `traefik.<segment_name>.weight=10` | Same as `traefik.weight` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.removeHeader=true` | Same as `traefik.frontend.auth.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME` | Same as `traefik.frontend.errors.<name>.backend` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.query=PATH` | Same as `traefik.frontend.errors.<name>.query` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE` | Same as `traefik.frontend.errors.<name>.status` |
|
|
||||||
| `traefik.<segment_name>.frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true`| Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true`| Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` |
|
|
||||||
| `traefik.<segment_name>.frontend.priority=10` | Same as `traefik.frontend.priority` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.period` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` |
|
|
||||||
| `traefik.<segment_name>.frontend.rule=EXP` | Same as `traefik.frontend.rule` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------|----------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|--------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR` | Same as `traefik.frontend.headers.allowedHosts` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true` | Same as `traefik.frontend.headers.browserXSSFilter` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE` | Same as `traefik.frontend.headers.contentSecurityPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true` | Same as `traefik.frontend.headers.contentTypeNosniff` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE` | Same as `traefik.frontend.headers.customBrowserXSSValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false` | Same as `traefik.frontend.headers.forceSTSHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.frameDeny=false` | Same as `traefik.frontend.headers.frameDeny` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR` | Same as `traefik.frontend.headers.hostsProxyHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.isDevelopment=false` | Same as `traefik.frontend.headers.isDevelopment` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.publicKey=VALUE` | Same as `traefik.frontend.headers.publicKey` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE` | Same as `traefik.frontend.headers.referrerPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLRedirect=true` | Same as `traefik.frontend.headers.SSLRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true` | Same as `traefik.frontend.headers.SSLTemporaryRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLHost=HOST` | Same as `traefik.frontend.headers.SSLHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLForceHost=true` | Same as `traefik.frontend.headers.SSLForceHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR` | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000` | Same as `traefik.frontend.headers.STSSeconds=315360000` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true` | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSPreload=true` | Same as `traefik.frontend.headers.STSPreload=true` |
|
|
@ -1,323 +0,0 @@
|
|||||||
# Mesos Generic Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Mesos as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Mesos Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Mesos Provider.
|
|
||||||
[mesos]
|
|
||||||
|
|
||||||
# Mesos server endpoint.
|
|
||||||
# You can also specify multiple endpoint for Mesos:
|
|
||||||
# endpoint = "192.168.35.40:5050,192.168.35.41:5050,192.168.35.42:5050"
|
|
||||||
# endpoint = "zk://192.168.35.20:2181,192.168.35.21:2181,192.168.35.22:2181/mesos"
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "http://127.0.0.1:5050"
|
|
||||||
#
|
|
||||||
endpoint = "http://127.0.0.1:8080"
|
|
||||||
|
|
||||||
# Enable watch Mesos changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
# Can be overridden by setting the "traefik.domain" label on an application.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
domain = "mesos.localhost"
|
|
||||||
|
|
||||||
# Expose Mesos apps by default in Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
# exposedByDefault = false
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "mesos.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
|
|
||||||
# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [mesos.TLS]
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
|
|
||||||
# Zookeeper timeout (in seconds).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 30
|
|
||||||
#
|
|
||||||
# zkDetectionTimeout = 30
|
|
||||||
|
|
||||||
# Polling interval (in seconds).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 30
|
|
||||||
#
|
|
||||||
# refreshSeconds = 30
|
|
||||||
|
|
||||||
# IP sources (e.g. host, docker, mesos, netinfo).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# ipSources = "host"
|
|
||||||
|
|
||||||
# HTTP Timeout (in seconds).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 30
|
|
||||||
#
|
|
||||||
# stateTimeoutSecond = "30"
|
|
||||||
|
|
||||||
# Convert groups to subdomains.
|
|
||||||
# Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
|
|
||||||
# with groupsAsSubDomains enabled: /foo/bar/myapp => myapp.bar.foo.{defaultDomain}
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# groupsAsSubDomains = true
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
## Labels: overriding default behavior
|
|
||||||
|
|
||||||
The following labels can be defined on Mesos tasks. They adjust the behavior for the entire application.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|---------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.domain` | Sets the default domain for the frontend rules. |
|
|
||||||
| `traefik.enable=false` | Disables this container in Traefik. |
|
|
||||||
| `traefik.port=80` | Registers this port. Useful when the application exposes multiple ports. |
|
|
||||||
| `traefik.portName=web` | Registers port by name in the application's ports array. Useful when the application exposes multiple ports. |
|
|
||||||
| `traefik.portIndex=1` | Registers port by index in the application's ports array. Useful when the application exposes multiple ports. |
|
|
||||||
| `traefik.protocol=https` | Overrides the default `http` protocol |
|
|
||||||
| `traefik.weight=10` | Assigns this weight to the container |
|
|
||||||
| `traefik.backend=foo` | Overrides the task name by `foo` in the generated name of the backend. |
|
|
||||||
| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
|
|
||||||
| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
|
|
||||||
| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. (Default: 30s) |
|
|
||||||
| `traefik.backend.healthcheck.timeout=3s` | Defines the health check request timeout. (Default: 5s) |
|
|
||||||
| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
|
|
||||||
| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
|
|
||||||
| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie manually name for sticky sessions |
|
|
||||||
| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
|
|
||||||
| `traefik.frontend.auth.basic.users=EXPR` | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`. |
|
|
||||||
| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
|
|
||||||
| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
|
|
||||||
| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
|
|
||||||
| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
|
|
||||||
| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
|
|
||||||
| `traefik.frontend.auth.removeHeader=true` | If set to true, removes the Authorization header. |
|
|
||||||
| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `traefik.frontend.errors.<name>.backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`| Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`| Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
|
|
||||||
| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
|
|
||||||
| `traefik.frontend.priority=10` | Overrides default frontend priority |
|
|
||||||
| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
|
|
||||||
| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
|
|
||||||
| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{discovery_name}.{domain}`. |
|
|
||||||
| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
|
|
||||||
### Applications with Multiple Ports (segment labels)
|
|
||||||
|
|
||||||
Segment labels are used to define routes to an application exposing multiple ports.
|
|
||||||
A segment is a group of labels that apply to a port exposed by an application.
|
|
||||||
You can define as many segments as ports exposed in an application.
|
|
||||||
|
|
||||||
Additionally, if a segment name matches a named port, that port will be used unless `portIndex`, `portName`, or `port` labels are specified for that segment.
|
|
||||||
|
|
||||||
Segment labels override the default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------------------|-------------------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.backend=BACKEND` | Same as `traefik.backend` |
|
|
||||||
| `traefik.<segment_name>.domain=DOMAIN` | Same as `traefik.domain` |
|
|
||||||
| `traefik.<segment_name>.portIndex=1` | Same as `traefik.portIndex` |
|
|
||||||
| `traefik.<segment_name>.portName=web` | Same as `traefik.portName` |
|
|
||||||
| `traefik.<segment_name>.port=PORT` | Same as `traefik.port` |
|
|
||||||
| `traefik.<segment_name>.protocol=http` | Same as `traefik.protocol` |
|
|
||||||
| `traefik.<segment_name>.weight=10` | Same as `traefik.weight` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.removeHeader=true` | Same as `traefik.frontend.auth.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME` | Same as `traefik.frontend.errors.<name>.backend` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.query=PATH` | Same as `traefik.frontend.errors.<name>.query` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE` | Same as `traefik.frontend.errors.<name>.status` |
|
|
||||||
| `traefik.<segment_name>.frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` |
|
|
||||||
| `traefik.<segment_name>.frontend.priority=10` | Same as `traefik.frontend.priority` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.period` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` |
|
|
||||||
| `traefik.<segment_name>.frontend.rule=EXP` | Same as `traefik.frontend.rule` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------|----------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|--------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR` | Same as `traefik.frontend.headers.allowedHosts` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true` | Same as `traefik.frontend.headers.browserXSSFilter` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE` | Same as `traefik.frontend.headers.contentSecurityPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true` | Same as `traefik.frontend.headers.contentTypeNosniff` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE` | Same as `traefik.frontend.headers.customBrowserXSSValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false` | Same as `traefik.frontend.headers.forceSTSHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.frameDeny=false` | Same as `traefik.frontend.headers.frameDeny` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR` | Same as `traefik.frontend.headers.hostsProxyHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.isDevelopment=false` | Same as `traefik.frontend.headers.isDevelopment` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.publicKey=VALUE` | Same as `traefik.frontend.headers.publicKey` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE` | Same as `traefik.frontend.headers.referrerPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLRedirect=true` | Same as `traefik.frontend.headers.SSLRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true` | Same as `traefik.frontend.headers.SSLTemporaryRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLHost=HOST` | Same as `traefik.frontend.headers.SSLHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLForceHost=true` | Same as `traefik.frontend.headers.SSLForceHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR` | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000` | Same as `traefik.frontend.headers.STSSeconds=315360000` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true` | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSPreload=true` | Same as `traefik.frontend.headers.STSPreload=true` |
|
|
@ -1,355 +0,0 @@
|
|||||||
# Rancher Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Rancher as a provider.
|
|
||||||
|
|
||||||
## Global Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Rancher Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Rancher Provider.
|
|
||||||
[rancher]
|
|
||||||
|
|
||||||
# Default base domain used for the frontend rules.
|
|
||||||
# Can be overridden by setting the "traefik.domain" label on an service.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
domain = "rancher.localhost"
|
|
||||||
|
|
||||||
# Enable watch Rancher changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Polling interval (in seconds).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 15
|
|
||||||
#
|
|
||||||
refreshSeconds = 15
|
|
||||||
|
|
||||||
# Expose Rancher services by default in Traefik.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
exposedByDefault = false
|
|
||||||
|
|
||||||
# Filter services with unhealthy states and inactive states.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
enableServiceHealthFilter = true
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "rancher.tmpl"
|
|
||||||
|
|
||||||
# Override template version
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# - "1": previous template version (must be used only with older custom templates, see "filename")
|
|
||||||
# - "2": current template version (must be used to force template version when "filename" is used)
|
|
||||||
#
|
|
||||||
# templateVersion = 2
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
## Rancher Metadata Service
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Enable Rancher metadata service provider instead of the API
|
|
||||||
# provider.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
[rancher.metadata]
|
|
||||||
|
|
||||||
# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`.
|
|
||||||
# NOTE: this is less accurate than the default long polling technique which
|
|
||||||
# will provide near instantaneous updates to Traefik
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
intervalPoll = true
|
|
||||||
|
|
||||||
# Prefix used for accessing the Rancher metadata service.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "/latest"
|
|
||||||
#
|
|
||||||
prefix = "/2016-07-29"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Rancher API
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Enable Rancher API provider.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
[rancher.api]
|
|
||||||
|
|
||||||
# Endpoint to use when connecting to the Rancher API.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
endpoint = "http://rancherserver.example.com/v1"
|
|
||||||
|
|
||||||
# AccessKey to use when connecting to the Rancher API.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
accessKey = "XXXXXXXXXXXXXXXXXXXX"
|
|
||||||
|
|
||||||
# SecretKey to use when connecting to the Rancher API.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If Traefik needs access to the Rancher API, you need to set the `endpoint`, `accesskey` and `secretkey` parameters.
|
|
||||||
|
|
||||||
To enable Traefik to fetch information about the Environment it's deployed in only, you need to create an `Environment API Key`.
|
|
||||||
This can be found within the API Key advanced options.
|
|
||||||
|
|
||||||
Add these labels to traefik docker deployment to autogenerated these values:
|
|
||||||
```
|
|
||||||
io.rancher.container.agent.role: environment
|
|
||||||
io.rancher.container.create_agent: true
|
|
||||||
```
|
|
||||||
|
|
||||||
## Labels: overriding default behavior
|
|
||||||
|
|
||||||
### On Containers
|
|
||||||
|
|
||||||
Labels can be used on task containers to override default behavior:
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|---------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.domain` | Sets the default base domain for the frontend rules. |
|
|
||||||
| `traefik.enable=false` | Disables this container in Traefik. |
|
|
||||||
| `traefik.port=80` | Registers this port. Useful when the container exposes multiple ports. |
|
|
||||||
| `traefik.protocol=https` | Overrides the default `http` protocol. |
|
|
||||||
| `traefik.weight=10` | Assigns this weight to the container. |
|
|
||||||
| `traefik.backend=foo` | Overrides the service name by `foo` in the generated name of the backend. |
|
|
||||||
| `traefik.backend.buffering.maxRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.maxResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memRequestBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.memResponseBodyBytes=0` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.buffering.retryExpression=EXPR` | See [buffering](/configuration/commons/#buffering) section. |
|
|
||||||
| `traefik.backend.circuitbreaker.expression=EXPR` | Creates a [circuit breaker](/basics/#backends) to be used against the backend |
|
|
||||||
| `traefik.backend.responseForwarding.flushInterval=10ms` | Defines the interval between two flushes when forwarding response from backend to client. |
|
|
||||||
| `traefik.backend.healthcheck.path=/health` | Enables health check for the backend, hitting the container at `path`. |
|
|
||||||
| `traefik.backend.healthcheck.interval=5s` | Defines the health check interval. |
|
|
||||||
| `traefik.backend.healthcheck.timeout=3s ` | Defines the health check request timeout. |
|
|
||||||
| `traefik.backend.healthcheck.port=8080` | Sets a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.scheme=http` | Overrides the server URL scheme. |
|
|
||||||
| `traefik.backend.healthcheck.hostname=foobar.com` | Defines the health check hostname. |
|
|
||||||
| `traefik.backend.healthcheck.headers=EXPR` | Defines the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.backend.loadbalancer.method=drr` | Overrides the default `wrr` load balancer algorithm |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness=true` | Enables backend sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Sets the cookie name manually for sticky sessions |
|
|
||||||
| `traefik.backend.maxconn.amount=10` | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `traefik.backend.maxconn.extractorfunc=client.ip` | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.frontend.auth.basic=EXPR` | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED). |
|
|
||||||
| `traefik.frontend.auth.basic.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.basic.users=EXPR` | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` . |
|
|
||||||
| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd` | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.digest.removeHeader=true` | If set to `true`, removes the `Authorization` header. |
|
|
||||||
| `traefik.frontend.auth.digest.users=EXPR` | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. |
|
|
||||||
| `traefik.frontend.auth.digest.usersFile=/path/.htdigest` | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. |
|
|
||||||
| `traefik.frontend.auth.forward.address=https://example.com` | Sets the URL of the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.authResponseHeaders=EXPR` | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header` |
|
|
||||||
| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Sets the Certificate Authority (CA) for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.caOptional=true` | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA). |
|
|
||||||
| `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true` | If set to true invalid SSL certificates are accepted. |
|
|
||||||
| `traefik.frontend.auth.forward.tls.key=/path/server.key` | Sets the Certificate for the TLS connection with the authentication server. |
|
|
||||||
| `traefik.frontend.auth.forward.trustForwardHeader=true` | Trusts X-Forwarded-* headers. |
|
|
||||||
| `traefik.frontend.auth.headerField=X-WebAuth-User` | Sets the header used to pass the authenticated user to the application. |
|
|
||||||
| `traefik.frontend.entryPoints=http,https` | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `traefik.frontend.errors.<name>.backend=NAME` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.query=PATH` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.errors.<name>.status=RANGE` | See [custom error pages](/configuration/commons/#custom-error-pages) section. |
|
|
||||||
| `traefik.frontend.passHostHeader=true` | Forwards client `Host` header to the backend. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true` | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.country=true` | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true` | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true` | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.province=true` | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notAfter=true` | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.notBefore=true` | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.sans=true` | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true` | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.country=true` | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.locality=true` | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`| Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.province=true` | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`| Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header. |
|
|
||||||
| `traefik.frontend.passTLSClientCert.pem=true` | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header. |
|
|
||||||
| `traefik.frontend.passTLSCert=true` | Forwards TLS Client certificates to the backend. |
|
|
||||||
| `traefik.frontend.priority=10` | Overrides default frontend priority |
|
|
||||||
| `traefik.frontend.rateLimit.extractorFunc=EXP` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.period=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.average=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.rateLimit.rateSet.<name>.burst=6` | See [rate limiting](/configuration/commons/#rate-limiting) section. |
|
|
||||||
| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS) |
|
|
||||||
| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `traefik.frontend.redirect.permanent=true` | Returns 301 instead of 302. |
|
|
||||||
| `traefik.frontend.rule=EXPR` | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`. |
|
|
||||||
| `traefik.frontend.whiteList.sourceRange=RANGE` | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
||||||
| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `traefik.frontend.headers.SSLForceHost=true` | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false. |
|
|
||||||
| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
|
|
||||||
### On containers with Multiple Ports (segment labels)
|
|
||||||
|
|
||||||
Segment labels are used to define routes to a container exposing multiple ports.
|
|
||||||
A segment is a group of labels that apply to a port exposed by a container.
|
|
||||||
You can define as many segments as ports exposed in a container.
|
|
||||||
|
|
||||||
Segment labels override the default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.backend=BACKEND` | Same as `traefik.backend` |
|
|
||||||
| `traefik.<segment_name>.domain=DOMAIN` | Same as `traefik.domain` |
|
|
||||||
| `traefik.<segment_name>.port=PORT` | Same as `traefik.port` |
|
|
||||||
| `traefik.<segment_name>.protocol=http` | Same as `traefik.protocol` |
|
|
||||||
| `traefik.<segment_name>.weight=10` | Same as `traefik.weight` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic=EXPR` | Same as `traefik.frontend.auth.basic` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true` | Same as `traefik.frontend.auth.basic.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.users=EXPR` | Same as `traefik.frontend.auth.basic.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd` | Same as `traefik.frontend.auth.basic.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true` | Same as `traefik.frontend.auth.digest.removeHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.users=EXPR` | Same as `traefik.frontend.auth.digest.users` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest` | Same as `traefik.frontend.auth.digest.usersFile` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com` | Same as `traefik.frontend.auth.forward.address` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR` | Same as `traefik.frontend.auth.forward.authResponseHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem` | Same as `traefik.frontend.auth.forward.tls.ca` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true` | Same as `traefik.frontend.auth.forward.tls.caOptional` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem` | Same as `traefik.frontend.auth.forward.tls.cert` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true` | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key` | Same as `traefik.frontend.auth.forward.tls.key` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true` | Same as `traefik.frontend.auth.forward.trustForwardHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User` | Same as `traefik.frontend.auth.headerField` |
|
|
||||||
| `traefik.<segment_name>.frontend.entryPoints=https` | Same as `traefik.frontend.entryPoints` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME` | Same as `traefik.frontend.errors.<name>.backend` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.query=PATH` | Same as `traefik.frontend.errors.<name>.query` |
|
|
||||||
| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE` | Same as `traefik.frontend.errors.<name>.status` |
|
|
||||||
| `traefik.<segment_name>.frontend.passHostHeader=true` | Same as `traefik.frontend.passHostHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true` | Same as `traefik.frontend.passTLSClientCert.infos.notAfter` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true` | Same as `traefik.frontend.passTLSClientCert.infos.notBefore` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true` | Same as `traefik.frontend.passTLSClientCert.infos.sans` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.country` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.province` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true` | Same as `traefik.frontend.passTLSClientCert.infos.pem` |
|
|
||||||
| `traefik.<segment_name>.frontend.passTLSCert=true` | Same as `traefik.frontend.passTLSCert` |
|
|
||||||
| `traefik.<segment_name>.frontend.priority=10` | Same as `traefik.frontend.priority` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP` | Same as `traefik.frontend.rateLimit.extractorFunc` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.period` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
|
|
||||||
| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6` | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.entryPoint=https` | Same as `traefik.frontend.redirect.entryPoint` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)` | Same as `traefik.frontend.redirect.regex` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement` |
|
|
||||||
| `traefik.<segment_name>.frontend.redirect.permanent=true` | Same as `traefik.frontend.redirect.permanent` |
|
|
||||||
| `traefik.<segment_name>.frontend.rule=EXP` | Same as `traefik.frontend.rule` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE` | Same as `traefik.frontend.whiteList.sourceRange` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy=true` | Same as `traefik.frontend.whiteList.ipStrategy` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.depth=5` | Same as `traefik.frontend.whiteList.ipStrategy.depth` |
|
|
||||||
| `traefik.<segment_name>.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | Same as `traefik.frontend.whiteList.ipStrategy.excludedIPs` |
|
|
||||||
|
|
||||||
#### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------------------|------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | overrides `traefik.frontend.headers.customRequestHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | overrides `traefik.frontend.headers.customResponseHeaders` |
|
|
||||||
|
|
||||||
#### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------------------------|--------------------------------------------------------------|
|
|
||||||
| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR` | overrides `traefik.frontend.headers.allowedHosts` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true` | overrides `traefik.frontend.headers.browserXSSFilter` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE` | overrides `traefik.frontend.headers.contentSecurityPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true` | overrides `traefik.frontend.headers.contentTypeNosniff` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE` | overrides `traefik.frontend.headers.customBrowserXSSValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | overrides `traefik.frontend.headers.customFrameOptionsValue` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false` | overrides `traefik.frontend.headers.forceSTSHeader` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.frameDeny=false` | overrides `traefik.frontend.headers.frameDeny` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR` | overrides `traefik.frontend.headers.hostsProxyHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.isDevelopment=false` | overrides `traefik.frontend.headers.isDevelopment` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.publicKey=VALUE` | overrides `traefik.frontend.headers.publicKey` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE` | overrides `traefik.frontend.headers.referrerPolicy` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLRedirect=true` | overrides `traefik.frontend.headers.SSLRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true` | overrides `traefik.frontend.headers.SSLTemporaryRedirect` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLHost=HOST` | overrides `traefik.frontend.headers.SSLHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLForceHost=true` | overrides `traefik.frontend.headers.SSLForceHost` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR` | overrides `traefik.frontend.headers.SSLProxyHeaders` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000` | overrides `traefik.frontend.headers.STSSeconds` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true` | overrides `traefik.frontend.headers.STSIncludeSubdomains` |
|
|
||||||
| `traefik.<segment_name>.frontend.headers.STSPreload=true` | overrides `traefik.frontend.headers.STSPreload` |
|
|
@ -1,92 +0,0 @@
|
|||||||
# Rest Provider
|
|
||||||
|
|
||||||
Traefik can be configured:
|
|
||||||
|
|
||||||
- using a RESTful api.
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Enable REST Provider.
|
|
||||||
[rest]
|
|
||||||
# Name of the related entry point
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
entryPoint = "traefik"
|
|
||||||
```
|
|
||||||
|
|
||||||
## API
|
|
||||||
|
|
||||||
| Path | Method | Description |
|
|
||||||
|------------------------------|--------|-----------------|
|
|
||||||
| `/api/providers/web` | `PUT` | update provider |
|
|
||||||
| `/api/providers/rest` | `PUT` | update provider |
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
For compatibility reason, when you activate the rest provider, you can use `web` or `rest` as `provider` value.
|
|
||||||
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -XPUT -d @file "http://localhost:8080/api/providers/rest"
|
|
||||||
```
|
|
||||||
|
|
||||||
with `@file`:
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"frontends": {
|
|
||||||
"frontend2": {
|
|
||||||
"routes": {
|
|
||||||
"test_2": {
|
|
||||||
"rule": "Path:/test"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backend": "backend1"
|
|
||||||
},
|
|
||||||
"frontend1": {
|
|
||||||
"routes": {
|
|
||||||
"test_1": {
|
|
||||||
"rule": "Host:test.localhost"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backend": "backend2"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backends": {
|
|
||||||
"backend2": {
|
|
||||||
"loadBalancer": {
|
|
||||||
"method": "drr"
|
|
||||||
},
|
|
||||||
"servers": {
|
|
||||||
"server2": {
|
|
||||||
"weight": 2,
|
|
||||||
"URL": "http://172.17.0.5:80"
|
|
||||||
},
|
|
||||||
"server1": {
|
|
||||||
"weight": 1,
|
|
||||||
"url": "http://172.17.0.4:80"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"backend1": {
|
|
||||||
"loadBalancer": {
|
|
||||||
"method": "wrr"
|
|
||||||
},
|
|
||||||
"circuitBreaker": {
|
|
||||||
"expression": "NetworkErrorRatio() > 0.5"
|
|
||||||
},
|
|
||||||
"servers": {
|
|
||||||
"server2": {
|
|
||||||
"weight": 1,
|
|
||||||
"url": "http://172.17.0.3:80"
|
|
||||||
},
|
|
||||||
"server1": {
|
|
||||||
"weight": 10,
|
|
||||||
"url": "http://172.17.0.2:80"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
@ -1,160 +0,0 @@
|
|||||||
# Azure Service Fabric Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Azure Service Fabric as a provider.
|
|
||||||
|
|
||||||
See [this repository for an example deployment package and further documentation.](https://aka.ms/traefikonsf)
|
|
||||||
|
|
||||||
## Azure Service Fabric
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Azure Service Fabric Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Azure Service Fabric Provider
|
|
||||||
[serviceFabric]
|
|
||||||
|
|
||||||
# Azure Service Fabric Management Endpoint
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
#
|
|
||||||
clusterManagementUrl = "https://localhost:19080"
|
|
||||||
|
|
||||||
# Azure Service Fabric Management Endpoint API Version
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "3.0"
|
|
||||||
#
|
|
||||||
apiVersion = "3.0"
|
|
||||||
|
|
||||||
# Azure Service Fabric Polling Interval (in seconds)
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: 10
|
|
||||||
#
|
|
||||||
refreshSeconds = 10
|
|
||||||
|
|
||||||
# Enable TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [serviceFabric.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/servicefabric.crt"
|
|
||||||
# key = "/etc/ssl/servicefabric.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
## Labels
|
|
||||||
|
|
||||||
The provider uses labels to configure how services are exposed through Traefik.
|
|
||||||
These can be set using Extensions and the Property Manager API
|
|
||||||
|
|
||||||
#### Extensions
|
|
||||||
|
|
||||||
Set labels with extensions through the services `ServiceManifest.xml` file.
|
|
||||||
Here is an example of an extension setting Traefik labels:
|
|
||||||
|
|
||||||
```xml
|
|
||||||
<StatelessServiceType ServiceTypeName="WebServiceType">
|
|
||||||
<Extensions>
|
|
||||||
<Extension Name="Traefik">
|
|
||||||
<Labels xmlns="http://schemas.microsoft.com/2015/03/fabact-no-schema">
|
|
||||||
<Label Key="traefik.frontend.rule.example2">PathPrefixStrip: /a/path/to/strip</Label>
|
|
||||||
<Label Key="traefik.enable">true</Label>
|
|
||||||
<Label Key="traefik.frontend.passHostHeader">true</Label>
|
|
||||||
</Labels>
|
|
||||||
</Extension>
|
|
||||||
</Extensions>
|
|
||||||
</StatelessServiceType>
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Property Manager
|
|
||||||
|
|
||||||
Set Labels with the property manager API to overwrite and add labels, while your service is running.
|
|
||||||
Here is an example of adding a frontend rule using the property manager API.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -X PUT \
|
|
||||||
'http://localhost:19080/Names/GettingStartedApplication2/WebService/$/GetProperty?api-version=6.0&IncludeValues=true' \
|
|
||||||
-d '{
|
|
||||||
"PropertyName": "traefik.frontend.rule.default",
|
|
||||||
"Value": {
|
|
||||||
"Kind": "String",
|
|
||||||
"Data": "PathPrefixStrip: /a/path/to/strip"
|
|
||||||
},
|
|
||||||
"CustomTypeId": "LabelType"
|
|
||||||
}'
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
This functionality will be released in a future version of the [sfctl](https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-lifecycle-sfctl) tool.
|
|
||||||
|
|
||||||
## Available Labels
|
|
||||||
|
|
||||||
Labels, set through extensions or the property manager, can be used on services to override default behavior.
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.enable=false` | Disable this container in Traefik |
|
|
||||||
| `traefik.backend.circuitbreaker.expression=EXPR` | Create a [circuit breaker](/basics/#backends) to be used against the backend |
|
|
||||||
| `traefik.servicefabric.groupname` | Group all services with the same name into a single backend in Traefik |
|
|
||||||
| `traefik.servicefabric.groupweight` | Set the weighting of the current services nodes in the backend group |
|
|
||||||
| `traefik.servicefabric.enablelabeloverrides` | Toggle whether labels can be overridden using the Service Fabric Property Manager API |
|
|
||||||
| `traefik.backend.healthcheck.path=/health` | Enable health check for the backend, hitting the container at `path`. |
|
|
||||||
| `traefik.backend.healthcheck.port=8080` | Allow to use a different port for the health check. |
|
|
||||||
| `traefik.backend.healthcheck.interval=5s` | Define the health check interval. |
|
|
||||||
| `traefik.backend.healthcheck.timeout=3s` | Define the health check request timeout. |
|
|
||||||
| `traefik.backend.healthcheck.hostname=foobar.com` | Define the health check hostname. |
|
|
||||||
| `traefik.backend.healthcheck.headers=EXPR` | Define the health check request headers <br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.backend.loadbalancer.method=drr` | Override the default `wrr` load balancer algorithm |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness=true` | Enable backend sticky sessions |
|
|
||||||
| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions |
|
|
||||||
| `traefik.backend.maxconn.amount=10` | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect. |
|
|
||||||
| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
|
|
||||||
| `traefik.backend.weight=10` | Assign this weight to the container |
|
|
||||||
| `traefik.frontend.auth.basic=EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash` |
|
|
||||||
| `traefik.frontend.entryPoints=http,https` | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints` |
|
|
||||||
| `traefik.frontend.passHostHeader=true` | Forward client `Host` header to the backend. |
|
|
||||||
| `traefik.frontend.passTLSCert=true` | Forward TLS Client certificates to the backend. |
|
|
||||||
| `traefik.frontend.priority=10` | Override default frontend priority |
|
|
||||||
| `traefik.frontend.redirect.entryPoint=https` | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS) |
|
|
||||||
| `traefik.frontend.redirect.regex=^http://localhost/(.*)` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
|
|
||||||
| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`. |
|
|
||||||
| `traefik.frontend.redirect.permanent=true` | Return 301 instead of 302. |
|
|
||||||
| `traefik.frontend.rule=EXPR` | Override the default frontend rule. Defaults to SF address. |
|
|
||||||
| `traefik.frontend.whiteList.sourceRange=RANGE` | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy=true` | Uses the default IPStrategy.<br>Can be used when there is an existing `clientIPStrategy` but you want the remote address for whitelisting. |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.depth=5` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
| `traefik.frontend.whiteList.ipStrategy.excludedIPs=127.0.0.1` | See [whitelist](/configuration/entrypoints/#white-listing) |
|
|
||||||
|
|
||||||
### Custom Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
|
|
||||||
### Security Headers
|
|
||||||
|
|
||||||
| Label | Description |
|
|
||||||
|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
||||||
| `traefik.frontend.headers.allowedHosts=EXPR` | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2` |
|
|
||||||
| `traefik.frontend.headers.hostsProxyHeaders=EXPR ` | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2` |
|
|
||||||
| `traefik.frontend.headers.SSLRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent. |
|
|
||||||
| `traefik.frontend.headers.SSLTemporaryRedirect=true` | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301. |
|
|
||||||
| `traefik.frontend.headers.SSLHost=HOST` | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request. |
|
|
||||||
| `traefik.frontend.headers.SSLProxyHeaders=EXPR` | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format: <code>HEADER:value||HEADER2:value2</code> |
|
|
||||||
| `traefik.frontend.headers.STSSeconds=315360000` | Sets the max-age of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSIncludeSubdomains=true` | Adds the `IncludeSubdomains` section of the STS header. |
|
|
||||||
| `traefik.frontend.headers.STSPreload=true` | Adds the preload flag to the STS header. |
|
|
||||||
| `traefik.frontend.headers.forceSTSHeader=false` | Adds the STS header to non-SSL requests. |
|
|
||||||
| `traefik.frontend.headers.frameDeny=false` | Adds the `X-Frame-Options` header with the value of `DENY`. |
|
|
||||||
| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
|
|
||||||
| `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
|
|
||||||
| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
|
|
||||||
| `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
|
|
||||||
| `traefik.frontend.headers.publicKey=VALUE` | Adds HPKP header. |
|
|
||||||
| `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
|
|
||||||
| `traefik.frontend.headers.isDevelopment=false` | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
|
|
@ -1,61 +0,0 @@
|
|||||||
# Zookeeper Provider
|
|
||||||
|
|
||||||
Traefik can be configured to use Zookeeper as a provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
################################################################
|
|
||||||
# Zookeeper Provider
|
|
||||||
################################################################
|
|
||||||
|
|
||||||
# Enable Zookeeper Provider.
|
|
||||||
[zookeeper]
|
|
||||||
|
|
||||||
# Zookeeper server endpoint.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "127.0.0.1:2181"
|
|
||||||
#
|
|
||||||
endpoint = "127.0.0.1:2181"
|
|
||||||
|
|
||||||
# Enable watch Zookeeper changes.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
watch = true
|
|
||||||
|
|
||||||
# Prefix used for KV store.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
prefix = "traefik"
|
|
||||||
|
|
||||||
# Override default configuration template.
|
|
||||||
# For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# filename = "zookeeper.tmpl"
|
|
||||||
|
|
||||||
# Use Zookeeper user/pass authentication.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# username = foo
|
|
||||||
# password = bar
|
|
||||||
|
|
||||||
# Enable Zookeeper TLS connection.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
#
|
|
||||||
# [zookeeper.tls]
|
|
||||||
# ca = "/etc/ssl/ca.crt"
|
|
||||||
# cert = "/etc/ssl/zookeeper.crt"
|
|
||||||
# key = "/etc/ssl/zookeeper.key"
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
|
|
||||||
|
|
||||||
Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
|
|
@ -1,306 +0,0 @@
|
|||||||
# Global Configuration
|
|
||||||
|
|
||||||
## Main Section
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Enable debug mode.
|
|
||||||
# This will install HTTP handlers to expose Go expvars under /debug/vars and
|
|
||||||
# pprof profiling data under /debug/pprof/.
|
|
||||||
# The log level will be set to DEBUG unless `logLevel` is specified.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# debug = true
|
|
||||||
|
|
||||||
# Periodically check if a new version has been released.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: true
|
|
||||||
#
|
|
||||||
# checkNewVersion = false
|
|
||||||
|
|
||||||
# Tells traefik whether it should keep the trailing slashes in the paths (e.g. /paths/) or redirect to the no trailing slash paths instead (/paths).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# keepTrailingSlash = false
|
|
||||||
|
|
||||||
# Providers throttle duration.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "2s"
|
|
||||||
#
|
|
||||||
# providersThrottleDuration = "2s"
|
|
||||||
|
|
||||||
# Controls the maximum idle (keep-alive) connections to keep per-host.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 200
|
|
||||||
#
|
|
||||||
# maxIdleConnsPerHost = 200
|
|
||||||
|
|
||||||
# If set to true invalid SSL certificates are accepted for backends.
|
|
||||||
# This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
# insecureSkipVerify = true
|
|
||||||
|
|
||||||
# Register Certificates in the rootCA.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: []
|
|
||||||
#
|
|
||||||
# rootCAs = [ "/mycert.cert" ]
|
|
||||||
|
|
||||||
# Entrypoints to be used by frontends that do not specify any entrypoint.
|
|
||||||
# Each frontend can specify its own entrypoints.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ["http"]
|
|
||||||
#
|
|
||||||
# defaultEntryPoints = ["http", "https"]
|
|
||||||
```
|
|
||||||
|
|
||||||
- `providersThrottleDuration`: Providers throttle duration: minimum duration in seconds between 2 events from providers before applying a new configuration.
|
|
||||||
It avoids unnecessary reloads if multiples events are sent in a short amount of time.
|
|
||||||
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
If no units are provided, the value is parsed assuming seconds.
|
|
||||||
|
|
||||||
- `maxIdleConnsPerHost`: Controls the maximum idle (keep-alive) connections to keep per-host.
|
|
||||||
If zero, `DefaultMaxIdleConnsPerHost` from the Go standard library net/http module is used.
|
|
||||||
If you encounter 'too many open files' errors, you can either increase this value or change the `ulimit`.
|
|
||||||
|
|
||||||
- `insecureSkipVerify` : If set to true invalid SSL certificates are accepted for backends.
|
|
||||||
**Note:** This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
|
|
||||||
|
|
||||||
- `rootCAs`: Register Certificates in the RootCA. This certificates will be use for backends calls.
|
|
||||||
**Note** You can use file path or cert content directly
|
|
||||||
|
|
||||||
- `defaultEntryPoints`: Entrypoints to be used by frontends that do not specify any entrypoint.
|
|
||||||
Each frontend can specify its own entrypoints.
|
|
||||||
|
|
||||||
- `keepTrailingSlash`: Tells Traefik whether it should keep the trailing slashes that might be present in the paths of incoming requests (true), or if it should redirect to the slashless version of the URL (default behavior: false)
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Beware that the value of `keepTrailingSlash` can have a significant impact on the way your frontend rules are interpreted.
|
|
||||||
The table below tries to sum up several behaviors depending on requests/configurations.
|
|
||||||
The current default behavior is deprecated and kept for compatibility reasons.
|
|
||||||
As a consequence, we encourage you to set `keepTrailingSlash` to true.
|
|
||||||
|
|
||||||
| Incoming request | keepTrailingSlash | Path:{value} | Behavior
|
|
||||||
|----------------------|-------------------|--------------|----------------------------|
|
|
||||||
| http://foo.com/path/ | false | Path:/path/ | Proceeds with the request |
|
|
||||||
| http://foo.com/path/ | false | Path:/path | 301 to http://foo.com/path |
|
|
||||||
| http://foo.com/path | false | Path:/path/ | Proceeds with the request |
|
|
||||||
| http://foo.com/path | false | Path:/path | Proceeds with the request |
|
|
||||||
| http://foo.com/path/ | true | Path:/path/ | Proceeds with the request |
|
|
||||||
| http://foo.com/path/ | true | Path:/path | 404 |
|
|
||||||
| http://foo.com/path | true | Path:/path/ | 404 |
|
|
||||||
| http://foo.com/path | true | Path:/path | Proceeds with the request |
|
|
||||||
|
|
||||||
|
|
||||||
## Life Cycle
|
|
||||||
|
|
||||||
Controls the behavior of Traefik during the shutdown phase.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[lifeCycle]
|
|
||||||
|
|
||||||
# Duration to keep accepting requests prior to initiating the graceful
|
|
||||||
# termination period (as defined by the `graceTimeOut` option). This
|
|
||||||
# option is meant to give downstream load-balancers sufficient time to
|
|
||||||
# take Traefik out of rotation.
|
|
||||||
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
# If no units are provided, the value is parsed assuming seconds.
|
|
||||||
# The zero duration disables the request accepting grace period, i.e.,
|
|
||||||
# Traefik will immediately proceed to the grace period.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: 0
|
|
||||||
#
|
|
||||||
# requestAcceptGraceTimeout = "10s"
|
|
||||||
|
|
||||||
# Duration to give active requests a chance to finish before Traefik stops.
|
|
||||||
# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
# If no units are provided, the value is parsed assuming seconds.
|
|
||||||
# Note: in this time frame no new requests are accepted.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "10s"
|
|
||||||
#
|
|
||||||
# graceTimeOut = "10s"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Timeouts
|
|
||||||
|
|
||||||
### Responding Timeouts
|
|
||||||
|
|
||||||
`respondingTimeouts` are timeouts for incoming requests to the Traefik instance.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[respondingTimeouts]
|
|
||||||
|
|
||||||
# readTimeout is the maximum duration for reading the entire request, including the body.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "0s"
|
|
||||||
#
|
|
||||||
# readTimeout = "5s"
|
|
||||||
|
|
||||||
# writeTimeout is the maximum duration before timing out writes of the response.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "0s"
|
|
||||||
#
|
|
||||||
# writeTimeout = "5s"
|
|
||||||
|
|
||||||
# idleTimeout is the maximum duration an idle (keep-alive) connection will remain idle before closing itself.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "180s"
|
|
||||||
#
|
|
||||||
# idleTimeout = "360s"
|
|
||||||
```
|
|
||||||
|
|
||||||
- `readTimeout` is the maximum duration for reading the entire request, including the body.
|
|
||||||
If zero, no timeout exists.
|
|
||||||
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
If no units are provided, the value is parsed assuming seconds.
|
|
||||||
|
|
||||||
- `writeTimeout` is the maximum duration before timing out writes of the response.
|
|
||||||
It covers the time from the end of the request header read to the end of the response write.
|
|
||||||
If zero, no timeout exists.
|
|
||||||
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
If no units are provided, the value is parsed assuming seconds.
|
|
||||||
|
|
||||||
- `idleTimeout` is the maximum duration an idle (keep-alive) connection will remain idle before closing itself.
|
|
||||||
If zero, no timeout exists.
|
|
||||||
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
If no units are provided, the value is parsed assuming seconds.
|
|
||||||
|
|
||||||
### Forwarding Timeouts
|
|
||||||
|
|
||||||
`forwardingTimeouts` are timeouts for requests forwarded to the backend servers.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[forwardingTimeouts]
|
|
||||||
|
|
||||||
# dialTimeout is the amount of time to wait until a connection to a backend server can be established.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "30s"
|
|
||||||
#
|
|
||||||
# dialTimeout = "30s"
|
|
||||||
|
|
||||||
# responseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "0s"
|
|
||||||
#
|
|
||||||
# responseHeaderTimeout = "0s"
|
|
||||||
```
|
|
||||||
|
|
||||||
- `dialTimeout` is the amount of time to wait until a connection to a backend server can be established.
|
|
||||||
If zero, no timeout exists.
|
|
||||||
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
If no units are provided, the value is parsed assuming seconds.
|
|
||||||
|
|
||||||
- `responseHeaderTimeout` is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
|
|
||||||
If zero, no timeout exists.
|
|
||||||
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
|
|
||||||
If no units are provided, the value is parsed assuming seconds.
|
|
||||||
|
|
||||||
## Host Resolver
|
|
||||||
|
|
||||||
`hostResolver` are used for request host matching process.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[hostResolver]
|
|
||||||
|
|
||||||
# cnameFlattening is a trigger to flatten request host, assuming it is a CNAME record
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default : false
|
|
||||||
#
|
|
||||||
cnameFlattening = true
|
|
||||||
|
|
||||||
# resolvConf is dns resolving configuration file, the default is /etc/resolv.conf
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default : "/etc/resolv.conf"
|
|
||||||
#
|
|
||||||
# resolvConf = "/etc/resolv.conf"
|
|
||||||
|
|
||||||
# resolvDepth is the maximum CNAME recursive lookup
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default : 5
|
|
||||||
#
|
|
||||||
# resolvDepth = 5
|
|
||||||
```
|
|
||||||
|
|
||||||
- To allow serving secure https request and generate the SSL using ACME while `cnameFlattening` is active.
|
|
||||||
The `acme` configuration for `HTTP-01` challenge and `onDemand` is mandatory.
|
|
||||||
Refer to [ACME configuration](/configuration/acme) for more information.
|
|
||||||
|
|
||||||
## Override Default Configuration Template
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
For advanced users only.
|
|
||||||
|
|
||||||
Supported by all providers except: File Provider, Rest Provider and DynamoDB Provider.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[provider_name]
|
|
||||||
|
|
||||||
# Override default provider configuration template. For advanced users :)
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ""
|
|
||||||
#
|
|
||||||
filename = "custom_config_template.tpml"
|
|
||||||
|
|
||||||
# Enable debug logging of generated configuration template.
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: false
|
|
||||||
#
|
|
||||||
debugLogGeneratedTemplate = true
|
|
||||||
```
|
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[marathon]
|
|
||||||
filename = "my_custom_config_template.tpml"
|
|
||||||
```
|
|
||||||
|
|
||||||
The template files can be written using functions provided by:
|
|
||||||
|
|
||||||
- [go template](https://golang.org/pkg/text/template/)
|
|
||||||
- [sprig library](https://masterminds.github.io/sprig/)
|
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
```tmpl
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
url = "http://firstserver"
|
|
||||||
[backends.backend2]
|
|
||||||
url = "http://secondserver"
|
|
||||||
|
|
||||||
{{$frontends := dict "frontend1" "backend1" "frontend2" "backend2"}}
|
|
||||||
[frontends]
|
|
||||||
{{range $frontend, $backend := $frontends}}
|
|
||||||
[frontends.{{$frontend}}]
|
|
||||||
backend = "{{$backend}}"
|
|
||||||
{{end}}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using ping for an external Load-balancer rotation health check
|
|
||||||
|
|
||||||
If you are running Traefik behind an external Load-balancer, and want to configure rotation health check on the Load-balancer to take a Traefik instance out of rotation gracefully, you can configure [lifecycle.requestAcceptGraceTimeout](/configuration/commons.md#life-cycle) and the ping endpoint will return `503` response on traefik server termination, so that the Load-balancer can take the terminating traefik instance out of rotation, before it stops responding.
|
|
Before Width: | Height: | Size: 354 KiB |
Before Width: | Height: | Size: 100 KiB |
Before Width: | Height: | Size: 186 KiB |
Before Width: | Height: | Size: 323 KiB |
@ -1,172 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
||||||
<svg
|
|
||||||
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
|
||||||
xmlns:cc="http://creativecommons.org/ns#"
|
|
||||||
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
|
||||||
xmlns:svg="http://www.w3.org/2000/svg"
|
|
||||||
xmlns="http://www.w3.org/2000/svg"
|
|
||||||
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
|
|
||||||
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
|
|
||||||
width="337.37802"
|
|
||||||
height="107.921"
|
|
||||||
id="svg2"
|
|
||||||
version="1.1"
|
|
||||||
inkscape:version="0.48.4 r9939"
|
|
||||||
sodipodi:docname="letsencrypt-logo-horizontal.svg">
|
|
||||||
<metadata
|
|
||||||
id="metadata37">
|
|
||||||
<rdf:RDF>
|
|
||||||
<cc:Work
|
|
||||||
rdf:about="">
|
|
||||||
<dc:format>image/svg+xml</dc:format>
|
|
||||||
<dc:type
|
|
||||||
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
|
|
||||||
</cc:Work>
|
|
||||||
</rdf:RDF>
|
|
||||||
</metadata>
|
|
||||||
<defs
|
|
||||||
id="defs35" />
|
|
||||||
<sodipodi:namedview
|
|
||||||
pagecolor="#ffffff"
|
|
||||||
bordercolor="#666666"
|
|
||||||
borderopacity="1"
|
|
||||||
objecttolerance="10"
|
|
||||||
gridtolerance="10"
|
|
||||||
guidetolerance="10"
|
|
||||||
inkscape:pageopacity="0"
|
|
||||||
inkscape:pageshadow="2"
|
|
||||||
inkscape:window-width="640"
|
|
||||||
inkscape:window-height="480"
|
|
||||||
id="namedview33"
|
|
||||||
showgrid="false"
|
|
||||||
fit-margin-bottom="30"
|
|
||||||
fit-margin-top="0"
|
|
||||||
fit-margin-left="0"
|
|
||||||
fit-margin-right="0"
|
|
||||||
inkscape:zoom="0.72861357"
|
|
||||||
inkscape:cx="168.57"
|
|
||||||
inkscape:cy="69.027001"
|
|
||||||
inkscape:window-x="0"
|
|
||||||
inkscape:window-y="30"
|
|
||||||
inkscape:window-maximized="0"
|
|
||||||
inkscape:current-layer="svg2" />
|
|
||||||
<g
|
|
||||||
id="g4"
|
|
||||||
transform="translate(-0.930001,-1.606)">
|
|
||||||
<title
|
|
||||||
id="title6">Layer 1</title>
|
|
||||||
<g
|
|
||||||
id="svg_1">
|
|
||||||
<g
|
|
||||||
id="svg_2">
|
|
||||||
<g
|
|
||||||
id="svg_3">
|
|
||||||
<path
|
|
||||||
id="svg_4"
|
|
||||||
d="m 76.621002,68.878998 0,-31.406998 7.629997,0 0,24.796997 12.153999,0 0,6.609001 -19.783997,0 0,9.99e-4 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_5"
|
|
||||||
d="m 121.547,58.098999 c 0,0.295998 0,0.592003 0,0.888 0,0.295997 -0.015,0.576004 -0.044,0.843002 l -16.01301,0 c 0.059,0.620995 0.244,1.182999 0.555,1.685997 0.311,0.502998 0.71,0.938004 1.197,1.308998 0.488,0.370003 1.035,0.658005 1.642,0.864006 0.605,0.208 1.234,0.310997 1.885,0.310997 1.153,0 2.13,-0.213997 2.928,-0.642998 0.799,-0.429001 1.449,-0.983002 1.952,-1.664001 l 5.05699,3.194 c -1.03498,1.507996 -2.40199,2.668999 -4.10299,3.482002 -1.701,0.811996 -3.676,1.219994 -5.922,1.219994 -1.657,0 -3.224,-0.259995 -4.702,-0.775993 -1.479,-0.518005 -2.772,-1.271004 -3.882,-2.263 -1.108,-0.990005 -1.981,-2.210007 -2.616996,-3.659004 -0.635994,-1.448997 -0.953003,-3.104996 -0.953003,-4.969002 0,-1.802994 0.309998,-3.437996 0.931,-4.900997 0.620999,-1.463001 1.463999,-2.706001 2.528999,-3.726002 1.064,-1.021 2.32,-1.811996 3.771,-2.373997 1.448,-0.561001 3.016,-0.843002 4.701,-0.843002 1.626,0 3.12,0.274002 4.48,0.820999 1.36,0.546997 2.528,1.338001 3.505,2.373001 0.976,1.035 1.73599,2.292 2.284,3.771 0.546,1.478001 0.819,3.165001 0.819,5.056 z m -6.698,-2.794998 c 0,-1.153 -0.362,-2.144001 -1.087,-2.972 -0.725,-0.827 -1.812,-1.242001 -3.26,-1.242001 -0.71,0 -1.36,0.111 -1.952,0.333 -0.59199,0.222 -1.108,0.525002 -1.553,0.909 -0.443,0.384998 -0.798,0.835999 -1.064,1.354 -0.266,0.517998 -0.414,1.057999 -0.443,1.618 l 9.359,0 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_6"
|
|
||||||
d="m 133.168,52.200001 0,8.461002 c 0,1.038994 0.2,1.816994 0.60001,2.337997 0.39799,0.519997 1.11499,0.778 2.151,0.778 0.35399,0 0.73098,-0.028 1.13099,-0.089 0.39901,-0.05901 0.73101,-0.147003 0.998,-0.266006 l 0.089,5.323006 c -0.50299,0.176994 -1.13899,0.332001 -1.90699,0.465996 -0.76999,0.133003 -1.538,0.199005 -2.307,0.199005 -1.479,0 -2.722,-0.186005 -3.727,-0.556007 C 129.19,68.484002 128.384,67.949998 127.77901,67.252 127.172,66.556001 126.73599,65.725999 126.47,64.762002 126.203,63.799005 126.071,62.724 126.071,61.538003 l 0,-9.338001 -3.549,0 0,-5.412003 3.504,0 0,-5.810997 7.142,0 0,5.810997 5.19,0 0,5.412003 -5.19,0 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_7"
|
|
||||||
d="m 161.91299,53.307999 c -0.59201,-0.560997 -1.28601,-1.034 -2.085,-1.418999 -0.79801,-0.383999 -1.64099,-0.577 -2.528,-0.577 -0.681,0 -1.30899,0.133999 -1.885,0.398998 -0.57699,0.267002 -0.865,0.726002 -0.865,1.375 0,0.621002 0.317,1.064003 0.953,1.331001 0.636,0.266998 1.664,0.562 3.08299,0.887001 0.82801,0.177998 1.664,0.43 2.50701,0.754997 0.843,0.324997 1.604,0.754005 2.28399,1.286003 0.68001,0.531998 1.22701,1.182999 1.64202,1.951996 0.41299,0.769005 0.62098,1.686005 0.62098,2.75 0,1.391006 -0.28099,2.565002 -0.84298,3.526001 -0.56201,0.960999 -1.29401,1.737 -2.19602,2.329002 -0.902,0.592002 -1.91499,1.019997 -3.03799,1.286003 -1.12399,0.266998 -2.248,0.398994 -3.371,0.398994 -1.80499,0 -3.571,-0.287994 -5.302,-0.864998 C 149.161,68.146002 147.719,67.294996 146.566,66.170995 l 4.08099,-4.303001 c 0.649,0.710007 1.448,1.302002 2.395,1.774002 0.946,0.473999 1.952,0.709999 3.017,0.709999 0.592,0 1.176,-0.140999 1.752,-0.421997 0.577,-0.279999 0.86501,-0.776001 0.86501,-1.485001 0,-0.681 -0.35401,-1.182999 -1.06401,-1.509003 -0.71,-0.324997 -1.818,-0.664993 -3.327,-1.020996 -0.769,-0.177002 -1.53799,-0.413002 -2.30699,-0.709 -0.77001,-0.295998 -1.457,-0.694 -2.06202,-1.197998 -0.60598,-0.502007 -1.10199,-1.123001 -1.48599,-1.863007 -0.384,-0.737995 -0.576,-1.625996 -0.576,-2.660995 0,-1.331001 0.28,-2.462002 0.843,-3.394001 0.562,-0.931999 1.286,-1.692001 2.174,-2.284 0.88701,-0.591999 1.87001,-1.027 2.949,-1.308998 1.079,-0.281998 2.151,-0.422001 3.217,-0.422001 1.655,0 3.274,0.259998 4.856,0.776001 1.582,0.517998 2.921,1.293999 4.015,2.328999 l -3.995,4.127998 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_8"
|
|
||||||
d="m 179.56799,68.878998 0,-31.406998 21.114,0 0,6.388 -13.795,0 0,5.944 13.041,0 0,6.077 -13.041,0 0,6.521 14.594,0 0,6.476997 -21.913,0 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_9"
|
|
||||||
d="m 220.675,68.878998 0,-12.065994 c 0,-0.621002 -0.053,-1.212002 -0.155,-1.774002 -0.104,-0.562 -0.274,-1.057003 -0.511,-1.486 -0.237,-0.428001 -0.569,-0.769001 -0.998,-1.021 -0.429,-0.25 -0.96899,-0.377003 -1.619,-0.377003 -0.65001,0 -1.22,0.127003 -1.70799,0.377003 -0.487,0.251999 -0.89501,0.599998 -1.22001,1.042999 -0.32499,0.443001 -0.569,0.953999 -0.731,1.529999 -0.16299,0.577 -0.244,1.175999 -0.244,1.797001 l 0,11.976997 -7.319,0 0,-22.091 7.05301,0 0,3.061001 0.089,0 c 0.26699,-0.473 0.613,-0.938 1.043,-1.396 0.428,-0.459 0.932,-0.850998 1.50801,-1.175999 0.57699,-0.325001 1.20498,-0.591999 1.88598,-0.799 0.68001,-0.206001 1.40401,-0.311001 2.17301,-0.311001 1.479,0 2.735,0.266998 3.77099,0.799 1.036,0.532002 1.87001,1.220001 2.50701,2.062 0.636,0.842999 1.09401,1.812 1.375,2.904999 0.28,1.095001 0.421,2.189003 0.421,3.283001 l 0,13.661999 -7.321,0 0,9.99e-4 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_10"
|
|
||||||
d="m 246.71301,53.929001 c -0.41501,-0.532001 -0.977,-0.959999 -1.686,-1.285999 -0.70999,-0.325001 -1.43601,-0.488003 -2.174,-0.488003 -0.77,0 -1.464,0.155003 -2.085,0.466 -0.62101,0.310997 -1.153,0.726002 -1.59701,1.242001 -0.44299,0.518002 -0.79199,1.117001 -1.04299,1.797001 -0.251,0.681004 -0.377,1.404003 -0.377,2.174 0,0.768997 0.11799,1.493004 0.35499,2.173004 0.23601,0.681 0.58301,1.279999 1.04201,1.796997 0.45799,0.517998 1.005,0.924995 1.642,1.220001 0.636,0.295998 1.35299,0.443001 2.151,0.443001 0.73801,0 1.47099,-0.139999 2.19501,-0.421005 0.72401,-0.281006 1.30899,-0.687996 1.75198,-1.220001 l 4.03702,4.924004 c -0.91703,0.887001 -2.10102,1.582001 -3.54901,2.084999 -1.44899,0.501999 -2.987,0.753998 -4.61299,0.753998 -1.74501,0 -3.37401,-0.266998 -4.88701,-0.798996 -1.512,-0.531998 -2.82601,-1.308998 -3.941,-2.329002 -1.11599,-1.019997 -1.99299,-2.253998 -2.63299,-3.702995 -0.64,-1.448997 -0.959,-3.090004 -0.959,-4.924004 0,-1.804001 0.31898,-3.431 0.959,-4.880001 0.64,-1.447998 1.51699,-2.683998 2.63299,-3.703999 1.11499,-1.021 2.43,-1.804001 3.941,-2.351002 1.513,-0.546997 3.127,-0.820999 4.843,-0.820999 0.798,0 1.589,0.074 2.373,0.223 0.783,0.147003 1.53699,0.348 2.26199,0.599003 0.72501,0.251003 1.39002,0.562 1.996,0.931999 0.60599,0.369999 1.13202,0.776001 1.57502,1.219997 l -4.21201,4.877003 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_11"
|
|
||||||
d="m 268.03201,52.776001 c -0.32599,-0.089 -0.64401,-0.146999 -0.95401,-0.177002 -0.30999,-0.03 -0.61398,-0.045 -0.90899,-0.045 -0.97599,0 -1.797,0.177998 -2.46201,0.530998 -0.66498,0.354 -1.19699,0.781002 -1.59698,1.283001 -0.39902,0.500999 -0.68802,1.047001 -0.86503,1.636997 -0.177,0.589996 -0.26599,1.105003 -0.26599,1.548004 l 0,11.324997 -7.27499,0 0,-22.063999 7.009,0 0,3.194 0.089,0 c 0.56201,-1.132 1.35901,-2.055 2.396,-2.77 1.03402,-0.715 2.23202,-1.071999 3.59302,-1.071999 0.29498,0 0.58398,0.016 0.86499,0.045 0.27999,0.029 0.51001,0.074 0.68801,0.133003 L 268.03201,52.776 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_12"
|
|
||||||
d="m 285.12201,72.206001 c -0.44299,1.153 -0.939,2.181 -1.48599,3.083 -0.547,0.901001 -1.19702,1.669998 -1.95102,2.306999 -0.754,0.636002 -1.642,1.114998 -2.66199,1.441002 -1.01999,0.324997 -2.22601,0.487999 -3.61499,0.487999 -0.681,0 -1.38299,-0.045 -2.10602,-0.134003 -0.72598,-0.089 -1.354,-0.207001 -1.88598,-0.353996 L 272.215,72.916 c 0.354,0.116997 0.746,0.213997 1.17602,0.288002 0.42798,0.073 0.81998,0.110001 1.17499,0.110001 1.12399,0 1.93701,-0.259003 2.44,-0.776001 0.50199,-0.518005 0.931,-1.249001 1.28601,-2.195 l 0.70999,-1.818001 -9.22699,-21.736 8.073,0 4.92398,14.195 0.133,0 4.392,-14.195 7.71802,0 -9.89301,25.417 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_13"
|
|
||||||
d="m 321.496,57.745003 c 0,1.537994 -0.237,3.016998 -0.70999,4.435997 -0.474,1.419998 -1.16101,2.668999 -2.06201,3.748001 -0.90201,1.080002 -2.004,1.945 -3.30499,2.596001 -1.30201,0.649002 -2.78,0.975998 -4.43702,0.975998 -1.35998,0 -2.64599,-0.273003 -3.85901,-0.82 -1.21301,-0.546997 -2.15799,-1.293999 -2.83898,-2.239998 l -0.088,0 0,13.085999 -7.27502,0 0,-32.739002 6.92001,0 0,2.706001 0.133,0 c 0.681,-0.887001 1.61899,-1.662998 2.81698,-2.328999 C 307.98801,46.5 309.39999,46.167 311.02701,46.167 c 1.59698,0 3.04498,0.311001 4.34698,0.931999 1.301,0.621002 2.40201,1.464001 3.305,2.528 0.90298,1.063999 1.59701,2.299999 2.08502,3.704002 0.488,1.404999 0.73199,2.876999 0.73199,4.414001 z m -7.05301,0 c 0,-0.709999 -0.11001,-1.403999 -0.332,-2.085003 -0.22201,-0.68 -0.548,-1.278999 -0.97699,-1.797001 -0.42901,-0.516998 -0.96902,-0.938 -1.61902,-1.264 -0.64999,-0.326 -1.40399,-0.487999 -2.26199,-0.487999 -0.828,0 -1.56799,0.162998 -2.21799,0.487999 -0.651,0.325001 -1.20602,0.754002 -1.664,1.285999 -0.45901,0.532001 -0.81302,1.139 -1.06402,1.818001 -0.25199,0.681004 -0.37699,1.375004 -0.37699,2.085003 0,0.709999 0.125,1.404999 0.37699,2.084999 0.251,0.681 0.60501,1.285995 1.06402,1.818001 0.45798,0.531998 1.013,0.961998 1.664,1.286995 0.64899,0.325005 1.38999,0.487 2.21799,0.487 0.85699,0 1.61099,-0.161995 2.26199,-0.487 0.651,-0.325005 1.19001,-0.754997 1.61902,-1.286995 0.42902,-0.531998 0.75498,-1.146004 0.97699,-1.841003 0.22101,-0.693001 0.332,-1.394997 0.332,-2.104996 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_14"
|
|
||||||
d="m 333.11801,52.200001 0,8.461002 c 0,1.038994 0.20001,1.816994 0.60001,2.337997 0.39798,0.519997 1.11499,0.778 2.151,0.778 0.354,0 0.73099,-0.028 1.13098,-0.089 0.39902,-0.05901 0.73102,-0.147003 0.99802,-0.266006 l 0.089,5.323006 c -0.50299,0.176994 -1.139,0.332001 -1.90698,0.465996 -0.77002,0.133003 -1.53802,0.199005 -2.307,0.199005 -1.47901,0 -2.72202,-0.186005 -3.72702,-0.556007 -1.00599,-0.369995 -1.81199,-0.903999 -2.417,-1.601997 -0.60699,-0.695999 -1.043,-1.526001 -1.30899,-2.489998 C 326.15302,63.799005 326.021,62.724 326.021,61.538003 l 0,-9.338001 -3.54898,0 0,-5.412003 3.50399,0 0,-5.810997 7.142,0 0,5.810997 5.19,0 0,5.412003 -5.19,0 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
<path
|
|
||||||
id="svg_15"
|
|
||||||
d="m 145.00999,36.869999 c -2.18299,0 -3.89199,1.573002 -3.89199,3.582001 0,2.116001 1.43899,3.536999 3.582,3.536999 0.183,0 0.35599,-0.017 0.51899,-0.05 -0.343,1.566002 -1.852,2.690002 -3.27799,2.915001 l -0.29001,0.046 0,3.376999 0.376,-0.036 c 1.73,-0.165001 3.439,-0.951 4.691,-2.157001 1.632,-1.572998 2.49501,-3.843998 2.49501,-6.568001 0,-2.691998 -1.76799,-4.646 -4.20301,-4.646 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
</g>
|
|
||||||
<g
|
|
||||||
id="svg_16">
|
|
||||||
<path
|
|
||||||
id="svg_17"
|
|
||||||
d="m 46.488998,37.568001 -8.039997,0 0,-4.128002 c 0,-3.296997 -2.683002,-5.979 -5.98,-5.979 -3.297001,0 -5.979,2.683002 -5.979,5.979 l 0,4.128002 -8.040001,0 0,-4.128002 c 0,-7.73 6.288998,-14.019999 14.02,-14.019999 7.731002,0 14.02,6.289 14.02,14.019999 l 0,4.128002 -0.001,0 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#f9a11d" />
|
|
||||||
</g>
|
|
||||||
<path
|
|
||||||
id="svg_18"
|
|
||||||
d="m 49.731998,37.568001 -34.524998,0 c -1.474001,0 -2.68,1.205997 -2.68,2.68 l 0,25.540001 c 0,1.473999 1.205999,2.68 2.68,2.68 l 34.524998,0 c 1.474003,0 2.68,-1.206001 2.68,-2.68 l 0,-25.540001 c 0,-1.474003 -1.205997,-2.68 -2.68,-2.68 z m -15.512997,16.769001 0,3.460995 c 0,0.966003 -0.784,1.749001 -1.749001,1.749001 -0.965001,0 -1.749001,-0.783997 -1.749001,-1.749001 l 0,-3.459995 c -1.076,-0.611 -1.803001,-1.764 -1.803001,-3.09 0,-1.962002 1.591,-3.552002 3.552002,-3.552002 1.961998,0 3.551998,1.591 3.551998,3.552002 0,1.325001 -0.727001,2.478001 -1.802998,3.089001 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#2c3c69" />
|
|
||||||
<path
|
|
||||||
id="svg_19"
|
|
||||||
d="m 11.707001,33.759998 -8.331,0 c -1.351001,0 -2.446,-1.094997 -2.446,-2.445999 0,-1.351002 1.094999,-2.445999 2.446,-2.445999 l 8.331,0 c 1.351,0 2.445999,1.095001 2.445999,2.445999 0,1.350998 -1.096001,2.445999 -2.445999,2.445999 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#f9a11d" />
|
|
||||||
<path
|
|
||||||
id="svg_20"
|
|
||||||
d="m 17.575001,20.655001 c -0.546001,0 -1.097,-0.182001 -1.552,-0.557001 l -6.59,-5.418999 C 8.39,13.820999 8.239001,12.280001 9.098,11.236 9.956,10.193001 11.497,10.042 12.541001,10.9 l 6.59,5.419001 c 1.042999,0.858 1.194,2.399 0.334999,3.442999 -0.483,0.589001 -1.184,0.893002 -1.890999,0.893002 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#f9a11d" />
|
|
||||||
<path
|
|
||||||
id="svg_21"
|
|
||||||
d="m 32.469002,14.895 c -1.351002,0 -2.446003,-1.095001 -2.446003,-2.446001 l 0,-8.396999 c 0,-1.351 1.095001,-2.446 2.446003,-2.446 1.351002,0 2.445999,1.095 2.445999,2.446 l 0,8.396999 c 0,1.351 -1.095001,2.446001 -2.445999,2.446001 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#f9a11d" />
|
|
||||||
<g
|
|
||||||
id="svg_22">
|
|
||||||
<g
|
|
||||||
id="svg_23">
|
|
||||||
<path
|
|
||||||
id="svg_24"
|
|
||||||
d="M 47.362999,20.655001 C 46.655998,20.655001 45.956001,20.351 45.472,19.761999 44.613998,18.719 44.764,17.177 45.806999,16.319 l 6.59,-5.419001 c 1.044003,-0.858 2.585003,-0.706999 3.442997,0.336 0.858002,1.042999 0.708,2.584999 -0.334999,3.443001 l -6.589996,5.418999 C 48.459999,20.472999 47.91,20.655 47.362999,20.655 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#f9a11d" />
|
|
||||||
</g>
|
|
||||||
</g>
|
|
||||||
<path
|
|
||||||
id="svg_25"
|
|
||||||
d="m 61.563004,33.759998 -8.410004,0 c -1.351002,0 -2.445999,-1.094997 -2.445999,-2.445999 0,-1.351002 1.094997,-2.445999 2.445999,-2.445999 l 8.410004,0 c 1.350998,0 2.445999,1.095001 2.445999,2.445999 0,1.350998 -1.095001,2.445999 -2.445999,2.445999 z"
|
|
||||||
inkscape:connector-curvature="0"
|
|
||||||
style="fill:#f9a11d" />
|
|
||||||
</g>
|
|
||||||
</svg>
|
|
Before Width: | Height: | Size: 16 KiB |
Before Width: | Height: | Size: 218 KiB |
Before Width: | Height: | Size: 208 KiB |
Before Width: | Height: | Size: 2.0 KiB |
Before Width: | Height: | Size: 34 KiB |
Before Width: | Height: | Size: 274 KiB |
Before Width: | Height: | Size: 9.0 KiB |
@ -1,79 +0,0 @@
|
|||||||
<p align="center">
|
|
||||||
<img src="img/traefik.logo.png" alt="Traefik" title="Traefik" />
|
|
||||||
</p>
|
|
||||||
|
|
||||||
[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
|
|
||||||
[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](/)
|
|
||||||
[![Go Report Card](https://goreportcard.com/badge/github.com/containous/traefik)](https://goreportcard.com/report/github.com/containous/traefik)
|
|
||||||
[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
|
|
||||||
[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
|
|
||||||
[![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
|
|
||||||
|
|
||||||
|
|
||||||
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
|
|
||||||
Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
|
|
||||||
Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
|
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul).
|
|
||||||
Now you want users to access these microservices, and you need a reverse proxy.
|
|
||||||
|
|
||||||
Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice.
|
|
||||||
In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious.
|
|
||||||
|
|
||||||
**This is when Traefik can help you!**
|
|
||||||
|
|
||||||
Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.
|
|
||||||
|
|
||||||
**Run Traefik and let it do the work for you!**
|
|
||||||
_(But if you'd rather configure some of your routes manually, Traefik supports that too!)_
|
|
||||||
|
|
||||||
![Architecture](img/architecture.png)
|
|
||||||
|
|
||||||
## Features
|
|
||||||
|
|
||||||
- Continuously updates its configuration (No restarts!)
|
|
||||||
- Supports multiple load balancing algorithms
|
|
||||||
- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
|
|
||||||
- Circuit breakers, retry
|
|
||||||
- High Availability with cluster mode (beta)
|
|
||||||
- See the magic through its clean web UI
|
|
||||||
- Websocket, HTTP/2, GRPC ready
|
|
||||||
- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
|
|
||||||
- Keeps access logs (JSON, CLF)
|
|
||||||
- Fast
|
|
||||||
- Exposes a Rest API
|
|
||||||
- Packaged as a single binary file (made with ❤️ with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
|
|
||||||
|
|
||||||
|
|
||||||
## Supported Providers
|
|
||||||
|
|
||||||
- [Docker](/configuration/backends/docker/) / [Swarm mode](/configuration/backends/docker/#docker-swarm-mode)
|
|
||||||
- [Kubernetes](/configuration/backends/kubernetes/)
|
|
||||||
- [Mesos](/configuration/backends/mesos/) / [Marathon](/configuration/backends/marathon/)
|
|
||||||
- [Rancher](/configuration/backends/rancher/) (API, Metadata)
|
|
||||||
- [Azure Service Fabric](/configuration/backends/servicefabric/)
|
|
||||||
- [Consul Catalog](/configuration/backends/consulcatalog/)
|
|
||||||
- [Consul](/configuration/backends/consul/) / [Etcd](/configuration/backends/etcd/) / [Zookeeper](/configuration/backends/zookeeper/) / [BoltDB](/configuration/backends/boltdb/)
|
|
||||||
- [Eureka](/configuration/backends/eureka/)
|
|
||||||
- [Amazon ECS](/configuration/backends/ecs/)
|
|
||||||
- [Amazon DynamoDB](/configuration/backends/dynamodb/)
|
|
||||||
- [File](/configuration/backends/file/)
|
|
||||||
- [Rest](/configuration/backends/rest/)
|
|
||||||
|
|
||||||
## Security
|
|
||||||
|
|
||||||
### Security Advisories
|
|
||||||
|
|
||||||
We strongly advise you to join our mailing list to be aware of the latest announcements from our security team. You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
|
|
||||||
|
|
||||||
### CVE
|
|
||||||
|
|
||||||
Reported vulnerabilities can be found on
|
|
||||||
[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
|
|
||||||
|
|
||||||
### Report a Vulnerability
|
|
||||||
|
|
||||||
We want to keep Traefik safe for everyone.
|
|
||||||
If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).
|
|
@ -1,148 +0,0 @@
|
|||||||
# Metrics
|
|
||||||
|
|
||||||
## Old Content
|
|
||||||
|
|
||||||
# Metrics Definition
|
|
||||||
|
|
||||||
## Prometheus
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Metrics definition
|
|
||||||
[metrics]
|
|
||||||
#...
|
|
||||||
|
|
||||||
# To enable Traefik to export internal metrics to Prometheus
|
|
||||||
[metrics.prometheus]
|
|
||||||
|
|
||||||
# Name of the related entry point
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "traefik"
|
|
||||||
#
|
|
||||||
entryPoint = "traefik"
|
|
||||||
|
|
||||||
# Buckets for latency metrics
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: [0.1, 0.3, 1.2, 5.0]
|
|
||||||
#
|
|
||||||
buckets = [0.1,0.3,1.2,5.0]
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
## DataDog
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Metrics definition
|
|
||||||
[metrics]
|
|
||||||
#...
|
|
||||||
|
|
||||||
# DataDog metrics exporter type
|
|
||||||
[metrics.datadog]
|
|
||||||
|
|
||||||
# DataDog's address.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "localhost:8125"
|
|
||||||
#
|
|
||||||
address = "localhost:8125"
|
|
||||||
|
|
||||||
# DataDog push interval
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "10s"
|
|
||||||
#
|
|
||||||
pushInterval = "10s"
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
## StatsD
|
|
||||||
|
|
||||||
```toml
|
|
||||||
# Metrics definition
|
|
||||||
[metrics]
|
|
||||||
#...
|
|
||||||
|
|
||||||
# StatsD metrics exporter type
|
|
||||||
[metrics.statsd]
|
|
||||||
|
|
||||||
# StatD's address.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "localhost:8125"
|
|
||||||
#
|
|
||||||
address = "localhost:8125"
|
|
||||||
|
|
||||||
# StatD push interval
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "10s"
|
|
||||||
#
|
|
||||||
pushInterval = "10s"
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
## InfluxDB
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[metrics]
|
|
||||||
# ...
|
|
||||||
|
|
||||||
# InfluxDB metrics exporter type
|
|
||||||
[metrics.influxdb]
|
|
||||||
|
|
||||||
# InfluxDB's address.
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "localhost:8089"
|
|
||||||
#
|
|
||||||
address = "localhost:8089"
|
|
||||||
|
|
||||||
# InfluxDB's address protocol (udp or http)
|
|
||||||
#
|
|
||||||
# Required
|
|
||||||
# Default: "udp"
|
|
||||||
#
|
|
||||||
protocol = "udp"
|
|
||||||
|
|
||||||
# InfluxDB's username
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "" (no username)
|
|
||||||
#
|
|
||||||
username = ""
|
|
||||||
|
|
||||||
# InfluxDB's password
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "" (no password)
|
|
||||||
#
|
|
||||||
password = ""
|
|
||||||
|
|
||||||
# InfluxDB push interval
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: "10s"
|
|
||||||
#
|
|
||||||
pushinterval = "10s"
|
|
||||||
|
|
||||||
# InfluxDB database used when protocol is http
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ""
|
|
||||||
#
|
|
||||||
database = ""
|
|
||||||
|
|
||||||
# InfluxDB retention policy used when protocol is http
|
|
||||||
#
|
|
||||||
# Optional
|
|
||||||
# Default: ""
|
|
||||||
#
|
|
||||||
retentionpolicy = ""
|
|
||||||
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
4
old/docs/theme/js/extra.js
vendored
@ -1,4 +0,0 @@
|
|||||||
/* Highlight */
|
|
||||||
(function(hljs) {
|
|
||||||
hljs.initHighlightingOnLoad();
|
|
||||||
})(hljs);
|
|
24
old/docs/theme/js/hljs/LICENSE
vendored
@ -1,24 +0,0 @@
|
|||||||
Copyright (c) 2006, Ivan Sagalaev
|
|
||||||
All rights reserved.
|
|
||||||
Redistribution and use in source and binary forms, with or without
|
|
||||||
modification, are permitted provided that the following conditions are met:
|
|
||||||
|
|
||||||
* Redistributions of source code must retain the above copyright
|
|
||||||
notice, this list of conditions and the following disclaimer.
|
|
||||||
* Redistributions in binary form must reproduce the above copyright
|
|
||||||
notice, this list of conditions and the following disclaimer in the
|
|
||||||
documentation and/or other materials provided with the distribution.
|
|
||||||
* Neither the name of highlight.js nor the names of its contributors
|
|
||||||
may be used to endorse or promote products derived from this software
|
|
||||||
without specific prior written permission.
|
|
||||||
|
|
||||||
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
|
|
||||||
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
||||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY
|
|
||||||
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
||||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
||||||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
||||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
2
old/docs/theme/js/hljs/highlight.pack.js
vendored
104
old/docs/theme/partials/footer.html
vendored
@ -1,104 +0,0 @@
|
|||||||
<!--
|
|
||||||
Copyright (c) 2016-2017 Martin Donath <martin.donath@squidfunk.com>
|
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
of this software and associated documentation files (the "Software"), to
|
|
||||||
deal in the Software without restriction, including without limitation the
|
|
||||||
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
|
||||||
sell copies of the Software, and to permit persons to whom the Software is
|
|
||||||
furnished to do so, subject to the following conditions:
|
|
||||||
|
|
||||||
The above copyright notice and this permission notice shall be included in
|
|
||||||
all copies or substantial portions of the Software.
|
|
||||||
|
|
||||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
||||||
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
||||||
IN THE SOFTWARE.
|
|
||||||
-->
|
|
||||||
|
|
||||||
{% import "partials/language.html" as lang with context %}
|
|
||||||
|
|
||||||
<!-- Application footer -->
|
|
||||||
<footer class="md-footer">
|
|
||||||
|
|
||||||
<!-- Link to previous and/or next page -->
|
|
||||||
{% if page.previous_page or page.next_page %}
|
|
||||||
<!--<div class="md-footer-nav">-->
|
|
||||||
<!--<nav class="md-footer-nav__inner md-grid">-->
|
|
||||||
<!-- -->
|
|
||||||
<!-- Link to previous page -->
|
|
||||||
<!--{% if page.previous_page %}-->
|
|
||||||
<!--<a href="{{ page.previous_page.url }}"-->
|
|
||||||
<!--title="{{ page.previous_page.title }}"-->
|
|
||||||
<!--class="md-flex md-footer-nav__link md-footer-nav__link--prev"-->
|
|
||||||
<!--rel="prev">-->
|
|
||||||
<!--<div class="md-flex__cell md-flex__cell--shrink">-->
|
|
||||||
<!--<i class="md-icon md-icon--arrow-back-->
|
|
||||||
<!--md-footer-nav__button"></i>-->
|
|
||||||
<!--</div>-->
|
|
||||||
<!--<div class="md-flex__cell md-flex__cell--stretch-->
|
|
||||||
<!--md-footer-nav__title">-->
|
|
||||||
<!--<span class="md-flex__ellipsis">-->
|
|
||||||
<!--<span class="md-footer-nav__direction">-->
|
|
||||||
<!--{{ lang.t("footer.previous") }} -->
|
|
||||||
<!--</span>-->
|
|
||||||
<!--{{ page.previous_page.title }}-->
|
|
||||||
<!--</span>-->
|
|
||||||
<!--</div>-->
|
|
||||||
<!--</a>-->
|
|
||||||
<!--{% endif %}-->
|
|
||||||
<!-- -->
|
|
||||||
<!-- Link to next page -->
|
|
||||||
<!--{% if page.next_page %}-->
|
|
||||||
<!--<a href="{{ page.next_page.url }}" title="{{ page.next_page.title }}"-->
|
|
||||||
<!--class="md-flex md-footer-nav__link md-footer-nav__link--next"-->
|
|
||||||
<!--rel="next">-->
|
|
||||||
<!--<div class="md-flex__cell md-flex__cell--stretch-->
|
|
||||||
<!--md-footer-nav__title">-->
|
|
||||||
<!--<span class="md-flex__ellipsis">-->
|
|
||||||
<!--<span class="md-footer-nav__direction">-->
|
|
||||||
<!--{{ lang.t("footer.next") }}-->
|
|
||||||
<!--</span>-->
|
|
||||||
<!--{{ page.next_page.title }}-->
|
|
||||||
<!--</span>-->
|
|
||||||
<!--</div>-->
|
|
||||||
<!--<div class="md-flex__cell md-flex__cell--shrink">-->
|
|
||||||
<!--<i class="md-icon md-icon--arrow-forward-->
|
|
||||||
<!--md-footer-nav__button"></i>-->
|
|
||||||
<!--</div>-->
|
|
||||||
<!--</a>-->
|
|
||||||
<!--{% endif %}-->
|
|
||||||
<!--</nav>-->
|
|
||||||
<!--</div>-->
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
<!-- Further information -->
|
|
||||||
<div class="md-footer-meta md-typeset">
|
|
||||||
<div class="md-footer-meta__inner md-grid">
|
|
||||||
|
|
||||||
<!-- Copyright and theme information -->
|
|
||||||
<div class="md-footer-copyright">
|
|
||||||
{% if config.copyright %}
|
|
||||||
<div class="md-footer-copyright__highlight">
|
|
||||||
{{ config.copyright }}
|
|
||||||
</div>
|
|
||||||
{% endif %}
|
|
||||||
powered by
|
|
||||||
<a href="https://www.mkdocs.org" title="MkDocs">MkDocs</a>
|
|
||||||
and
|
|
||||||
<a href="https://squidfunk.github.io/mkdocs-material/"
|
|
||||||
title="Material for MkDocs">
|
|
||||||
Material for MkDocs</a>
|
|
||||||
</div>
|
|
||||||
|
|
||||||
<!-- Social links -->
|
|
||||||
{% block social %}
|
|
||||||
{% include "partials/social.html" %}
|
|
||||||
{% endblock %}
|
|
||||||
</div>
|
|
||||||
</div>
|
|
||||||
</footer>
|
|
96
old/docs/theme/styles/atom-one-light.css
vendored
@ -1,96 +0,0 @@
|
|||||||
/*
|
|
||||||
|
|
||||||
Atom One Light by Daniel Gamage
|
|
||||||
Original One Light Syntax theme from https://github.com/atom/one-light-syntax
|
|
||||||
|
|
||||||
base: #fafafa
|
|
||||||
mono-1: #383a42
|
|
||||||
mono-2: #686b77
|
|
||||||
mono-3: #a0a1a7
|
|
||||||
hue-1: #0184bb
|
|
||||||
hue-2: #4078f2
|
|
||||||
hue-3: #a626a4
|
|
||||||
hue-4: #50a14f
|
|
||||||
hue-5: #e45649
|
|
||||||
hue-5-2: #c91243
|
|
||||||
hue-6: #986801
|
|
||||||
hue-6-2: #c18401
|
|
||||||
|
|
||||||
*/
|
|
||||||
|
|
||||||
.hljs {
|
|
||||||
display: block;
|
|
||||||
overflow-x: auto;
|
|
||||||
padding: 0.5em;
|
|
||||||
color: #383a42;
|
|
||||||
background: #fafafa;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-comment,
|
|
||||||
.hljs-quote {
|
|
||||||
color: #a0a1a7;
|
|
||||||
font-style: italic;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-doctag,
|
|
||||||
.hljs-keyword,
|
|
||||||
.hljs-formula {
|
|
||||||
color: #a626a4;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-section,
|
|
||||||
.hljs-name,
|
|
||||||
.hljs-selector-tag,
|
|
||||||
.hljs-deletion,
|
|
||||||
.hljs-subst {
|
|
||||||
color: #e45649;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-literal {
|
|
||||||
color: #0184bb;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-string,
|
|
||||||
.hljs-regexp,
|
|
||||||
.hljs-addition,
|
|
||||||
.hljs-attribute,
|
|
||||||
.hljs-meta-string {
|
|
||||||
color: #50a14f;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-built_in,
|
|
||||||
.hljs-class .hljs-title {
|
|
||||||
color: #c18401;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-attr,
|
|
||||||
.hljs-variable,
|
|
||||||
.hljs-template-variable,
|
|
||||||
.hljs-type,
|
|
||||||
.hljs-selector-class,
|
|
||||||
.hljs-selector-attr,
|
|
||||||
.hljs-selector-pseudo,
|
|
||||||
.hljs-number {
|
|
||||||
color: #986801;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-symbol,
|
|
||||||
.hljs-bullet,
|
|
||||||
.hljs-link,
|
|
||||||
.hljs-meta,
|
|
||||||
.hljs-selector-id,
|
|
||||||
.hljs-title {
|
|
||||||
color: #4078f2;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-emphasis {
|
|
||||||
font-style: italic;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-strong {
|
|
||||||
font-weight: bold;
|
|
||||||
}
|
|
||||||
|
|
||||||
.hljs-link {
|
|
||||||
text-decoration: underline;
|
|
||||||
}
|
|
20
old/docs/theme/styles/extra.css
vendored
@ -1,20 +0,0 @@
|
|||||||
.md-logo img {
|
|
||||||
background-color: white;
|
|
||||||
border-radius: 50%;
|
|
||||||
width: 30px;
|
|
||||||
height: 30px;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Fix for Chrome */
|
|
||||||
.md-typeset__table td code {
|
|
||||||
word-break: unset;
|
|
||||||
}
|
|
||||||
|
|
||||||
.md-typeset__table tr :nth-child(1) {
|
|
||||||
word-wrap: break-word;
|
|
||||||
max-width: 30em;
|
|
||||||
}
|
|
||||||
|
|
||||||
p {
|
|
||||||
text-align: justify;
|
|
||||||
}
|
|
@ -1,294 +0,0 @@
|
|||||||
# Clustering / High Availability on Docker Swarm with Consul
|
|
||||||
|
|
||||||
This guide explains how to use Traefik in high availability mode in a Docker Swarm and with Let's Encrypt.
|
|
||||||
|
|
||||||
Why do we need Traefik in cluster mode? Running multiple instances should work out of the box?
|
|
||||||
|
|
||||||
If you want to use Let's Encrypt with Traefik, sharing configuration or TLS certificates between many Traefik instances, you need Traefik cluster/HA.
|
|
||||||
|
|
||||||
Ok, could we mount a shared volume used by all my instances? Yes, you can, but it will not work.
|
|
||||||
When you use Let's Encrypt, you need to store certificates, but not only.
|
|
||||||
When Traefik generates a new certificate, it configures a challenge and once Let's Encrypt will verify the ownership of the domain, it will ping back the challenge.
|
|
||||||
If the challenge is not known by other Traefik instances, the validation will fail.
|
|
||||||
|
|
||||||
For more information about the challenge: [Automatic Certificate Management Environment (ACME)](https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#http-challenge)
|
|
||||||
|
|
||||||
## Prerequisites
|
|
||||||
|
|
||||||
You will need a working Docker Swarm cluster.
|
|
||||||
|
|
||||||
## Traefik configuration
|
|
||||||
|
|
||||||
In this guide, we will not use a TOML configuration file, but only command line flag.
|
|
||||||
With that, we can use the base image without mounting configuration file or building custom image.
|
|
||||||
|
|
||||||
What Traefik should do:
|
|
||||||
|
|
||||||
- Listen to 80 and 443
|
|
||||||
- Redirect HTTP traffic to HTTPS
|
|
||||||
- Generate SSL certificate when a domain is added
|
|
||||||
- Listen to Docker Swarm event
|
|
||||||
|
|
||||||
### EntryPoints configuration
|
|
||||||
|
|
||||||
TL;DR:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
$ traefik \
|
|
||||||
--entrypoints='Name:http Address::80 Redirect.EntryPoint:https' \
|
|
||||||
--entrypoints='Name:https Address::443 TLS' \
|
|
||||||
--defaultentrypoints=http,https
|
|
||||||
```
|
|
||||||
|
|
||||||
To listen to different ports, we need to create an entry point for each.
|
|
||||||
|
|
||||||
The CLI syntax is `--entrypoints='Name:a_name Address:an_ip_or_empty:a_port options'`.
|
|
||||||
If you want to redirect traffic from one entry point to another, it's the option `Redirect.EntryPoint:entrypoint_name`.
|
|
||||||
|
|
||||||
By default, we don't want to configure all our services to listen on http and https, we add a default entry point configuration: `--defaultentrypoints=http,https`.
|
|
||||||
|
|
||||||
### Let's Encrypt configuration
|
|
||||||
|
|
||||||
TL;DR:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
$ traefik \
|
|
||||||
--acme \
|
|
||||||
--acme.storage=/etc/traefik/acme/acme.json \
|
|
||||||
--acme.entryPoint=https \
|
|
||||||
--acme.httpChallenge.entryPoint=http \
|
|
||||||
--acme.email=contact@mydomain.ca
|
|
||||||
```
|
|
||||||
|
|
||||||
Let's Encrypt needs 4 parameters: an TLS entry point to listen to, a non-TLS entry point to allow HTTP challenges, a storage for certificates, and an email for the registration.
|
|
||||||
|
|
||||||
To enable Let's Encrypt support, you need to add `--acme` flag.
|
|
||||||
|
|
||||||
Now, Traefik needs to know where to store the certificates, we can choose between a key in a Key-Value store, or a file path: `--acme.storage=my/key` or `--acme.storage=/path/to/acme.json`.
|
|
||||||
|
|
||||||
The `acme.httpChallenge.entryPoint` flag enables the `HTTP-01` challenge and specifies the entryPoint to use during the challenges.
|
|
||||||
|
|
||||||
For your email and the entry point, it's `--acme.entryPoint` and `--acme.email` flags.
|
|
||||||
|
|
||||||
### Docker configuration
|
|
||||||
|
|
||||||
TL;DR:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
$ traefik \
|
|
||||||
--docker \
|
|
||||||
--docker.swarmMode \
|
|
||||||
--docker.domain=mydomain.ca \
|
|
||||||
--docker.watch
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable docker and swarm-mode support, you need to add `--docker` and `--docker.swarmMode` flags.
|
|
||||||
To watch docker events, add `--docker.watch`.
|
|
||||||
|
|
||||||
### Full docker-compose file
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
version: "3"
|
|
||||||
services:
|
|
||||||
traefik:
|
|
||||||
image: traefik:1.5
|
|
||||||
command:
|
|
||||||
- "--api"
|
|
||||||
- "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
|
|
||||||
- "--entrypoints=Name:https Address::443 TLS"
|
|
||||||
- "--defaultentrypoints=http,https"
|
|
||||||
- "--acme"
|
|
||||||
- "--acme.storage=/etc/traefik/acme/acme.json"
|
|
||||||
- "--acme.entryPoint=https"
|
|
||||||
- "--acme.httpChallenge.entryPoint=http"
|
|
||||||
- "--acme.onHostRule=true"
|
|
||||||
- "--acme.onDemand=false"
|
|
||||||
- "--acme.email=contact@mydomain.ca"
|
|
||||||
- "--docker"
|
|
||||||
- "--docker.swarmMode"
|
|
||||||
- "--docker.domain=mydomain.ca"
|
|
||||||
- "--docker.watch"
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
networks:
|
|
||||||
- webgateway
|
|
||||||
- traefik
|
|
||||||
ports:
|
|
||||||
- target: 80
|
|
||||||
published: 80
|
|
||||||
mode: host
|
|
||||||
- target: 443
|
|
||||||
published: 443
|
|
||||||
mode: host
|
|
||||||
- target: 8080
|
|
||||||
published: 8080
|
|
||||||
mode: host
|
|
||||||
deploy:
|
|
||||||
mode: global
|
|
||||||
placement:
|
|
||||||
constraints:
|
|
||||||
- node.role == manager
|
|
||||||
update_config:
|
|
||||||
parallelism: 1
|
|
||||||
delay: 10s
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
networks:
|
|
||||||
webgateway:
|
|
||||||
driver: overlay
|
|
||||||
external: true
|
|
||||||
traefik:
|
|
||||||
driver: overlay
|
|
||||||
```
|
|
||||||
|
|
||||||
## Migrate configuration to Consul
|
|
||||||
|
|
||||||
We created a special Traefik command to help configuring your Key Value store from a Traefik TOML configuration file and/or CLI flags.
|
|
||||||
|
|
||||||
## Deploy a Traefik cluster
|
|
||||||
|
|
||||||
The best way we found is to have an initializer service.
|
|
||||||
This service will push the config to Consul via the `storeconfig` sub-command.
|
|
||||||
|
|
||||||
This service will retry until finishing without error because Consul may not be ready when the service tries to push the configuration.
|
|
||||||
|
|
||||||
The initializer in a docker-compose file will be:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
traefik_init:
|
|
||||||
image: traefik:1.5
|
|
||||||
command:
|
|
||||||
- "storeconfig"
|
|
||||||
- "--api"
|
|
||||||
[...]
|
|
||||||
- "--consul"
|
|
||||||
- "--consul.endpoint=consul:8500"
|
|
||||||
- "--consul.prefix=traefik"
|
|
||||||
networks:
|
|
||||||
- traefik
|
|
||||||
deploy:
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
depends_on:
|
|
||||||
- consul
|
|
||||||
```
|
|
||||||
|
|
||||||
And now, the Traefik part will only have the Consul configuration.
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
traefik:
|
|
||||||
image: traefik:1.5
|
|
||||||
depends_on:
|
|
||||||
- traefik_init
|
|
||||||
- consul
|
|
||||||
command:
|
|
||||||
- "--consul"
|
|
||||||
- "--consul.endpoint=consul:8500"
|
|
||||||
- "--consul.prefix=traefik"
|
|
||||||
[...]
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
For Traefik <1.5.0 add `acme.storage=traefik/acme/account` because Traefik is not reading it from Consul.
|
|
||||||
|
|
||||||
If you have some update to do, update the initializer service and re-deploy it.
|
|
||||||
The new configuration will be stored in Consul, and you need to restart the Traefik node: `docker service update --force traefik_traefik`.
|
|
||||||
|
|
||||||
## Full docker-compose file
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
version: "3.4"
|
|
||||||
services:
|
|
||||||
traefik_init:
|
|
||||||
image: traefik:1.5
|
|
||||||
command:
|
|
||||||
- "storeconfig"
|
|
||||||
- "--api"
|
|
||||||
- "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
|
|
||||||
- "--entrypoints=Name:https Address::443 TLS"
|
|
||||||
- "--defaultentrypoints=http,https"
|
|
||||||
- "--acme"
|
|
||||||
- "--acme.storage=traefik/acme/account"
|
|
||||||
- "--acme.entryPoint=https"
|
|
||||||
- "--acme.httpChallenge.entryPoint=http"
|
|
||||||
- "--acme.onHostRule=true"
|
|
||||||
- "--acme.onDemand=false"
|
|
||||||
- "--acme.email=foobar@example.com"
|
|
||||||
- "--docker"
|
|
||||||
- "--docker.swarmMode"
|
|
||||||
- "--docker.domain=example.com"
|
|
||||||
- "--docker.watch"
|
|
||||||
- "--consul"
|
|
||||||
- "--consul.endpoint=consul:8500"
|
|
||||||
- "--consul.prefix=traefik"
|
|
||||||
networks:
|
|
||||||
- traefik
|
|
||||||
deploy:
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
depends_on:
|
|
||||||
- consul
|
|
||||||
traefik:
|
|
||||||
image: traefik:1.5
|
|
||||||
depends_on:
|
|
||||||
- traefik_init
|
|
||||||
- consul
|
|
||||||
command:
|
|
||||||
- "--consul"
|
|
||||||
- "--consul.endpoint=consul:8500"
|
|
||||||
- "--consul.prefix=traefik"
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
networks:
|
|
||||||
- webgateway
|
|
||||||
- traefik
|
|
||||||
ports:
|
|
||||||
- target: 80
|
|
||||||
published: 80
|
|
||||||
mode: host
|
|
||||||
- target: 443
|
|
||||||
published: 443
|
|
||||||
mode: host
|
|
||||||
- target: 8080
|
|
||||||
published: 8080
|
|
||||||
mode: host
|
|
||||||
deploy:
|
|
||||||
mode: global
|
|
||||||
placement:
|
|
||||||
constraints:
|
|
||||||
- node.role == manager
|
|
||||||
update_config:
|
|
||||||
parallelism: 1
|
|
||||||
delay: 10s
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
consul:
|
|
||||||
image: consul
|
|
||||||
command: agent -server -bootstrap-expect=1
|
|
||||||
volumes:
|
|
||||||
- consul-data:/consul/data
|
|
||||||
environment:
|
|
||||||
- CONSUL_LOCAL_CONFIG={"datacenter":"us_east2","server":true}
|
|
||||||
- CONSUL_BIND_INTERFACE=eth0
|
|
||||||
- CONSUL_CLIENT_INTERFACE=eth0
|
|
||||||
deploy:
|
|
||||||
replicas: 1
|
|
||||||
placement:
|
|
||||||
constraints:
|
|
||||||
- node.role == manager
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
networks:
|
|
||||||
- traefik
|
|
||||||
|
|
||||||
networks:
|
|
||||||
webgateway:
|
|
||||||
driver: overlay
|
|
||||||
external: true
|
|
||||||
traefik:
|
|
||||||
driver: overlay
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
consul-data:
|
|
||||||
driver: [not local]
|
|
||||||
```
|
|
@ -1,33 +0,0 @@
|
|||||||
# Clustering / High Availability (beta)
|
|
||||||
|
|
||||||
This guide explains how to use Traefik in high availability mode.
|
|
||||||
|
|
||||||
In order to deploy and configure multiple Traefik instances, without copying the same configuration file on each instance, we will use a distributed Key-Value store.
|
|
||||||
|
|
||||||
## Prerequisites
|
|
||||||
|
|
||||||
You will need a working KV store cluster.
|
|
||||||
_(Currently, we recommend [Consul](https://consul.io) .)_
|
|
||||||
|
|
||||||
## File configuration to KV store migration
|
|
||||||
|
|
||||||
We created a special Traefik command to help configuring your Key Value store from a Traefik TOML configuration file.
|
|
||||||
|
|
||||||
Please refer to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) to get more details.
|
|
||||||
|
|
||||||
## Deploy a Traefik cluster
|
|
||||||
|
|
||||||
Once your Traefik configuration is uploaded on your KV store, you can start each Traefik instance.
|
|
||||||
|
|
||||||
A Traefik cluster is based on a manager/worker model.
|
|
||||||
|
|
||||||
When starting, Traefik will elect a manager.
|
|
||||||
If this instance fails, another manager will be automatically elected.
|
|
||||||
|
|
||||||
## Traefik cluster and Let's Encrypt
|
|
||||||
|
|
||||||
**In cluster mode, ACME certificates have to be stored in [a KV Store entry](/configuration/acme/#as-a-key-value-store-entry).**
|
|
||||||
|
|
||||||
Thanks to the Traefik cluster mode algorithm (based on [the Raft Consensus Algorithm](https://raft.github.io/)), only one instance will contact Let's encrypt to solve the challenges.
|
|
||||||
|
|
||||||
The others instances will get ACME certificate from the KV Store entry.
|
|
@ -1,262 +0,0 @@
|
|||||||
# Let's Encrypt & Docker
|
|
||||||
|
|
||||||
In this use case, we want to use Traefik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.
|
|
||||||
|
|
||||||
We also want to automatically _discover any services_ on the Docker host and let Traefik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
|
|
||||||
|
|
||||||
In addition, we want to use Let's Encrypt to automatically generate and renew SSL certificates per hostname.
|
|
||||||
|
|
||||||
## Setting Up
|
|
||||||
|
|
||||||
In order for this to work, you'll need a server with a public IP address, with Docker and docker-compose installed on it.
|
|
||||||
|
|
||||||
In this example, we're using the fictitious domain _my-awesome-app.org_.
|
|
||||||
|
|
||||||
In real-life, you'll want to use your own domain and have the DNS configured accordingly so the hostname records you'll want to use point to the aforementioned public IP address.
|
|
||||||
|
|
||||||
## Networking
|
|
||||||
|
|
||||||
Docker containers can only communicate with each other over TCP when they share at least one network.
|
|
||||||
This makes sense from a topological point of view in the context of networking, since Docker under the hood creates IPTable rules so containers can't reach other containers _unless you'd want to_.
|
|
||||||
|
|
||||||
In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Traefik) will reside in.
|
|
||||||
|
|
||||||
On the Docker host, run the following command:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker network create web
|
|
||||||
```
|
|
||||||
|
|
||||||
Now, let's create a directory on the server where we will configure the rest of Traefik:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
mkdir -p /opt/traefik
|
|
||||||
```
|
|
||||||
|
|
||||||
Within this directory, we're going to create 3 empty files:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
touch /opt/traefik/docker-compose.yml
|
|
||||||
touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
|
|
||||||
touch /opt/traefik/traefik.toml
|
|
||||||
```
|
|
||||||
|
|
||||||
The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik.
|
|
||||||
|
|
||||||
The contents of the file is as follows:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
version: '2'
|
|
||||||
|
|
||||||
services:
|
|
||||||
traefik:
|
|
||||||
image: traefik:1.5.4
|
|
||||||
restart: always
|
|
||||||
ports:
|
|
||||||
- 80:80
|
|
||||||
- 443:443
|
|
||||||
networks:
|
|
||||||
- web
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
- /opt/traefik/traefik.toml:/traefik.toml
|
|
||||||
- /opt/traefik/acme.json:/acme.json
|
|
||||||
container_name: traefik
|
|
||||||
|
|
||||||
networks:
|
|
||||||
web:
|
|
||||||
external: true
|
|
||||||
```
|
|
||||||
|
|
||||||
As you can see, we're mounting the `traefik.toml` file as well as the (empty) `acme.json` file in the container.
|
|
||||||
Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Traefik can listen to Docker events and reconfigure its own internal configuration when containers are created (or shut down).
|
|
||||||
Also, we're making sure the container is automatically restarted by the Docker engine in case of problems (or: if the server is rebooted).
|
|
||||||
We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.
|
|
||||||
Finally, we're giving this container a static name called `traefik`.
|
|
||||||
|
|
||||||
Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Traefik container:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
debug = false
|
|
||||||
|
|
||||||
logLevel = "ERROR"
|
|
||||||
defaultEntryPoints = ["https","http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[retry]
|
|
||||||
|
|
||||||
[docker]
|
|
||||||
endpoint = "unix:///var/run/docker.sock"
|
|
||||||
domain = "my-awesome-app.org"
|
|
||||||
watch = true
|
|
||||||
exposedByDefault = false
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "your-email-here@my-awesome-app.org"
|
|
||||||
storage = "acme.json"
|
|
||||||
entryPoint = "https"
|
|
||||||
onHostRule = true
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
```
|
|
||||||
|
|
||||||
This is the minimum configuration required to do the following:
|
|
||||||
|
|
||||||
- Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messages
|
|
||||||
- Check for new versions of Traefik periodically
|
|
||||||
- Create two entry points, namely an `HTTP` endpoint on port `80`, and an `HTTPS` endpoint on port `443` where all incoming traffic on port `80` will immediately get redirected to `HTTPS`.
|
|
||||||
- Enable the Docker provider and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!**
|
|
||||||
- Enable automatic request and configuration of SSL certificates using Let's Encrypt.
|
|
||||||
These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises.
|
|
||||||
|
|
||||||
Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Traefik container.
|
|
||||||
|
|
||||||
## Exposing Web Services to the Outside World
|
|
||||||
|
|
||||||
Now that we've fully configured and started Traefik, it's time to get our applications running!
|
|
||||||
|
|
||||||
Let's take a simple example of a micro-service project consisting of various services, where some will be exposed to the outside world and some will not.
|
|
||||||
|
|
||||||
The `docker-compose.yml` of our project looks like this:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
version: "2.1"
|
|
||||||
|
|
||||||
services:
|
|
||||||
app:
|
|
||||||
image: my-docker-registry.com/my-awesome-app/app:latest
|
|
||||||
depends_on:
|
|
||||||
db:
|
|
||||||
condition: service_healthy
|
|
||||||
redis:
|
|
||||||
condition: service_healthy
|
|
||||||
restart: always
|
|
||||||
networks:
|
|
||||||
- web
|
|
||||||
- default
|
|
||||||
expose:
|
|
||||||
- "9000"
|
|
||||||
labels:
|
|
||||||
- "traefik.docker.network=web"
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.basic.frontend.rule=Host:app.my-awesome-app.org"
|
|
||||||
- "traefik.basic.port=9000"
|
|
||||||
- "traefik.basic.protocol=http"
|
|
||||||
- "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
|
|
||||||
- "traefik.admin.protocol=https"
|
|
||||||
- "traefik.admin.port=9443"
|
|
||||||
|
|
||||||
db:
|
|
||||||
image: my-docker-registry.com/back-end/5.7
|
|
||||||
restart: always
|
|
||||||
|
|
||||||
redis:
|
|
||||||
image: my-docker-registry.com/back-end/redis:4-alpine
|
|
||||||
restart: always
|
|
||||||
|
|
||||||
events:
|
|
||||||
image: my-docker-registry.com/my-awesome-app/events:latest
|
|
||||||
depends_on:
|
|
||||||
db:
|
|
||||||
condition: service_healthy
|
|
||||||
redis:
|
|
||||||
condition: service_healthy
|
|
||||||
restart: always
|
|
||||||
networks:
|
|
||||||
- web
|
|
||||||
- default
|
|
||||||
expose:
|
|
||||||
- "3000"
|
|
||||||
labels:
|
|
||||||
- "traefik.backend=my-awesome-app-events"
|
|
||||||
- "traefik.docker.network=web"
|
|
||||||
- "traefik.frontend.rule=Host:events.my-awesome-app.org"
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.port=3000"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
web:
|
|
||||||
external: true
|
|
||||||
```
|
|
||||||
|
|
||||||
Here, we can see a set of services with two applications that we're actually exposing to the outside world.
|
|
||||||
Notice how there isn't a single container that has any published ports to the host -- everything is routed through Docker networks.
|
|
||||||
Also, only the containers that we want traffic to get routed to are attached to the `web` network we created at the start of this document.
|
|
||||||
|
|
||||||
Since the `traefik` container we've created and started earlier is also attached to this network, HTTP requests can now get routed to these containers.
|
|
||||||
|
|
||||||
### Labels
|
|
||||||
|
|
||||||
As mentioned earlier, we don't want containers exposed automatically by Traefik.
|
|
||||||
|
|
||||||
The reason behind this is simple: we want to have control over this process ourselves.
|
|
||||||
Thanks to Docker labels, we can tell Traefik how to create its internal routing configuration.
|
|
||||||
|
|
||||||
Let's take a look at the labels themselves for the `app` service, which is a HTTP webservice listing on port 9000:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
- "traefik.docker.network=web"
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.basic.frontend.rule=Host:app.my-awesome-app.org"
|
|
||||||
- "traefik.basic.port=9000"
|
|
||||||
- "traefik.basic.protocol=http"
|
|
||||||
- "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
|
|
||||||
- "traefik.admin.protocol=https"
|
|
||||||
- "traefik.admin.port=9443"
|
|
||||||
```
|
|
||||||
|
|
||||||
We use both `container labels` and `service labels`.
|
|
||||||
|
|
||||||
#### Container labels
|
|
||||||
|
|
||||||
First, we specify the `backend` name which corresponds to the actual service we're routing **to**.
|
|
||||||
|
|
||||||
We also tell Traefik to use the `web` network to route HTTP traffic to this container.
|
|
||||||
With the `traefik.enable` label, we tell Traefik to include this container in its internal configuration.
|
|
||||||
|
|
||||||
With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
|
|
||||||
Essentially, this is the actual rule used for Layer-7 load balancing.
|
|
||||||
|
|
||||||
Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
|
|
||||||
|
|
||||||
### Service labels
|
|
||||||
|
|
||||||
`Service labels` allow managing many routes for the same container.
|
|
||||||
|
|
||||||
When both `container labels` and `service labels` are defined, `container labels` are just used as default values for missing `service labels` but no frontend/backend are going to be defined only with these labels.
|
|
||||||
Obviously, labels `traefik.frontend.rule` and `traefik.port` described above, will only be used to complete information set in `service labels` during the container frontends/backends creation.
|
|
||||||
|
|
||||||
In the example, two service names are defined : `basic` and `admin`.
|
|
||||||
They allow creating two frontends and two backends.
|
|
||||||
|
|
||||||
- `basic` has only one `service label` : `traefik.basic.protocol`.
|
|
||||||
Traefik will use values set in `traefik.frontend.rule` and `traefik.port` to create the `basic` frontend and backend.
|
|
||||||
The frontend listens to incoming HTTP requests which contain the `Host` `app.my-awesome-app.org` and redirect them in `HTTP` to the port `9000` of the backend.
|
|
||||||
- `admin` has all the `services labels` needed to create the `admin` frontend and backend (`traefik.admin.frontend.rule`, `traefik.admin.protocol`, `traefik.admin.port`).
|
|
||||||
Traefik will create a frontend to listen to incoming HTTP requests which contain the `Host` `admin-app.my-awesome-app.org` and redirect them in `HTTPS` to the port `9443` of the backend.
|
|
||||||
|
|
||||||
#### Gotchas and tips
|
|
||||||
|
|
||||||
- Always specify the correct port where the container expects HTTP traffic using `traefik.port` label.
|
|
||||||
If a container exposes multiple ports, Traefik may forward traffic to the wrong port.
|
|
||||||
Even if a container only exposes one port, you should always write configuration defensively and explicitly.
|
|
||||||
- Should you choose to enable the `exposedByDefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see.
|
|
||||||
Usually, this is a bad idea.
|
|
||||||
- With the `traefik.frontend.auth.basic` label, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
|
|
||||||
- Traefik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
|
|
||||||
- Traefik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
|
|
||||||
Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)
|
|
||||||
|
|
||||||
### Final thoughts
|
|
||||||
|
|
||||||
Using Traefik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.
|
|
||||||
|
|
||||||
With Let's Encrypt, your endpoints are automatically secured with production-ready SSL certificates that are renewed automatically as well.
|
|
@ -1,415 +0,0 @@
|
|||||||
# Examples
|
|
||||||
|
|
||||||
You will find here some configuration examples of Traefik.
|
|
||||||
|
|
||||||
## HTTP only
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
```
|
|
||||||
|
|
||||||
## HTTP + HTTPS (with SNI)
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.org.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.org.key"
|
|
||||||
```
|
|
||||||
Note that we can either give path to certificate file or directly the file content itself ([like in this TOML example](/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store)).
|
|
||||||
|
|
||||||
## HTTP redirect on HTTPS
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http.redirect]
|
|
||||||
entryPoint = "https"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "examples/traefik.crt"
|
|
||||||
keyFile = "examples/traefik.key"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case)
|
|
||||||
|
|
||||||
## Let's Encrypt support
|
|
||||||
|
|
||||||
### Basic example with HTTP challenge
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "acme.json"
|
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local1.com"
|
|
||||||
sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
sans = ["test1.local2.com", "test2x.local2.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local3.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local4.com"
|
|
||||||
```
|
|
||||||
|
|
||||||
This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com` with described SANs.
|
|
||||||
|
|
||||||
Traefik generates these certificates when it starts and it needs to be restarted if new domains are added.
|
|
||||||
|
|
||||||
### onHostRule option (with HTTP challenge)
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "acme.json"
|
|
||||||
onHostRule = true
|
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local1.com"
|
|
||||||
sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
sans = ["test1.local2.com", "test2x.local2.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local3.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local4.com"
|
|
||||||
```
|
|
||||||
|
|
||||||
This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com`.
|
|
||||||
|
|
||||||
Traefik generates these certificates when it starts.
|
|
||||||
|
|
||||||
If a backend is added with a `onHost` rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain (for frontends wired on the `acme.entryPoint`).
|
|
||||||
|
|
||||||
### OnDemand option (with HTTP challenge)
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "acme.json"
|
|
||||||
onDemand = true
|
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
```
|
|
||||||
|
|
||||||
This configuration allows generating a Let's Encrypt certificate (thanks to `HTTP-01` challenge) during the first HTTPS request on a new domain.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
This option simplifies the configuration but :
|
|
||||||
|
|
||||||
* TLS handshakes will be slow when requesting a hostname certificate for the first time, which can lead to DDoS attacks.
|
|
||||||
* Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
|
|
||||||
|
|
||||||
That's why, it's better to use the `onHostRule` option if possible.
|
|
||||||
|
|
||||||
### DNS challenge
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "acme.json"
|
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.dnsChallenge]
|
|
||||||
provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
|
|
||||||
delayBeforeCheck = 0
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local1.com"
|
|
||||||
sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
sans = ["test1.local2.com", "test2x.local2.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local3.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local4.com"
|
|
||||||
```
|
|
||||||
|
|
||||||
DNS challenge needs environment variables to be executed.
|
|
||||||
These variables have to be set on the machine/container that host Traefik.
|
|
||||||
|
|
||||||
These variables are described [in this section](/configuration/acme/#provider).
|
|
||||||
|
|
||||||
### DNS challenge with wildcard domains
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "acme.json"
|
|
||||||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.dnsChallenge]
|
|
||||||
provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
|
|
||||||
delayBeforeCheck = 0
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local1.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
sans = ["test1.local2.com", "test2x.local2.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local3.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "*.local4.com"
|
|
||||||
```
|
|
||||||
|
|
||||||
DNS challenge needs environment variables to be executed.
|
|
||||||
These variables have to be set on the machine/container that host Traefik.
|
|
||||||
|
|
||||||
These variables are described [in this section](/configuration/acme/#provider).
|
|
||||||
|
|
||||||
More information about wildcard certificates are available [in this section](/configuration/acme/#wildcard-domains).
|
|
||||||
|
|
||||||
### onHostRule option and provided certificates (with HTTP challenge)
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "examples/traefik.crt"
|
|
||||||
keyFile = "examples/traefik.key"
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "acme.json"
|
|
||||||
onHostRule = true
|
|
||||||
caServer = "http://172.18.0.1:4000/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
```
|
|
||||||
|
|
||||||
Traefik will only try to generate a Let's encrypt certificate (thanks to `HTTP-01` challenge) if the domain cannot be checked by the provided certificates.
|
|
||||||
|
|
||||||
### Cluster mode
|
|
||||||
|
|
||||||
#### Prerequisites
|
|
||||||
|
|
||||||
Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely at [this section](/user-guide/kv-config/#store-configuration-in-key-value-store), which will describe how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
|
|
||||||
|
|
||||||
#### Configuration
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "traefik/acme/account"
|
|
||||||
caServer = "http://172.18.0.1:4000/directory"
|
|
||||||
entryPoint = "https"
|
|
||||||
|
|
||||||
[acme.httpChallenge]
|
|
||||||
entryPoint = "http"
|
|
||||||
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local1.com"
|
|
||||||
sans = ["test1.local1.com", "test2.local1.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local2.com"
|
|
||||||
sans = ["test1.local2.com", "test2x.local2.com"]
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local3.com"
|
|
||||||
[[acme.domains]]
|
|
||||||
main = "local4.com"
|
|
||||||
|
|
||||||
[consul]
|
|
||||||
endpoint = "127.0.0.1:8500"
|
|
||||||
watch = true
|
|
||||||
prefix = "traefik"
|
|
||||||
```
|
|
||||||
|
|
||||||
This configuration allows to use the key `traefik/acme/account` to get/set Let's Encrypt certificates content.
|
|
||||||
The `consul` provider contains the configuration.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
It's possible to use others key-value store providers as described [here](/user-guide/kv-config/#key-value-store-configuration).
|
|
||||||
|
|
||||||
## Override entrypoints in frontends
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[frontends]
|
|
||||||
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "Host:test.localhost"
|
|
||||||
|
|
||||||
[frontends.frontend2]
|
|
||||||
backend = "backend1"
|
|
||||||
passHostHeader = true
|
|
||||||
entrypoints = ["https"] # overrides defaultEntryPoints
|
|
||||||
[frontends.frontend2.routes.test_1]
|
|
||||||
rule = "Host:{subdomain:[a-z]+}.localhost"
|
|
||||||
|
|
||||||
[frontends.frontend3]
|
|
||||||
entrypoints = ["http", "https"] # overrides defaultEntryPoints
|
|
||||||
backend = "backend2"
|
|
||||||
rule = "Path:/test"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Override the Traefik HTTP server idleTimeout and/or throttle configurations from re-loading too quickly
|
|
||||||
|
|
||||||
```toml
|
|
||||||
providersThrottleDuration = "5s"
|
|
||||||
|
|
||||||
[respondingTimeouts]
|
|
||||||
idleTimeout = "360s"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Using labels in docker-compose.yml
|
|
||||||
|
|
||||||
Pay attention to the **labels** section:
|
|
||||||
|
|
||||||
```
|
|
||||||
home:
|
|
||||||
image: abiosoft/caddy:0.10.14
|
|
||||||
networks:
|
|
||||||
- ntw_front
|
|
||||||
volumes:
|
|
||||||
- ./www/home/srv/:/srv/
|
|
||||||
deploy:
|
|
||||||
mode: replicated
|
|
||||||
replicas: 2
|
|
||||||
#placement:
|
|
||||||
# constraints: [node.role==manager]
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
max_attempts: 5
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpus: '0.20'
|
|
||||||
memory: 9M
|
|
||||||
reservations:
|
|
||||||
cpus: '0.05'
|
|
||||||
memory: 9M
|
|
||||||
labels:
|
|
||||||
- "traefik.frontend.rule=PathPrefixStrip:/"
|
|
||||||
- "traefik.backend=home"
|
|
||||||
- "traefik.port=2015"
|
|
||||||
- "traefik.weight=10"
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.passHostHeader=true"
|
|
||||||
- "traefik.docker.network=ntw_front"
|
|
||||||
- "traefik.frontend.entryPoints=http"
|
|
||||||
- "traefik.backend.loadbalancer.swarm=true"
|
|
||||||
- "traefik.backend.loadbalancer.method=drr"
|
|
||||||
```
|
|
||||||
|
|
||||||
Something more tricky using `regex`.
|
|
||||||
|
|
||||||
In this case a slash is added to `siteexample.io/portainer` and redirect to `siteexample.io/portainer/`. For more details: https://github.com/containous/traefik/issues/563
|
|
||||||
|
|
||||||
The double sign `$$` are variables managed by the docker compose file ([documentation](https://docs.docker.com/compose/compose-file/#variable-substitution)).
|
|
||||||
|
|
||||||
```
|
|
||||||
portainer:
|
|
||||||
image: portainer/portainer:1.16.5
|
|
||||||
networks:
|
|
||||||
- ntw_front
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
deploy:
|
|
||||||
mode: replicated
|
|
||||||
replicas: 1
|
|
||||||
placement:
|
|
||||||
constraints: [node.role==manager]
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
max_attempts: 5
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpus: '0.33'
|
|
||||||
memory: 20M
|
|
||||||
reservations:
|
|
||||||
cpus: '0.05'
|
|
||||||
memory: 10M
|
|
||||||
labels:
|
|
||||||
- "traefik.frontend.rule=PathPrefixStrip:/portainer"
|
|
||||||
- "traefik.backend=portainer"
|
|
||||||
- "traefik.port=9000"
|
|
||||||
- "traefik.weight=10"
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.passHostHeader=true"
|
|
||||||
- "traefik.docker.network=ntw_front"
|
|
||||||
- "traefik.frontend.entryPoints=http"
|
|
||||||
- "traefik.backend.loadbalancer.swarm=true"
|
|
||||||
- "traefik.backend.loadbalancer.method=drr"
|
|
||||||
# https://github.com/containous/traefik/issues/563#issuecomment-421360934
|
|
||||||
- "traefik.frontend.redirect.regex=^(.*)/portainer$$"
|
|
||||||
- "traefik.frontend.redirect.replacement=$$1/portainer/"
|
|
||||||
- "traefik.frontend.rule=PathPrefix:/portainer;ReplacePathRegex: ^/portainer/(.*) /$$1"
|
|
||||||
```
|
|
@ -1,183 +0,0 @@
|
|||||||
# gRPC examples
|
|
||||||
|
|
||||||
## With HTTP (h2c)
|
|
||||||
|
|
||||||
This section explains how to use Traefik as reverse proxy for gRPC application.
|
|
||||||
|
|
||||||
### Traefik configuration
|
|
||||||
|
|
||||||
At last, we configure our Traefik instance to use both self-signed certificates.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.http]
|
|
||||||
|
|
||||||
[api]
|
|
||||||
|
|
||||||
[file]
|
|
||||||
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
# Access on backend with h2c
|
|
||||||
url = "h2c://backend.local:8080"
|
|
||||||
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "Host:frontend.local"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
For provider with label, you will have to specify the `traefik.protocol=h2c`
|
|
||||||
|
|
||||||
### Conclusion
|
|
||||||
|
|
||||||
We don't need specific configuration to use gRPC in Traefik, we just need to use `h2c` protocol, or use HTTPS communications to have HTTP2 with the backend.
|
|
||||||
|
|
||||||
## With HTTPS
|
|
||||||
|
|
||||||
This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.
|
|
||||||
|
|
||||||
![gRPC architecture](/img/grpc.svg)
|
|
||||||
|
|
||||||
### gRPC Server certificate
|
|
||||||
|
|
||||||
In order to secure the gRPC server, we generate a self-signed certificate for backend url:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.cert
|
|
||||||
```
|
|
||||||
|
|
||||||
That will prompt for information, the important answer is:
|
|
||||||
|
|
||||||
```
|
|
||||||
Common Name (e.g. server FQDN or YOUR name) []: backend.local
|
|
||||||
```
|
|
||||||
|
|
||||||
### gRPC Client certificate
|
|
||||||
|
|
||||||
Generate your self-signed certificate for frontend url:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.cert
|
|
||||||
```
|
|
||||||
|
|
||||||
with
|
|
||||||
|
|
||||||
```
|
|
||||||
Common Name (e.g. server FQDN or YOUR name) []: frontend.local
|
|
||||||
```
|
|
||||||
|
|
||||||
### Traefik configuration
|
|
||||||
|
|
||||||
At last, we configure our Traefik instance to use both self-signed certificates.
|
|
||||||
|
|
||||||
```toml
|
|
||||||
defaultEntryPoints = ["https"]
|
|
||||||
|
|
||||||
# For secure connection on backend.local
|
|
||||||
rootCAs = [ "./backend.cert" ]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":4443"
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
# For secure connection on frontend.local
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "./frontend.cert"
|
|
||||||
keyFile = "./frontend.key"
|
|
||||||
|
|
||||||
|
|
||||||
[api]
|
|
||||||
|
|
||||||
[file]
|
|
||||||
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
# Access on backend with HTTPS
|
|
||||||
url = "https://backend.local:8080"
|
|
||||||
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend1"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "Host:frontend.local"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
With some backends, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAS` to activate HTTPS without hostname verification.
|
|
||||||
|
|
||||||
### A gRPC example in go (modify for https)
|
|
||||||
|
|
||||||
We use the gRPC greeter example in [grpc-go](https://github.com/grpc/grpc-go/tree/master/examples/helloworld)
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
In order to use this gRPC example, we need to modify it to use HTTPS
|
|
||||||
|
|
||||||
So we modify the "gRPC server example" to use our own self-signed certificate:
|
|
||||||
|
|
||||||
```go
|
|
||||||
// ...
|
|
||||||
|
|
||||||
// Read cert and key file
|
|
||||||
BackendCert, _ := ioutil.ReadFile("./backend.cert")
|
|
||||||
BackendKey, _ := ioutil.ReadFile("./backend.key")
|
|
||||||
|
|
||||||
// Generate Certificate struct
|
|
||||||
cert, err := tls.X509KeyPair(BackendCert, BackendKey)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("failed to parse certificate: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Create credentials
|
|
||||||
creds := credentials.NewServerTLSFromCert(&cert)
|
|
||||||
|
|
||||||
// Use Credentials in gRPC server options
|
|
||||||
serverOption := grpc.Creds(creds)
|
|
||||||
var s *grpc.Server = grpc.NewServer(serverOption)
|
|
||||||
defer s.Stop()
|
|
||||||
|
|
||||||
pb.RegisterGreeterServer(s, &server{})
|
|
||||||
err := s.Serve(lis)
|
|
||||||
|
|
||||||
// ...
|
|
||||||
```
|
|
||||||
|
|
||||||
Next we will modify gRPC Client to use our Traefik self-signed certificate:
|
|
||||||
|
|
||||||
```go
|
|
||||||
// ...
|
|
||||||
|
|
||||||
// Read cert file
|
|
||||||
FrontendCert, _ := ioutil.ReadFile("./frontend.cert")
|
|
||||||
|
|
||||||
// Create CertPool
|
|
||||||
roots := x509.NewCertPool()
|
|
||||||
roots.AppendCertsFromPEM(FrontendCert)
|
|
||||||
|
|
||||||
// Create credentials
|
|
||||||
credsClient := credentials.NewClientTLSFromCert(roots, "")
|
|
||||||
|
|
||||||
// Dial with specific Transport (with credentials)
|
|
||||||
conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient))
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("did not connect: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
defer conn.Close()
|
|
||||||
client := pb.NewGreeterClient(conn)
|
|
||||||
|
|
||||||
name := "World"
|
|
||||||
r, err := client.SayHello(context.Background(), &pb.HelloRequest{Name: name})
|
|
||||||
|
|
||||||
// ...
|
|
||||||
```
|
|
@ -1,444 +0,0 @@
|
|||||||
# Key-value store configuration
|
|
||||||
|
|
||||||
Both [static global configuration](/user-guide/kv-config/#static-configuration-in-key-value-store) and [dynamic](/user-guide/kv-config/#dynamic-configuration-in-key-value-store) configuration can be stored in a Key-value store.
|
|
||||||
|
|
||||||
This section explains how to launch Traefik using a configuration loaded from a Key-value store.
|
|
||||||
|
|
||||||
Traefik supports several Key-value stores:
|
|
||||||
|
|
||||||
- [Consul](https://consul.io)
|
|
||||||
- [etcd](https://coreos.com/etcd/)
|
|
||||||
- [ZooKeeper](https://zookeeper.apache.org/)
|
|
||||||
- [boltdb](https://github.com/boltdb/bolt)
|
|
||||||
|
|
||||||
## Static configuration in Key-value store
|
|
||||||
|
|
||||||
We will see the steps to set it up with an easy example.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
We could do the same with any other Key-value Store.
|
|
||||||
|
|
||||||
### docker-compose file for Consul
|
|
||||||
|
|
||||||
The Traefik global configuration will be retrieved from a [Consul](https://consul.io) store.
|
|
||||||
|
|
||||||
First we have to launch Consul in a container.
|
|
||||||
|
|
||||||
The [docker-compose file](https://docs.docker.com/compose/compose-file/) allows us to launch Consul and four instances of the trivial app [containous/whoami](https://github.com/containous/whoami) :
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
consul:
|
|
||||||
image: progrium/consul
|
|
||||||
command: -server -bootstrap -log-level debug -ui-dir /ui
|
|
||||||
ports:
|
|
||||||
- "8400:8400"
|
|
||||||
- "8500:8500"
|
|
||||||
- "8600:53/udp"
|
|
||||||
expose:
|
|
||||||
- "8300"
|
|
||||||
- "8301"
|
|
||||||
- "8301/udp"
|
|
||||||
- "8302"
|
|
||||||
- "8302/udp"
|
|
||||||
|
|
||||||
whoami1:
|
|
||||||
image: containous/whoami
|
|
||||||
|
|
||||||
whoami2:
|
|
||||||
image: containous/whoami
|
|
||||||
|
|
||||||
whoami3:
|
|
||||||
image: containous/whoami
|
|
||||||
|
|
||||||
whoami4:
|
|
||||||
image: containous/whoami
|
|
||||||
```
|
|
||||||
|
|
||||||
### Upload the configuration in the Key-value store
|
|
||||||
|
|
||||||
We should now fill the store with the Traefik global configuration.
|
|
||||||
To do that, we can send the Key-value pairs via [curl commands](https://www.consul.io/intro/getting-started/kv.html) or via the [Web UI](https://www.consul.io/intro/getting-started/ui.html).
|
|
||||||
|
|
||||||
Fortunately, Traefik allows automation of this process using the `storeconfig` subcommand.
|
|
||||||
Please refer to the [store Traefik configuration](/user-guide/kv-config/#store-configuration-in-key-value-store) section to get documentation on it.
|
|
||||||
|
|
||||||
Here is the toml configuration we would like to store in the Key-value Store :
|
|
||||||
|
|
||||||
```toml
|
|
||||||
logLevel = "DEBUG"
|
|
||||||
|
|
||||||
defaultEntryPoints = ["http", "https"]
|
|
||||||
|
|
||||||
[entryPoints]
|
|
||||||
[entryPoints.api]
|
|
||||||
address = ":8081"
|
|
||||||
[entryPoints.http]
|
|
||||||
address = ":80"
|
|
||||||
[entryPoints.https]
|
|
||||||
address = ":443"
|
|
||||||
|
|
||||||
[entryPoints.https.tls]
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = "integration/fixtures/https/snitest.com.cert"
|
|
||||||
keyFile = "integration/fixtures/https/snitest.com.key"
|
|
||||||
[[entryPoints.https.tls.certificates]]
|
|
||||||
certFile = """-----BEGIN CERTIFICATE-----
|
|
||||||
<cert file content>
|
|
||||||
-----END CERTIFICATE-----"""
|
|
||||||
keyFile = """-----BEGIN PRIVATE KEY-----
|
|
||||||
<key file content>
|
|
||||||
-----END PRIVATE KEY-----"""
|
|
||||||
[entryPoints.other-https]
|
|
||||||
address = ":4443"
|
|
||||||
[entryPoints.other-https.tls]
|
|
||||||
|
|
||||||
[consul]
|
|
||||||
endpoint = "127.0.0.1:8500"
|
|
||||||
watch = true
|
|
||||||
prefix = "traefik"
|
|
||||||
|
|
||||||
[api]
|
|
||||||
entrypoint = "api"
|
|
||||||
```
|
|
||||||
|
|
||||||
And there, the same global configuration in the Key-value Store (using `prefix = "traefik"`):
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|-----------------------------------------------------------|---------------------------------------------------------------|
|
|
||||||
| `/traefik/loglevel` | `DEBUG` |
|
|
||||||
| `/traefik/defaultentrypoints/0` | `http` |
|
|
||||||
| `/traefik/defaultentrypoints/1` | `https` |
|
|
||||||
| `/traefik/entrypoints/api/address` | `:8081` |
|
|
||||||
| `/traefik/entrypoints/http/address` | `:80` |
|
|
||||||
| `/traefik/entrypoints/https/address` | `:443` |
|
|
||||||
| `/traefik/entrypoints/https/tls/certificates/0/certfile` | `integration/fixtures/https/snitest.com.cert` |
|
|
||||||
| `/traefik/entrypoints/https/tls/certificates/0/keyfile` | `integration/fixtures/https/snitest.com.key` |
|
|
||||||
| `/traefik/entrypoints/https/tls/certificates/1/certfile` | `--BEGIN CERTIFICATE--<cert file content>--END CERTIFICATE--` |
|
|
||||||
| `/traefik/entrypoints/https/tls/certificates/1/keyfile` | `--BEGIN CERTIFICATE--<key file content>--END CERTIFICATE--` |
|
|
||||||
| `/traefik/entrypoints/other-https/address` | `:4443` |
|
|
||||||
| `/traefik/consul/endpoint` | `127.0.0.1:8500` |
|
|
||||||
| `/traefik/consul/watch` | `true` |
|
|
||||||
| `/traefik/consul/prefix` | `traefik` |
|
|
||||||
| `/traefik/api/entrypoint` | `api` |
|
|
||||||
|
|
||||||
In case you are setting key values manually:
|
|
||||||
|
|
||||||
- Remember to specify the indexes (`0`,`1`, `2`, ... ) under prefixes `/traefik/defaultentrypoints/` and `/traefik/entrypoints/https/tls/certificates/` in order to match the global configuration structure.
|
|
||||||
- Be careful to give the correct IP address and port on the key `/traefik/consul/endpoint`.
|
|
||||||
|
|
||||||
Note that we can either give path to certificate file or directly the file content itself.
|
|
||||||
|
|
||||||
### Launch Traefik
|
|
||||||
|
|
||||||
We will now launch Traefik in a container.
|
|
||||||
|
|
||||||
We use CLI flags to setup the connection between Traefik and Consul.
|
|
||||||
All the rest of the global configuration is stored in Consul.
|
|
||||||
|
|
||||||
Here is the [docker-compose file](https://docs.docker.com/compose/compose-file/) :
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
traefik:
|
|
||||||
image: traefik
|
|
||||||
command: --consul --consul.endpoint=127.0.0.1:8500
|
|
||||||
ports:
|
|
||||||
- "80:80"
|
|
||||||
- "8080:8080"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
Be careful to give the correct IP address and port in the flag `--consul.endpoint`.
|
|
||||||
|
|
||||||
### Consul ACL Token support
|
|
||||||
|
|
||||||
To specify a Consul ACL token for Traefik, we have to set a System Environment variable named `CONSUL_HTTP_TOKEN` prior to starting Traefik.
|
|
||||||
This variable must be initialized with the ACL token value.
|
|
||||||
|
|
||||||
If Traefik is launched into a Docker container, the variable `CONSUL_HTTP_TOKEN` can be initialized with the `-e` Docker option : `-e "CONSUL_HTTP_TOKEN=[consul-acl-token-value]"`
|
|
||||||
|
|
||||||
If a Consul ACL is used to restrict Traefik read/write access, one of the following configurations is needed.
|
|
||||||
|
|
||||||
- HCL format :
|
|
||||||
|
|
||||||
```
|
|
||||||
key "traefik" {
|
|
||||||
policy = "write"
|
|
||||||
},
|
|
||||||
|
|
||||||
session "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
- JSON format :
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"key": {
|
|
||||||
"traefik": {
|
|
||||||
"policy": "write"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"session": {
|
|
||||||
"": {
|
|
||||||
"policy": "write"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
### TLS support
|
|
||||||
|
|
||||||
To connect to a Consul endpoint using SSL, simply specify `https://` in the `consul.endpoint` property
|
|
||||||
|
|
||||||
- `--consul.endpoint=https://[consul-host]:[consul-ssl-port]`
|
|
||||||
|
|
||||||
### TLS support with client certificates
|
|
||||||
|
|
||||||
So far, only [Consul](https://consul.io) and [etcd](https://coreos.com/etcd/) support TLS connections with client certificates.
|
|
||||||
|
|
||||||
To set it up, we should enable [consul security](https://www.consul.io/docs/internals/security.html) (or [etcd security](https://coreos.com/etcd/docs/latest/security.html)).
|
|
||||||
|
|
||||||
Then, we have to provide CA, Cert and Key to Traefik using `consul` flags :
|
|
||||||
|
|
||||||
- `--consul.tls`
|
|
||||||
- `--consul.tls.ca=path/to/the/file`
|
|
||||||
- `--consul.tls.cert=path/to/the/file`
|
|
||||||
- `--consul.tls.key=path/to/the/file`
|
|
||||||
|
|
||||||
Or etcd flags :
|
|
||||||
|
|
||||||
- `--etcd.tls`
|
|
||||||
- `--etcd.tls.ca=path/to/the/file`
|
|
||||||
- `--etcd.tls.cert=path/to/the/file`
|
|
||||||
- `--etcd.tls.key=path/to/the/file`
|
|
||||||
|
|
||||||
!! note
|
|
||||||
We can either give directly directly the file content itself (instead of the path to certificate) in a TOML file configuration.
|
|
||||||
|
|
||||||
Remember the command `traefik --help` to display the updated list of flags.
|
|
||||||
|
|
||||||
## Dynamic configuration in Key-value store
|
|
||||||
|
|
||||||
Following our example, we will provide backends/frontends rules and HTTPS certificates to Traefik.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
This section is independent of the way Traefik got its static configuration.
|
|
||||||
It means that the static configuration can either come from the same Key-value store or from any other sources.
|
|
||||||
|
|
||||||
### Key-value storage structure
|
|
||||||
|
|
||||||
Here is the toml configuration we would like to store in the store :
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[file]
|
|
||||||
|
|
||||||
# rules
|
|
||||||
[backends]
|
|
||||||
[backends.backend1]
|
|
||||||
[backends.backend1.circuitbreaker]
|
|
||||||
expression = "NetworkErrorRatio() > 0.5"
|
|
||||||
[backends.backend1.servers.server1]
|
|
||||||
url = "http://172.17.0.2:80"
|
|
||||||
weight = 10
|
|
||||||
[backends.backend1.servers.server2]
|
|
||||||
url = "http://172.17.0.3:80"
|
|
||||||
weight = 1
|
|
||||||
[backends.backend2]
|
|
||||||
[backends.backend1.maxconn]
|
|
||||||
amount = 10
|
|
||||||
extractorfunc = "request.host"
|
|
||||||
[backends.backend2.LoadBalancer]
|
|
||||||
method = "drr"
|
|
||||||
[backends.backend2.servers.server1]
|
|
||||||
url = "http://172.17.0.4:80"
|
|
||||||
weight = 1
|
|
||||||
[backends.backend2.servers.server2]
|
|
||||||
url = "http://172.17.0.5:80"
|
|
||||||
weight = 2
|
|
||||||
|
|
||||||
[frontends]
|
|
||||||
[frontends.frontend1]
|
|
||||||
backend = "backend2"
|
|
||||||
[frontends.frontend1.routes.test_1]
|
|
||||||
rule = "Host:test.localhost"
|
|
||||||
[frontends.frontend2]
|
|
||||||
backend = "backend1"
|
|
||||||
passHostHeader = true
|
|
||||||
priority = 10
|
|
||||||
[frontends.frontend2.auth.basic]
|
|
||||||
users = [
|
|
||||||
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
|
|
||||||
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
|
|
||||||
]
|
|
||||||
entrypoints = ["https"] # overrides defaultEntryPoints
|
|
||||||
[frontends.frontend2.routes.test_1]
|
|
||||||
rule = "Host:{subdomain:[a-z]+}.localhost"
|
|
||||||
[frontends.frontend3]
|
|
||||||
entrypoints = ["http", "https"] # overrides defaultEntryPoints
|
|
||||||
backend = "backend2"
|
|
||||||
rule = "Path:/test"
|
|
||||||
|
|
||||||
[[tls]]
|
|
||||||
[tls.certificate]
|
|
||||||
certFile = "path/to/your.cert"
|
|
||||||
keyFile = "path/to/your.key"
|
|
||||||
|
|
||||||
[[tls]]
|
|
||||||
entryPoints = ["https","other-https"]
|
|
||||||
[tls.certificate]
|
|
||||||
certFile = """-----BEGIN CERTIFICATE-----
|
|
||||||
<cert file content>
|
|
||||||
-----END CERTIFICATE-----"""
|
|
||||||
keyFile = """-----BEGIN CERTIFICATE-----
|
|
||||||
<key file content>
|
|
||||||
-----END CERTIFICATE-----"""
|
|
||||||
```
|
|
||||||
|
|
||||||
And there, the same dynamic configuration in a KV Store (using `prefix = "traefik"`):
|
|
||||||
|
|
||||||
- backend 1
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|--------------------------------------------------------|-----------------------------|
|
|
||||||
| `/traefik/backends/backend1/circuitbreaker/expression` | `NetworkErrorRatio() > 0.5` |
|
|
||||||
| `/traefik/backends/backend1/servers/server1/url` | `http://172.17.0.2:80` |
|
|
||||||
| `/traefik/backends/backend1/servers/server1/weight` | `10` |
|
|
||||||
| `/traefik/backends/backend1/servers/server2/url` | `http://172.17.0.3:80` |
|
|
||||||
| `/traefik/backends/backend1/servers/server2/weight` | `1` |
|
|
||||||
| `/traefik/backends/backend1/servers/server2/tags` | `api,helloworld` |
|
|
||||||
|
|
||||||
- backend 2
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|-----------------------------------------------------|------------------------|
|
|
||||||
| `/traefik/backends/backend2/maxconn/amount` | `10` |
|
|
||||||
| `/traefik/backends/backend2/maxconn/extractorfunc` | `request.host` |
|
|
||||||
| `/traefik/backends/backend2/loadbalancer/method` | `drr` |
|
|
||||||
| `/traefik/backends/backend2/servers/server1/url` | `http://172.17.0.4:80` |
|
|
||||||
| `/traefik/backends/backend2/servers/server1/weight` | `1` |
|
|
||||||
| `/traefik/backends/backend2/servers/server2/url` | `http://172.17.0.5:80` |
|
|
||||||
| `/traefik/backends/backend2/servers/server2/weight` | `2` |
|
|
||||||
| `/traefik/backends/backend2/servers/server2/tags` | `web` |
|
|
||||||
|
|
||||||
- frontend 1
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|---------------------------------------------------|-----------------------|
|
|
||||||
| `/traefik/frontends/frontend1/backend` | `backend2` |
|
|
||||||
| `/traefik/frontends/frontend1/routes/test_1/rule` | `Host:test.localhost` |
|
|
||||||
|
|
||||||
- frontend 2
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|----------------------------------------------------|-----------------------------------------------|
|
|
||||||
| `/traefik/frontends/frontend2/backend` | `backend1` |
|
|
||||||
| `/traefik/frontends/frontend2/passhostheader` | `true` |
|
|
||||||
| `/traefik/frontends/frontend2/priority` | `10` |
|
|
||||||
| `/traefik/frontends/frontend2/auth/basic/users/0` | `test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/` |
|
|
||||||
| `/traefik/frontends/frontend2/auth/basic/users/1` | `test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` |
|
|
||||||
| `/traefik/frontends/frontend2/entrypoints` | `http,https` |
|
|
||||||
| `/traefik/frontends/frontend2/routes/test_2/rule` | `PathPrefix:/test` |
|
|
||||||
|
|
||||||
- certificate 1
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|---------------------------------------|--------------------|
|
|
||||||
| `/traefik/tls/1/certificate/certfile` | `path/to/your.cert`|
|
|
||||||
| `/traefik/tls/1/certificate/keyfile` | `path/to/your.key` |
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
As `/traefik/tls/1/entrypoints` is not defined, the certificate will be attached to all `defaulEntryPoints` with a TLS configuration (in the example, the entryPoint `https`)
|
|
||||||
|
|
||||||
- certificate 2
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|---------------------------------------|-----------------------|
|
|
||||||
| `/traefik/tls/2/entrypoints` | `https,other-https` |
|
|
||||||
| `/traefik/tls/2/certificate/certfile` | `<cert file content>` |
|
|
||||||
| `/traefik/tls/2/certificate/keyfile` | `<key file content>` |
|
|
||||||
|
|
||||||
### Atomic configuration changes
|
|
||||||
|
|
||||||
Traefik can watch the backends/frontends configuration changes and generate its configuration automatically.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Only backends/frontends rules are dynamic, the rest of the Traefik configuration stay static.
|
|
||||||
|
|
||||||
The [Etcd](https://github.com/coreos/etcd/issues/860) and [Consul](https://github.com/hashicorp/consul/issues/886) backends do not support updating multiple keys atomically.
|
|
||||||
As a result, it may be possible for Traefik to read an intermediate configuration state despite judicious use of the `--providersThrottleDuration` flag.
|
|
||||||
To solve this problem, Traefik supports a special key called `/traefik/alias`.
|
|
||||||
If set, Traefik use the value as an alternative key prefix.
|
|
||||||
|
|
||||||
Given the key structure below, Traefik will use the `http://172.17.0.2:80` as its only backend (frontend keys have been omitted for brevity).
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|-------------------------------------------------------------------------|-----------------------------|
|
|
||||||
| `/traefik/alias` | `/traefik_configurations/1` |
|
|
||||||
| `/traefik_configurations/1/backends/backend1/servers/server1/url` | `http://172.17.0.2:80` |
|
|
||||||
| `/traefik_configurations/1/backends/backend1/servers/server1/weight` | `10` |
|
|
||||||
|
|
||||||
When an atomic configuration change is required, you may write a new configuration at an alternative prefix.
|
|
||||||
|
|
||||||
Here, although the `/traefik_configurations/2/...` keys have been set, the old configuration is still active because the `/traefik/alias` key still points to `/traefik_configurations/1`:
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|-------------------------------------------------------------------------|-----------------------------|
|
|
||||||
| `/traefik/alias` | `/traefik_configurations/1` |
|
|
||||||
| `/traefik_configurations/1/backends/backend1/servers/server1/url` | `http://172.17.0.2:80` |
|
|
||||||
| `/traefik_configurations/1/backends/backend1/servers/server1/weight` | `10` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server1/url` | `http://172.17.0.2:80` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server1/weight` | `5` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server2/url` | `http://172.17.0.3:80` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server2/weight` | `5` |
|
|
||||||
|
|
||||||
Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` configuration becomes active atomically.
|
|
||||||
|
|
||||||
Here, we have a 50% balance between the `http://172.17.0.3:80` and the `http://172.17.0.4:80` hosts while no traffic is sent to the `172.17.0.2:80` host:
|
|
||||||
|
|
||||||
| Key | Value |
|
|
||||||
|-------------------------------------------------------------------------|-----------------------------|
|
|
||||||
| `/traefik/alias` | `/traefik_configurations/2` |
|
|
||||||
| `/traefik_configurations/1/backends/backend1/servers/server1/url` | `http://172.17.0.2:80` |
|
|
||||||
| `/traefik_configurations/1/backends/backend1/servers/server1/weight` | `10` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server1/url` | `http://172.17.0.3:80` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server1/weight` | `5` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server2/url` | `http://172.17.0.4:80` |
|
|
||||||
| `/traefik_configurations/2/backends/backend1/servers/server2/weight` | `5` |
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Traefik *will not watch for key changes in the `/traefik_configurations` prefix*. It will only watch for changes in the `/traefik/alias`.
|
|
||||||
Further, if the `/traefik/alias` key is set, all other configuration with `/traefik/backends` or `/traefik/frontends` prefix are ignored.
|
|
||||||
|
|
||||||
## Store configuration in Key-value store
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Don't forget to [setup the connection between Traefik and Key-value store](/user-guide/kv-config/#launch-traefik).
|
|
||||||
|
|
||||||
The static Traefik configuration in a key-value store can be automatically created and updated, using the [`storeconfig` subcommand](/basics/#commands).
|
|
||||||
|
|
||||||
```bash
|
|
||||||
traefik storeconfig [flags] ...
|
|
||||||
```
|
|
||||||
This command is here only to automate the [process which upload the configuration into the Key-value store](/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store).
|
|
||||||
Traefik will not start but the [static configuration](/basics/#static-traefik-configuration) will be uploaded into the Key-value store.
|
|
||||||
|
|
||||||
If you configured ACME (Let's Encrypt), your registration account and your certificates will also be uploaded.
|
|
||||||
|
|
||||||
If you configured a file provider `[file]`, all your dynamic configuration (backends, frontends...) will be uploaded to the Key-value store.
|
|
||||||
|
|
||||||
To upload your ACME certificates to the KV store, get your Traefik TOML file and add the new `storage` option in the `acme` section:
|
|
||||||
|
|
||||||
```toml
|
|
||||||
[acme]
|
|
||||||
email = "test@traefik.io"
|
|
||||||
storage = "traefik/acme/account" # the key where to store your certificates in the KV store
|
|
||||||
storageFile = "acme.json" # your old certificates store
|
|
||||||
```
|
|
||||||
|
|
||||||
Call `traefik storeconfig` to upload your config in the KV store.
|
|
||||||
Then remove the line `storageFile = "acme.json"` from your TOML config file.
|
|
||||||
|
|
||||||
That's it!
|
|
||||||
|
|
||||||
![GIF Magica](https://i.giphy.com/ujUdrdpX7Ok5W.gif)
|
|
@ -1,144 +0,0 @@
|
|||||||
# Marathon
|
|
||||||
|
|
||||||
This guide explains how to integrate Marathon and operate the cluster in a reliable way from Traefik's standpoint.
|
|
||||||
|
|
||||||
## Host detection
|
|
||||||
|
|
||||||
Marathon offers multiple ways to run (Docker-containerized) applications, the most popular ones being
|
|
||||||
|
|
||||||
- BRIDGE-networked containers with dynamic high ports exposed
|
|
||||||
- HOST-networked containers with host machine ports
|
|
||||||
- containers with dedicated IP addresses ([IP-per-task](https://mesosphere.github.io/marathon/docs/ip-per-task.html)).
|
|
||||||
|
|
||||||
Traefik tries to detect the configured mode and route traffic to the right IP addresses. It is possible to force using task hosts with the `forceTaskHostname` option.
|
|
||||||
|
|
||||||
Given the complexity of the subject, it is possible that the heuristic fails.
|
|
||||||
Apart from filing an issue and waiting for the feature request / bug report to get addressed, one workaround for such situations is to customize the Marathon template file to the individual needs.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
This does _not_ require rebuilding Traefik but only to point the `filename` configuration parameter to a customized version of the `marathon.tmpl` file on Traefik startup.
|
|
||||||
|
|
||||||
## Port detection
|
|
||||||
|
|
||||||
Traefik also attempts to determine the right port (which is a [non-trivial matter in Marathon](https://mesosphere.github.io/marathon/docs/ports.html)).
|
|
||||||
Following is the order by which Traefik tries to identify the port (the first one that yields a positive result will be used):
|
|
||||||
|
|
||||||
1. A arbitrary port specified through the `traefik.port` label.
|
|
||||||
1. The task port (possibly indexed through the `traefik.portIndex` label, otherwise the first one).
|
|
||||||
1. The port from the application's `portDefinitions` field (possibly indexed through the `traefik.portIndex` label, otherwise the first one).
|
|
||||||
1. The port from the application's `ipAddressPerTask` field (possibly indexed through the `traefik.portIndex` label, otherwise the first one).
|
|
||||||
|
|
||||||
## Applications with multiple ports
|
|
||||||
|
|
||||||
Some Marathon applications may expose multiple ports. Traefik supports creating one so-called _segment_ per port using [segment labels](/configuration/backends/marathon#applications-with-multiple-ports-segment-labels).
|
|
||||||
|
|
||||||
For instance, assume that a Marathon application exposes a web API on port 80 and an admin interface on port 8080. It would then be possible to make each service available by specifying the following Marathon labels:
|
|
||||||
|
|
||||||
```
|
|
||||||
traefik.web.port=80
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
traefik.admin.port=8080
|
|
||||||
```
|
|
||||||
|
|
||||||
(Note that the service names `web` and `admin` can be chosen arbitrarily.)
|
|
||||||
|
|
||||||
Technically, Traefik will create one pair of frontend and backend configurations for each service.
|
|
||||||
|
|
||||||
## Achieving high availability
|
|
||||||
|
|
||||||
### Scenarios
|
|
||||||
|
|
||||||
There are three scenarios where the availability of a Marathon application could be impaired along with the risk of losing or failing requests:
|
|
||||||
|
|
||||||
- During the startup phase when Traefik already routes requests to the backend even though it has not completed its bootstrapping process yet.
|
|
||||||
- During the shutdown phase when Traefik still routes requests to the backend while the backend is already terminating.
|
|
||||||
- During a failure of the application when Traefik has not yet identified the backend as being erroneous.
|
|
||||||
|
|
||||||
The first two scenarios are common with every rolling upgrade of an application (i.e. a new version release or configuration update).
|
|
||||||
|
|
||||||
The following sub-sections describe how to resolve or mitigate each scenario.
|
|
||||||
|
|
||||||
#### Startup
|
|
||||||
|
|
||||||
It is possible to define [readiness checks](https://mesosphere.github.io/marathon/docs/readiness-checks.html) (available since Marathon version 1.1) per application and have Marathon take these into account during the startup phase.
|
|
||||||
|
|
||||||
The idea is that each application provides an HTTP endpoint that Marathon queries periodically during an ongoing deployment in order to mark the associated readiness check result as successful if and only if the endpoint returns a response within the configured HTTP code range.
|
|
||||||
As long as the check keeps failing, Marathon will not proceed with the deployment (within the configured upgrade strategy bounds).
|
|
||||||
|
|
||||||
Beginning with version 1.4, Traefik respects readiness check results if the Traefik option is set and checks are configured on the applications accordingly.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
Due to the way readiness check results are currently exposed by the Marathon API, ready tasks may be taken into rotation with a small delay.
|
|
||||||
It is on the order of one readiness check timeout interval (as configured on the application specification) and guarantees that non-ready tasks do not receive traffic prematurely.
|
|
||||||
|
|
||||||
If readiness checks are not possible, a current mitigation strategy is to enable [retries](/configuration/commons#retry-configuration) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
|
|
||||||
Apart from its probabilistic nature, the workaround comes at the price of increased latency.
|
|
||||||
|
|
||||||
#### Shutdown
|
|
||||||
|
|
||||||
It is possible to install a [termination handler](https://mesosphere.github.io/marathon/docs/health-checks.html) (available since Marathon version 1.3) with each application whose responsibility it is to delay the shutdown process long enough until the backend has been taken out of load-balancing rotation with reasonable confidence (i.e., Traefik has received an update from the Marathon event bus, recomputes the available Marathon backends, and applies the new configuration).
|
|
||||||
Specifically, each termination handler should install a signal handler listening for a SIGTERM signal and implement the following steps on signal reception:
|
|
||||||
|
|
||||||
1. Disable Keep-Alive HTTP connections.
|
|
||||||
1. Keep accepting HTTP requests for a certain period of time.
|
|
||||||
1. Stop accepting new connections.
|
|
||||||
1. Finish serving any in-flight requests.
|
|
||||||
1. Shut down.
|
|
||||||
|
|
||||||
Traefik already ignores Marathon tasks whose state does not match `TASK_RUNNING`; since terminating tasks transition into the `TASK_KILLING` and eventually `TASK_KILLED` state, there is nothing further that needs to be done on Traefik's end.
|
|
||||||
|
|
||||||
How long HTTP requests should continue to be accepted in step 2 depends on how long Traefik needs to receive and process the Marathon configuration update.
|
|
||||||
Under regular operational conditions, it should be on the order of seconds, with 10 seconds possibly being a good default value.
|
|
||||||
|
|
||||||
Again, configuring Traefik to do retries (as discussed in the previous section) can serve as a decent workaround strategy.
|
|
||||||
Paired with termination handlers, they would cover for those cases where either the termination sequence or Traefik cannot complete their part of the orchestration process in time.
|
|
||||||
|
|
||||||
#### Failure
|
|
||||||
|
|
||||||
A failing application always happens unexpectedly, and hence, it is very difficult or even impossible to rule out the adversal effects categorically.
|
|
||||||
|
|
||||||
Failure reasons vary broadly and could stretch from unacceptable slowness, a task crash, or a network split.
|
|
||||||
|
|
||||||
There are two mitigaton efforts:
|
|
||||||
|
|
||||||
1. Configure [Marathon health checks](https://mesosphere.github.io/marathon/docs/health-checks.html) on each application.
|
|
||||||
1. Configure Traefik health checks (possibly via the `traefik.backend.healthcheck.*` labels) and make sure they probe with proper frequency.
|
|
||||||
|
|
||||||
The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves.
|
|
||||||
However, they might take a while to get triggered and the follow-up processes to complete.
|
|
||||||
|
|
||||||
For that reason, the Treafik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen.
|
|
||||||
Additionally, it protects from cases that the Marathon health check may not be able to cover, such as a network split.
|
|
||||||
|
|
||||||
### (Non-)Alternatives
|
|
||||||
|
|
||||||
There are a few alternatives of varying quality that are frequently asked for.
|
|
||||||
|
|
||||||
The remaining section is going to explore them along with a benefit/cost trade-off.
|
|
||||||
|
|
||||||
#### Reusing Marathon health checks
|
|
||||||
|
|
||||||
It may seem obvious to reuse the Marathon health checks as a signal to Traefik whether an application should be taken into load-balancing rotation or not.
|
|
||||||
|
|
||||||
Apart from the increased latency a failing health check may have, a major problem with this is is that Marathon does not persist the health check results.
|
|
||||||
Consequently, if a master re-election occurs in the Marathon clusters, all health check results will revert to the _unknown_ state, effectively causing all applications inside the cluster to become unavailable and leading to a complete cluster failure.
|
|
||||||
Re-elections do not only happen during regular maintenance work (often requiring rolling upgrades of the Marathon nodes) but also when the Marathon leader fails spontaneously.
|
|
||||||
As such, there is no way to handle this situation deterministically.
|
|
||||||
|
|
||||||
Finally, Marathon health checks are not mandatory (the default is to use the task state as reported by Mesos), so requiring them for Traefik would raise the entry barrier for Marathon users.
|
|
||||||
|
|
||||||
Traefik used to use the health check results as a strict requirement but moved away from it as [users reported the dramatic consequences](https://github.com/containous/traefik/issues/653).
|
|
||||||
|
|
||||||
#### Draining
|
|
||||||
|
|
||||||
Another common approach is to let a proxy drain backends that are supposed to shut down.
|
|
||||||
That is, once a backend is supposed to shut down, Traefik would stop forwarding requests.
|
|
||||||
|
|
||||||
On the plus side, this would not require any modifications to the application in question.
|
|
||||||
However, implementing this fully within Traefik seems like a non-trivial undertaking.
|
|
||||||
|
|
||||||
Additionally, the approach is less flexible compared to a custom termination handler since only the latter allows for the implementation of custom termination sequences that go beyond simple request draining (e.g., persisting a snapshot state to disk prior to terminating).
|
|
||||||
|
|
||||||
The feature is currently not implemented; a request for draining in general is at [issue 41](https://github.com/containous/traefik/issues/41).
|
|
@ -1,332 +0,0 @@
|
|||||||
# Docker Swarm (mode) cluster
|
|
||||||
|
|
||||||
This section explains how to create a multi-host docker cluster with swarm mode using [docker-machine](https://docs.docker.com/machine) and how to deploy Traefik on it.
|
|
||||||
|
|
||||||
The cluster consists of:
|
|
||||||
|
|
||||||
- 3 servers
|
|
||||||
- 1 manager
|
|
||||||
- 2 workers
|
|
||||||
- 1 [overlay](https://docs.docker.com/network/overlay/) network (multi-host networking)
|
|
||||||
|
|
||||||
|
|
||||||
## Prerequisites
|
|
||||||
|
|
||||||
1. You will need to install [docker-machine](https://docs.docker.com/machine/)
|
|
||||||
2. You will need the latest [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
|
|
||||||
|
|
||||||
|
|
||||||
## Cluster provisioning
|
|
||||||
|
|
||||||
First, let's create all the required nodes.
|
|
||||||
It's a shorter version of the [swarm tutorial](https://docs.docker.com/engine/swarm/swarm-tutorial/).
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine create -d virtualbox manager
|
|
||||||
docker-machine create -d virtualbox worker1
|
|
||||||
docker-machine create -d virtualbox worker2
|
|
||||||
```
|
|
||||||
|
|
||||||
Then, let's setup the cluster, in order:
|
|
||||||
|
|
||||||
1. initialize the cluster
|
|
||||||
1. get the token for other host to join
|
|
||||||
1. on both workers, join the cluster with the token
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker swarm init \
|
|
||||||
--listen-addr $(docker-machine ip manager) \
|
|
||||||
--advertise-addr $(docker-machine ip manager)"
|
|
||||||
|
|
||||||
export worker_token=$(docker-machine ssh manager "docker swarm \
|
|
||||||
join-token worker -q")
|
|
||||||
|
|
||||||
docker-machine ssh worker1 "docker swarm join \
|
|
||||||
--token=${worker_token} \
|
|
||||||
--listen-addr $(docker-machine ip worker1) \
|
|
||||||
--advertise-addr $(docker-machine ip worker1) \
|
|
||||||
$(docker-machine ip manager)"
|
|
||||||
|
|
||||||
docker-machine ssh worker2 "docker swarm join \
|
|
||||||
--token=${worker_token} \
|
|
||||||
--listen-addr $(docker-machine ip worker2) \
|
|
||||||
--advertise-addr $(docker-machine ip worker2) \
|
|
||||||
$(docker-machine ip manager)"
|
|
||||||
```
|
|
||||||
|
|
||||||
Let's validate the cluster is up and running.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager docker node ls
|
|
||||||
```
|
|
||||||
```
|
|
||||||
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS
|
|
||||||
013v16l1sbuwjqcn7ucbu4jwt worker1 Ready Active
|
|
||||||
8buzkquycd17jqjber0mo2gn8 worker2 Ready Active
|
|
||||||
fnpj8ozfc85zvahx2r540xfcf * manager Ready Active Leader
|
|
||||||
```
|
|
||||||
|
|
||||||
Finally, let's create a network for Traefik to use.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker network create --driver=overlay traefik-net"
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Deploy Traefik
|
|
||||||
|
|
||||||
Let's deploy Traefik as a docker service in our cluster.
|
|
||||||
The only requirement for Traefik to work with swarm mode is that it needs to run on a manager node - we are going to use a [constraint](https://docs.docker.com/engine/reference/commandline/service_create/#specify-service-constraints---constraint) for that.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker service create \
|
|
||||||
--name traefik \
|
|
||||||
--constraint=node.role==manager \
|
|
||||||
--publish 80:80 --publish 8080:8080 \
|
|
||||||
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
|
|
||||||
--network traefik-net \
|
|
||||||
traefik \
|
|
||||||
--docker \
|
|
||||||
--docker.swarmMode \
|
|
||||||
--docker.domain=traefik \
|
|
||||||
--docker.watch \
|
|
||||||
--api"
|
|
||||||
```
|
|
||||||
|
|
||||||
Let's explain this command:
|
|
||||||
|
|
||||||
| Option | Description |
|
|
||||||
|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
|
|
||||||
| `--publish 80:80 --publish 8080:8080` | we publish port `80` and `8080` on the cluster. |
|
|
||||||
| `--constraint=node.role==manager` | we ask docker to schedule Traefik on a manager node. |
|
|
||||||
| `--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock` | we bind mount the docker socket where Traefik is scheduled to be able to speak to the daemon. |
|
|
||||||
| `--network traefik-net` | we attach the Traefik service (and thus the underlying container) to the `traefik-net` network. |
|
|
||||||
| `--docker` | enable docker provider, and `--docker.swarmMode` to enable the swarm mode on Traefik. |
|
|
||||||
| `--api` | activate the webUI on port 8080 |
|
|
||||||
|
|
||||||
|
|
||||||
## Deploy your apps
|
|
||||||
|
|
||||||
We can now deploy our app on the cluster, here [whoami](https://github.com/containous/whoami), a simple web server in Go.
|
|
||||||
We start 2 services, on the `traefik-net` network.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker service create \
|
|
||||||
--name whoami0 \
|
|
||||||
--label traefik.port=80 \
|
|
||||||
--network traefik-net \
|
|
||||||
containous/whoami"
|
|
||||||
|
|
||||||
docker-machine ssh manager "docker service create \
|
|
||||||
--name whoami1 \
|
|
||||||
--label traefik.port=80 \
|
|
||||||
--network traefik-net \
|
|
||||||
containous/whoami"
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
We set `whoami1` to use sticky sessions (`--label traefik.backend.loadbalancer.stickiness=true`).
|
|
||||||
We'll demonstrate that later.
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
If using `docker stack deploy`, there is [a specific way that the labels must be defined in the docker-compose file](https://github.com/containous/traefik/issues/994#issuecomment-269095109).
|
|
||||||
|
|
||||||
Check that everything is scheduled and started:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker service ls"
|
|
||||||
```
|
|
||||||
```
|
|
||||||
ID NAME MODE REPLICAS IMAGE PORTS
|
|
||||||
moq3dq4xqv6t traefik replicated 1/1 traefik:latest *:80->80/tcp,*:8080->8080/tcp
|
|
||||||
ysil6oto1wim whoami0 replicated 1/1 containous/whoami:latest
|
|
||||||
z9re2mnl34k4 whoami1 replicated 1/1 containous/whoami:latest
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Access to your apps through Traefik
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami0.traefik http://$(docker-machine ip manager)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 5b0b3d148359
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.8
|
|
||||||
IP: 10.0.0.4
|
|
||||||
IP: 172.18.0.5
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami0.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 10.255.0.2
|
|
||||||
X-Forwarded-Host: whoami0.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami1.traefik http://$(docker-machine ip manager)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 3633163970f6
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.14
|
|
||||||
IP: 10.0.0.6
|
|
||||||
IP: 172.18.0.5
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami1.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 10.255.0.2
|
|
||||||
X-Forwarded-Host: whoami1.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
|
||||||
As Traefik is published, you can access it from any machine and not only the manager.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami0.traefik http://$(docker-machine ip worker1)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 5b0b3d148359
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.8
|
|
||||||
IP: 10.0.0.4
|
|
||||||
IP: 172.18.0.5
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami0.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 10.255.0.3
|
|
||||||
X-Forwarded-Host: whoami0.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami1.traefik http://$(docker-machine ip worker2)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 3633163970f6
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.14
|
|
||||||
IP: 10.0.0.6
|
|
||||||
IP: 172.18.0.5
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami1.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 10.255.0.4
|
|
||||||
X-Forwarded-Host: whoami1.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
|
|
||||||
## Scale both services
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker service scale whoami0=5"
|
|
||||||
docker-machine ssh manager "docker service scale whoami1=5"
|
|
||||||
```
|
|
||||||
|
|
||||||
Check that we now have 5 replicas of each `whoami` service:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine ssh manager "docker service ls"
|
|
||||||
```
|
|
||||||
```
|
|
||||||
ID NAME MODE REPLICAS IMAGE PORTS
|
|
||||||
moq3dq4xqv6t traefik replicated 1/1 traefik:latest *:80->80/tcp,*:8080->8080/tcp
|
|
||||||
ysil6oto1wim whoami0 replicated 5/5 containous/whoami:latest
|
|
||||||
z9re2mnl34k4 whoami1 replicated 5/5 containous/whoami:latest
|
|
||||||
```
|
|
||||||
|
|
||||||
## Access to your `whoami0` through Traefik multiple times.
|
|
||||||
|
|
||||||
Repeat the following command multiple times and note that the Hostname changes each time as Traefik load balances each request against the 5 tasks:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami0.traefik http://$(docker-machine ip manager)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: f3138d15b567
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.5
|
|
||||||
IP: 10.0.0.4
|
|
||||||
IP: 172.18.0.3
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami0.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 10.255.0.2
|
|
||||||
X-Forwarded-Host: whoami0.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
|
|
||||||
Do the same against `whoami1`:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -c cookies.txt -H Host:whoami1.traefik http://$(docker-machine ip manager)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 348e2f7bf432
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.15
|
|
||||||
IP: 10.0.0.6
|
|
||||||
IP: 172.18.0.6
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami1.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 10.255.0.2
|
|
||||||
X-Forwarded-Host: whoami1.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
|
|
||||||
Because the sticky sessions require cookies to work, we used the `-c cookies.txt` option to store the cookie into a file.
|
|
||||||
The cookie contains the IP of the container to which the session sticks:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
cat ./cookies.txt
|
|
||||||
```
|
|
||||||
```
|
|
||||||
# Netscape HTTP Cookie File
|
|
||||||
# https://curl.haxx.se/docs/http-cookies.html
|
|
||||||
# This file was generated by libcurl! Edit at your own risk.
|
|
||||||
|
|
||||||
whoami1.traefik FALSE / FALSE 0 _TRAEFIK_BACKEND http://10.0.0.15:80
|
|
||||||
```
|
|
||||||
|
|
||||||
If you load the cookies file (`-b cookies.txt`) for the next request, you will see that stickiness is maintained:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -b cookies.txt -H Host:whoami1.traefik http://$(docker-machine ip manager)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 348e2f7bf432
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: 10.0.0.15
|
|
||||||
IP: 10.0.0.6
|
|
||||||
IP: 172.18.0.6
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: whoami1.traefik
|
|
||||||
User-Agent: curl/7.55.1
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
Cookie: _TRAEFIK_BACKEND=http://10.0.0.15:80
|
|
||||||
X-Forwarded-For: 10.255.0.2
|
|
||||||
X-Forwarded-Host: whoami1.traefik
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 77fc29c69fe4
|
|
||||||
```
|
|
||||||
|
|
||||||
![GIF Magica](https://i.giphy.com/ujUdrdpX7Ok5W.gif)
|
|
@ -1,181 +0,0 @@
|
|||||||
# Swarm cluster
|
|
||||||
|
|
||||||
This section explains how to create a multi-host [swarm](https://docs.docker.com/swarm) cluster using [docker-machine](https://docs.docker.com/machine/) and how to deploy Traefik on it.
|
|
||||||
|
|
||||||
The cluster consists of:
|
|
||||||
|
|
||||||
- 2 servers
|
|
||||||
- 1 swarm master
|
|
||||||
- 2 swarm nodes
|
|
||||||
- 1 [overlay](https://docs.docker.com/network/overlay/) network (multi-host networking)
|
|
||||||
|
|
||||||
## Prerequisites
|
|
||||||
|
|
||||||
1. You need to install [docker-machine](https://docs.docker.com/machine/)
|
|
||||||
2. You need the latest [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
|
|
||||||
|
|
||||||
## Cluster provisioning
|
|
||||||
|
|
||||||
We first follow [this guide](https://docs.docker.com/engine/userguide/networking/get-started-overlay/) to create the cluster.
|
|
||||||
|
|
||||||
### Create machine `mh-keystore`
|
|
||||||
|
|
||||||
This machine is the service registry of our cluster.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine create -d virtualbox mh-keystore
|
|
||||||
```
|
|
||||||
|
|
||||||
Then we install the service registry [Consul](https://consul.io) on this machine:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
eval "$(docker-machine env mh-keystore)"
|
|
||||||
docker run -d \
|
|
||||||
-p "8500:8500" \
|
|
||||||
-h "consul" \
|
|
||||||
progrium/consul -server -bootstrap
|
|
||||||
```
|
|
||||||
|
|
||||||
### Create machine `mhs-demo0`
|
|
||||||
|
|
||||||
This machine is a swarm master and a swarm agent on it.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine create -d virtualbox \
|
|
||||||
--swarm --swarm-master \
|
|
||||||
--swarm-discovery="consul://$(docker-machine ip mh-keystore):8500" \
|
|
||||||
--engine-opt="cluster-store=consul://$(docker-machine ip mh-keystore):8500" \
|
|
||||||
--engine-opt="cluster-advertise=eth1:2376" \
|
|
||||||
mhs-demo0
|
|
||||||
```
|
|
||||||
|
|
||||||
### Create machine `mhs-demo1`
|
|
||||||
|
|
||||||
This machine have a swarm agent on it.
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker-machine create -d virtualbox \
|
|
||||||
--swarm \
|
|
||||||
--swarm-discovery="consul://$(docker-machine ip mh-keystore):8500" \
|
|
||||||
--engine-opt="cluster-store=consul://$(docker-machine ip mh-keystore):8500" \
|
|
||||||
--engine-opt="cluster-advertise=eth1:2376" \
|
|
||||||
mhs-demo1
|
|
||||||
```
|
|
||||||
|
|
||||||
### Create the overlay Network
|
|
||||||
|
|
||||||
Create the overlay network on the swarm master:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
eval $(docker-machine env --swarm mhs-demo0)
|
|
||||||
docker network create --driver overlay --subnet=10.0.9.0/24 my-net
|
|
||||||
```
|
|
||||||
|
|
||||||
## Deploy Traefik
|
|
||||||
|
|
||||||
Deploy Traefik:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker $(docker-machine config mhs-demo0) run \
|
|
||||||
-d \
|
|
||||||
-p 80:80 -p 8080:8080 \
|
|
||||||
--net=my-net \
|
|
||||||
-v /var/lib/boot2docker/:/ssl \
|
|
||||||
traefik \
|
|
||||||
-l DEBUG \
|
|
||||||
-c /dev/null \
|
|
||||||
--docker \
|
|
||||||
--docker.domain=traefik \
|
|
||||||
--docker.endpoint=tcp://$(docker-machine ip mhs-demo0):2376 \
|
|
||||||
--docker.tls \
|
|
||||||
--docker.tls.ca=/ssl/ca.pem \
|
|
||||||
--docker.tls.cert=/ssl/server.pem \
|
|
||||||
--docker.tls.key=/ssl/server-key.pem \
|
|
||||||
--docker.tls.insecureSkipVerify \
|
|
||||||
--docker.watch \
|
|
||||||
--api
|
|
||||||
```
|
|
||||||
|
|
||||||
Let's explain this command:
|
|
||||||
|
|
||||||
| Option | Description |
|
|
||||||
|-------------------------------------------|---------------------------------------------------------------|
|
|
||||||
| `-p 80:80 -p 8080:8080` | we bind ports 80 and 8080 |
|
|
||||||
| `--net=my-net` | run the container on the network my-net |
|
|
||||||
| `-v /var/lib/boot2docker/:/ssl` | mount the ssl keys generated by docker-machine |
|
|
||||||
| `-c /dev/null` | empty config file |
|
|
||||||
| `--docker` | enable docker provider |
|
|
||||||
| `--docker.endpoint=tcp://172.18.0.1:2376` | connect to the swarm master using the docker_gwbridge network |
|
|
||||||
| `--docker.tls` | enable TLS using the docker-machine keys |
|
|
||||||
| `--api` | activate the webUI on port 8080 |
|
|
||||||
|
|
||||||
|
|
||||||
## Deploy your apps
|
|
||||||
|
|
||||||
We can now deploy our app on the cluster, here [whoami](https://github.com/containous/whoami), a simple web server in GO, on the network `my-net`:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
eval $(docker-machine env --swarm mhs-demo0)
|
|
||||||
docker run -d --name=whoami0 --net=my-net --env="constraint:node==mhs-demo0" containous/whoami
|
|
||||||
docker run -d --name=whoami1 --net=my-net --env="constraint:node==mhs-demo1" containous/whoami
|
|
||||||
```
|
|
||||||
|
|
||||||
Check that everything is started:
|
|
||||||
|
|
||||||
```shell
|
|
||||||
docker ps
|
|
||||||
```
|
|
||||||
```
|
|
||||||
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
|
||||||
ba2c21488299 containous/whoami "/whoamI" 8 seconds ago Up 9 seconds 80/tcp mhs-demo1/whoami1
|
|
||||||
8147a7746e7a containous/whoami "/whoamI" 19 seconds ago Up 20 seconds 80/tcp mhs-demo0/whoami0
|
|
||||||
8fbc39271b4c traefik "/traefik -l DEBUG -c" 36 seconds ago Up 37 seconds 192.168.99.101:80->80/tcp, 192.168.99.101:8080->8080/tcp mhs-demo0/serene_bhabha
|
|
||||||
```
|
|
||||||
|
|
||||||
## Access to your apps through Traefik
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami0.traefik http://$(docker-machine ip mhs-demo0)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: 8147a7746e7a
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: ::1
|
|
||||||
IP: 10.0.9.3
|
|
||||||
IP: fe80::42:aff:fe00:903
|
|
||||||
IP: 172.18.0.3
|
|
||||||
IP: fe80::42:acff:fe12:3
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: 10.0.9.3:80
|
|
||||||
User-Agent: curl/7.35.0
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 192.168.99.1
|
|
||||||
X-Forwarded-Host: 10.0.9.3:80
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 8fbc39271b4c
|
|
||||||
```
|
|
||||||
|
|
||||||
```shell
|
|
||||||
curl -H Host:whoami1.traefik http://$(docker-machine ip mhs-demo0)
|
|
||||||
```
|
|
||||||
```yaml
|
|
||||||
Hostname: ba2c21488299
|
|
||||||
IP: 127.0.0.1
|
|
||||||
IP: ::1
|
|
||||||
IP: 10.0.9.4
|
|
||||||
IP: fe80::42:aff:fe00:904
|
|
||||||
IP: 172.18.0.2
|
|
||||||
IP: fe80::42:acff:fe12:2
|
|
||||||
GET / HTTP/1.1
|
|
||||||
Host: 10.0.9.4:80
|
|
||||||
User-Agent: curl/7.35.0
|
|
||||||
Accept: */*
|
|
||||||
Accept-Encoding: gzip
|
|
||||||
X-Forwarded-For: 192.168.99.1
|
|
||||||
X-Forwarded-Host: 10.0.9.4:80
|
|
||||||
X-Forwarded-Proto: http
|
|
||||||
X-Forwarded-Server: 8fbc39271b4c
|
|
||||||
```
|
|
||||||
|
|
||||||
![GIF Magica](https://i.giphy.com/ujUdrdpX7Ok5W.gif)
|
|