IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This change introduces the builder pattern to the Marathon unit tests in
order to simplify and reduce the amount of testing boilerplate.
Additional changes:
- Add missing unit tests.
- Make all tests look consistent.
- Use dedicated type for task states for increased type safety.
- Remove obsoleted getApplication function.
Documentation stated that GraceTimeOut describes the timeout between
hot-reloads, which is not the case. GraceTimeOut describes the timeout
Traefik uses to finish serving active requests before stopping only.
Change Marathon provider to make just one API call instead of two per
configuration update by means of specifying embedded resources, which
enable retrieving multiple response types from the API at once. Apart
from the obvious savings in API calls, we primarily gain a consistent
view on both applications and tasks that allows us to drop a lot of
correlation logic. Additionally, it will serve as the basis for the
introduction of readiness checks which require application/task
consistency for correct leverage on the proxy end.
Additional changes:
marathon.go:
- Filter on tasks now embedded inside the applications.
- Reduce/simplify signature on multiple template functions as we do not
need to check for proper application/task correlation anymore.
- Remove getFrontendBackend in favor of just getBackend.
- Move filtering on enabled/exposed applications from `taskFilter` to
`applicationFilter`. (The task filter just reached out to the
applications anyway, so it never made sense to locate it with the
tasks where the filter was called once for every task even though the
result would never change.)
- Remove duplicate constraints filter in tasks, where it neither made
sense to keep as it operates on the application level only.
- Add context to rendering error.
marathon_test.go:
- Simplify and reduce numerous tests.
- Convert tests with high number of cases into parallelized sub-tests.
- Improve readability/structure for several tests.
- Add missing test for enabled/exposed applications.
- Simplify the mocked Marathon server.
marathon.tmpl:
- Update application/task iteration.
- Replace `getFrontendBackend` by `getBackend`.
When Secrets permissions have not been granted (which is likely to be
the case for users not needing the basic auth feature), the watch on the
Secrets API will never yield a response, thereby causing the controller
to never sync successfully, and in turn causing the check for all
controller synchronizations to fail consistently. Thus, no event will
ever be handled.
Update traefik dependencies (docker/docker and related)
- Update dependencies
- Fix compilation problems
- Remove vdemeester/docker-events (in docker api now)
- Remove `integration/vendor`
- Use `testImport`
- update some deps.
- regenerate the lock from scratch (after a `glide cc`)
- remove docker/docker from Traefik vendor (unused)
- use `ignore` for all Traefik vendor in integration glide.
- defined only integration specific version of the dependencies.
Log message produced by go-marathon was:
time="2017-06-28T09:08:19Z" level=debug msg="listenToSSE(): failed to
handle event: failed to decode the event type, content: , error: EOF"
The fix for this was done in the upstream project of go-marathon
donovanhide/eventsource.
Background is that Marathon periodically sends a \n over the SSE
subscription, in order to keep the connection alive. This was parsed as
empty event by the eventsource and published. go-marathon in turn was
not able to do something with this empty event was producing the log
message above. By getting rid of publishing empty events in the
downstream library, we also get rid of this log message.
Fixes a problem with UnreachableStrategy being available now in two
type-incompatible formats (object and string).
We also upgrade the transitive dependency
github.com/donovanhide/eventsource.
In the event that a user needs to explode their acme.json file into
a set of directories and relevant files for troubleshooting or use
with other programs this script will parse them into the components
in the following path structure:
```
certdir
├── certs
│ ├── domain-1.example.com
│ ├── domain-2.example.com
│ └── domain-n.example.com
└── private
└── letsencrypt.key
```
Introduces Rancher's metadata service as an optional provider source for
Traefik, enabled by setting `rancher.MetadataService`.
The provider uses a long polling technique to watch the metadata service and
obtain near instantaneous updates. Alternatively it can be configured to poll
the metadata service every `rancher.RefreshSeconds` by setting
`rancher.MetadataPoll`.
The refactor splits API and metadata service code into separate source
files respectively, and specific configuration is deferred to
sub-structs.
Incorporates bugfix #1414
Now retries only happen when actual network errors occur and not only
anymore based on the HTTP status code. This is because the backend could
also send this status codes as their normal interface and in that case
we don't want to retry.
`github.com/golang/protobuf`:
- `github.com/prometheus/client_golang` (no version)
- `github.com/gogo/protobuf` (no version)
- `google.golang.org/appengine` (no version)
- `github.com/matttproud/golang_protobuf_extensions` (no version)
State:
- Current version: 2bba0603135d7d7f5cb73b2125beeda19c09f4ef
- Glide suggest: 8616e8ee5e20a1704615e6c8d7afcdac06087a67
Force to keep the current version.
Refs
- 2bba060313 (Mar 31, 2017) next commit the Apr 27, 2017.
- 8616e8ee5e (8 Jun 2016)
`vulcand/predicate` is used by:
- `github.com/vulcand/oxy` (no dependencies manager)
- `github.com/vulcand/route` (used by `github.com/vulcand/vulcand`)
`github.com/vulcand/vulcand` (Godeps) required a old version `cb0bff91a7ab7cf7571e661ff883fc997bc554a3`.
`19b9dde14240d94c804ae5736ad0e1de10bf8fe6` is the only commit before `cb0bff91a7ab7cf7571e661ff883fc997bc554a3`.
refs:
- 42492a3a85/Godeps/Godeps.json
- https://github.com/vulcand/predicate/commits/master
- 19b9dde142
Traefik should follow modern IT trends, and use manager/leader/worker/agent, etc. instead of "master/slave".
e.g jenkinsci/jenkins#2007 (https://issues.jenkins-ci.org/browse/JENKINS-27268)
NB: of course, it can only apply where possible, since backends like Mesos should retain their own concepts, and not add more confusion.
Copys the incoming TLS client certificate to the outgoing
request. The backend can then use this certificate for
client authentication ie. k8s client cert authentication
- format the Oy axis ticks as integers on the Total Status Code
Count chart
- prevent the Average Response Time chart from showing negative
values on the Oy axis
- remove the deprecated transitionDuration field
- set the transition duration to 0 on the Average Response Time
chart to avoid triggering an NVD3 marker placement bug
This was likely just a copy-paste issue, the bug should be benign because the secret is cast to the correct type later, but the additional logging is a major annoyance, and is happening even if basic auth is not in use with Kubernetes.
We previously fell back to using ClusterIPs. However, the approach can
lead to all kinds of problems since Ingresses rely on being able to talk
to Endpoints directly. For instance, it can break stickiness and
retries.
Instead of doing sanity checks in the Kubernetes provider, we just
accept any non-empty value from the annotation and rely on the server
part to filter out unknown rules.
This allows us to automatically stay in sync with the currently
supported Path matchers/modifiers.
While usage of the word "guys" can be considered gender neutral depending on location and context, it is widely considered to be gendered -- and more inclusive options are readily available. 💜
References:
* [When is "guys" gender neutral? I did a survey! -- Julia Evans](https://jvns.ca/blog/2013/12/27/guys-guys-guys/)
Our vendored copy contains a bug that causes unavailable Marathon nodes
to never be marked as available again due to a misconstruction in the
URL to the Marathon health check / ping endpoint used by go-marathon
internally.
A fix[1] has been published.
[1]https://github.com/gambol99/go-marathon/pull/283
- Be more explicit in the purpose of the issue tracker.
- Move SO before Slack since it seems preferable.
- Refer to SO and Slack on first question again.
* Adds some raw.githubusercontent.com links to the kubectl examples to
make following along at home simpler.
* Dedupe the config for rbac so it can just be ommited if not needed.
We previously did not copy the sticky flag if the load-balancer
method validation failed, causing enabled stickiness to be dropped in
case of a validation error (which, technically, for us is the same as a
load-balancer configuration without an explicitly set method). This
change fixes that.
A few refactorings and improvements along the way:
- Move the frontend and backend configuration steps into separate
methods/functions for better testability.
- Include the invalid method name in the error value and avoid log
duplication.
- Add tests for the backend configuration part.
A missing annotation would previously be handled in the default error
case, causing a noisy warning-level log message to be generated each
time.
We add another case statement to ignore the case where the annotation is
missing from the annotations map.
Also piggybacking a minor improvement to the log message.
to avoid conflict with Hadoop Yarn cli.
I don’t know the best practice, but i do
have Apache Yarn installed on my machine, so
I get this conflict. Of course this conflict does
not arised when building within the docker.
https://github.com/yarnpkg/yarn/issues/2337
Signed-off-by: Gaetan Semet <gaetan@xeberon.net>
- fixed dependencies order and renamed Makefile target
- extracted docker run params into DOCKER_RUN_OPTS
- crossbinary-default contains 64bit Linux, Win and Darwin
- crossbinary-others contains 32bit Linux, Win, Darwin and 32/64bit *bsd
- added dependencies to crossbinary-default and crossbinary-others targets
Commit coreos/go-systemd@0c088e introduce cleaning environment.
First usage of sdnotify (for type=notify) was clearing NOTIFY_SOCKET environment variable.
sdnotify in watchdog was unable to ping back.
Fix#1353
attempt to remove glide from integration
glide trim
Revert "attempt to remove glide from integration"
This reverts commit c5b42b6cdebb44e730080a0cf20a871c11ef095b.
- Improves default filtering behavior to filter by container health/healthState
- Optionally allows filtering by service health/healthState
- Allows configuration of refresh interval
For the two existing health check parameters (path and interval), we add
support for Marathon labels.
Changes in detail:
- Extend the Marathon provider and template.
- Refactor Server.loadConfig to reduce duplication.
- Refactor the healthcheck package slightly to accommodate the changes
and allow extending by future parameters.
- Update documentation.
The IP-Per-Task feature changed the behavior for
clients without this configuration (using the task IP instead
of task hostname). This patch make the new behavior available
just for Mesos installation with IP-Per-Task enabled. It also
make it possible to force the use of task's hostname.
Previously, we did the check too late resulting in the traefik.port
label not being effective.
The change comes with additional refactorings in production and tests.
As of now, it does nothing (`/dist/` doesn't filter the dist folder)
and sending anything from `dist` doesn't make sense as it's mounted
anyway.
Removing the traefik binary from whitelist as the integration script
compiles the binary before running, so we don't need to send it via
the build context.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
- This will help split stuff in smaller, better tested packages
- This moves some stuff like the traefik command to package `cmd`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix allows the Traefik Rancher provider to obtain a complete view
of the environments, services and containers being managed by the
Rancher deployment.
- Split the file into smaller ones (docker, swarm and service tests)
- Use some builder to reduce a little bit the noise for creating containers
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
* Abort Kubernetes Ingress update if Kubernetes API call fails
Currently if a Kubernetes API call fails we potentially remove a working service from Traefik. This changes it so if a Kubernetes API call fails we abort out of the ingress update and use the current working config. Github issue: #1240
Also added a test to cover when requested resources (services and endpoints) that the user has specified don’t exist.
* Specifically capturing the tc range as documented here: https://blog.golang.org/subtests
* Updating service names in the mock data to be more clear
* Updated expected data to match what currently happens in the loadIngress
* Adding a blank Servers to the expected output so we compare against that instead of nil.
* Replacing the JSON test output with spew for the TestMissingResources test to help ensure we have useful output incase of failures
* Adding a temporary fix to the GetEndoints mocked function so we can override the return value for if the endpoints exist.
After the 1.2 release the use of properExists should be removed and the GetEndpoints function should return false for the second value indicating the endpoint doesn’t exist. However at this time that would break a lot of the tests.
* Adding quick TODO line about removing the properExists property
* Link to issue 1307 re: properExists flag.
If the ECS cluster has > 100 tasks, passing them to
ecs.DescribeTasksRequest() will result in the AWS API returning
errors.
This patch breaks them into chunks of at most 100, and calls
DescribeTasks for each chunk.
We also return early in case ListTasks returns no values; this
prevents DescribeTasks from throwing HTTP errors.
Do not wait a full tick cycle to execute the first health check.
Additional changes:
- Make request timeout configurable (for testing purposes).
- Support synchronizing on health check goroutine termination through an
internal wait group (for testing purposes).
- Stop leaking by closing the HTTP response body.
- Extend health check logging and use WARNING level for (continuously)
failing health checks.
Currently with a kv tree like:
/traefik/backends/b1/servers/ẁeb1
/traefik/backends/b1/servers/web2
/traefik/backends/b1/servers/web2/url
Traefik would try to forward traffic to web1, which is impossible as
traefik doesn't know the url of web1.
This commit solve that, by ignoring backend server with no url "key"
when generating the config.
This is very useful, for people who use etcd TTL feature. They can then
just "renew" the url key every X second, and if the server goes down, it
is automatic removed from traefik after the TTL.
* Add IdleTimeout setting to http.server
Without such a timeout there is a risk of resource leakage from piling up connections, particularly when exposing Traefik to the Internet.
Set the default to be 180 seconds
* Add IdleConnTimeout to Traefik's http.server settings
Without enforcing a timeout Traefik is susceptible to resource leakage, particularly when deployed as a public facing proxy exposed to the Internet.
Set the default to be 180 seconds
* tweak
* Update configuration.go
* add some documentation for the idletimeout setting
* need to cast idletimeout
* update doc to refect format specifics
Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
add some comments
Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
update readmes
make test runnable
Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
make test
squash! add dynamo
add glide.lock
format imports
gofmt
update glide.lock
fixes for review
golint
clean up and reorganize tests
add dynamodb integration test
remove default region. clean up tests. consistent docs
forgot the region is required
DRY
make validate
update readme and commit dependencies
- traefik.mycustomservice.port=443
- traefik.mycustomservice.frontend.rule=Path:/mycustomservice
- traefik.anothercustomservice.port=8080
- traefik.anothercustomservice.frontend.rule=Path:/anotherservice
all traffic to frontend /mycustomservice is redirected to the port 443 of the container while using /anotherservice will redirect to the port 8080 of the docker container
More documentation in the docs/toml.md file
Change-Id: Ifaa3bb00ef0a0f38aa189e0ca1586fde8c5ed862
Signed-off-by: Florent BENOIT <fbenoit@codenvy.com>
- Add helper script to simplify glide usage.
- Add validation script for unwanted changes to vendoring.
- Relax/tighten up .{git,docker}ignore to cover vendored files properly.
- .validate: Protect from unbound variable in case of nounset setting.
- Install more recent hg version in the build container.
- Remove glide installation steps from Dockerfile.
- Update documentation.
Detect whether in-cluster or cluster-external Kubernetes client should
be used based on the KUBERNETES_SERVICE_{HOST,PORT} environment
variables.
Adds bearer token and CA certificate file path parameters.
validate-glide is called with errexit enabled (in script/make.sh that
sources validate-glide), which means that grep returning a non-zero exit
code will cause the script to terminate prematurely. Thus, we will never
get to the point where we see the error message.
The fix is to embed the grep check directly inside the if statement.
Traefik won’t start correctly if heterogeneous numbers in a toml array. This commit makes all numbers homogene.
Signed-off-by: solidnerd <niclas@mietz.io>
In Swarm mode with with Docker Swarm’s Load Balancer disabled (traefik.backend.loadbalancer.swarm=false)
service name will be the name of the docker service and name will be the container task name
(e.g. whoami0.1). When generating backend and fronted rules, we will use service name instead of name if a
rule is not provided.
Initialize dockerData.ServiceName to dockerData.Name to support non-swarm mode.
SWARM Mode has it's own built in Load balancer, so if we want to leverage sticky sessions,
or if we would just prefer to bypass it and go directly to the containers (aka tasks), via
--label traefik.backend.disable.swarm.loadbalancer=true
then we need to let Traefik know about the underlying tasks and register them as
services within it's backend.
The IP-Per-Task PR introduced a bug using the marathon application
port mapping. This port should be used only in the proxy server, the
downstream connection should be always made with the task port.
This commit fix the regression and adds a unit test to prevent new
problems in this setup.
* Fix Docker version specifier.
- The download URL[1] does not contain a leading 'v'.
- The major version is 1.
[1] https://github.com/docker/docker/releases/tag/v1.10.3
* Drop -S and and -f in build.Dockerfile curl commands.
- `-f` (`--fail`) turns HTTP error response codes into a non-zero exit
code, making curl fail early and properly. While the documentation
mentions that there is supposed to be no output, we do see an error
message.
- `-S` (`--show-error`) is only meaningful when used together with `-s`
(`--silent`). We do not want to go silent but see the progress bar
though.
Follow-up from #639. At the moment people that were affected
by this security issue would still be vulnerable even after upgrading.
This patch makes sure permissions are also checked for already existing
files.
Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
Having a release tarball including all vendor source makes life of maintainers a lot easier to create downstream packages.
It also ensures that as long as the go release is available the software can be build reproducible.
* Add ability to set authenticated user in request header
Some web applications provide the ability to authorize users based on
the authenticated from Basic Auth. This patch provides a way to set a
key to which the authenticated user can be set in the Header.
For example, if I set `HeaderValue = "X-WebAuth-User"` and authenticate,
my application will be able to read my user name from that header and
provide me with the proper access.
This fixes#802
Only use one channel for all watches
Re-use stop channel from the provider
Skip events that have already been handled by the provider, builds on 007f8cc48e
On a reasonably sized cluster:
63 nodes
87 services
90 endpoints
The initialization of the k8s provider would hang.
I tracked this down to the ResourceEventHandlerFuncs. Once you reach the
channel buffer size (10) the k8s Informer gets stuck. You can't read or
write messages to the channel anymore. I think this is probably a lock
issue somewhere in k8s but the more reasonable solution for the traefik
usecase is to just drop events when the queue is full since we only use
the events for signalling, not their content, thus dropping an event
doesn't matter.
[Yarn](https://yarnpkg.com/) is a drop in replacement for npm.
We should use it because:
* It's faster
* It uses a lockfile, making the builds more deterministic.
recent additions to golint mean that a number of files cause the
build to start failing if they are edited (we only run against changed
files)
This fixes all the errors in the repo so things don't unexpectedly start
failing for people making PRs
recent additions to golint mean that a number of files cause the
build to start failing if they are edited (we only run against changed
files)
This fixes all the errors in the repo so things don't unexpectedly start
failing for people making PRs
git rev-parse --abbrev-ref HEAD can return results in a couple different ways:
1) tag v1.1.0-rc3 exists and branch==v1.1.0-rc3
result: heads/v1.1.0-rc3
2) tag v1.1.0-rc3 doesn't exist and branch==v1.1.0-rc3
result: v1.1.0-rc3
Strip it off GIT_BRANCH regardless as it will break the build. e.g.
$ make binary
docker build -t "traefik-dev:heads/v1.1.0-rc3" -f build.Dockerfile .
invalid value "traefik-dev:heads/v1.1.0-rc3" for flag -t: Error parsing reference: "traefik-dev:heads/v1.1.0-rc3" is not a valid repository/tag
See 'docker build --help'.
Makefile:51: recipe for target 'build' failed
make: *** [build] Error 125
A new option (--web.statistics) enables the collection of some basic
information about requests and responses. This currently consists of
the most recent 10 requests that resulted in HTTP 4xx or 5xx errors.
Add compatibility with labels: `HAPROXY_GROUP` and `HAPROXY_0_VHOST`.
* `HAPROXY_GROUP` become a new tag
* `HAPROXY_0_VHOST` become a rule `Host:`
https://github.com/mesosphere/marathon-lb
- React to health_status events
- Filter container that have a health status *and* that are not healthy
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Prior to this fix the documentation for the swarm example included
syntax that would fail with the following error.
`Error : flag needs an argument: --docker.domain`
This fix specifies flags using the `=` between the flag name and value.
Tested on: Docker version 1.12.2-rc1, build 45bed2c, experimental
This change adds sticky session support, by using the new
oxy/rr/StickySession feature.
To use it, set traefik.backend.sticky to true.
This is currently only implemented in the wrr load balancer, and against
the Marathon backend, but lifting it should be very doable.
In the wrr load balancer, a cookie called _TRAEFIK_SERVERNAME will be
set with the backend to use. If the cookie is altered to an invalid
backend server, or the server is removed from the load balancer, the
next server will be used instead.
Otherwise, the cookie will be checked in Oxy's rr on access and if valid
the connection will be wired through to it.
This replace the badge of imagelayers.io with a badge microbadger.com because imagelayers.io doesn't work anymore through the registry v2 specification and docker hub supports only the v2 spec.
This fixes#167 and #651. By default, gorilla/mux cleans URL paths
such that adjacent slashes are collapsed into one single slash. This
behavior is pretty common in application stacks and it is fine, but
for Traefik, this can lead to incorrect URL paths forwarded to backend
servers.
See https://github.com/gorilla/mux/issues/94 for background.
Initial implementation: Force both to be present to trigger behavior.
add ability to see rendered template in debug
add support for loadbalancer and circuit breaker specification
add documentation for new configuration
Healthcheck are not mandatory, so if a result is not present, assume it
is ok to continue. Fixes the case when a new leader is elected and
don't have any healthcheck result's, returning 404 to all requests.
https://github.com/containous/traefik/issues/653
Having a install section makes it possible to enable/disable traefik
using the standard systemd commands
`systemctl enable traefik`
`systemctl disable traefk`
We added the ability to filter the ingresses used by traefik based
on a label selector, but we shouldn't need to have matching
labels on every other resource, Ingress allready has a way
to explicty choose which pods end up in the load ballancer
(by refering to the membership of a particular service)
GH #559 points out that the logging of the elapsed time is inconsistent
depending on the scale of the measured time; this is due to Duration’s
String handling.
With this PR, I propose that traefik logs millis, and not fractions of
millis.
The TargetRef contains information from the object referenced
by the pod, unless the service has been set up with bare
endpoints - i.e. not pointing at pods this information
will be present.
It just makes the information that we show in the web-ui
a little more constent with that shown in kubectl
and the kuberntes dashboard.
… making it possible to use in other packages ; and thus in the
User-Agent header for the docker client.
Also removing the dockerverion hack as it's not required anymore.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The watch of consul can return for various reasons and not of all of
them require a reload of the config. The order of nodes provided by
consul is not stable so to ensure a identical config is generated for an
identical server set the nodes needs to be sorted before creating the
config.
* Trim spaces in rules
Signed-off-by: Emile Vauge <emile@vauge.com>
* dont break the whole config while only one part is wrong
Signed-off-by: Emile Vauge <emile@vauge.com>
… and also share context accross API call, as this is how it's meant to
be used (and it allows to skip some calls if `cancel` is called).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
add flag on Retry
set Retry.MaxMem to 2 by default
rm useless import
rm useless structtag
add custom parser on []acme.Domain type
add commants + refactor
Since we already know the name and namespace
of the service(s) we want we can just get the
correct one back from the API without filtering
the results.
* Potentialy saves a network hop
* Ability to configure LB algothim (given some work to expose an
anotation etc...)
* K8s config Watch is triggered far less often
By design k8s ingress is only designed to ballance services from within
the namespace of the ingress.
This is disscuessed a little in
https://github.com/kubernetes/kubernetes/issues/17088.
For now traefik should only reference the services in the current
namespace. For me this was a confusing change of behaviour
from the reference implimentations, as I have services
with the same name in each namespace.
Update engine-api, libcompose and related dependencies (including
libkermit), to fix issues with docker v1.9.1 and lower.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Another fun thing consul lets you do is use spaces in your tags. This
means when including tags in backend name it's possible to generate
invalid names.
If the flag kubernetes.namespaces is set...
Then we only select ingresses from that/those namespace(s)
This allows multiple instances of traefik to
independently load balance for each namespace.
This could be for logical or security reasons.
Addresses #336
In order to meet the requirements of the updated libkv library I have
also replaced etcd-go with the up2date etcd client.
Signed-off-by: Thomas Boerger <thomas@webhippie.de>
In order to fix the TLS client authentication I have updated the libkv
dependency. Now the connection to secured etcd and consuld should work
properly.
Signed-off-by: Thomas Boerger <thomas@webhippie.de>
The docker provider now uses docker/engine-api and
vdemeester/docker-events instead of fsouza-dockerclient.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
`*.test` files are generated by `go test`, do not include them into the
build context. It will lighter a bit the build context..
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
-Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-the Traefik community Slack channel: https://slack.traefik.io
-->
### Do you want to request a *feature* or report a *bug*?
<!--
If you intend to ask a support question: DO NOT FILE AN ISSUE.
-->
### Did you try using a 1.7.x configuration for the version 2.0?
- [ ] Yes
- [ ] No
<!--
If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
-->
### What did you do?
<!--
HOW TO WRITE A GOOD ISSUE?
-Respect the issue template as much as possible.
-The title should be short and descriptive.
-Explain the conditions which led you to report this issue: the context.
-The context should lead to something, an idea or a problem that you’re facing.
-Remain clear and concise.
-Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-->
### What did you expect to see?
### What did you see instead?
### Output of `traefik version`: (_What version of Traefik are you using?_)
<!--
For the Traefik Docker image:
docker run [IMAGE] version
ex: docker run traefik version
For the alpine Traefik Docker image:
docker run [IMAGE] traefik version
ex: docker run traefik traefik version
-->
```
(paste your output here)
```
### What is your environment & configuration (arguments, toml, provider, platform, ...)?
```toml
# (paste your configuration here)
```
<!--
Add more configuration information here.
-->
### If applicable, please paste the log output at DEBUG level (`--log.level=DEBUG` switch)
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
-Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-the Traefik community Slack channel: https://slack.traefik.io
-->
### Do you want to request a *feature* or report a *bug*?
Bug
### Did you try using a 1.7.x configuration for the version 2.0?
- [ ] Yes
- [ ] No
<!--
If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
-->
### What did you do?
<!--
HOW TO WRITE A GOOD BUG REPORT?
-Respect the issue template as much as possible.
-The title should be short and descriptive.
-Explain the conditions which led you to report this issue: the context.
-The context should lead to something, an idea or a problem that you’re facing.
-Remain clear and concise.
-Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-->
### What did you expect to see?
### What did you see instead?
### Output of `traefik version`: (_What version of Traefik are you using?_)
<!--
For the Traefik Docker image:
docker run [IMAGE] version
ex: docker run traefik version
For the alpine Traefik Docker image:
docker run [IMAGE] traefik version
ex: docker run traefik traefik version
-->
```
(paste your output here)
```
### What is your environment & configuration (arguments, toml, provider, platform, ...)?
```toml
# (paste your configuration here)
```
<!--
Add more configuration information here.
-->
### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
-Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-the Traefik community Slack channel: https://slack.traefik.io
-->
### Do you want to request a *feature* or report a *bug*?
Feature
### What did you expect to see?
<!--
HOW TO WRITE A GOOD ISSUE?
-Respect the issue template as much as possible.
-The title should be short and descriptive.
-Explain the conditions which led you to report this issue: the context.
-The context should lead to something, an idea or a problem that you’re facing.
-Remain clear and concise.
-Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
# "bodyclose", # Too many false-positive and panics.
]
[issues]
exclude-use-default=false
max-per-linter=0
max-same-issues=0
exclude=[
"SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.",# FIXME must be fixed
"Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
"should have a package comment, unless it's in another file for this package",
]
[[issues.exclude-rules]]
path=".+_test.go"
linters=["goconst"]
[[issues.exclude-rules]]
path="integration/.+_test.go"
text="Error return value of `cmd\\.Process\\.Kill` is not checked"
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
Representation of a project may be further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.
The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
[](https://semaphoreci.com/containous/traefik)
[](https://traefik.herokuapp.com)
[](https://slack.traefik.io)
Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
Træfɪk is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
It supports several backends ([Docker :whale:](https://www.docker.com/), [Swarm :whale: :whale:](https://docs.docker.com/swarm), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.
---
. **[Overview](#overview)** .
**[Features](#features)** .
**[Supported backends](#supported-backends)** .
**[Quickstart](#quickstart)** .
**[Web UI](#web-ui)** .
**[Documentation](#documentation)** .
. **[Support](#support)** .
**[Release cycle](#release-cycle)** .
**[Contributing](#contributing)** .
**[Maintainers](#maintainers)** .
**[Credits](#credits)** .
---
:warning: Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
## Overview
Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul).
Now you want users to access these microservices, and you need a reverse proxy.
Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice.
In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious.
**This is when Traefik can help you!**
Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.
**Run Traefik and let it do the work for you!**
_(But if you'd rather configure some of your routes manually, Traefik supports that too!)_
-Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
## Demo
Here is a demo of Træfɪk using Docker backend, showing a load-balancing between two servers, hot reloading of configuration, and graceful shutdown.
To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
## Web UI
You can access to a simple HTML frontend of Træfik.
You can access the simple HTML frontend of Traefik.
- [Oxy](https://github.com/vulcand/oxy): an awsome proxy library made by Mailgun guys
- [Gorilla mux](https://github.com/gorilla/mux): famous request router
- [Negroni](https://github.com/codegangsta/negroni): web middlewares made simple
- [Manners](https://github.com/mailgun/manners): graceful shutdown of http.Handler servers
- [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go
You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
## Quick start
:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/v2.0/).
- The simple way: grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
## Support
To get community support, you can:
- join the Traefik community Slack channel: [](https://slack.traefik.io)
- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
## Download
- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
```shell
./traefik -c traefik.toml
./traefik --configFile=traefik.toml
```
-Use the tiny Docker image:
-Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
```shell
docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml containous/traefik
docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
```
-From sources:
-Or get the sources:
```shell
git clone https://github.com/containous/traefik
```
## Documentation
## Introductory Videos
You can find the complete documentation [here](docs/index.md).
:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
You will learn Traefik basics in less than 10 minutes.
[Information about process and maintainers](docs/content/contributing/maintainers.md)
## Contributing
Please refer to [this section](.github/CONTRIBUTING.md).
If you'd like to contribute to the project, refer to the [contributing documentation](CONTRIBUTING.md).
## Træfɪk here and there
Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
By participating in this project, you agree to abide by its terms.
These projects use Træfɪk internally. If your company uses Træfɪk, we would be glad to get your feedback :) Contact us on [](https://traefik.herokuapp.com)
## Release Cycle
-Project [Mantl](https://mantl.io/) from Cisco
-We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)

> Mantl is a modern platform for rapidly deploying globally distributed services. A container orchestrator, docker, a network stack, something to pool your logs, something to monitor health, a sprinkle of service discovery and some automation.
Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
- Project [Apollo](http://capgemini.github.io/devops/apollo/) from Cap Gemini
We use [Semantic Versioning](http://semver.org/)

> Apollo is an open source project to aid with building and deploying IAAS and PAAS services. It is particularly geared towards managing containerized applications across multiple hosts, and big data type workloads. Apollo leverages other open source components to provide basic mechanisms for deployment, maintenance, and scaling of infrastructure and applications.
## Mailing lists
## Partners
- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
- Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
Founded in 2014, Asteris creates next-generation infrastructure software for the modern datacenter. Asteris writes software that makes it easy for companies to implement continuous delivery and realtime data pipelines. We support the HashiCorp stack, along with Kubernetes, Apache Mesos, Spark and Kafka. We're core committers on mantl.io, consul-cli and mesos-consul.
.
Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
Long:`traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
Complete documentation is available at http://traefik.io`,
Run:func(cmd*cobra.Command,args[]string){
run()
},
}
varversionCmd=&cobra.Command{
Use:"version",
Short:"Print version",
Long:`Print version`,
Run:func(cmd*cobra.Command,args[]string){
fmtlog.Println(Version+" built on the "+BuildDate)
os.Exit(0)
},
}
vararguments=struct{
GlobalConfiguration
webbool
filebool
dockerbool
dockerTLSbool
marathonbool
consulbool
consulTLSbool
consulCatalogbool
zookeeperbool
etcdbool
etcdTLSbool
boltdbbool
}{
GlobalConfiguration{
EntryPoints:make(EntryPoints),
Docker:&provider.Docker{
TLS:&provider.DockerTLS{},
},
File:&provider.File{},
Web:&WebProvider{},
Marathon:&provider.Marathon{},
Consul:&provider.Consul{
Kv:provider.Kv{
TLS:&provider.KvTLS{},
},
},
ConsulCatalog:&provider.ConsulCatalog{},
Zookeeper:&provider.Zookepper{},
Etcd:&provider.Etcd{
Kv:provider.Kv{
TLS:&provider.KvTLS{},
},
},
Boltdb:&provider.BoltDb{},
},
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
}
funcinit(){
traefikCmd.AddCommand(versionCmd)
traefikCmd.PersistentFlags().StringP("configFile","c","","Configuration file to use (TOML, JSON, YAML, HCL).")
traefikCmd.PersistentFlags().StringP("graceTimeOut","g","10","Timeout in seconds. Duration to give active requests a chance to finish during hot-reloads")
traefikCmd.PersistentFlags().Var(&arguments.EntryPoints,"entryPoints","Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key'")
traefikCmd.PersistentFlags().Var(&arguments.DefaultEntryPoints,"defaultEntryPoints","Entrypoints to be used by frontends that do not specify any entrypoint")
traefikCmd.PersistentFlags().DurationVar(&arguments.ProvidersThrottleDuration,"providersThrottleDuration",time.Duration(2*time.Second),"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time.")
traefikCmd.PersistentFlags().Int("maxIdleConnsPerHost",0,"If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used")
traefikCmd.PersistentFlags().BoolVar(&arguments.web,"web",false,"Enable Web backend")
traefikCmd.PersistentFlags().StringVar(&arguments.Docker.Filename,"docker.filename","","Override default configuration template. For advanced users :)")
traefikCmd.PersistentFlags().StringVar(&arguments.Docker.Endpoint,"docker.endpoint","unix:///var/run/docker.sock","Docker server endpoint. Can be a tcp or a unix socket endpoint")
traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Filename,"marathon.filename","","Override default configuration template. For advanced users :)")
traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Endpoint,"marathon.endpoint","http://127.0.0.1:8080","Marathon server endpoint. You can also specify multiple endpoint for Marathon")
traefikCmd.PersistentFlags().StringVar(&arguments.Zookeeper.Filename,"zookeeper.filename","","Override default configuration template. For advanced users :)")
traefikCmd.PersistentFlags().StringVar(&arguments.Zookeeper.Endpoint,"zookeeper.endpoint","127.0.0.1:2181","Comma sepparated Zookeeper server endpoints")
traefikCmd.PersistentFlags().StringVar(&arguments.Zookeeper.Prefix,"zookeeper.prefix","/traefik","Prefix used for KV store")
There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
docker run -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"""traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
---> Making bundle: generate (in .)
removed 'autogen/genstatic/gen.go'
---> Making bundle: binary (in .)
$ ls dist/
traefik*
```
The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
-`test-unit`
-`test-integration`
-`validate`
-`binary` (the webUI is still generated by using Docker)
ex:
```bash
PRE_TARGET= make test-unit
```
### Method 2: Using `go`
You need `go` v1.12+.
!!! tip "Source Directory"
It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
!!! note "Environment"
Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
```bash
export GOPATH=~/go
export PATH=$PATH:$GOPATH/bin
```
For convenience, add `GOPATH` and `PATH` to your `.bashrc` or `.bash_profile`
Verify your environment is setup properly by running `$ go env`.
Depending on your OS and environment, you should see an output similar to:
```bash
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/<yourusername>/go"
GORACE=""
## ... and the list goes on
```
#### Build Traefik
Once you've set up your go environment and cloned the source repository, you can build Traefik.
Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
```bash
cd ~/go/src/github.com/containous/traefik
# Get go-bindata. (Important: the ellipses are required.)
go get github.com/containous/go-bindata/...
# Let's build
# generate
# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
go generate
# Standard go build
go build ./cmd/traefik
```
You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
### Updating the templates
If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
### Setting up dependency management
The [dep](https://github.com/golang/dep) command is not required for building;
however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages).
You need [dep](https://github.com/golang/dep) >= 0.5.0.
If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
The final result must be committed into VCS.
Here's a full example using dep to add a new dependency:
```bash
# install the new main dependency github.com/foo/bar and minimize vendor size
$ dep ensure -add github.com/foo/bar
# generate (Only required to integrate other components such as web dashboard)
$ go generate
# Standard go build
$ go build ./cmd/traefik
```
## Testing
### Method 1: `Docker` and `make`
Run unit tests using the `test-unit` target.
Run integration tests using the `test-integration` target.
Run all tests (unit and integration) using the `test` target.
ok github.com/containous/traefik 0.005s coverage: 4.1% of statements
Test success
```
For development purposes, you can specify which tests to run by using (only works the `test-integration` target):
```bash
# Run every tests in the MyTest suite
TESTFLAGS="-check.f MyTestSuite" make test-integration
# Run the test "MyTest" in the MyTest suite
TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
# Run every tests starting with "My", in the MyTest suite
TESTFLAGS="-check.f MyTestSuite.My" make test-integration
# Run every tests ending with "Test", in the MyTest suite
TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
```
More: https://labix.org/gocheck
### Method 2: `go`
Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
```test
ok _/home/user/go/src/github/containous/traefik 0.004s
```
Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.
Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
!!! warning
During the alpha stage only, leaving this option unset will not prevent Traefik from running but will generate an error log indicating that it enables data collection by default.
??? example "Enabling Data Collection with TOML"
```toml
[Global]
# Send anonymous usage data
sendAnonymousUsage = true
```
??? example "Enabling Data Collection with the CLI"
```bash
./traefik --sendAnonymousUsage=true
```
## Collected Data
This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
### What's collected / when ?
Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
- the Traefik version number
- a hash of the configuration
- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
!!! note
We do not collect the dynamic configuration information (routers & services).
We do not collect these data to run advertising programs.
We do not sell these data to third-parties.
### Example of Collected Data
??? example "Original configuration"
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[api]
[Docker]
endpoint = "tcp://10.10.10.10:2375"
domain = "foo.bir"
exposedByDefault = true
swarmMode = true
[Docker.TLS]
ca = "dockerCA"
cert = "dockerCert"
key = "dockerKey"
insecureSkipVerify = true
[ECS]
domain = "foo.bar"
exposedByDefault = true
clusters = ["foo-bar"]
region = "us-west-2"
accessKeyID = "AccessKeyID"
secretAccessKey = "SecretAccessKey"
```
??? example "Resulting Obfuscated Configuration"
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[api]
[Docker]
endpoint = "xxxx"
domain = "xxxx"
exposedByDefault = true
swarmMode = true
[Docker.TLS]
ca = "xxxx"
cert = "xxxx"
key = "xxxx"
insecureSkipVerify = false
[ECS]
domain = "xxxx"
exposedByDefault = true
clusters = []
region = "us-west-2"
accessKeyID = "xxxx"
secretAccessKey = "xxxx"
```
## The Code for Data Collection
If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/pkg/collector/collector.go)
By default we anonymize all configuration fields, except fields tagged with `export=true`.
* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/containous/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
* Every pull request should be checked during the Contributions Daily Meeting
* Even if it’s already assigned
* Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
* Issues labeled with `priority/P0` and `priority/P1` should be assigned.
* Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
* During the Contributions Daily Meeting
* By an assigned maintainer
* In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, etc)
## PR review process:
* The status `needs-design-review` is only used in complex/heavy/tricky PRs.
* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer).
* From `2` to `3`: 3 LGTM approvals by any maintainer.
* If needed, a specific maintainer familiar with a particular domain can be requested for the review.
* If a PR has been implemented in pair programming, one peer's LGTM goes into the review for free
* Amending someone else's pull request is authorized only in emergency, if a rebase is needed, or if the initial contributor is silent
We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook]
* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
* Weekly report of PR status on Slack (CaptainPR) [cron]
## Labels
A maintainer that looks at an issue/PR must define its `kind/*`, `area/*`, and `status/*`.
### Status - Workflow
The `status/*` labels represent the desired state in the workflow.
*`status/0-needs-triage`: all the new issues and PRs have this status. _[bot only]_
*`status/1-needs-design-review`: needs a design review. **(only for PR)**
*`status/2-needs-review`: needs a code/documentation review. **(only for PR)**
*`status/3-needs-merge`: ready to merge. **(only for PR)**
*`status/4-merge-in-progress`: merge is in progress. _[bot only]_
### Contributor
*`contributor/need-more-information`: we need more information from the contributor in order to analyze a problem.
*`contributor/waiting-for-feedback`: we need the contributor to give us feedback.
*`contributor/waiting-for-corrections`: we need the contributor to take actions in order to move forward with a PR. **(only for PR)** _[bot, humans]_
*`contributor/needs-resolve-conflicts`: use it only when there is some conflicts (and an automatic rebase is not possible). **(only for PR)** _[bot, humans]_
### Kind
*`kind/enhancement`: a new or improved feature.
*`kind/question`: a question. **(only for issue)**
*`kind/proposal`: a proposal that needs to be discussed.
* _Proposal issues_ are design proposals
* _Proposal PRs_ are technical prototypes that need to be refined with multiple contributors.
*`kind/bug/possible`: a possible bug that needs analysis before it is confirmed or fixed. **(only for issues)**
*`kind/bug/confirmed`: a confirmed bug (reproducible). **(only for issues)**
*`kind/bug/fix`: a bug fix. **(only for PR)**
### Resolution
*`resolution/duplicate`: a duplicate issue/PR.
*`resolution/declined`: declined (Rule #1 of open-source: no is temporary, yes is forever).
*`WIP`: Work In Progress. **(only for PR)**
### Platform
*`platform/windows`: Windows related.
### Area
*`area/acme`: ACME related.
*`area/api`: Traefik API related.
*`area/authentication`: Authentication related.
*`area/cluster`: Traefik clustering related.
*`area/documentation`: Documentation related.
*`area/infrastructure`: CI or Traefik building scripts related.
We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik.
The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
To save us some time and get quicker feedback, be sure to follow the guide lines below.
!!! important "Getting Help Vs Reporting an Issue"
The issue tracker is not a general support forum, but a place to report bugs and asks for new features.
For end-user related support questions, try using first:
- the Traefik community Slack channel: [](https://slack.traefik.io)
- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
## Issue Title
The title must be short and descriptive. (~60 characters)
## Description
Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
Explain us in which conditions you encountered the issue, what is your context.
Remain as clear and concise as possible
Take time to polish the format of your message so we'll enjoy reading it and working on it.
Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
## Feature Request
Traefik is an open-source project and aims to be the best edge router possible.
Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
Do you best to explain what you're looking for, and why it would improve Traefik for everyone.
## International English
Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.
Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
Let's go though the classic pitfalls to make sure everything is right.
## Title
The title must be short and descriptive. (~60 characters)
## Description
Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
Explain the conditions which led you to write this PR: give us context.
The context should lead to something, an idea or a problem that you’re facing.
Remain clear and concise.
Take time to polish the format of your message so we'll enjoy reading it and working on it.
Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
## PR Content
- Make it small.
- One feature per Pull Request.
- Write useful descriptions and titles.
- Avoid re-formatting code that is not on the path of your PR.
- Make sure the [code builds](building-testing.md).
- Make sure [all tests pass](building-testing.md).
- Add tests.
- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
!!! note "third-party dependencies"
If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
!!! tip "10 Tips for Better Pull Requests"
We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
Traefik truly is an [open-source project](https://github.com/containous/traefik/),
and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
So once again, thank you for your invaluable help on making Traefik such a good product.
!!! question "Where to Go Next?"
If you want to:
- Propose and idea, request a feature a report a bug,
read the page [Submitting Issues](./submitting-issues.md).
- Discover how to make an efficient contribution,
read the page [Submitting Pull Requests](./submitting-pull-requests.md).
- Learn how to build and test Traefik,
the page [Building and Testing](./building-testing.md) is for you.
- Contribute to the documentation,
read the related page [Documentation](./documentation.md).
- Understand how do we learn about Traefik usage,
read the [Data Collection](./data-collection.md) page.
- Spread the love about Traefik, please check the [Advocating](./advocating.md) page.
- Learn about who are the maintainers and how they work on the project,
Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).

## Auto Service Discovery
Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves.
Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.
It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
!!! note "Many different rules"
In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
!!! note "Updating the requests"
In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
!!! question "How does Traefik discover the services?"
Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
Configuration in Traefik can refer to two different things:
- The fully dynamic routing configuration (referred to as the _dynamic configuration_)
- The startup configuration (referred to as the _static configuration_)
Elements in the _static configuration_ set up connections to [providers](../../providers/overview/) and define the [entrypoints](../../routing/entrypoints/) Traefik will listen to (these elements don't change often).
The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
This configuration can change and is seamlessly hot-reloaded, without any request interuption or connection loss.
!!! warning "Incompatible Configuration"
Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now.
If you're testing out v2, please ensure you are using a v2 configuration.
## The Dynamic Configuration
Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
!!! Note
In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
!!! Note
HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance.
## The Static Configuration
There are three different, mutually exclusive, ways to define static configuration options in Traefik:
- In a configuration file
- As environment variables
- In the command-line arguments
These ways are evaluated in the order listed above.
If no value was provided for a given option, a default value applies.
Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
### Configuration File
At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$XDG_CONFIG_HOME/`, `$HOME/.config/`, and `.` (_the working directory_).
You can override this using the `configFile` argument.
```bash
traefik --configFile=foo/bar/myconfigfile.toml
```
### Arguments
To get the list of all available arguments:
```bash
traefik --help
# or
docker run traefik[:version] --help
# ex: docker run traefik:2.0 --help
```
## Available Configuration Options
All the configuration options are documented in their related section.
You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
```yaml
version:'3'
services:
reverse-proxy:
image:traefik:v2.0# The official v2.0 Traefik docker image
command:--api --providers.docker# Enables the web UI and tells Traefik to listen to docker
ports:
- "80:80"# The HTTP port
- "8080:8080"# The Web UI (enabled by --api)
volumes:
- /var/run/docker.sock:/var/run/docker.sock# So that Traefik can listen to the Docker events
```
**That's it. Now you can launch Traefik!**
Start your `reverse-proxy` with the following command:
```shell
docker-compose up -d reverse-proxy
```
You can open a browser and go to [http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata) to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
## Traefik Detects New Services and Creates the Route for You
Now that we have a Traefik instance up and running, we will deploy new services.
Edit your `docker-compose.yml` file and add the following at the end of your file.
```yaml
# ...
whoami:
image:containous/whoami# A container that exposes an API to show its IP address
The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
Start the `whoami` service with the following command:
```shell
docker-compose up -d whoami
```
Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new container and updated its own configuration.
When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_ (Here, we're using curl)
Run more instances of your `whoami` service with the following command:
```shell
docker-compose up -d --scale whoami=2
```
Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new instance of the container.
Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
The output will show alternatively one of the followings:
```yaml
Hostname:a656c8ddca6c
IP:172.27.0.3
#...
```
```yaml
Hostname:s458f154e1f1
IP:172.27.0.4
# ...
```
!!! question "Where to Go Next?"
Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
!!! warning "Let's Encrypt and Rate Limiting"
Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
## Configuration Examples
??? example "Enabling ACME"
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.http-tls]
address = ":443"
[acme] # every router with TLS enabled will now be able to use ACME for its certificates
email = "your-email@your-domain.org"
storage = "acme.json"
onHostRule = true # dynamic generation based on the Host() & HostSNI() matchers
[acme.httpChallenge]
entryPoint = "web" # used during the challenge
```
??? example "Configuring Wildcard Certificates"
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.http-tls]
address = ":443"
[acme]
email = "your-email@your-domain.org"
storage = "acme.json"
[acme.dnsChallenge]
provider = "xxx"
[[acme.domains]]
main = "*.mydomain.com"
sans = ["mydomain.com"]
```
??? note "Configuration Reference"
There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:
```toml
--8<-- "content/https-tls/ref-acme.toml"
```
## Automatic Renewals
Traefik automatically tracks the expiry date of ACME certificates it generates.
If there are less than 30 days remaining before the certificate expires, Traefik will attempt to rewnew it automatically.
!!! note
Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
## The Different ACME Challenges
### `tlsChallenge`
Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encrypt through port 443.
??? example "Configuring the `tlsChallenge`"
```toml
[acme]
[acme.tlsChallenge]
```
### `httpChallenge`
Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
??? example "Using an EntryPoint Called http for the `httpChallenge`"
```toml
[acme]
# ...
[acme.httpChallenge]
entryPoint = "http"
```
!!! note
Redirection is fully compatible with the `HTTP-01` challenge.
### `dnsChallenge`
Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
```toml
[acme]
# ...
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
# ...
```
!!! important
A `provider` is mandatory.
#### `providers`
Here is a list of supported `providers`, that can automate the DNS verification,
along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
Do not hesitate to complete it.
Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
[^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
!!! note "`delayBeforeCheck`"
By default, the `provider` verifies the TXT record _before_ letting ACME verify.
You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
This option is useful when internal networks block external DNS queries.
#### `resolvers`
Use custom DNS servers to resolve the FQDN authority.
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
```toml
[acme]
# ...
[[acme.domains]]
main = "*.local1.com"
sans = ["local1.com"]
# ...
```
!!! note "Double Wildcard Certificates"
It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
In this case the generated DNS TXT record for both domains is the same.
Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
The [Supported `provider` table](#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
## Known Domains, SANs
You can set SANs (alternative domains) for each main domain.
Every domain must have A/AAAA records pointing to Traefik.
Each domain & SAN will lead to a certificate request.
```toml
[acme]
# ...
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
[[acme.domains]]
main = "*.local3.com"
sans = ["local3.com", "test1.test1.local3.com"]
# ...
```
!!! important
The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only.
!!! note
Wildcard certificates can only be verified through a `DNS-01` challenge.
## `caServer`
??? example "Using the Let's Encrypt staging server"
Traefik supports HTTPS & TLS, and is able to accept new certificates / updates over time (without being restarted).
TLS is enabled at the [router](../routing/routers/index.md) level, but some options are configured in dedicated sections (`tlsOptions`&`tlsStores`) described in this section.
## Configuration Example
??? example "Configuring a Default Certificate"
```toml
[tlsStores]
[tlsStores.default]
[tlsStores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
??? example "Configuring a Minimum TLS Version"
```toml
[tlsOptions]
[tlsOptions.default]
minVersion = "VersionTLS12"
```
??? example "Defining Certificates"
```toml
[[tls]]
[tls.certificate]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls]]
[tls.certificate]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "File Provider Only"
In the above example, we've used the [file provider](../providers/file.md) to handle the TLS configuration (tlsStores, tlsOptions, and TLS certificates).
In its current alpha version, it is the only available method to configure these elements.
Of course, these options are hot reloaded and can be updated at runtime (they belong to the [dynamic configuration](../getting-started/configuration-overview.md)).
## Configuration Options
### Dynamic Certificates
To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section.
!!! example "Defining Certificates"
```toml
[[tls]]
stores = ["default"]
[tls.certificate]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls]]
stores = ["default"]
[tls.certificate]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
??? note "Stores"
During the alpha version, the stores option will be ignored and be automatically set to ["default"].
### Mutual Authentication
Traefik supports both optional and non optional (defaut value) mutual authentication.
- When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA.
!!! example "Non Optional Mutual Authentication"
In the following example, both `snitest.com` and `snitest.org` will require client certificates.
You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format).
`ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.)
### Minimum TLS Version
!!! example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)"
```toml
[tlsOptions]
[tlsOptions.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
```
### Strict SNI Checking
With strict SNI checking, Traefik won't allow connections without a matching certificate.
!!! example "Strict SNI"
```toml
[tlsOptions]
[tlsOptions.default]
sniStrict = true
```
### Default Certificate
Traefik can use a default certificate for connections without a SNI, or without a matching domain.
If no default certificate is provided, Traefik generates and uses a self-signed certificate.
!!! example "Setting a Default Certificate"
```toml
[tlsStores]
[tlsStores.default]
[tlsStores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
??? note "Only One Default Certificate"
There can only be one `defaultCertificate` per tlsOptions.
??? note "Default TLS Store"
During the alpha version, there is only one globally available TLS Store (`default`).
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.