shaba/traefik
1
0
Fork 0
mirror of https://github.com/containous/traefik.git synced 2025-09-16 17:44:30 +03:00
Code Releases Activity

Compare commits

base: shaba:v3.2.1
Branches Tags
shaba:master shaba:v3.5 shaba:v2.11 shaba:v3.4 shaba:v3.3 shaba:v3.2 shaba:v3.1 shaba:v3.0 shaba:v1.0 shaba:v1.1 shaba:v1.2 shaba:v1.3 shaba:v1.4 shaba:v2.10 shaba:v1.5 shaba:v1.6 shaba:v1.7 shaba:v2.0 shaba:v2.1 shaba:v2.2 shaba:v2.6 shaba:v2.7 shaba:v2.8 shaba:v2.9 shaba:v2.3 shaba:v2.4 shaba:v2.5
shaba:v3.5.2 shaba:v3.5.1 shaba:v2.11.29 shaba:v3.5.0 shaba:v3.4.5 shaba:v2.11.28 shaba:v3.5.0-rc2 shaba:v3.4.4 shaba:v2.11.27 shaba:v3.5.0-rc1 shaba:v3.4.3 shaba:v3.4.2 shaba:v2.11.26 shaba:v3.4.1 shaba:v2.11.25 shaba:v3.4.0 shaba:v3.3.7 shaba:v3.4.0-rc2 shaba:v3.3.6 shaba:v2.11.24 shaba:v2.11.23 shaba:v3.4.0-rc1 shaba:v3.3.5 shaba:v2.11.22 shaba:v3.3.4 shaba:v2.11.21 shaba:v3.3.3 shaba:v2.11.20 shaba:v2.11.19 shaba:v3.3.2 shaba:v2.11.18 shaba:v3.3.1 shaba:v3.2.5 shaba:v3.3.0 shaba:v3.2.4 shaba:v2.11.17 shaba:v3.3.0-rc2 shaba:v3.3.0-rc1 shaba:v3.2.3 shaba:v2.11.16 shaba:v3.2.2 shaba:v2.11.15 shaba:v3.2.1 shaba:v2.11.14 shaba:v3.2.0 shaba:v3.1.7 shaba:v2.11.13 shaba:v3.2.0-rc2 shaba:v3.1.6 shaba:v2.11.12 shaba:v3.2.0-rc1 shaba:v3.1.5 shaba:v2.11.11 shaba:v3.1.4 shaba:v2.11.10 shaba:v3.1.3 shaba:v2.11.9 shaba:v3.1.2 shaba:v2.11.8 shaba:v3.1.1 shaba:v2.11.7 shaba:v3.1.0 shaba:v3.1.0-rc3 shaba:v3.0.4 shaba:v2.11.6 shaba:v3.1.0-rc2 shaba:v3.1.0-rc1 shaba:v3.0.3 shaba:v2.11.5 shaba:v3.0.2 shaba:v2.11.4 shaba:v3.0.1 shaba:v2.11.3 shaba:v3.0.0 shaba:v3.0.0-rc5 shaba:v2.11.2 shaba:v3.0.0-rc4 shaba:v2.11.1 shaba:v3.0.0-rc3 shaba:v3.0.0-rc2 shaba:v3.0.0-rc1 shaba:v2.11.0 shaba:v2.11.0-rc2 shaba:v2.11.0-rc1 shaba:v2.10.7 shaba:v3.0.0-beta5 shaba:v2.10.6 shaba:v3.0.0-beta4 shaba:v2.10.5 shaba:v2.10.4 shaba:v3.0.0-beta3 shaba:v2.10.3 shaba:v2.10.2 shaba:v2.10.1 shaba:v2.10.0 shaba:v2.10.0-rc2 shaba:v2.9.10 shaba:v2.10.0-rc1 shaba:v2.9.9 shaba:v2.9.8 shaba:v2.9.7 shaba:v3.0.0-beta2 shaba:v2.9.6 shaba:v3.0.0-beta1 shaba:v2.9.5 shaba:v2.9.4 shaba:v2.9.3 shaba:v2.9.2 shaba:v2.9.1 shaba:v2.9.0-rc5 shaba:v2.8.8 shaba:v2.8.7 shaba:v2.9.0-rc4 shaba:v2.8.6 shaba:v2.9.0-rc3 shaba:v2.9.0-rc2 shaba:v2.9.0-rc1 shaba:v2.8.5 shaba:v2.8.4 shaba:v2.8.3 shaba:v2.8.2 shaba:v2.8.1 shaba:v2.8.0 shaba:v2.7.3 shaba:v2.8.0-rc2 shaba:v2.7.2 shaba:v2.8.0-rc1 shaba:v2.7.1 shaba:v2.7.0 shaba:v2.6.7 shaba:v2.6.6 shaba:v2.6.5 shaba:v2.6.4 shaba:v2.7.0-rc2 shaba:v2.6.3 shaba:v2.7.0-rc1 shaba:v2.6.2 shaba:v2.6.1 shaba:v2.6.0 shaba:v2.6.0-rc3 shaba:v2.5.7 shaba:v2.6.0-rc2 shaba:v2.5.6 shaba:v2.6.0-rc1 shaba:v1.7.34 shaba:v2.5.5 shaba:v2.5.4 shaba:v1.7.33 shaba:v1.7.32 shaba:v1.7.31 shaba:v2.5.3 shaba:v2.5.2 shaba:v2.5.1 shaba:v2.5.0 shaba:v2.4.14 shaba:v2.5.0-rc6 shaba:v2.5.0-rc5 shaba:v2.5.0-rc4 shaba:v2.4.13 shaba:v2.4.12 shaba:v2.5.0-rc3 shaba:v2.4.11 shaba:v2.4.10 shaba:v2.5.0-rc2 shaba:v2.5.0-rc1 shaba:v2.4.9 shaba:v1.7.30 shaba:v1.7.29 shaba:v2.4.8 shaba:v2.4.7 shaba:v2.4.6 shaba:v2.4.5 shaba:v2.4.4 shaba:v2.4.3 shaba:v2.4.2 shaba:v2.4.1 shaba:v2.4.0 shaba:v1.7.28 shaba:v1.7.27 shaba:v2.4.0-rc2 shaba:v2.3.7 shaba:v2.3.6 shaba:v2.4.0-rc1 shaba:v2.3.5 shaba:v2.3.4 shaba:v2.3.3 shaba:v2.3.2 shaba:v2.3.1 shaba:v2.3.0 shaba:v2.3.0-rc7 shaba:v2.3.0-rc6 shaba:v2.3.0-rc5 shaba:v2.2.11 shaba:v2.2.10 shaba:v2.3.0-rc4 shaba:v2.3.0-rc3 shaba:v2.2.8 shaba:v1.7.26 shaba:v2.2.7 shaba:v2.2.6 shaba:v2.3.0-rc2 shaba:v2.3.0-rc1 shaba:v1.7.25 shaba:v2.2.5 shaba:v2.2.4 shaba:v2.2.3 shaba:v2.2.2 shaba:v2.2.1 shaba:v2.2.0 shaba:v1.7.24 shaba:v2.1.9 shaba:v1.7.23 shaba:v2.2.0-rc4 shaba:v2.1.8 shaba:v2.2.0-rc3 shaba:v2.1.7 shaba:v1.7.22 shaba:v2.2.0-rc2 shaba:v2.2.0-rc1 shaba:v2.1.6 shaba:v2.1.5 shaba:v1.7.21 shaba:v2.1.4 shaba:v2.1.3 shaba:v2.1.2 shaba:v2.1.1 shaba:v2.1.0 shaba:v1.7.20 shaba:v2.0.7 shaba:v2.1.0-rc3 shaba:v2.0.6 shaba:v2.1.0-rc2 shaba:v2.1.0-rc1 shaba:v2.0.5 shaba:v2.0.4 shaba:v2.0.3 shaba:v1.7.19 shaba:v2.0.2 shaba:v2.0.1 shaba:v1.7.18 shaba:v1.7.17 shaba:v2.0.0 shaba:v2.0.0-rc4 shaba:v1.7.16 shaba:v1.7.15 shaba:v2.0.0-rc3 shaba:v2.0.0-rc2 shaba:v2.0.0-rc1 shaba:v1.7.14 shaba:v1.7.13 shaba:v2.0.0-beta1 shaba:v2.0.0-alpha8 shaba:v2.0.0-alpha7 shaba:v2.0.0-alpha6 shaba:v2.0.0-alpha5 shaba:v1.7.12 shaba:v1.7.11 shaba:v2.0.0-alpha4 shaba:v2.0.0-alpha3 shaba:v1.7.10 shaba:v2.0.0-alpha2 shaba:v2.0.0-alpha1 shaba:v1.7.9 shaba:v1.7.8 shaba:v1.7.7 shaba:v1.7.6 shaba:v1.7.5 shaba:v1.7.4 shaba:v1.7.3 shaba:v1.7.2 shaba:v1.7.1 shaba:v1.7.0 shaba:v1.7.0-rc5 shaba:v1.7.0-rc4 shaba:v1.6.6 shaba:v1.7.0-rc3 shaba:v1.7.0-rc2 shaba:v1.6.5 shaba:v1.7.0-rc1 shaba:v1.6.4 shaba:v1.6.3 shaba:v1.6.2 shaba:v1.6.1 shaba:v1.6.0 shaba:v1.6.0-rc6 shaba:v1.6.0-rc5 shaba:v1.6.0-rc4 shaba:v1.6.0-rc3 shaba:v1.6.0-rc2 shaba:v1.6.0-rc1 shaba:v1.5.4 shaba:v1.5.3 shaba:v1.5.2 shaba:v1.5.1 shaba:v1.5.0 shaba:v1.5.0-rc5 shaba:v1.5.0-rc4 shaba:v1.4.6 shaba:v1.5.0-rc3 shaba:v1.5.0-rc2 shaba:v1.4.5 shaba:v1.5.0-rc1 shaba:v1.4.4 shaba:v1.4.3 shaba:v1.4.2 shaba:v1.4.1 shaba:v1.4.0 shaba:v1.4.0-rc5 shaba:v1.4.0-rc4 shaba:v1.4.0-rc3 shaba:v1.4.0-rc2 shaba:v1.3.8 shaba:v1.4.0-rc1 shaba:v1.3.7 shaba:v1.3.6 shaba:v1.3.5 shaba:v1.3.4 shaba:v1.3.3 shaba:v1.3.2 shaba:v1.3.1 shaba:v1.3.0 shaba:v1.3.0-rc3 shaba:v1.3.0-rc2 shaba:v1.3.0-rc1 shaba:v1.2.3 shaba:v1.2.2 shaba:v1.2.1 shaba:v1.2.0 shaba:v1.2.0-rc2 shaba:v1.2.0-rc1 shaba:v1.1.2 shaba:v1.1.1 shaba:v1.1.0 shaba:v1.1.0-rc4 shaba:v1.1.0-rc3 shaba:v1.1.0-rc2 shaba:v1.1.0-rc1 shaba:v1.0.3 shaba:v1.0.2 shaba:v1.0.1 shaba:v1.0.0 shaba:v1.0.0-rc3 shaba:v1.0.0-rc2 shaba:v1.0.0-rc1 shaba:v1.0.0-beta.809 shaba:v1.0.0-beta.804 shaba:v1.0.0-beta.794 shaba:v1.0.0-beta.784 shaba:v1.0.0-beta.771 shaba:v1.0.0-beta.767 shaba:v1.0.0-beta.756 shaba:v1.0.0-beta.754 shaba:v1.0.0-beta.744 shaba:v1.0.0-beta.732 shaba:v1.0.0-beta.723 shaba:v1.0.0-beta.721 shaba:v1.0.0-beta.712 shaba:v1.0.0-beta.704 shaba:v1.0.0-beta.695 shaba:v1.0.0-beta.692 shaba:v1.0.0-beta.682 shaba:v1.0.0-beta.676 shaba:v1.0.0-beta.673 shaba:v1.0.0-beta.666 shaba:v1.0.0-beta.652 shaba:v1.0.0-beta.644 shaba:v1.0.0-beta.621 shaba:v1.0.0-beta.614 shaba:v1.0.0-beta.610 shaba:v1.0.0-beta.601 shaba:v1.0.0-beta.582 shaba:v1.0.0-beta.576 shaba:v1.0.0-beta.573 shaba:v1.0.0-beta.555 shaba:v1.0.0-beta.548 shaba:v1.0.0-beta.545 shaba:v1.0.0-beta.524 shaba:v1.0.0-beta.513 shaba:v1.0.0-beta.508 shaba:v1.0.0-beta.505 shaba:v1.0.0-beta.484 shaba:v1.0.0-beta.481 shaba:v1.0.0-beta.475 shaba:v1.0.0-beta.470 shaba:v1.0.0-beta.453 shaba:v1.0.0-beta.442 shaba:v1.0.0-beta.440 shaba:v1.0.0-beta.436 shaba:v1.0.0-beta.433 shaba:v1.0.0-beta.427 shaba:v1.0.0-beta.421 shaba:v1.0.0-beta.416 shaba:v1.0.0-beta.408 shaba:v1.0.0-beta.404 shaba:v1.0.0-beta.395 shaba:v1.0.0-beta.392 shaba:v1.0.0-beta.374 shaba:v1.0.0-beta.366 shaba:v1.0.0-beta.355 shaba:v1.0.0-beta.352 shaba:v1.0.0-beta.341 shaba:v1.0.0-beta.339 shaba:v1.0.0-beta.324 shaba:v1.0.0-beta.300 shaba:v1.0.0-beta.291 shaba:v1.0.0-beta.289 shaba:v1.0.0-beta.287 shaba:v1.0.0-beta.280 shaba:v1.0.0-beta.277 shaba:v1.0.0-beta.254 shaba:v1.0.0-beta.247 shaba:v1.0.0-beta.224 shaba:v1.0.0-beta.220 shaba:v1.0.0-beta.212 shaba:v1.0.0-beta.211 shaba:v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2 shaba:v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708 shaba:v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb shaba:v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f shaba:v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e shaba:v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185 shaba:v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458 shaba:v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e shaba:v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b shaba:v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a shaba:v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b shaba:v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e shaba:v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d shaba:v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d shaba:v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05 shaba:v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff shaba:v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb shaba:v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30 shaba:v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b shaba:v1.0.alpha.522 shaba:v1.0.alpha.516 shaba:v1.0.alpha.506 shaba:v1.0.alpha.481 shaba:v1.0.alpha.477 shaba:v1.0.alpha.471 shaba:v1.0.alpha.469 shaba:v1.0.alpha.463 shaba:v1.0.alpha.450 shaba:v1.0.alpha.443 shaba:v1.0.alpha.439 shaba:v1.0.alpha.425 shaba:v1.0.alpha.421 shaba:v1.0.alpha.418 shaba:v1.0.alpha.412 shaba:v1.0.alpha.404 shaba:v1.0.alpha.392 shaba:v1.0.alpha.374 shaba:v1.0.alpha.367 shaba:v1.0.alpha.364 shaba:v1.0.alpha.361 shaba:v1.0.alpha.358 shaba:v1.0.alpha.357 shaba:v1.0.alpha.341 shaba:v1.0.alpha.338 shaba:v1.0.alpha.336 shaba:v1.0.alpha.333 shaba:v1.0.alpha.329 shaba:v1.0.alpha.311 shaba:v1.0.alpha.306 shaba:v1.0.alpha.302 shaba:v1.0.alpha.291 shaba:v1.0.alpha.290 shaba:v1.0.alpha.288 shaba:v1.0.alpha.285 shaba:v1.0.alpha.275 shaba:v1.0.alpha.274 shaba:v1.0.alpha.273 shaba:v1.0.alpha.272 shaba:v1.0.alpha.271 shaba:v1.0.alpha.270 shaba:v1.0.alpha.268 shaba:v1.0.alpha.269 shaba:v1.0.alpha.267 shaba:v1.0.alpha.266 shaba:v1.0.alpha.263 shaba:v1.0.alpha.257 shaba:v1.0.alpha.256 shaba:v1.0.alpha.251 shaba:v1.0.alpha.252 shaba:v1.0.alpha.250 shaba:v1.0.alpha.249 shaba:v1.0.alpha.247 shaba:v1.0.alpha.228 shaba:v1.0.alpha.217 shaba:v1.0.alpha.216 shaba:v1.0.alpha.215 shaba:v1.0.alpha.212 shaba:v1.0.alpha.200 shaba:v1.0.alpha.186 shaba:v1.0.alpha.182 shaba:v1.0.alpha.178 shaba:v1.0.alpha.176 shaba:v1.0.alpha.171 shaba:v1.0.alpha.170 shaba:v1.0.alpha.164 shaba:v1.0.alpha.157 shaba:v1.0
...
compare: shaba:v3.4.2
Branches Tags
shaba:v3.5 shaba:master shaba:v2.11 shaba:v3.4 shaba:v3.3 shaba:v3.2 shaba:v3.1 shaba:v3.0 shaba:v1.0 shaba:v1.1 shaba:v1.2 shaba:v1.3 shaba:v1.4 shaba:v2.10 shaba:v1.5 shaba:v1.6 shaba:v1.7 shaba:v2.0 shaba:v2.1 shaba:v2.2 shaba:v2.6 shaba:v2.7 shaba:v2.8 shaba:v2.9 shaba:v2.3 shaba:v2.4 shaba:v2.5
shaba:v3.5.2 shaba:v3.5.1 shaba:v2.11.29 shaba:v3.5.0 shaba:v3.4.5 shaba:v2.11.28 shaba:v3.5.0-rc2 shaba:v3.4.4 shaba:v2.11.27 shaba:v3.5.0-rc1 shaba:v3.4.3 shaba:v3.4.2 shaba:v2.11.26 shaba:v3.4.1 shaba:v2.11.25 shaba:v3.4.0 shaba:v3.3.7 shaba:v3.4.0-rc2 shaba:v3.3.6 shaba:v2.11.24 shaba:v2.11.23 shaba:v3.4.0-rc1 shaba:v3.3.5 shaba:v2.11.22 shaba:v3.3.4 shaba:v2.11.21 shaba:v3.3.3 shaba:v2.11.20 shaba:v2.11.19 shaba:v3.3.2 shaba:v2.11.18 shaba:v3.3.1 shaba:v3.2.5 shaba:v3.3.0 shaba:v3.2.4 shaba:v2.11.17 shaba:v3.3.0-rc2 shaba:v3.3.0-rc1 shaba:v3.2.3 shaba:v2.11.16 shaba:v3.2.2 shaba:v2.11.15 shaba:v3.2.1 shaba:v2.11.14 shaba:v3.2.0 shaba:v3.1.7 shaba:v2.11.13 shaba:v3.2.0-rc2 shaba:v3.1.6 shaba:v2.11.12 shaba:v3.2.0-rc1 shaba:v3.1.5 shaba:v2.11.11 shaba:v3.1.4 shaba:v2.11.10 shaba:v3.1.3 shaba:v2.11.9 shaba:v3.1.2 shaba:v2.11.8 shaba:v3.1.1 shaba:v2.11.7 shaba:v3.1.0 shaba:v3.1.0-rc3 shaba:v3.0.4 shaba:v2.11.6 shaba:v3.1.0-rc2 shaba:v3.1.0-rc1 shaba:v3.0.3 shaba:v2.11.5 shaba:v3.0.2 shaba:v2.11.4 shaba:v3.0.1 shaba:v2.11.3 shaba:v3.0.0 shaba:v3.0.0-rc5 shaba:v2.11.2 shaba:v3.0.0-rc4 shaba:v2.11.1 shaba:v3.0.0-rc3 shaba:v3.0.0-rc2 shaba:v3.0.0-rc1 shaba:v2.11.0 shaba:v2.11.0-rc2 shaba:v2.11.0-rc1 shaba:v2.10.7 shaba:v3.0.0-beta5 shaba:v2.10.6 shaba:v3.0.0-beta4 shaba:v2.10.5 shaba:v2.10.4 shaba:v3.0.0-beta3 shaba:v2.10.3 shaba:v2.10.2 shaba:v2.10.1 shaba:v2.10.0 shaba:v2.10.0-rc2 shaba:v2.9.10 shaba:v2.10.0-rc1 shaba:v2.9.9 shaba:v2.9.8 shaba:v2.9.7 shaba:v3.0.0-beta2 shaba:v2.9.6 shaba:v3.0.0-beta1 shaba:v2.9.5 shaba:v2.9.4 shaba:v2.9.3 shaba:v2.9.2 shaba:v2.9.1 shaba:v2.9.0-rc5 shaba:v2.8.8 shaba:v2.8.7 shaba:v2.9.0-rc4 shaba:v2.8.6 shaba:v2.9.0-rc3 shaba:v2.9.0-rc2 shaba:v2.9.0-rc1 shaba:v2.8.5 shaba:v2.8.4 shaba:v2.8.3 shaba:v2.8.2 shaba:v2.8.1 shaba:v2.8.0 shaba:v2.7.3 shaba:v2.8.0-rc2 shaba:v2.7.2 shaba:v2.8.0-rc1 shaba:v2.7.1 shaba:v2.7.0 shaba:v2.6.7 shaba:v2.6.6 shaba:v2.6.5 shaba:v2.6.4 shaba:v2.7.0-rc2 shaba:v2.6.3 shaba:v2.7.0-rc1 shaba:v2.6.2 shaba:v2.6.1 shaba:v2.6.0 shaba:v2.6.0-rc3 shaba:v2.5.7 shaba:v2.6.0-rc2 shaba:v2.5.6 shaba:v2.6.0-rc1 shaba:v1.7.34 shaba:v2.5.5 shaba:v2.5.4 shaba:v1.7.33 shaba:v1.7.32 shaba:v1.7.31 shaba:v2.5.3 shaba:v2.5.2 shaba:v2.5.1 shaba:v2.5.0 shaba:v2.4.14 shaba:v2.5.0-rc6 shaba:v2.5.0-rc5 shaba:v2.5.0-rc4 shaba:v2.4.13 shaba:v2.4.12 shaba:v2.5.0-rc3 shaba:v2.4.11 shaba:v2.4.10 shaba:v2.5.0-rc2 shaba:v2.5.0-rc1 shaba:v2.4.9 shaba:v1.7.30 shaba:v1.7.29 shaba:v2.4.8 shaba:v2.4.7 shaba:v2.4.6 shaba:v2.4.5 shaba:v2.4.4 shaba:v2.4.3 shaba:v2.4.2 shaba:v2.4.1 shaba:v2.4.0 shaba:v1.7.28 shaba:v1.7.27 shaba:v2.4.0-rc2 shaba:v2.3.7 shaba:v2.3.6 shaba:v2.4.0-rc1 shaba:v2.3.5 shaba:v2.3.4 shaba:v2.3.3 shaba:v2.3.2 shaba:v2.3.1 shaba:v2.3.0 shaba:v2.3.0-rc7 shaba:v2.3.0-rc6 shaba:v2.3.0-rc5 shaba:v2.2.11 shaba:v2.2.10 shaba:v2.3.0-rc4 shaba:v2.3.0-rc3 shaba:v2.2.8 shaba:v1.7.26 shaba:v2.2.7 shaba:v2.2.6 shaba:v2.3.0-rc2 shaba:v2.3.0-rc1 shaba:v1.7.25 shaba:v2.2.5 shaba:v2.2.4 shaba:v2.2.3 shaba:v2.2.2 shaba:v2.2.1 shaba:v2.2.0 shaba:v1.7.24 shaba:v2.1.9 shaba:v1.7.23 shaba:v2.2.0-rc4 shaba:v2.1.8 shaba:v2.2.0-rc3 shaba:v2.1.7 shaba:v1.7.22 shaba:v2.2.0-rc2 shaba:v2.2.0-rc1 shaba:v2.1.6 shaba:v2.1.5 shaba:v1.7.21 shaba:v2.1.4 shaba:v2.1.3 shaba:v2.1.2 shaba:v2.1.1 shaba:v2.1.0 shaba:v1.7.20 shaba:v2.0.7 shaba:v2.1.0-rc3 shaba:v2.0.6 shaba:v2.1.0-rc2 shaba:v2.1.0-rc1 shaba:v2.0.5 shaba:v2.0.4 shaba:v2.0.3 shaba:v1.7.19 shaba:v2.0.2 shaba:v2.0.1 shaba:v1.7.18 shaba:v1.7.17 shaba:v2.0.0 shaba:v2.0.0-rc4 shaba:v1.7.16 shaba:v1.7.15 shaba:v2.0.0-rc3 shaba:v2.0.0-rc2 shaba:v2.0.0-rc1 shaba:v1.7.14 shaba:v1.7.13 shaba:v2.0.0-beta1 shaba:v2.0.0-alpha8 shaba:v2.0.0-alpha7 shaba:v2.0.0-alpha6 shaba:v2.0.0-alpha5 shaba:v1.7.12 shaba:v1.7.11 shaba:v2.0.0-alpha4 shaba:v2.0.0-alpha3 shaba:v1.7.10 shaba:v2.0.0-alpha2 shaba:v2.0.0-alpha1 shaba:v1.7.9 shaba:v1.7.8 shaba:v1.7.7 shaba:v1.7.6 shaba:v1.7.5 shaba:v1.7.4 shaba:v1.7.3 shaba:v1.7.2 shaba:v1.7.1 shaba:v1.7.0 shaba:v1.7.0-rc5 shaba:v1.7.0-rc4 shaba:v1.6.6 shaba:v1.7.0-rc3 shaba:v1.7.0-rc2 shaba:v1.6.5 shaba:v1.7.0-rc1 shaba:v1.6.4 shaba:v1.6.3 shaba:v1.6.2 shaba:v1.6.1 shaba:v1.6.0 shaba:v1.6.0-rc6 shaba:v1.6.0-rc5 shaba:v1.6.0-rc4 shaba:v1.6.0-rc3 shaba:v1.6.0-rc2 shaba:v1.6.0-rc1 shaba:v1.5.4 shaba:v1.5.3 shaba:v1.5.2 shaba:v1.5.1 shaba:v1.5.0 shaba:v1.5.0-rc5 shaba:v1.5.0-rc4 shaba:v1.4.6 shaba:v1.5.0-rc3 shaba:v1.5.0-rc2 shaba:v1.4.5 shaba:v1.5.0-rc1 shaba:v1.4.4 shaba:v1.4.3 shaba:v1.4.2 shaba:v1.4.1 shaba:v1.4.0 shaba:v1.4.0-rc5 shaba:v1.4.0-rc4 shaba:v1.4.0-rc3 shaba:v1.4.0-rc2 shaba:v1.3.8 shaba:v1.4.0-rc1 shaba:v1.3.7 shaba:v1.3.6 shaba:v1.3.5 shaba:v1.3.4 shaba:v1.3.3 shaba:v1.3.2 shaba:v1.3.1 shaba:v1.3.0 shaba:v1.3.0-rc3 shaba:v1.3.0-rc2 shaba:v1.3.0-rc1 shaba:v1.2.3 shaba:v1.2.2 shaba:v1.2.1 shaba:v1.2.0 shaba:v1.2.0-rc2 shaba:v1.2.0-rc1 shaba:v1.1.2 shaba:v1.1.1 shaba:v1.1.0 shaba:v1.1.0-rc4 shaba:v1.1.0-rc3 shaba:v1.1.0-rc2 shaba:v1.1.0-rc1 shaba:v1.0.3 shaba:v1.0.2 shaba:v1.0.1 shaba:v1.0.0 shaba:v1.0.0-rc3 shaba:v1.0.0-rc2 shaba:v1.0.0-rc1 shaba:v1.0.0-beta.809 shaba:v1.0.0-beta.804 shaba:v1.0.0-beta.794 shaba:v1.0.0-beta.784 shaba:v1.0.0-beta.771 shaba:v1.0.0-beta.767 shaba:v1.0.0-beta.756 shaba:v1.0.0-beta.754 shaba:v1.0.0-beta.744 shaba:v1.0.0-beta.732 shaba:v1.0.0-beta.723 shaba:v1.0.0-beta.721 shaba:v1.0.0-beta.712 shaba:v1.0.0-beta.704 shaba:v1.0.0-beta.695 shaba:v1.0.0-beta.692 shaba:v1.0.0-beta.682 shaba:v1.0.0-beta.676 shaba:v1.0.0-beta.673 shaba:v1.0.0-beta.666 shaba:v1.0.0-beta.652 shaba:v1.0.0-beta.644 shaba:v1.0.0-beta.621 shaba:v1.0.0-beta.614 shaba:v1.0.0-beta.610 shaba:v1.0.0-beta.601 shaba:v1.0.0-beta.582 shaba:v1.0.0-beta.576 shaba:v1.0.0-beta.573 shaba:v1.0.0-beta.555 shaba:v1.0.0-beta.548 shaba:v1.0.0-beta.545 shaba:v1.0.0-beta.524 shaba:v1.0.0-beta.513 shaba:v1.0.0-beta.508 shaba:v1.0.0-beta.505 shaba:v1.0.0-beta.484 shaba:v1.0.0-beta.481 shaba:v1.0.0-beta.475 shaba:v1.0.0-beta.470 shaba:v1.0.0-beta.453 shaba:v1.0.0-beta.442 shaba:v1.0.0-beta.440 shaba:v1.0.0-beta.436 shaba:v1.0.0-beta.433 shaba:v1.0.0-beta.427 shaba:v1.0.0-beta.421 shaba:v1.0.0-beta.416 shaba:v1.0.0-beta.408 shaba:v1.0.0-beta.404 shaba:v1.0.0-beta.395 shaba:v1.0.0-beta.392 shaba:v1.0.0-beta.374 shaba:v1.0.0-beta.366 shaba:v1.0.0-beta.355 shaba:v1.0.0-beta.352 shaba:v1.0.0-beta.341 shaba:v1.0.0-beta.339 shaba:v1.0.0-beta.324 shaba:v1.0.0-beta.300 shaba:v1.0.0-beta.291 shaba:v1.0.0-beta.289 shaba:v1.0.0-beta.287 shaba:v1.0.0-beta.280 shaba:v1.0.0-beta.277 shaba:v1.0.0-beta.254 shaba:v1.0.0-beta.247 shaba:v1.0.0-beta.224 shaba:v1.0.0-beta.220 shaba:v1.0.0-beta.212 shaba:v1.0.0-beta.211 shaba:v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2 shaba:v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708 shaba:v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb shaba:v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f shaba:v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e shaba:v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185 shaba:v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458 shaba:v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e shaba:v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b shaba:v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a shaba:v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b shaba:v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e shaba:v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d shaba:v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d shaba:v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05 shaba:v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff shaba:v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb shaba:v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30 shaba:v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b shaba:v1.0.alpha.522 shaba:v1.0.alpha.516 shaba:v1.0.alpha.506 shaba:v1.0.alpha.481 shaba:v1.0.alpha.477 shaba:v1.0.alpha.471 shaba:v1.0.alpha.469 shaba:v1.0.alpha.463 shaba:v1.0.alpha.450 shaba:v1.0.alpha.443 shaba:v1.0.alpha.439 shaba:v1.0.alpha.425 shaba:v1.0.alpha.421 shaba:v1.0.alpha.418 shaba:v1.0.alpha.412 shaba:v1.0.alpha.404 shaba:v1.0.alpha.392 shaba:v1.0.alpha.374 shaba:v1.0.alpha.367 shaba:v1.0.alpha.364 shaba:v1.0.alpha.361 shaba:v1.0.alpha.358 shaba:v1.0.alpha.357 shaba:v1.0.alpha.341 shaba:v1.0.alpha.338 shaba:v1.0.alpha.336 shaba:v1.0.alpha.333 shaba:v1.0.alpha.329 shaba:v1.0.alpha.311 shaba:v1.0.alpha.306 shaba:v1.0.alpha.302 shaba:v1.0.alpha.291 shaba:v1.0.alpha.290 shaba:v1.0.alpha.288 shaba:v1.0.alpha.285 shaba:v1.0.alpha.275 shaba:v1.0.alpha.274 shaba:v1.0.alpha.273 shaba:v1.0.alpha.272 shaba:v1.0.alpha.271 shaba:v1.0.alpha.270 shaba:v1.0.alpha.268 shaba:v1.0.alpha.269 shaba:v1.0.alpha.267 shaba:v1.0.alpha.266 shaba:v1.0.alpha.263 shaba:v1.0.alpha.257 shaba:v1.0.alpha.256 shaba:v1.0.alpha.251 shaba:v1.0.alpha.252 shaba:v1.0.alpha.250 shaba:v1.0.alpha.249 shaba:v1.0.alpha.247 shaba:v1.0.alpha.228 shaba:v1.0.alpha.217 shaba:v1.0.alpha.216 shaba:v1.0.alpha.215 shaba:v1.0.alpha.212 shaba:v1.0.alpha.200 shaba:v1.0.alpha.186 shaba:v1.0.alpha.182 shaba:v1.0.alpha.178 shaba:v1.0.alpha.176 shaba:v1.0.alpha.171 shaba:v1.0.alpha.170 shaba:v1.0.alpha.164 shaba:v1.0.alpha.157 shaba:v1.0

253 Commits
v3.2.1 ... v3.4.2

Author SHA1 Message Date
Romain
a519180665 Prepare release v3.4.2 2025-06-26 12:30:04 +02:00
romain
e223116225 Merge branch v2.11 into v3.4 2025-06-26 12:05:16 +02:00
Romain
8ae0379171 Prepare release v2.11.26 2025-06-26 11:50:04 +02:00
Sheddy
4daf13b866 Update the EntryPoints Documentation 2025-06-25 14:30:04 +02:00
Adrien Kunysz
c2c488ffc5 Remove conflicting information from the CircuitBreaker documentation. 2025-06-25 11:12:04 +02:00
Sheddy
107efb8a5a Add New Observe Guides to the Documentation 2025-06-23 17:06:04 +02:00
Sheddy
0f862f4792 Update Getting started Section with New Docker and Kubernetes Tutorial 2025-06-20 17:36:04 +02:00
romain
74eafcd044 Merge branch v2.11 into v3.4 2025-06-11 10:03:28 +02:00
Romain
b0d8e08e2b Fix typo in redirect middleware documentation 2025-06-11 09:46:05 +02:00
Etienne Dysli Metref
917771739e Add a note about Ingress Backend Resource support 2025-06-04 16:22:04 +02:00
Kevin Pollet
ae79d4e5f0 Do not log redis sentinel username and password 2025-06-04 12:08:04 +02:00
Alexy Van Den Abele
aac8bc69ad Clarify mirroring service default percent value 2025-06-04 11:18:04 +02:00
Romain
bfcef58a4f Fix KV reference rendering 2025-06-03 16:56:04 +02:00
Jesper Noordsij
f7a6f32784 Update Dockerfiles to Alpine 3.22 2025-06-03 11:24:05 +02:00
Lukáš Stuchlík
fe5c7fdc65 Add a note to certificatesDuration 2025-06-02 16:22:04 +02:00
Jesper Noordsij
92f798dfcd Update supported versions 2025-06-02 16:08:04 +02:00
romain
bd4bfd8919 Merge branch v2.11 into v3.4 2025-06-02 15:50:06 +02:00
Michael
f174014d96 feat: parallelise unit tests 2025-06-02 11:00:05 +02:00
Romain
2fdee25bb3 Attempt to fix TestProxyFromEnvironment test 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-06-02 10:46:04 +02:00
Kevin Pollet
cd16321dd9 Bump to go1.24 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-06-02 10:36:05 +02:00
Thomas Mauran
0b4058dde0 Remove obsolete version field in compose files 2025-05-28 17:16:08 +02:00
Corey
6a54f1f66c Add WebSocket guide 2025-05-28 11:46:04 +02:00
Romain
8b495b45a5 Prepare release v3.4.1 2025-05-27 14:32:04 +02:00
kevinpollet
4b68e674eb Merge branch v2.11 into v3.4 2025-05-27 14:00:30 +02:00
Romain
5f35c88805 Prepare release v2.11.25 2025-05-27 12:10:05 +02:00
Kevin Pollet
859f4e8868 Use routing path in v3 matchers 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-05-27 11:06:05 +02:00
kevinpollet
de1802d849 Merge branch v2.11 into v3.4 2025-05-27 09:51:59 +02:00
Patrick Evans
a3745d1eb2 Match encoded certificate to example data for tlspassthrough 2025-05-27 09:46:04 +02:00
Romain
23c7c78a1a Add HTTP/2 maxConcurrentStream parameter test 2025-05-27 09:34:04 +02:00
Julien Salleyron
fa18c35a9a Refactor new muxer to have only one parser instance 2025-05-26 17:12:08 +02:00
Josh McKinney
55e6d327bc acme.md: specify which file should be specified between restarts 2025-05-26 15:50:04 +02:00
kevinpollet
be0b54bade Merge branch v2.11 into v3.4 2025-05-23 16:16:18 +02:00
aromeyer
ab3234e458 Scope the rate limit counter key by source AND by middleware 2025-05-23 15:38:04 +02:00
Kevin Pollet
08d5dfee01 Normalize request path 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-05-23 15:10:05 +02:00
Romain
b669981018 Fix panic for ingress with backend resource 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-05-23 14:56:05 +02:00
Romain
76153acac6 Fix CEL validation for RootCA in ServersTransport 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-05-23 11:34:05 +02:00
Kevin Pollet
06b02bcd95 Do not display RemoveHeader option when not defined 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-05-23 10:44:40 +02:00
Landry Benguigui
3deea566ac Make P2C strategy thread-safe 2025-05-19 09:52:05 +02:00
Patrick Evans
79fde2b6dd Do not warn network missing if connected to a container network 2025-05-19 09:26:09 +02:00
Sheddy
aa5f2b92d4 Fix broken link in documentation 2025-05-16 12:02:04 +02:00
mmatur
9ee0e43eac Merge current v2.11 into v3.4 2025-05-14 09:34:13 +02:00
Michael
6b9738e675 GOGC empty default value for build 2025-05-14 09:32:04 +02:00
borja ortiz llamas
b82290ac5b Adding garbage collector as variable in compilation 2025-05-13 16:02:04 +02:00
Michael
3ee316c5bb Fix incorrect case and missing rbac in documentation 2025-05-13 11:04:05 +02:00
mmatur
0dc5b7d013 Merge current v2.11 into v3.4 2025-05-12 15:06:32 +02:00
Patrick Evans
49b598d087 tests: create redis sentinel config with permissive perms 2025-05-12 14:30:04 +02:00
Sheddy
448785d830 Add multi-tenant TLS guidance to the docs 2025-05-07 09:16:04 +02:00
Kevin Pollet
ce42e8501e Prepare release v3.4.0 2025-05-05 15:34:04 +02:00
kevinpollet
bf399f3075 Merge branch v3.3 into v3.4 2025-05-05 11:08:36 +02:00
Romain
74bc93308b Prepare release v3.3.7 2025-05-05 10:38:04 +02:00
Romain
87b57406ff Add SpanID and TraceID accessLogs fields only when tracing is enabled 2025-04-28 14:26:05 +02:00
Romain
9bc71b0010 Add a note about how to disable connection reuse with backends 2025-04-28 09:10:04 +02:00
Romain
9d0e76baa8 Prepare release v3.4.0 rc2 2025-04-18 14:24:04 +02:00
kevinpollet
9c1902c62e Merge branch v3.3 into v3.4 2025-04-18 11:49:36 +02:00
Romain
b05ec75f98 Prepare release v3.3.6 2025-04-18 11:10:04 +02:00
Kevin Pollet
2d617b3a65 Remove default load-balancing strategy from CRD 2025-04-18 10:58:04 +02:00
kevinpollet
ec6deb40ab Merge branch v2.11 into v3.3 2025-04-18 10:45:03 +02:00
Romain
160edff257 Change version for path sanitization migration guide 2025-04-18 10:42:04 +02:00
Romain
8816cb86a4 Prepare release v2.11.24 2025-04-18 09:34:04 +02:00
Sheddy
316be0782c Add content-length best practice documentation 2025-04-18 08:12:04 +02:00
romain
30d836f963 Merge branch v2.11 into v3.3 2025-04-17 17:02:40 +02:00
Kevin Pollet
14da838a21 Bump github.com/redis/go-redis/v9 to v9.7.3 2025-04-17 16:56:05 +02:00
romain
f6fb240eb6 Merge branch v2.11 into v3.3 2025-04-17 16:18:33 +02:00
Romain
a75b2384ea Prepare release v2.11.23 2025-04-17 11:56:03 +02:00
Kevin Pollet
8bdca45861 Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 2025-04-17 11:48:04 +02:00
Kevin Pollet
7442162e3f Bump golang.org/x/net to v0.38.0 2025-04-17 10:16:04 +02:00
Romain
dd5cb68cb1 Sanitize request path 2025-04-17 10:02:04 +02:00
Ludovic Fernandez
299a16f0a4 Bump github.com/go-acme/lego/v4 to v4.23.1 2025-04-17 09:20:04 +02:00
Landry Benguigui
545f2feacc Add Content-Length header to preflight response 2025-04-16 15:00:05 +02:00
Romain
e3caaf0791 Bump golang.org/x/oauth2 to v0.28.0 2025-04-16 11:58:04 +02:00
Kevin Pollet
746cc80d0f Bump github.com/redis/go-redis/v9 to v9.7.3 2025-04-15 11:40:04 +02:00
Matthew Carroll
fd0fd39642 Typos on what is Traefik docs page 2025-04-15 09:22:04 +02:00
Ludovic Fernandez
f794f8a294 chore: update linter 2025-04-11 10:56:05 +02:00
YapWC
8cf22207b5 Typo fix on the Explanation Section for User Guide HTTP Challenge. 2025-04-11 10:18:04 +02:00
Sheddy
5e44a138a8 Update Welcome Page 2025-04-10 14:56:04 +02:00
Michel Loiseleur
0664367c53 Document how to pass multiple Headers on tracing with CLI 2025-04-09 10:20:05 +02:00
Jesper Noordsij
bb8dfa568a Restrict regex validation of HTTP status codes for Ingress CRD resources 2025-04-08 09:38:04 +02:00
Jesper Noordsij
88c5e6a3fd Remove empty (v2) CRD definition file 2025-04-08 09:36:04 +02:00
Kevin Pollet
2965aa42cc Fix Kubernetes Gateway statusAddress documentation 2025-04-03 10:02:04 +02:00
Kevin Pollet
405be420c9 Prepare release v3.4.0-rc1 2025-03-31 15:42:05 +02:00
kevinpollet
ec38a0675f Merge branch v3.3 into master 2025-03-31 10:43:49 +02:00
Romain
bd4ff81818 Prepare release v3.3.5 2025-03-31 10:38:04 +02:00
romain
e817d822d7 Merge branch v2.11 into v3.3 2025-03-31 10:04:06 +02:00
Romain
b7be71c02a Prepare release v2.11.22 2025-03-31 09:48:04 +02:00
Adam Duke
6e9d713668 Bump github.com/vulcand/oxy/v2 to v2.0.3 2025-03-31 09:24:06 +02:00
Rohit Lohar
ddb32ef86f Allow underscore character in hostSNI matcher 2025-03-28 11:36:04 +01:00
Romain
496f00c7c2 Revert compress middleware algorithms priority to v2 behavior 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-03-28 11:30:05 +01:00
Avdhoot Dendge
f0cd6f210b Add support to disable session ticket 2025-03-28 10:58:04 +01:00
kevinpollet
c910ceeb00 Merge branch v2.11 into v3.3 2025-03-27 09:38:43 +01:00
Kevin Pollet
2087e11f55 Bump nokogiri to 1.18.6 and html-proofer to 5.0.10 2025-03-26 17:52:05 +01:00
Kevin Pollet
42778d2ba6 Do not abort request when response content-type is malformed 2025-03-26 11:30:05 +01:00
Romain
a5d46fc6ef Change boolean module properties default value to undefined 2025-03-26 10:22:05 +01:00
Kevin Pollet
84742275a4 Bump golang.org/x/net to v0.37.0 2025-03-26 10:06:05 +01:00
Kevin Pollet
54a2d657f3 Bump github.com/redis/go-redis/v9 to v9.6.3 2025-03-26 09:48:05 +01:00
Kevin Pollet
08b90ade94 Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2 2025-03-26 09:30:05 +01:00
Romain
bb7ef7b48a Deprecate defaultRuleSyntax and ruleSyntax options 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-03-21 11:02:04 +01:00
Romain
8ba99adc50 Error level log for configuration-related TLS errors with backends 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-03-21 11:00:06 +01:00
Ludovic Fernandez
50b0d772e5 Add acme.profile and acme.emailAddresses options 2025-03-17 10:00:07 +01:00
Kevin Pollet
b02946147d Bump golang.org/x/net to v0.36.0 2025-03-14 09:24:05 +01:00
Nicolas Mengin
137c632793 Add Security Support 2025-03-14 09:10:04 +01:00
nmengin
e76b65f44d Add Security Support column in deprecation section 2025-03-13 17:08:15 +01:00
Gérald Croës
55ebaee4a7 Clarifies that retry middleware uses TCP, not HTTP status codes 2025-03-13 09:44:04 +01:00
Kevin Pollet
5953331c73 Add back forwarded headers section in FAQ 2025-03-13 09:42:04 +01:00
Nelson Isioma
ae4a00b4bc Allow root CA to be added through config maps 2025-03-11 15:38:05 +01:00
Romain
4ff76e13c4 Remove documentation for OriginStatusLine and DownstreamStatusLine accessLogs fields 2025-03-11 15:32:04 +01:00
kevinpollet
30fe11eccf Merge branch v3.3 into master 2025-03-10 16:48:27 +01:00
romain
05eb438ae1 Merge branch v2.11 into v3.3 2025-03-10 16:07:04 +01:00
Sheddy
b7170df2c3 New Routing Reference Documentation 2025-03-10 15:28:06 +01:00
Romain
9e029a84c4 Add p2c load-balancing strategy for servers load-balancer 
Co-authored-by: Ian Ross <ifross@gmail.com>
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-03-10 12:12:04 +01:00
Eng Zer Jun
14e400bcd0 Bump AWS SDK to v2 2025-03-10 11:50:04 +01:00
longquan0104
550d96ea67 Add Redis rate limiter 2025-03-10 11:02:05 +01:00
Romain
3c99135bf9 Set scheme to https with BackendTLSPolicy 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-03-07 16:56:04 +01:00
Kevin Pollet
474ab23fe9 Compress data on flush when compression is not started 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-03-07 16:16:04 +01:00
Michel Loiseleur
c166a41c99 Improve CEL validation on Ingress CRD resources 2025-03-06 15:48:04 +01:00
Jorge
740b4cfd25 Support domain configuration for sticky cookies 2025-03-06 09:38:04 +01:00
Michel Loiseleur
7cfd10db62 Update codegen to v0.30.10 2025-03-05 10:20:05 +01:00
Daniel Peinhopf
fa76ed57d3 Support rewriting status codes in error page middleware 2025-03-03 11:54:04 +01:00
Alan
9d8a42111f Add tip for dynamic configuration updates of Redis 2025-02-28 14:18:05 +01:00
Kevin Pollet
0dfd12ee61 Bump github.com/go-jose/go-jose/v4 to v4.0.5 2025-02-25 14:06:04 +01:00
Kevin Pollet
07e6491ace Prepare release v3.3.4 2025-02-25 11:04:04 +01:00
kevinpollet
32ea014d07 Merge branch v2.11 into v3.3 2025-02-25 10:06:03 +01:00
Kevin Pollet
a3fd484728 Prepare release v2.11.21 2025-02-24 15:32:06 +01:00
Sheddy
9b0348577a Update ACME provider configuration options 2025-02-24 15:26:06 +01:00
Peter Maguire
efe03bc9da Fix incorrect grammar in ACME documentation 2025-02-24 10:42:06 +01:00
Bastien Gysler
cce935493a Fix panic when calling Tracer 2025-02-24 10:26:39 +01:00
Kevin Pollet
f196de90e1 Enable the retry middleware in the proxy 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-02-21 11:36:05 +01:00
Kevin Pollet
c2a294c872 Retry should send headers on Write 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-02-21 10:52:04 +01:00
Ludovic Fernandez
8e5d4c6ae9 Bum github.com/go-acme/lego/v4 to v4.22.2 2025-02-21 09:36:04 +01:00
kevinpollet
f0849e8ee6 Merge branch v3.3 into master 2025-02-19 10:48:30 +01:00
Kevin Pollet
1ccbf743cb Add WebSocket headers if they are present in the request 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-02-17 20:20:05 +01:00
Kevin Pollet
1cfcf0d318 Chunked responses does not have a Content-Length header 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-02-14 17:44:04 +01:00
Kevin Pollet
eb07a5ca1a Bump github.com/traefik/paerser to v0.2.2 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-02-14 11:24:04 +01:00
Romain
56ea028e81 Change request duration metric unit from millisecond to second 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-02-14 11:22:04 +01:00
Julien Salleyron
05c547f211 Fix double hash in sticky cookie 2025-02-13 16:42:08 +01:00
Romain
dcd9f2ea96 Replace globalAttributes with resourceAttributes in tracing reference 2025-02-13 14:58:05 +01:00
Ludovic Fernandez
84e20aa9c3 chore: update linter 2025-02-12 10:02:04 +01:00
Kevin Pollet
b5a5e259ed Bump github.com/valyala/fasthttp to v1.58.0 2025-02-11 14:26:04 +01:00
Sheddy
8488214e93 Add missing options in entrypoints page 2025-02-10 15:20:04 +01:00
Bruno de Queiroz
b74767bfa4 Use ResourceAttributes instead of GlobalAttributes 2025-02-06 11:24:04 +01:00
kevinpollet
786d9f3272 Merge branch v3.3 into master 2025-01-31 16:23:49 +01:00
Romain
da2278b29a Prepare release v3.3.3 2025-01-31 15:46:04 +01:00
romain
cfebed7328 Merge branch v2.11 into v3.3 2025-01-31 15:20:12 +01:00
Romain
4e441d09ed Prepare release v2.11.20 2025-01-31 15:16:04 +01:00
khai-pi
8f5dd7bd9d Change docker-compose to docker compose 2025-01-31 14:30:05 +01:00
Harold Ozouf
d04e2d717c Add missing headerField in Middleware CRD 2025-01-31 14:28:06 +01:00
Kevin Pollet
cdd24e91b4 Fix content-length header assertion 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-01-31 12:00:05 +01:00
romain
4fd6b10b7d Merge branch v2.11 into v3.3 2025-01-31 11:14:59 +01:00
Julien Salleyron
86315e0f18 Fix ACME write when traefik is shutting down 2025-01-31 11:06:04 +01:00
Kevin Pollet
c20af070e3 Set check-latest to true in Go setup 2025-01-30 14:06:04 +01:00
Kevin Pollet
8593581cbf Fix integration tests for HTTPS 2025-01-29 17:04:05 +01:00
Romain
857fbb933e Do not create observability model by default 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-01-29 13:56:04 +01:00
Romain
8103992977 Prepare release v2.11.19 2025-01-29 11:36:08 +01:00
Kevin Pollet
c5b92b5260 Do not create a logger instance for each proxy 2025-01-27 11:24:04 +01:00
Shivam Saxena
2afa03b55c Add option to preserve request method in forwardAuth 2025-01-23 14:28:04 +01:00
Augusto Zanellato
2b6a04bc1d Set rule priority in Gateway API TLSRoute 2025-01-23 11:46:04 +01:00
Romain
fb527dac1c Handle responses without content length header 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-01-23 10:00:05 +01:00
Kuba
ef887332c2 Add auto webui theme option and default to it 2025-01-23 09:36:04 +01:00
DoubleREW
c19cf125e8 Fix auto refresh not clearing on component unmount 2025-01-21 14:58:04 +01:00
tsiid
261e4395f3 Add support for UDP routing in systemd socket activation 2025-01-21 09:38:09 +01:00
Nelson Isioma
435d28c790 changing log message when client cert is not available to debug 2025-01-17 09:42:04 +01:00
Romain
4ce4bd7121 Bring back TraceID and SpanID fields in access logs 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-01-15 16:26:08 +01:00
Kevin Pollet
020ab5f347 Prepare release v3.3.2 2025-01-14 16:46:04 +01:00
Romain
ad7fb8e82b Fix observability configuration on EntryPoints 2025-01-14 16:28:05 +01:00
Kevin Pollet
0528c054a6 Do not read response body for HEAD requests 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2025-01-14 15:16:05 +01:00
Kevin Pollet
ad99c5bbea Update Gateway API CRDs for integration tests 2025-01-14 10:36:04 +01:00
Kevin Pollet
8272be0eda Remove awesome.traefik.io reference in documentation section 2025-01-13 10:28:04 +01:00
thomscode
0a6ff446c7 Fix deprecated dnsChallenge propagation logging and documentation 2025-01-13 10:06:04 +01:00
Kevin Pollet
9a9644bafe Set content-type when serving webui index 2025-01-13 09:18:04 +01:00
Taylor Yelverton
95dd17e020 Allow configuring server URLs with label providers 2025-01-09 17:20:06 +01:00
kevinpollet
b0a72960bc Merge branch v3.3 into master 2025-01-08 11:29:59 +01:00
kevinpollet
a57e118a1a Merge branch v2.11 into v3.3 2025-01-08 11:10:59 +01:00
Kevin Pollet
d2414feaff Add test to check that SettingEnableConnectProtocol frame is not sent 2025-01-08 11:02:37 +01:00
Jeff Spiers
6aa56788ea Add missing trailing s to propagation.delayBeforeCheck option 2025-01-08 09:36:04 +01:00
Kevin Pollet
1aa450c028 Prepare release v2.11.18 2025-01-07 16:24:04 +01:00
Romain
f9ff6049d3 Disable http2 connect setting for websocket by default 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
Co-authored-by: Michael <michael.matur@gmail.com>
 2025-01-07 16:12:04 +01:00
Romain
d4d61151e1 Prepare release v3.3.1 2025-01-07 15:46:04 +01:00
romain
456188fa0d Merge current branch v3.2 into v3.3 2025-01-07 15:14:43 +01:00
Romain
03c170f264 Prepare release v3.2.5 2025-01-07 15:10:04 +01:00
Romain
7cb46626a1 Disable http2 connect setting for websocket by default 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
Co-authored-by: Michael <michael.matur@gmail.com>
 2025-01-07 14:58:04 +01:00
Kevin Pollet
5b53bae42d Prepare release v3.3.0 2025-01-06 12:04:04 +01:00
kevinpollet
caf56e6aed Merge branch v3.2 into v3.3 2025-01-06 11:13:12 +01:00
Kevin Pollet
69c8ecfa99 Prepare release v3.2.4 2025-01-06 11:04:04 +01:00
kevinpollet
7db2bbb4a3 Merge branch v2.11 into v3.2 2025-01-06 10:29:57 +01:00
Michael
ee8305549a Allow release only on traefik/traefik repo 2025-01-06 10:28:04 +01:00
Kevin Pollet
a31b026364 Prepare release v2.11.17 2025-01-06 10:00:07 +01:00
Thomas Francis
20d496268c Fix typo in basicauth note 2025-01-06 09:36:08 +01:00
mlec
6d3a685d5a Add ingress status for ClusterIP and NodePort Service Type 2025-01-03 16:10:04 +01:00
mmatur
845d0b5ac7 Merge current v3.3 into master 2025-01-03 15:36:10 +01:00
mmatur
34aa3b75b8 Merge current v3.2 into v3.3 2025-01-03 15:07:43 +01:00
romain
f62fc67418 Merge current v2.11 into v3.2 2025-01-03 14:50:43 +01:00
Ludovic Fernandez
5f3c30e37b chore: update linter 2025-01-03 09:58:04 +01:00
Romain
139f929ec8 Support empty value for core Kubernetes API group 2025-01-03 09:56:04 +01:00
Michael
e20409676a Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 2025-01-03 09:38:04 +01:00
mmatur
d152f7fafc Merge current v3.2 into v3.3 2025-01-02 19:32:34 +01:00
mmatur
ee449db656 Merge current v2.11 into v3.2 2025-01-02 17:15:11 +01:00
Ludovic Fernandez
38ac1e75a2 Update go-acme/lego to v4.21.0 2025-01-02 12:46:04 +01:00
Kevin Pollet
109a8712cc Update copyright for 2025 2025-01-02 12:08:04 +01:00
Hannes Braun
278e739242 Fix allowACMEByPass TOML example 2024-12-30 16:08:03 +01:00
Michael
db31a4c961 Add webui static files in release tarball 2024-12-20 16:46:04 +01:00
kevinpollet
a1099bf8d0 Merge branch v3.2 into v3.3 2024-12-20 15:55:24 +01:00
kevinpollet
596aadfe68 Merge branch v2.11 into v3.2 2024-12-20 15:19:30 +01:00
Kevin Pollet
35ce6baaae Bump golang.org/x/net to v0.33.0 2024-12-20 14:36:06 +01:00
Daniel Anugerah
95f20fc753 Configure ErrorLog in httputil.ReverseProxy 2024-12-20 14:18:04 +01:00
Romain
d9f58f94a2 Prepare release v3.3.0-rc2 2024-12-20 11:52:04 +01:00
Kevin Pollet
a29628fa2e Fix fenced server status computation 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2024-12-20 11:26:04 +01:00
Kevin Pollet
e280716645 Update Gateway API version support to v1.2.1 2024-12-19 11:12:04 +01:00
Eng Zer Jun
f1c4ba2f26 Remove duplicate github.com/coreos/go-systemd dependency 2024-12-19 09:20:04 +01:00
Emile Vauge
a870c2af9b Add @jnoordsij to maintainers 2024-12-17 15:34:04 +01:00
Eng Zer Jun
aa8eb1af6e Replace experimental maps and slices with stdlib 2024-12-17 11:24:04 +01:00
Philipp
189db8d990 Pass TLS bool from IngressRouteTCP to TCPService 2024-12-17 10:12:04 +01:00
Romain
68a8650297 Prepare Release v3.3.0-rc1 2024-12-16 15:30:05 +01:00
kevinpollet
1a5ea1c597 Merge branch v3.2 into master 2024-12-16 11:30:15 +01:00
Kevin Pollet
8983e45fcf Prepare release v3.2.3 2024-12-16 11:20:04 +01:00
kevinpollet
ec214fa825 Merge branch v2.11 into v3.2 2024-12-16 10:51:44 +01:00
Kevin Pollet
1c0094048b Prepare release v2.11.16 2024-12-16 10:48:04 +01:00
Michel Loiseleur
3a3ffab689 Update reference install documentation with current chart default 2024-12-13 11:14:06 +01:00
Nelson Isioma
2302debac2 Add an option to preserve the ForwardAuth Server Location header 2024-12-13 10:38:37 +01:00
kevinpollet
4974d9e4d7 Merge branch v3.2 into master 2024-12-12 15:47:51 +01:00
kevinpollet
33cf06b36a Merge branch v2.11 into v3.2 2024-12-12 15:20:22 +01:00
Romain
590ddfc990 Update nokogiri gem to v1.16.8 2024-12-12 15:12:04 +01:00
Kevin Pollet
39d7b77609 Bump Dockerfile to Alpine v3.21 2024-12-12 14:44:05 +01:00
Michael
e85d02c530 Add support dump API endpoint 2024-12-12 14:12:04 +01:00
Romain
74e0abf8bf Update golang.org/x dependencies 2024-12-12 13:02:04 +01:00
Kevin Pollet
d953ee69b4 Add exprimental flag for OTLP logs integration 2024-12-12 12:22:05 +01:00
kyosuke
26738cbf93 Send request body to authorization server for forward auth 2024-12-12 10:18:05 +01:00
Romain
b1934231ca Manage observability at entrypoint and router level 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2024-12-12 09:52:07 +01:00
Valéry Fouques
9588e51146 Implementation of serving not ready endpoints 2024-12-11 13:54:05 +01:00
Romain
e87da0f390 Prepare release v3.2.2 2024-12-10 15:48:04 +01:00
romain
8eb12795d7 Merge current branch v2.11 into v3.2 2024-12-10 15:04:04 +01:00
Kevin Pollet
cc14c165c0 Prepare release v2.11.15 2024-12-10 14:18:04 +01:00
Michael
f2ba4353b2 Fix experimental build ci 2024-12-10 12:12:05 +01:00
Anchal Sharma
514914639a Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* 2024-12-10 09:48:05 +01:00
Emile Vauge
a4c0b1649d Create FUNDING.yml 2024-12-09 14:46:05 +01:00
Kevin Pollet
f547f1b22b Update sigs.k8s.io/gateway-api to v1.2.1 2024-12-09 09:44:05 +01:00
Michael
42df9afeaf Fix release by using github action 2024-12-06 16:56:06 +01:00
Julien Salleyron
c8b0285c91 Fix WASM settings 2024-12-06 16:38:05 +01:00
Kevin Pollet
2df655cefe Update github.com/quic-go/quic-go to v0.48.2 2024-12-06 16:36:05 +01:00
Romain
826a2b74aa OpenTelemetry Logs and Access Logs 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2024-12-06 14:50:04 +01:00
Sheddy
47b4df71bf New Install Reference Documentation 2024-12-06 10:14:07 +01:00
Romain
2b35c7e205 Fix models mechanism for default rule syntax 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2024-11-29 10:52:05 +01:00
Ludovic Fernandez
33c1d700c0 Add options to control ACME propagation checks 2024-11-26 09:08:04 +01:00
Kevin Pollet
536e11d949 Move callout to the entrypoint page footer 2024-11-25 17:22:04 +01:00
Romain
0ec12c7aa7 Configurable API & Dashboard base path 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2024-11-25 11:52:04 +01:00
Ludovic Fernandez
c120b70483 Update go-acme/lego to v4.20.4 2024-11-22 09:54:04 +01:00
Kevin Pollet
ab0713d587 Fix incorrect links in v3 migration sections 2024-11-22 09:44:04 +01:00
kevinpollet
090db6d4b0 Merge branch v3.2 into master 2024-11-21 14:53:27 +01:00
IIpragmaII
ec00c4aa42 Configurable path for sticky cookies 2024-11-06 16:04:04 +01:00
Bmagic
552bd8f180 Add AbortOnPluginFailure option to abort startup on plugin load failure 2024-11-06 11:58:04 +01:00
Shreyas Kirtane
97caf758ef Make the IngressRoute kind optional 2024-11-04 16:26:04 +01:00
Nikolai K
e8ff825ed2 Set Host header in HTTP provider request 2024-10-29 15:30:38 +01:00
kevinpollet
7004f0e750 Merge branch v3.2 into master 2024-10-29 09:29:27 +01:00
kevinpollet
06e64af9e9 Merge branch v3.2 into master 2024-10-10 11:32:18 +02:00
Michel Heusschen
6f469ee1ec Only calculate basic auth hashes once for concurrent requests 2024-10-10 10:36:04 +02:00
638 changed files with 38896 additions and 9813 deletions
Expand all files Collapse all files

3
.github/FUNDING.yml vendored Normal file
View File

@@ -0,0 +1,3 @@
# These are supported funding model platforms
github: traefik

4
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
Documentation fixes or enhancements:
- for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.2
- for Traefik v3: use branch v3.4
Bug fixes:
- for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.2
- for Traefik v3: use branch v3.4
Enhancements:
- for Traefik v2: we only accept bug fixes

38
.github/workflows/build.yaml vendored
View File

@@ -10,42 +10,13 @@ on:
- 'script/gcg/**'
env:
GO_VERSION: '1.23'
GO_VERSION: '1.24'
CGO_ENABLED: 0
jobs:
build-webui:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup node
uses: actions/setup-node@v4
with:
node-version-file: webui/.nvmrc
cache: yarn
cache-dependency-path: webui/yarn.lock
- name: Build webui
working-directory: ./webui
run: |
yarn install
yarn build
- name: Package webui
run: |
tar czvf webui.tar.gz ./webui/static/
- name: Artifact webui
uses: actions/upload-artifact@v4
with:
name: webui.tar.gz
path: webui.tar.gz
uses: ./.github/workflows/template-webui.yaml
build:
runs-on: ubuntu-latest
@@ -90,6 +61,7 @@ jobs:
ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Artifact webui
uses: actions/download-artifact@v4
@@ -97,7 +69,9 @@ jobs:
name: webui.tar.gz
- name: Untar webui
run: tar xvf webui.tar.gz
run: |
tar xvf webui.tar.gz
rm webui.tar.gz
- name: Build
env:

34
.github/workflows/experimental.yaml vendored
View File

@@ -7,41 +7,33 @@ on:
- v*
env:
GO_VERSION: '1.23'
GO_VERSION: '1.24'
CGO_ENABLED: 0
jobs:
build-webui:
if: github.repository == 'traefik/traefik'
uses: ./.github/workflows/template-webui.yaml
experimental:
if: github.repository == 'traefik/traefik'
name: Build experimental image on branch
runs-on: ubuntu-latest
steps:
# https://github.com/marketplace/actions/checkout
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup node
uses: actions/setup-node@v4
with:
node-version-file: webui/.nvmrc
cache: yarn
cache-dependency-path: webui/yarn.lock
- name: Build webui
working-directory: ./webui
run: |
yarn install
yarn build
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
env:
ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Build
run: make generate binary
@@ -61,6 +53,16 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Artifact webui
uses: actions/download-artifact@v4
with:
name: webui.tar.gz
- name: Untar webui
run: |
tar xvf webui.tar.gz
rm webui.tar.gz
- name: Build docker experimental image
env:
DOCKER_BUILDX_ARGS: "--push"

138
.github/workflows/release.yaml vendored Normal file
View File

@@ -0,0 +1,138 @@
name: Release
on:
push:
tags:
- 'v*.*.*'
env:
GO_VERSION: '1.24'
CGO_ENABLED: 0
VERSION: ${{ github.ref_name }}
TRAEFIKER_EMAIL: "traefiker@traefik.io"
CODENAME: chaource
jobs:
build-webui:
if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
uses: ./.github/workflows/template-webui.yaml
build:
if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
runs-on: ubuntu-latest
strategy:
matrix:
os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
needs:
- build-webui
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
env:
# Ensure cache consistency on Linux, see https://github.com/actions/setup-go/pull/383
ImageOS: ${{ matrix.os }}
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Artifact webui
uses: actions/download-artifact@v4
with:
name: webui.tar.gz
- name: Untar webui
run: |
tar xvf webui.tar.gz
rm webui.tar.gz
- name: Go generate
run: go generate
- name: Generate goreleaser file
run: |
GORELEASER_CONFIG_FILE_PATH=$(go run ./internal/release "${{ matrix.os }}")
echo "GORELEASER_CONFIG_FILE_PATH=$GORELEASER_CONFIG_FILE_PATH" >> $GITHUB_ENV
- name: Build with goreleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
# 'latest', 'nightly', or a semver
version: '~> v2'
args: release --clean --timeout="90m" --config "${{ env.GORELEASER_CONFIG_FILE_PATH }}"
- name: Artifact binaries
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}-binaries
path: |
dist/**/*_checksums.txt
dist/**/*.tar.gz
dist/**/*.zip
retention-days: 1
release:
if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Artifact webui
uses: actions/download-artifact@v4
with:
name: webui.tar.gz
- name: Untar webui
run: |
tar xvf webui.tar.gz
rm webui.tar.gz
- name: Retrieve the secret and decode it to a file
env:
TRAEFIKER_RSA: ${{ secrets.TRAEFIKER_RSA }}
run: |
mkdir -p ~/.ssh
echo "${TRAEFIKER_RSA}" | base64 --decode > ~/.ssh/traefiker_rsa
- name: Download All Artifacts
uses: actions/download-artifact@v4
with:
path: dist/
pattern: "*-binaries"
merge-multiple: true
- name: Publish Release
env:
GH_TOKEN: ${{ github.token }}
run: |
cat dist/**/*_checksums.txt >> "dist/traefik_${VERSION}_checksums.txt"
rm dist/**/*_checksums.txt
tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
--exclude-vcs \
--exclude .idea \
--exclude .travis \
--exclude .semaphoreci \
--exclude .github \
--exclude dist .
chown -R "$(id -u)":"$(id -g)" dist/
gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
./script/deploy.sh

37
.github/workflows/template-webui.yaml vendored Normal file
View File

@@ -0,0 +1,37 @@
name: Build Web UI
on:
workflow_call: {}
jobs:
build-webui:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup node
uses: actions/setup-node@v4
with:
node-version-file: webui/.nvmrc
cache: yarn
cache-dependency-path: webui/yarn.lock
- name: Build webui
working-directory: ./webui
run: |
yarn install
yarn build
- name: Package webui
run: |
tar czvf webui.tar.gz ./webui/static/
- name: Artifact webui
uses: actions/upload-artifact@v4
with:
name: webui.tar.gz
path: webui.tar.gz
retention-days: 1

4
.github/workflows/test-integration.yaml vendored
View File

@@ -10,7 +10,7 @@ on:
- 'script/gcg/**'
env:
GO_VERSION: '1.23'
GO_VERSION: '1.24'
CGO_ENABLED: 0
jobs:
@@ -28,6 +28,7 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: touch webui/static/index.html
@@ -55,6 +56,7 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: touch webui/static/index.html

34
.github/workflows/test-unit.yaml vendored
View File

@@ -10,12 +10,40 @@ on:
- 'script/gcg/**'
env:
GO_VERSION: '1.23'
GO_VERSION: '1.24'
jobs:
generate-packages:
name: List Go Packages
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Generate matrix
id: set-matrix
run: |
matrix_output=$(go run ./internal/testsci/genmatrix.go)
echo "$matrix_output"
echo "$matrix_output" >> $GITHUB_OUTPUT
test-unit:
runs-on: ubuntu-latest
needs: generate-packages
strategy:
matrix:
package: ${{ fromJson(needs.generate-packages.outputs.matrix) }}
steps:
- name: Check out code
@@ -27,12 +55,14 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: touch webui/static/index.html
- name: Tests
run: make test-unit
run: |
go test -v -parallel 8 ${{ matrix.package.group }}
test-ui-unit:
runs-on: ubuntu-latest

11
.github/workflows/validate.yaml vendored
View File

@@ -6,8 +6,8 @@ on:
- '*'
env:
GO_VERSION: '1.23'
GOLANGCI_LINT_VERSION: v1.62.0
GO_VERSION: '1.24'
GOLANGCI_LINT_VERSION: v2.0.2
MISSPELL_VERSION: v0.6.0
jobs:
@@ -25,9 +25,10 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
uses: golangci/golangci-lint-action@v7
with:
version: "${{ env.GOLANGCI_LINT_VERSION }}"
@@ -44,9 +45,10 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Install misspell ${{ env.MISSPELL_VERSION }}
run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
- name: Avoid generating webui
run: touch webui/static/index.html
@@ -67,6 +69,7 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: go generate
run: |

597
.golangci.yml
View File

@@ -1,301 +1,324 @@
run:
timeout: 10m
version: "2"
linters-settings:
govet:
enable-all: true
disable:
- shadow
- fieldalignment
gocyclo:
min-complexity: 14
goconst:
min-len: 3
min-occurrences: 4
misspell:
locale: US
funlen:
lines: -1
statements: 120
forbidigo:
forbid:
- ^print(ln)?$
- ^spew\.Print(f|ln)?$
- ^spew\.Dump$
depguard:
rules:
main:
deny:
- pkg: "github.com/instana/testify"
desc: not allowed
- pkg: "github.com/pkg/errors"
desc: Should be replaced by standard lib errors package
- pkg: "k8s.io/api/networking/v1beta1"
desc: This API is deprecated
- pkg: "k8s.io/api/extensions/v1beta1"
desc: This API is deprecated
godox:
keywords:
- FIXME
importas:
no-unaliased: true
alias:
- alias: composeapi
pkg: github.com/docker/compose/v2/pkg/api
formatters:
enable:
- gci
- gofumpt
exclusions:
generated: lax
paths:
- pkg/provider/kubernetes/crd/generated/
# Standard Kubernetes rewrites:
- alias: corev1
pkg: "k8s.io/api/core/v1"
- alias: netv1
pkg: "k8s.io/api/networking/v1"
- alias: admv1
pkg: "k8s.io/api/admission/v1"
- alias: admv1beta1
pkg: "k8s.io/api/admission/v1beta1"
- alias: metav1
pkg: "k8s.io/apimachinery/pkg/apis/meta/v1"
- alias: ktypes
pkg: "k8s.io/apimachinery/pkg/types"
- alias: kerror
pkg: "k8s.io/apimachinery/pkg/api/errors"
- alias: kclientset
pkg: "k8s.io/client-go/kubernetes"
- alias: kinformers
pkg: "k8s.io/client-go/informers"
- alias: ktesting
pkg: "k8s.io/client-go/testing"
- alias: kschema
pkg: "k8s.io/apimachinery/pkg/runtime/schema"
- alias: kscheme
pkg: "k8s.io/client-go/kubernetes/scheme"
- alias: kversion
pkg: "k8s.io/apimachinery/pkg/version"
- alias: kubefake
pkg: "k8s.io/client-go/kubernetes/fake"
- alias: discoveryfake
pkg: "k8s.io/client-go/discovery/fake"
# Kubernetes Gateway rewrites:
- alias: gateclientset
pkg: "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned"
- alias: gateinformers
pkg: "sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions"
- alias: gatev1alpha2
pkg: "sigs.k8s.io/gateway-api/apis/v1alpha2"
# Traefik Kubernetes rewrites:
- alias: traefikv1alpha1
pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
- alias: traefikclientset
pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned"
- alias: traefikinformers
pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions"
- alias: traefikscheme
pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
- alias: traefikcrdfake
pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
tagalign:
align: false
sort: true
order:
- description
- json
- toml
- yaml
- yml
- label
- label-slice-as-struct
- file
- kv
- export
revive:
rules:
- name: struct-tag
- name: blank-imports
- name: context-as-argument
- name: context-keys-type
- name: dot-imports
- name: error-return
- name: error-strings
- name: error-naming
- name: exported
disabled: true
- name: if-return
- name: increment-decrement
- name: var-naming
- name: var-declaration
- name: package-comments
disabled: true
- name: range
- name: receiver-naming
- name: time-naming
- name: unexported-return
- name: indent-error-flow
- name: errorf
- name: empty-block
- name: superfluous-else
- name: unused-parameter
disabled: true
- name: unreachable-code
- name: redefines-builtin-id
gomoddirectives:
replace-allow-list:
- github.com/abbot/go-http-auth
- github.com/gorilla/mux
- github.com/mailgun/minheap
- github.com/mailgun/multibuf
- github.com/jaguilar/vt100
- github.com/cucumber/godog
- github.com/http-wasm/http-wasm-host-go
testifylint:
disable:
- suite-dont-use-pkg
- require-error
- go-require
staticcheck:
checks:
- all
- -SA1019
errcheck:
exclude-functions:
- fmt.Fprintln
linters:
enable-all: true
default: all
disable:
- sqlclosecheck # not relevant (SQL)
- rowserrcheck # not relevant (SQL)
- bodyclose # too many false-positive
- containedctx # too many false-positive
- contextcheck # too many false-positive
- cyclop # duplicate of gocyclo
- lll # Not relevant
- gocyclo # FIXME must be fixed
- gocognit # Too strict
- nestif # Too many false-positive.
- prealloc # Too many false-positive.
- makezero # Not relevant
- dupl # Too strict
- gosec # Too strict
- gochecknoinits
- gochecknoglobals
- wsl # Too strict
- nlreturn # Not relevant
- mnd # Too strict
- stylecheck # skip because report issues related to some generated files.
- testpackage # Too strict
- tparallel # Not relevant
- paralleltest # Not relevant
- err113 # Too strict
- exhaustive # Not relevant
- exhaustruct # Not relevant
- err113 # Too strict
- wrapcheck # Too strict
- noctx # Too strict
- bodyclose # too many false-positive
- forcetypeassert # Too strict
- tagliatelle # Too strict
- varnamelen # Not relevant
- nilnil # Not relevant
- ireturn # Not relevant
- contextcheck # too many false-positive
- containedctx # too many false-positive
- maintidx # kind of duplicate of gocyclo
- nonamedreturns # Too strict
- gochecknoglobals
- gochecknoinits
- gocognit # Too strict
- gocyclo # FIXME must be fixed
- gosec # Too strict
- gosmopolitan # not relevant
- exportloopref # Not relevant since go1.22
- ireturn # Not relevant
- lll # Not relevant
- maintidx # kind of duplicate of gocyclo
- makezero # Not relevant
- mnd # Too strict
- nestif # Too many false-positive.
- nilnil # Not relevant
- nlreturn # Not relevant
- noctx # Too strict
- nonamedreturns # Too strict
- paralleltest # Not relevant
- prealloc # Too many false-positive.
- rowserrcheck # not relevant (SQL)
- sqlclosecheck # not relevant (SQL)
- tagliatelle # Too strict
- testpackage # Too strict
- tparallel # Not relevant
- varnamelen # Not relevant
- wrapcheck # Too strict
- wsl # Too strict
settings:
depguard:
rules:
main:
deny:
- pkg: github.com/instana/testify
desc: not allowed
- pkg: github.com/pkg/errors
desc: Should be replaced by standard lib errors package
errcheck:
exclude-functions:
- fmt.Fprintln
forbidigo:
forbid:
- pattern: ^print(ln)?$
- pattern: ^spew\.Print(f|ln)?$
- pattern: ^spew\.Dump$
funlen:
lines: -1
statements: 120
goconst:
min-len: 3
min-occurrences: 4
gocyclo:
min-complexity: 14
godox:
keywords:
- FIXME
gomoddirectives:
toolchain-pattern: go1\.\d+\.\d+$
tool-forbidden: true
go-version-pattern: ^1\.\d+(\.0)?$
replace-allow-list:
- github.com/abbot/go-http-auth
- github.com/gorilla/mux
- github.com/mailgun/minheap
- github.com/mailgun/multibuf
- github.com/jaguilar/vt100
- github.com/cucumber/godog
govet:
enable-all: true
disable:
- shadow
- fieldalignment
importas:
no-unaliased: true
alias:
- pkg: github.com/docker/compose/v2/pkg/api
alias: composeapi
# Standard Kubernetes rewrites:
- pkg: k8s.io/api/core/v1
alias: corev1
- pkg: k8s.io/api/networking/v1
alias: netv1
- pkg: k8s.io/api/networking/v1beta1
alias: netv1beta1
- pkg: k8s.io/api/admission/v1
alias: admv1
- pkg: k8s.io/api/admission/v1beta1
alias: admv1beta1
- pkg: k8s.io/api/extensions/v1beta1
alias: extv1beta1
- pkg: k8s.io/apimachinery/pkg/apis/meta/v1
alias: metav1
- pkg: k8s.io/apimachinery/pkg/types
alias: ktypes
- pkg: k8s.io/apimachinery/pkg/api/errors
alias: kerror
- pkg: k8s.io/client-go/kubernetes
alias: kclientset
- pkg: k8s.io/client-go/informers
alias: kinformers
- pkg: k8s.io/client-go/testing
alias: ktesting
- pkg: k8s.io/apimachinery/pkg/runtime/schema
alias: kschema
- pkg: k8s.io/client-go/kubernetes/scheme
alias: kscheme
- pkg: k8s.io/apimachinery/pkg/version
alias: kversion
- pkg: k8s.io/client-go/kubernetes/fake
alias: kubefake
- pkg: k8s.io/client-go/discovery/fake
alias: discoveryfake
# Kubernetes Gateway rewrites:
- pkg: sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned
alias: gateclientset
- pkg: sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions
alias: gateinformers
- pkg: sigs.k8s.io/gateway-api/apis/v1alpha2
alias: gatev1alpha2
# Traefik Kubernetes rewrites:
- pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1
alias: traefikv1alpha1
- pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned
alias: traefikclientset
- pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions
alias: traefikinformers
- pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
alias: traefikscheme
- pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
alias: traefikcrdfake
misspell:
locale: US
revive:
rules:
- name: struct-tag
- name: blank-imports
- name: context-as-argument
- name: context-keys-type
- name: dot-imports
- name: error-return
- name: error-strings
- name: error-naming
- name: exported
disabled: true
- name: if-return
- name: increment-decrement
- name: var-naming
- name: var-declaration
- name: package-comments
disabled: true
- name: range
- name: receiver-naming
- name: time-naming
- name: unexported-return
- name: indent-error-flow
- name: errorf
- name: empty-block
- name: superfluous-else
- name: unused-parameter
disabled: true
- name: unreachable-code
- name: redefines-builtin-id
tagalign:
align: false
sort: true
order:
- description
- json
- toml
- yaml
- yml
- label
- label-slice-as-struct
- file
- kv
- export
testifylint:
disable:
- suite-dont-use-pkg
- require-error
- go-require
perfsprint:
err-error: true
errorf: true
sprintf1: true
strconcat: false
staticcheck:
checks:
- all
- '-SA1019'
- '-ST1000'
- '-ST1003'
- '-ST1016'
- '-ST1020'
- '-ST1021'
- '-ST1022'
- '-QF1001'
- '-QF1008' # TODO must be fixed
exclusions:
generated: lax
presets:
- comments
- std-error-handling
rules:
- path: (.+)_test.go
linters:
- canonicalheader
- fatcontext
- funlen
- goconst
- godot
- path: (.+)_test.go
text: ' always receives '
linters:
- unparam
- path: pkg/server/service/bufferpool.go
text: 'SA6002: argument should be pointer-like to avoid allocations'
- path: pkg/server/middleware/middlewares.go
text: Function 'buildConstructor' has too many statements
linters:
- funlen
- path: pkg/tracing/haystack/logger.go
linters:
- goprintffuncname
- path: pkg/tracing/tracing.go
text: printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'
linters:
- goprintffuncname
- path: pkg/tls/tlsmanager_test.go
text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
- path: pkg/types/tls_test.go
text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
- path: pkg/provider/kubernetes/(crd|gateway)/client.go
linters:
- interfacebloat
- path: pkg/metrics/metrics.go
linters:
- interfacebloat
- path: integration/healthcheck_test.go
text: Duplicate words \(wsp2,\) found
linters:
- dupword
- path: pkg/types/domain_test.go
text: Duplicate words \(sub\) found
linters:
- dupword
- path: pkg/provider/kubernetes/gateway/client_mock_test.go
text: 'unusedwrite: unused write to field'
linters:
- govet
- path: pkg/provider/acme/local_store.go
linters:
- musttag
- path: pkg/tls/certificate.go
text: the methods of "Certificates" use pointer receiver and non-pointer receiver.
linters:
- recvcheck
- path: pkg/config/static/static_config.go
source: 'errors.New\("Consul Catalog provider'
text: 'ST1005: error strings should not be capitalized'
- path: pkg/config/static/static_config.go
source: 'errors.New\("Consul provider'
text: 'ST1005: error strings should not be capitalized'
- path: pkg/config/static/static_config.go
source: 'errors.New\("Nomad provider'
text: 'ST1005: error strings should not be capitalized'
- path: (.+)\.go
text: 'struct-tag: unknown option ''inline'' in JSON tag'
linters:
- revive
- path: (.+)\.go
text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
linters:
- revive
- path: (.+)\.go$
text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
- path: (.+)\.go$
text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
- path: (.+)\.go$
text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
- path: (.+)\.go$
text: 'SA1019: dockertypes.ContainerNode is deprecated'
- path: pkg/provider/kubernetes/crd/kubernetes.go
text: "Function 'loadConfigurationFromCRD' has too many statements"
linters:
- funlen
- path: pkg/plugins/middlewarewasm.go
text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
linters:
- recvcheck
- path: pkg/proxy/httputil/bufferpool.go
text: 'SA6002: argument should be pointer-like to avoid allocations'
paths:
- pkg/provider/kubernetes/crd/generated/
issues:
exclude-use-default: false
max-issues-per-linter: 0
max-same-issues: 0
exclude-dirs:
- pkg/provider/kubernetes/crd/generated/
exclude:
- 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
- "should have a package comment, unless it's in another file for this package"
- 'fmt.Sprintf can be replaced with string'
- 'SA1019: dockertypes.ContainerNode is deprecated'
exclude-rules:
- path: '(.+)_test.go'
linters:
- goconst
- funlen
- godot
- canonicalheader
- fatcontext
- path: '(.+)_test.go'
text: ' always receives '
linters:
- unparam
- path: '(.+)\.go'
text: 'struct-tag: unknown option ''inline'' in JSON tag'
linters:
- revive
- path: pkg/proxy/httputil/bufferpool.go
text: 'SA6002: argument should be pointer-like to avoid allocations'
- path: pkg/server/middleware/middlewares.go
text: "Function 'buildConstructor' has too many statements"
linters:
- funlen
- path: pkg/logs/haystack.go
linters:
- goprintffuncname
- path: pkg/tracing/tracing.go
text: "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
linters:
- goprintffuncname
- path: pkg/tls/tlsmanager_test.go
text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
- path: pkg/types/tls_test.go
text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
- path: pkg/provider/kubernetes/crd/kubernetes.go
text: 'SA1019: middleware.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
- path: pkg/server/middleware/tcp/middlewares.go
text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
- path: pkg/server/middleware/middlewares.go
text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
- path: pkg/provider/kubernetes/(crd|gateway)/client.go
linters:
- interfacebloat
- path: pkg/metrics/metrics.go
linters:
- interfacebloat
- path: integration/healthcheck_test.go
text: 'Duplicate words \(wsp2,\) found'
linters:
- dupword
- path: pkg/types/domain_test.go
text: 'Duplicate words \(sub\) found'
linters:
- dupword
- path: pkg/provider/kubernetes/crd/kubernetes.go
text: "Function 'loadConfigurationFromCRD' has too many statements"
linters:
- funlen
- path: pkg/provider/kubernetes/gateway/client_mock_test.go
text: 'unusedwrite: unused write to field'
linters:
- govet
- path: pkg/cli/deprecation.go
linters:
- goconst
- path: pkg/cli/loader_file.go
linters:
- goconst
- path: pkg/provider/acme/local_store.go
linters:
- musttag
- path: pkg/types/metrics.go
linters:
- goconst
- path: pkg/tls/certificate.go
text: 'the methods of "Certificates" use pointer receiver and non-pointer receiver.'
linters:
- recvcheck
- path: pkg/plugins/middlewarewasm.go
text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
linters:
- recvcheck
output:
show-stats: true
sort-results: true
sort-order:
- linter
- file

15
.goreleaser.yml.tmpl
View File

@@ -1,12 +1,11 @@
project_name: traefik
version: 2
[[if .GOARCH]]
dist: "./dist/[[ .GOOS ]]-[[ .GOARCH ]]"
[[else]]
dist: "./dist/[[ .GOOS ]]"
[[ if eq .GOOS "linux" ]]
before:
hooks:
- go generate
[[ end ]]
[[end]]
builds:
- binary: traefik
@@ -21,6 +20,9 @@ builds:
goos:
- "[[ .GOOS ]]"
goarch:
[[if .GOARCH]]
- "[[ .GOARCH ]]"
[[else]]
- amd64
- '386'
- arm
@@ -28,6 +30,7 @@ builds:
- ppc64le
- s390x
- riscv64
[[end]]
goarm:
- '7'
- '6'

62
.semaphore/semaphore.yml
View File

@@ -1,63 +1,13 @@
version: v1.0
name: Traefik
name: Traefik Release - deprecated
agent:
machine:
type: e1-standard-4
os_image: ubuntu2004
fail_fast:
stop:
when: "branch != 'master'"
auto_cancel:
queued:
when: "branch != 'master'"
running:
when: "branch != 'master'"
global_job_config:
prologue:
commands:
- curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
- sudo semgo go1.23
- export "GOPATH=$(go env GOPATH)"
- export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
- export "PATH=${GOPATH}/bin:${PATH}"
- mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
- export GOPROXY=https://proxy.golang.org,direct
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.62.0
- curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
- checkout
- cache restore traefik-$(checksum go.sum)
type: f1-standard-2
os_image: ubuntu2204
blocks:
- name: Release
dependencies: []
run:
when: "tag =~ '.*'"
- name: 'Do nothing'
task:
agent:
machine:
type: e1-standard-8
os_image: ubuntu2004
secrets:
- name: traefik
env_vars:
- name: GH_VERSION
value: 2.32.1
- name: CODENAME
value: "munster"
prologue:
commands:
- export VERSION=${SEMAPHORE_GIT_TAG_NAME}
- curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
- tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
- sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
- sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox /usr/lib/google-cloud-sdk ~/.rbenv ~/.pip_download_cache # Remove unnecessary data.
- sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
jobs:
- name: Release
- name: 'Do nothing'
commands:
- make release-packages
- gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
- ./script/deploy.sh
- echo "Do nothing"

455
CHANGELOG.md
View File

@@ -1,3 +1,458 @@
## [v3.4.2](https://github.com/traefik/traefik/tree/v3.4.2) (2025-06-26)
[All Commits](https://github.com/traefik/traefik/compare/v3.4.1...v3.4.2)
**Documentation:**
- **[acme]** Add a note to certificatesDuration ([#11808](https://github.com/traefik/traefik/pull/11808) by [sMteX](https://github.com/sMteX))
- **[docker,k8s]** Update Getting started Section with New Docker and Kubernetes Tutorial ([#11714](https://github.com/traefik/traefik/pull/11714) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[docker]** Remove obsolete version field in compose files ([#11798](https://github.com/traefik/traefik/pull/11798) by [thomas-mauran](https://github.com/thomas-mauran))
- **[k8s]** Add a note about Ingress Backend Resource support ([#11785](https://github.com/traefik/traefik/pull/11785) by [edysli](https://github.com/edysli))
- **[logs,metrics,tracing,accesslogs]** Update the EntryPoints Documentation ([#11856](https://github.com/traefik/traefik/pull/11856) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[logs,metrics,tracing,accesslogs]** Add New Observe Guides to the Documentation ([#11828](https://github.com/traefik/traefik/pull/11828) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[middleware]** Remove conflicting information from the CircuitBreaker documentation. ([#11835](https://github.com/traefik/traefik/pull/11835) by [adk-swisstopo](https://github.com/adk-swisstopo))
- **[service]** Clarify mirroring service default percent value ([#11804](https://github.com/traefik/traefik/pull/11804) by [Alexy-vda](https://github.com/Alexy-vda))
- **[websocket]** Add WebSocket guide ([#11623](https://github.com/traefik/traefik/pull/11623) by [NX211](https://github.com/NX211))
**Misc:**
- Merge branch v2.11 into v3.4 ([#11859](https://github.com/traefik/traefik/pull/11859) by [rtribotte](https://github.com/rtribotte))
- Merge branch v2.11 into v3.4 ([#11831](https://github.com/traefik/traefik/pull/11831) by [rtribotte](https://github.com/rtribotte))
- Merge branch v2.11 into v3.4 ([#11810](https://github.com/traefik/traefik/pull/11810) by [rtribotte](https://github.com/rtribotte))
## [v2.11.26](https://github.com/traefik/traefik/tree/v2.11.26) (2025-06-26)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.25...v2.11.26)
**Bug fixes:**
- **[middleware]** Do not log redis sentinel username and password ([#11819](https://github.com/traefik/traefik/pull/11819) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[kv]** Fix KV reference rendering ([#11815](https://github.com/traefik/traefik/pull/11815) by [rtribotte](https://github.com/rtribotte))
- **[middleware,k8s/crd]** Fix typo in redirect middleware documentation ([#11830](https://github.com/traefik/traefik/pull/11830) by [rtribotte](https://github.com/rtribotte))
- Update supported versions ([#11811](https://github.com/traefik/traefik/pull/11811) by [jnoordsij](https://github.com/jnoordsij))
## [v3.4.1](https://github.com/traefik/traefik/tree/v3.4.1) (2025-05-27)
[All Commits](https://github.com/traefik/traefik/compare/v3.4.0...v3.4.1)
**Bug fixes:**
- **[docker]** Do not warn network missing if connected to a container network ([#11698](https://github.com/traefik/traefik/pull/11698) by [holysoles](https://github.com/holysoles))
- **[k8s/crd]** Fix CEL validation for RootCA in ServersTransport ([#11775](https://github.com/traefik/traefik/pull/11775) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Scope the rate limit counter key by source and by middleware ([#11753](https://github.com/traefik/traefik/pull/11753) by [aromeyer](https://github.com/aromeyer))
- **[server]** Use routing path in v3 matchers ([#11790](https://github.com/traefik/traefik/pull/11790) by [kevinpollet](https://github.com/kevinpollet))
- **[service]** Make P2C strategy thread-safe ([#11762](https://github.com/traefik/traefik/pull/11762) by [lbenguigui](https://github.com/lbenguigui))
- **[webui]** Do not display RemoveHeader option when not defined ([#11782](https://github.com/traefik/traefik/pull/11782) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[acme]** Fix ambiguous wording in ACME page ([#11789](https://github.com/traefik/traefik/pull/11789) by [joshka](https://github.com/joshka))
- **[k8s]** Fix incorrect case and missing rbac in documentation ([#11742](https://github.com/traefik/traefik/pull/11742) by [mmatur](https://github.com/mmatur))
- **[middleware]** Match encoded certificate to example data for TLS passthrough ([#11759](https://github.com/traefik/traefik/pull/11759) by [holysoles](https://github.com/holysoles))
**Misc:**
- Merge branch v2.11 into v3.4 ([#11799](https://github.com/traefik/traefik/pull/11799) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.4 ([#11796](https://github.com/traefik/traefik/pull/11796) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.4 ([#11783](https://github.com/traefik/traefik/pull/11783) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.4 ([#11757](https://github.com/traefik/traefik/pull/11757) by [mmatur](https://github.com/mmatur))
- Merge v2.11 into v3.4 ([#11751](https://github.com/traefik/traefik/pull/11751) by [mmatur](https://github.com/mmatur))
## [v2.11.25](https://github.com/traefik/traefik/tree/v2.11.25) (2025-05-27)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.24...v2.11.25)
**Bug fixes:**
- **[k8s/ingress]** Fix panic for ingress with backend resource ([#11777](https://github.com/traefik/traefik/pull/11777) by [rtribotte](https://github.com/rtribotte))
- **[server]** Normalize request path ([#11768](https://github.com/traefik/traefik/pull/11768) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[middleware,k8s]** Add multi-tenant TLS guidance to the docs ([#11724](https://github.com/traefik/traefik/pull/11724) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[service]** Add a note about how to disable connection reuse with backends ([#11716](https://github.com/traefik/traefik/pull/11716) by [rtribotte](https://github.com/rtribotte))
- Fix broken link in documentation ([#11761](https://github.com/traefik/traefik/pull/11761) by [sheddy-traefik](https://github.com/sheddy-traefik))
- Change version for path sanitization migration guide ([#11702](https://github.com/traefik/traefik/pull/11702) by [rtribotte](https://github.com/rtribotte))
## [v3.4.0](https://github.com/traefik/traefik/tree/v3.4.0) (2025-05-05)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.4.0)
**Enhancements:**
- **[acme]** Add acme.profile and acme.emailAddresses options ([#11597](https://github.com/traefik/traefik/pull/11597) by [ldez](https://github.com/ldez))
- **[docker,ecs,docker/swarm,consulcatalog,nomad]** Allow configuring server URLs with label providers ([#11374](https://github.com/traefik/traefik/pull/11374) by [yelvert](https://github.com/yelvert))
- **[k8s/crd]** Improve CEL validation on Ingress CRD resources ([#11311](https://github.com/traefik/traefik/pull/11311) by [mloiseleur](https://github.com/mloiseleur))
- **[k8s/crd]** Remove default load-balancing strategy from CRD ([#11701](https://github.com/traefik/traefik/pull/11701) by [kevinpollet](https://github.com/kevinpollet))
- **[k8s/crd]** Restrict regex validation of HTTP status codes for Ingress CRD resources ([#11670](https://github.com/traefik/traefik/pull/11670) by [jnoordsij](https://github.com/jnoordsij))
- **[k8s/gatewayapi]** Set rule priority in Gateway API TLSRoute ([#11443](https://github.com/traefik/traefik/pull/11443) by [augustozanellato](https://github.com/augustozanellato))
- **[k8s/ingress]** Add ingress status for ClusterIP and NodePort Service Type ([#11100](https://github.com/traefik/traefik/pull/11100) by [mlec1](https://github.com/mlec1))
- **[middleware,authentication]** Add option to preserve request method in forwardAuth ([#11473](https://github.com/traefik/traefik/pull/11473) by [an09mous](https://github.com/an09mous))
- **[middleware]** Support rewriting status codes in error page middleware ([#11520](https://github.com/traefik/traefik/pull/11520) by [sevensolutions](https://github.com/sevensolutions))
- **[middleware]** Add Redis rate limiter ([#10211](https://github.com/traefik/traefik/pull/10211) by [longquan0104](https://github.com/longquan0104))
- **[service]** Add p2c load-balancing strategy for servers load-balancer ([#11547](https://github.com/traefik/traefik/pull/11547) by [rtribotte](https://github.com/rtribotte))
- **[sticky-session]** Support domain configuration for sticky cookies ([#11556](https://github.com/traefik/traefik/pull/11556) by [jleal52](https://github.com/jleal52))
- **[tls,k8s/crd,service]** Allow root CA to be added through config maps ([#11475](https://github.com/traefik/traefik/pull/11475) by [Nelwhix](https://github.com/Nelwhix))
- **[tls]** Add support to disable session ticket ([#11609](https://github.com/traefik/traefik/pull/11609) by [avdhoot](https://github.com/avdhoot))
- **[udp]** Add support for UDP routing in systemd socket activation ([#11022](https://github.com/traefik/traefik/pull/11022) by [tsiid](https://github.com/tsiid))
- **[webui]** Add auto webui theme option and default to it ([#11455](https://github.com/traefik/traefik/pull/11455) by [zizzfizzix](https://github.com/zizzfizzix))
- Replace experimental maps and slices with stdlib ([#11350](https://github.com/traefik/traefik/pull/11350) by [Juneezee](https://github.com/Juneezee))
- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11687](https://github.com/traefik/traefik/pull/11687) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- Prepare release v3.4.0-rc1 ([#11654](https://github.com/traefik/traefik/pull/11654) by [kevinpollet](https://github.com/kevinpollet))
- Prepare release v3.4.0-rc2 ([#11707](https://github.com/traefik/traefik/pull/11707) by [rtribotte](https://github.com/rtribotte))
- Deprecate defaultRuleSyntax and ruleSyntax options ([#11619](https://github.com/traefik/traefik/pull/11619) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge branch v3.3 into master ([#11653](https://github.com/traefik/traefik/pull/11653) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11595](https://github.com/traefik/traefik/pull/11595) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11541](https://github.com/traefik/traefik/pull/11541) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11504](https://github.com/traefik/traefik/pull/11504) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11420](https://github.com/traefik/traefik/pull/11420) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11394](https://github.com/traefik/traefik/pull/11394) by [mmatur](https://github.com/mmatur))
- Merge branch v3.3 into v3.4 ([#11736](https://github.com/traefik/traefik/pull/11736) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into v3.4 ([#11705](https://github.com/traefik/traefik/pull/11705) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.7](https://github.com/traefik/traefik/tree/v3.3.7) (2025-05-05)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.6...v3.3.7)
**Bug fixes:**
- **[logs,middleware,accesslogs]** Add SpanID and TraceID accessLogs fields only when tracing is enabled ([#11715](https://github.com/traefik/traefik/pull/11715) by [rtribotte](https://github.com/rtribotte))
## [v3.4.0-rc2](https://github.com/traefik/traefik/tree/v3.4.0-rc2) (2025-04-18)
[All Commits](https://github.com/traefik/traefik/compare/v3.4.0-rc1...v3.4.0-rc2)
**Bug fixes:**
- **[k8s/crd]** Remove default load-balancing strategy from CRD ([#11701](https://github.com/traefik/traefik/pull/11701) by [kevinpollet](https://github.com/kevinpollet))
- **[k8s/crd]** Restrict regex validation of HTTP status codes for Ingress CRD resources ([#11670](https://github.com/traefik/traefik/pull/11670) by [jnoordsij](https://github.com/jnoordsij))
- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11687](https://github.com/traefik/traefik/pull/11687) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.6](https://github.com/traefik/traefik/tree/v3.3.6) (2025-04-18)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.5...v3.3.6)
**Documentation:**
- **[k8s/gatewayapi]** Fix Kubernetes Gateway statusAddress documentation ([#11663](https://github.com/traefik/traefik/pull/11663) by [kevinpollet](https://github.com/kevinpollet))
- **[tracing]** Document how to pass multiple Headers on tracing with CLI ([#11665](https://github.com/traefik/traefik/pull/11665) by [mloiseleur](https://github.com/mloiseleur))
- Fix typos on what is Traefik docs page ([#11685](https://github.com/traefik/traefik/pull/11685) by [matthewCmatt](https://github.com/matthewCmatt))
- Update Welcome Page ([#11615](https://github.com/traefik/traefik/pull/11615) by [sheddy-traefik](https://github.com/sheddy-traefik))
**Misc:**
- Merge branch v2.11 into v3.3 ([#11703](https://github.com/traefik/traefik/pull/11703) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.3 ([#11696](https://github.com/traefik/traefik/pull/11696) by [rtribotte](https://github.com/rtribotte))
- Merge branch v2.11 into v3.3 ([#11694](https://github.com/traefik/traefik/pull/11694) by [rtribotte](https://github.com/rtribotte))
## [v2.11.24](https://github.com/traefik/traefik/tree/v2.11.24) (2025-04-18)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.24)
**Bug fixes:**
- **[acme]** Bump github.com/go-acme/lego/v4 to v4.23.1 ([#11690](https://github.com/traefik/traefik/pull/11690) by [ldez](https://github.com/ldez))
- **[metrics]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 ([#11693](https://github.com/traefik/traefik/pull/11693) by [kevinpollet](https://github.com/kevinpollet))
- **[middleware]** Add Content-Length header to preflight response ([#11682](https://github.com/traefik/traefik/pull/11682) by [lbenguigui](https://github.com/lbenguigui))
- **[server]** Sanitize request path ([#11684](https://github.com/traefik/traefik/pull/11684) by [rtribotte](https://github.com/rtribotte))
- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11695](https://github.com/traefik/traefik/pull/11695) by [kevinpollet](https://github.com/kevinpollet))
- Bump golang.org/x/net to v0.38.0 ([#11691](https://github.com/traefik/traefik/pull/11691) by [kevinpollet](https://github.com/kevinpollet))
- Bump golang.org/x/oauth2 to v0.28.0 ([#11689](https://github.com/traefik/traefik/pull/11689) by [rtribotte](https://github.com/rtribotte))
**Documentation:**
- **[middleware]** Add content-length best practice documentation ([#11697](https://github.com/traefik/traefik/pull/11697) by [sheddy-traefik](https://github.com/sheddy-traefik))
- Typo fix on the Explanation Section for User Guide HTTP Challenge. ([#11676](https://github.com/traefik/traefik/pull/11676) by [YapWC](https://github.com/YapWC))
## [v2.11.23](https://github.com/traefik/traefik/tree/v2.11.23) (2025-04-17)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.23)
Release canceled.
## [v3.4.0-rc1](https://github.com/traefik/traefik/tree/v3.4.0-rc1) (2025-03-31)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.4.0-rc1)
**Enhancements:**
- **[acme]** Add acme.profile and acme.emailAddresses options ([#11597](https://github.com/traefik/traefik/pull/11597) by [ldez](https://github.com/ldez))
- **[docker,ecs,docker/swarm,consulcatalog,nomad]** Allow configuring server URLs with label providers ([#11374](https://github.com/traefik/traefik/pull/11374) by [yelvert](https://github.com/yelvert))
- **[k8s/crd,k8s]** Improve CEL validation on Ingress CRD resources ([#11311](https://github.com/traefik/traefik/pull/11311) by [mloiseleur](https://github.com/mloiseleur))
- **[k8s/gatewayapi]** Set rule priority in Gateway API TLSRoute ([#11443](https://github.com/traefik/traefik/pull/11443) by [augustozanellato](https://github.com/augustozanellato))
- **[k8s/ingress]** Add ingress status for ClusterIP and NodePort Service Type ([#11100](https://github.com/traefik/traefik/pull/11100) by [mlec1](https://github.com/mlec1))
- **[middleware,authentication]** Add option to preserve request method in forwardAuth ([#11473](https://github.com/traefik/traefik/pull/11473) by [an09mous](https://github.com/an09mous))
- **[middleware]** Support rewriting status codes in error page middleware ([#11520](https://github.com/traefik/traefik/pull/11520) by [sevensolutions](https://github.com/sevensolutions))
- **[middleware]** Add Redis rate limiter ([#10211](https://github.com/traefik/traefik/pull/10211) by [longquan0104](https://github.com/longquan0104))
- **[service]** Add p2c load-balancing strategy for servers load-balancer ([#11547](https://github.com/traefik/traefik/pull/11547) by [rtribotte](https://github.com/rtribotte))
- **[sticky-session]** Support domain configuration for sticky cookies ([#11556](https://github.com/traefik/traefik/pull/11556) by [jleal52](https://github.com/jleal52))
- **[tls,k8s/crd,service]** Allow root CA to be added through config maps ([#11475](https://github.com/traefik/traefik/pull/11475) by [Nelwhix](https://github.com/Nelwhix))
- **[tls]** Add support to disable session ticket ([#11609](https://github.com/traefik/traefik/pull/11609) by [avdhoot](https://github.com/avdhoot))
- **[udp]** Add support for UDP routing in systemd socket activation ([#11022](https://github.com/traefik/traefik/pull/11022) by [tsiid](https://github.com/tsiid))
- **[webui]** Add auto webui theme option and default to it ([#11455](https://github.com/traefik/traefik/pull/11455) by [zizzfizzix](https://github.com/zizzfizzix))
- Replace experimental maps and slices with stdlib ([#11350](https://github.com/traefik/traefik/pull/11350) by [Juneezee](https://github.com/Juneezee))
**Documentation:**
- Deprecate defaultRuleSyntax and ruleSyntax options ([#11619](https://github.com/traefik/traefik/pull/11619) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge branch v3.3 into master ([#11653](https://github.com/traefik/traefik/pull/11653) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11595](https://github.com/traefik/traefik/pull/11595) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11541](https://github.com/traefik/traefik/pull/11541) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11504](https://github.com/traefik/traefik/pull/11504) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11420](https://github.com/traefik/traefik/pull/11420) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.3 into master ([#11394](https://github.com/traefik/traefik/pull/11394) by [mmatur](https://github.com/mmatur))
## [v3.3.5](https://github.com/traefik/traefik/tree/v3.3.5) (2025-03-31)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.4...v3.3.5)
**Bug fixes:**
- **[k8s/gatewayapi]** Set scheme to https with BackendTLSPolicy ([#11586](https://github.com/traefik/traefik/pull/11586) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Revert compress middleware algorithms priority to v2 behavior ([#11641](https://github.com/traefik/traefik/pull/11641) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Do not abort request when response content-type is malformed ([#11628](https://github.com/traefik/traefik/pull/11628) by [kevinpollet](https://github.com/kevinpollet))
- **[middleware]** Compress data on flush when compression is not started ([#11583](https://github.com/traefik/traefik/pull/11583) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[middleware]** Add back forwarded headers section in FAQ ([#11606](https://github.com/traefik/traefik/pull/11606) by [kevinpollet](https://github.com/kevinpollet))
- New Routing Reference Documentation ([#11330](https://github.com/traefik/traefik/pull/11330) by [sheddy-traefik](https://github.com/sheddy-traefik))
**Misc:**
- Merge branch v2.11 into v3.3 ([#11644](https://github.com/traefik/traefik/pull/11644) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.3 ([#11594](https://github.com/traefik/traefik/pull/11594) by [rtribotte](https://github.com/rtribotte))
## [v2.11.22](https://github.com/traefik/traefik/tree/v2.11.22) (2025-03-31)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.21...v2.11.22)
**Bug fixes:**
- **[ecs,logs]** Bump AWS SDK to v2 ([#11359](https://github.com/traefik/traefik/pull/11359) by [Juneezee](https://github.com/Juneezee))
- **[logs,tls]** Error level log for configuration-related TLS errors with backends ([#11611](https://github.com/traefik/traefik/pull/11611) by [rtribotte](https://github.com/rtribotte))
- **[rules]** Allow underscore character in HostSNI matcher ([#11557](https://github.com/traefik/traefik/pull/11557) by [rohitlohar45](https://github.com/rohitlohar45))
- **[server]** Bump github.com/vulcand/oxy/v2 to v2.0.3 ([#11649](https://github.com/traefik/traefik/pull/11649) by [adamvduke](https://github.com/adamvduke))
- **[server]** Bump golang.org/x/net to v0.37.0 ([#11632](https://github.com/traefik/traefik/pull/11632) by [kevinpollet](https://github.com/kevinpollet))
- **[webui]** Change boolean module properties default value to undefined ([#11639](https://github.com/traefik/traefik/pull/11639) by [rtribotte](https://github.com/rtribotte))
- Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2 ([#11634](https://github.com/traefik/traefik/pull/11634) by [kevinpollet](https://github.com/kevinpollet))
- Bump github.com/redis/go-redis/v9 to v9.6.3 ([#11633](https://github.com/traefik/traefik/pull/11633) by [kevinpollet](https://github.com/kevinpollet))
- Bump golang.org/x/net to v0.36.0 ([#11608](https://github.com/traefik/traefik/pull/11608) by [kevinpollet](https://github.com/kevinpollet))
- Bump github.com/go-jose/go-jose/v4 to v4.0.5 ([#11571](https://github.com/traefik/traefik/pull/11571) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[accesslogs]** Remove documentation for OriginStatusLine and DownstreamStatusLine accessLogs fields ([#11599](https://github.com/traefik/traefik/pull/11599) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Clarifies that retry middleware uses TCP, not HTTP status codes ([#11603](https://github.com/traefik/traefik/pull/11603) by [geraldcroes](https://github.com/geraldcroes))
- **[redis]** Add tip for dynamic configuration updates of Redis ([#11577](https://github.com/traefik/traefik/pull/11577) by [Alanxtl](https://github.com/Alanxtl))
- Add Security Support ([#11610](https://github.com/traefik/traefik/pull/11610) by [nmengin](https://github.com/nmengin))
## [v3.3.4](https://github.com/traefik/traefik/tree/v3.3.4) (2025-02-25)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.3...v3.3.4)
**Bug fixes:**
- **[fastproxy]** Bump github.com/valyala/fasthttp to v1.58.0 ([#11526](https://github.com/traefik/traefik/pull/11526) by [kevinpollet](https://github.com/kevinpollet))
- **[fastproxy]** Add WebSocket headers if they are present in the request ([#11522](https://github.com/traefik/traefik/pull/11522) by [kevinpollet](https://github.com/kevinpollet))
- **[fastproxy]** Chunked responses does not have a Content-Length header ([#11514](https://github.com/traefik/traefik/pull/11514) by [kevinpollet](https://github.com/kevinpollet))
- **[metrics,otel]** Change request duration metric unit from millisecond to second ([#11523](https://github.com/traefik/traefik/pull/11523) by [rtribotte](https://github.com/rtribotte))
- **[sticky-session]** Fix double hash in sticky cookie ([#11518](https://github.com/traefik/traefik/pull/11518) by [juliens](https://github.com/juliens))
- **[tracing]** Use ResourceAttributes instead of GlobalAttributes ([#11515](https://github.com/traefik/traefik/pull/11515) by [bruno-de-queiroz](https://github.com/bruno-de-queiroz))
- **[tracing]** Fix panic when calling Tracer ([#11479](https://github.com/traefik/traefik/pull/11479) by [basgys](https://github.com/basgys))
**Documentation:**
- **[acme]** Update ACME provider configuration options ([#11564](https://github.com/traefik/traefik/pull/11564) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[acme]** Fix incorrect grammar in ACME documentation ([#11553](https://github.com/traefik/traefik/pull/11553) by [Peter-Maguire](https://github.com/Peter-Maguire))
- **[metrics,tracing,accesslogs]** Add missing options in entrypoints page ([#11524](https://github.com/traefik/traefik/pull/11524) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[tracing]** Replace globalAttributes with resourceAttributes in tracing reference ([#11531](https://github.com/traefik/traefik/pull/11531) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge branch v2.11 into v3.3 ([#11567](https://github.com/traefik/traefik/pull/11567) by [kevinpollet](https://github.com/kevinpollet))
# [v2.11.21](https://github.com/traefik/traefik/tree/v2.11.21) (2025-02-24)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.20...v2.11.21)
**Bug fixes:**
- **[acme]** Bump github.com/go-acme/lego/v4 to v4.22.2 ([#11537](https://github.com/traefik/traefik/pull/11537) by [ldez](https://github.com/ldez))
- **[cli]** Bump github.com/traefik/paerser to v0.2.2 ([#11530](https://github.com/traefik/traefik/pull/11530) by [kevinpollet](https://github.com/kevinpollet))
- **[middleware]** Enable the retry middleware in the proxy ([#11536](https://github.com/traefik/traefik/pull/11536) by [kevinpollet](https://github.com/kevinpollet))
- **[middleware]** Retry should send headers on Write ([#11534](https://github.com/traefik/traefik/pull/11534) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.3](https://github.com/traefik/traefik/tree/v3.3.3) (2025-01-31)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.2...v3.3.3)
**Bug fixes:**
- **[api]** Do not create observability model by default ([#11476](https://github.com/traefik/traefik/pull/11476) by [rtribotte](https://github.com/rtribotte))
- **[fastproxy]** Fix content-length header assertion ([#11498](https://github.com/traefik/traefik/pull/11498) by [kevinpollet](https://github.com/kevinpollet))
- **[fastproxy]** Handle responses without content length header ([#11458](https://github.com/traefik/traefik/pull/11458) by [rtribotte](https://github.com/rtribotte))
- **[k8s/crd,k8s]** Add missing headerField in Middleware CRD ([#11499](https://github.com/traefik/traefik/pull/11499) by [jspdown](https://github.com/jspdown))
- **[tracing,accesslogs]** Bring back TraceID and SpanID fields in access logs ([#11450](https://github.com/traefik/traefik/pull/11450) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge branch v2.11 into v3.3 ([#11502](https://github.com/traefik/traefik/pull/11502) by [rtribotte](https://github.com/rtribotte))
- Merge branch v2.11 into v3.3 ([#11491](https://github.com/traefik/traefik/pull/11491) by [rtribotte](https://github.com/rtribotte))
## [v2.11.20](https://github.com/traefik/traefik/tree/v2.11.20) (2025-01-31)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.19...v2.11.20)
**Bug fixes:**
- **[acme]** Graceful shutdown for ACME JSON write operation ([#11497](https://github.com/traefik/traefik/pull/11497) by [juliens](https://github.com/juliens))
**Documentation:**
- Change docker-compose to docker compose ([#11496](https://github.com/traefik/traefik/pull/11496) by [khai-pi](https://github.com/khai-pi))
## [v2.11.19](https://github.com/traefik/traefik/tree/v2.11.19) (2025-01-29)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.18...v2.11.19)
**Bug fixes:**
- **[middleware]** Changing log message when client cert is not available to debug ([#11453](https://github.com/traefik/traefik/pull/11453) by [Nelwhix](https://github.com/Nelwhix))
- **[service]** Do not create a logger instance for each proxy ([#11487](https://github.com/traefik/traefik/pull/11487) by [kevinpollet](https://github.com/kevinpollet))
- **[webui]** Fix auto refresh not clearing on component unmount ([#11477](https://github.com/traefik/traefik/pull/11477) by [DoubleREW](https://github.com/DoubleREW))
**Documentation:**
- Remove awesome.traefik.io reference in documentation section ([#11435](https://github.com/traefik/traefik/pull/11435) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.2](https://github.com/traefik/traefik/tree/v3.3.2) (2025-01-14)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.1...v3.3.2)
**Bug fixes:**
- **[fastproxy]** Do not read response body for HEAD requests ([#11442](https://github.com/traefik/traefik/pull/11442) by [kevinpollet](https://github.com/kevinpollet))
- **[metrics,tracing,accesslogs]** Fix observability configuration on EntryPoints ([#11446](https://github.com/traefik/traefik/pull/11446) by [rtribotte](https://github.com/rtribotte))
- **[webui]** Set content-type when serving webui index ([#11428](https://github.com/traefik/traefik/pull/11428) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[acme]** Fix deprecated dnsChallenge propagation logging and documentation ([#11433](https://github.com/traefik/traefik/pull/11433) by [thomscode](https://github.com/thomscode))
- **[acme]** Add missing trailing s to propagation.delayBeforeCheck option ([#11417](https://github.com/traefik/traefik/pull/11417) by [jspiers](https://github.com/jspiers))
**Misc:**
- Merge branch v2.11 into v3.3 ([#11419](https://github.com/traefik/traefik/pull/11419) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.1](https://github.com/traefik/traefik/tree/v3.3.1) (2025-01-07)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.0...v3.3.1)
**Bug fixes:**
- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](https://github.com/traefik/traefik/pull/11408) by [rtribotte](https://github.com/rtribotte))
## [v3.2.5](https://github.com/traefik/traefik/tree/v3.2.5) (2025-01-07)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.4...v3.2.5)
**Bug fixes:**
- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](https://github.com/traefik/traefik/pull/11408) by [rtribotte](https://github.com/rtribotte))
## [v2.11.18](https://github.com/traefik/traefik/tree/v2.11.18) (2025-01-07)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.17...v2.11.18)
**Bug fixes:**
- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11412](https://github.com/traefik/traefik/pull/11412) by [rtribotte](https://github.com/rtribotte))
## [v3.3.0](https://github.com/traefik/traefik/tree/v3.3.0) (2025-01-06)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0)
**Enhancements:**
- **[acme]** Add options to control ACME propagation checks ([#11241](https://github.com/traefik/traefik/pull/11241) by [ldez](https://github.com/ldez))
- **[api]** Add support dump API endpoint ([#11328](https://github.com/traefik/traefik/pull/11328) by [mmatur](https://github.com/mmatur))
- **[http]** Set Host header in HTTP provider request ([#11237](https://github.com/traefik/traefik/pull/11237) by [nikonhub](https://github.com/nikonhub))
- **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](https://github.com/traefik/traefik/pull/11177) by [skirtan1](https://github.com/skirtan1))
- **[k8s/ingress,sticky-session,k8s/crd,k8s]** Support serving endpoints ([#11121](https://github.com/traefik/traefik/pull/11121) by [BZValoche](https://github.com/BZValoche))
- **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](https://github.com/traefik/traefik/pull/11319) by [rtribotte](https://github.com/rtribotte))
- **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](https://github.com/traefik/traefik/pull/11335) by [kevinpollet](https://github.com/kevinpollet))
- **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](https://github.com/traefik/traefik/pull/11308) by [rtribotte](https://github.com/rtribotte))
- **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](https://github.com/traefik/traefik/pull/11318) by [Nelwhix](https://github.com/Nelwhix))
- **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](https://github.com/traefik/traefik/pull/11143) by [michelheusschen](https://github.com/michelheusschen))
- **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](https://github.com/traefik/traefik/pull/11097) by [kyo-ke](https://github.com/kyo-ke))
- **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](https://github.com/traefik/traefik/pull/11228) by [bmagic](https://github.com/bmagic))
- **[sticky-session]** Configurable path for sticky cookies ([#11166](https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](https://github.com/IIpragmaII))
- **[webui,api]** Configurable API &amp; Dashboard base path ([#11250](https://github.com/traefik/traefik/pull/11250) by [rtribotte](https://github.com/rtribotte))
**Bug fixes:**
- **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](https://github.com/traefik/traefik/pull/11361) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- Prepare release v3.3.0-rc2 ([#11362](https://github.com/traefik/traefik/pull/11362) by [rtribotte](https://github.com/rtribotte))
- Prepare Release v3.3.0-rc1 ([#11349](https://github.com/traefik/traefik/pull/11349) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge branch v3.2 into v3.3 ([#11402](https://github.com/traefik/traefik/pull/11402) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into v3.3 ([#11393](https://github.com/traefik/traefik/pull/11393) by [mmatur](https://github.com/mmatur))
- Merge branch v3.2 into v3.3 ([#11389](https://github.com/traefik/traefik/pull/11389) by [mmatur](https://github.com/mmatur))
- Merge branch v3.2 into v3.3 ([#11367](https://github.com/traefik/traefik/pull/11367) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11340](https://github.com/traefik/traefik/pull/11340) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11293](https://github.com/traefik/traefik/pull/11293) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11239](https://github.com/traefik/traefik/pull/11239) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11187](https://github.com/traefik/traefik/pull/11187) by [kevinpollet](https://github.com/kevinpollet))
## [v3.2.4](https://github.com/traefik/traefik/tree/v3.2.4) (2025-01-06)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.3...v3.2.4)
**Bug fixes:**
- **[k8s/gatewayapi]** Support empty value for core Kubernetes API group ([#11386](https://github.com/traefik/traefik/pull/11386) by [rtribotte](https://github.com/rtribotte))
- **[tcp,k8s/crd]** Pass TLS bool from IngressRouteTCP to TCPService ([#11343](https://github.com/traefik/traefik/pull/11343) by [lipmem](https://github.com/lipmem))
- **[tls]** Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 ([#11385](https://github.com/traefik/traefik/pull/11385) by [mmatur](https://github.com/mmatur))
- Remove duplicate github.com/coreos/go-systemd dependency ([#11354](https://github.com/traefik/traefik/pull/11354) by [Juneezee](https://github.com/Juneezee))
**Documentation:**
- **[k8s/gatewayapi]** Update Gateway API version support to v1.2.1 ([#11357](https://github.com/traefik/traefik/pull/11357) by [kevinpollet](https://github.com/kevinpollet))
- Add @jnoordsij to maintainers ([#11352](https://github.com/traefik/traefik/pull/11352) by [emilevauge](https://github.com/emilevauge))
**Misc:**
- Merge branch v2.11 into v3.2 ([#11400](https://github.com/traefik/traefik/pull/11400) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.2 ([#11392](https://github.com/traefik/traefik/pull/11392) by [rtribotte](https://github.com/rtribotte))
- Merge branch v2.11 into v3.2 ([#11388](https://github.com/traefik/traefik/pull/11388) by [mmatur](https://github.com/mmatur))
- Merge branch v2.11 into v3.2 ([#11366](https://github.com/traefik/traefik/pull/11366) by [kevinpollet](https://github.com/kevinpollet))
## [v2.11.17](https://github.com/traefik/traefik/tree/v2.11.17) (2025-01-06)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.16...v2.11.17)
**Bug fixes:**
- **[acme]** Update go-acme/lego to v4.21.0 ([#11368](https://github.com/traefik/traefik/pull/11368) by [ldez](https://github.com/ldez))
- **[middleware]** Fix typo in basicauth note ([#11397](https://github.com/traefik/traefik/pull/11397) by [tieje](https://github.com/tieje))
- **[service]** Configure ErrorLog in httputil.ReverseProxy ([#11344](https://github.com/traefik/traefik/pull/11344) by [peacewalker122](https://github.com/peacewalker122))
- Bump golang.org/x/net to v0.33.0 ([#11365](https://github.com/traefik/traefik/pull/11365) by [kevinpollet](https://github.com/kevinpollet))
**Documentation:**
- **[acme]** Fix allowACMEByPass TOML example ([#11370](https://github.com/traefik/traefik/pull/11370) by [hannesbraun](https://github.com/hannesbraun))
- **[k8s/crd]** Update copyright for 2025 ([#11383](https://github.com/traefik/traefik/pull/11383) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.0-rc2](https://github.com/traefik/traefik/tree/v3.3.0-rc2) (2024-12-20)
[All Commits](https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.3.0-rc2)
**Bug fixes:**
- **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](https://github.com/traefik/traefik/pull/11361) by [kevinpollet](https://github.com/kevinpollet))
## [v3.3.0-rc1](https://github.com/traefik/traefik/tree/v3.3.0-rc1) (2024-12-16)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0-rc1)
**Enhancements:**
- **[acme]** Add options to control ACME propagation checks ([#11241](https://github.com/traefik/traefik/pull/11241) by [ldez](https://github.com/ldez))
- **[api]** Add support dump API endpoint ([#11328](https://github.com/traefik/traefik/pull/11328) by [mmatur](https://github.com/mmatur))
- **[http]** Set Host header in HTTP provider request ([#11237](https://github.com/traefik/traefik/pull/11237) by [nikonhub](https://github.com/nikonhub))
- **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](https://github.com/traefik/traefik/pull/11177) by [skirtan1](https://github.com/skirtan1))
- **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](https://github.com/traefik/traefik/pull/11319) by [rtribotte](https://github.com/rtribotte))
- **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](https://github.com/traefik/traefik/pull/11335) by [kevinpollet](https://github.com/kevinpollet))
- **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](https://github.com/traefik/traefik/pull/11308) by [rtribotte](https://github.com/rtribotte))
- **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](https://github.com/traefik/traefik/pull/11318) by [Nelwhix](https://github.com/Nelwhix))
- **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](https://github.com/traefik/traefik/pull/11143) by [michelheusschen](https://github.com/michelheusschen))
- **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](https://github.com/traefik/traefik/pull/11097) by [kyo-ke](https://github.com/kyo-ke))
- **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](https://github.com/traefik/traefik/pull/11228) by [bmagic](https://github.com/bmagic))
- **[sticky-session]** Configurable path for sticky cookies ([#11166](https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](https://github.com/IIpragmaII))
- **[sticky-session,k8s/ingress,k8s/crd,k8s]** Support serving endpoints ([#11121](https://github.com/traefik/traefik/pull/11121) by [BZValoche](https://github.com/BZValoche))
- **[webui,api]** Configurable API &amp; Dashboard base path ([#11250](https://github.com/traefik/traefik/pull/11250) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge branch v3.2 into master ([#11340](https://github.com/traefik/traefik/pull/11340) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11293](https://github.com/traefik/traefik/pull/11293) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11239](https://github.com/traefik/traefik/pull/11239) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v3.2 into master ([#11187](https://github.com/traefik/traefik/pull/11187) by [kevinpollet](https://github.com/kevinpollet))
## [v3.2.3](https://github.com/traefik/traefik/tree/v3.2.3) (2024-12-16)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.2...v3.2.3)
**Documentation:**
- Update reference install documentation with current chart default ([#11332](https://github.com/traefik/traefik/pull/11332) by [mloiseleur](https://github.com/mloiseleur))
**Misc:**
- Merge branch v2.11 into v3.2 ([#11346](https://github.com/traefik/traefik/pull/11346) by [kevinpollet](https://github.com/kevinpollet))
- Merge branch v2.11 into v3.2 ([#11337](https://github.com/traefik/traefik/pull/11337) by [kevinpollet](https://github.com/kevinpollet))
## [v2.11.16](https://github.com/traefik/traefik/tree/v2.11.16) (2024-12-16)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.15...v2.11.16)
**Bug fixes:**
- **[server]** Update golang.org/x dependencies ([#11336](https://github.com/traefik/traefik/pull/11336) by [rtribotte](https://github.com/rtribotte))
## [v3.2.2](https://github.com/traefik/traefik/tree/v3.2.2) (2024-12-10)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.1...v3.2.2)
**Bug fixes:**
- **[docker,docker/swarm]** Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* ([#11247](https://github.com/traefik/traefik/pull/11247) by [anchal00](https://github.com/anchal00))
- **[k8s/gatewayapi]** Update sigs.k8s.io/gateway-api to v1.2.1 ([#11314](https://github.com/traefik/traefik/pull/11314) by [kevinpollet](https://github.com/kevinpollet))
- **[plugins]** Fix WASM settings ([#11321](https://github.com/traefik/traefik/pull/11321) by [juliens](https://github.com/juliens))
- **[rules]** Fix models mechanism for default rule syntax ([#11300](https://github.com/traefik/traefik/pull/11300) by [rtribotte](https://github.com/rtribotte))
**Documentation:**
- Move callout to the entrypoint page footer ([#11305](https://github.com/traefik/traefik/pull/11305) by [kevinpollet](https://github.com/kevinpollet))
- Fix incorrect links in v3 migration sections ([#11297](https://github.com/traefik/traefik/pull/11297) by [kevinpollet](https://github.com/kevinpollet))
- New Install Reference Documentation ([#11213](https://github.com/traefik/traefik/pull/11213) by [sheddy-traefik](https://github.com/sheddy-traefik))
## [v2.11.15](https://github.com/traefik/traefik/tree/v2.11.15) (2024-12-06)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.14...v2.11.15)
**Bug fixes:**
- **[acme]** Update go-acme/lego to v4.20.4 ([#11295](https://github.com/traefik/traefik/pull/11295) by [ldez](https://github.com/ldez))
- **[http3]** Update github.com/quic-go/quic-go to v0.48.2 ([#11320](https://github.com/traefik/traefik/pull/11320) by [kevinpollet](https://github.com/kevinpollet))
## [v3.2.1](https://github.com/traefik/traefik/tree/v3.2.1) (2024-11-20)
[All Commits](https://github.com/traefik/traefik/compare/v3.2.0...v3.2.1)

2
Dockerfile
View File

@@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1.2
FROM alpine:3.20
FROM alpine:3.22
RUN apk add --no-cache --no-progress ca-certificates tzdata

2
LICENSE.md
View File

@@ -1,6 +1,6 @@
The MIT License (MIT)
Copyright (c) 2016-2020 Containous SAS; 2020-2024 Traefik Labs
Copyright (c) 2016-2020 Containous SAS; 2020-2025 Traefik Labs
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

7
Makefile
View File

@@ -13,6 +13,7 @@ DATE := $(shell date -u '+%Y-%m-%d_%I:%M:%S%p')
# Default build target
GOOS := $(shell go env GOOS)
GOARCH := $(shell go env GOARCH)
GOGC ?=
LINT_EXECUTABLES = misspell shellcheck
@@ -56,7 +57,7 @@ generate:
#? binary: Build the binary
binary: generate-webui dist
@echo SHA: $(VERSION) $(CODENAME) $(DATE)
CGO_ENABLED=0 GOGC=off GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
CGO_ENABLED=0 GOGC=${GOGC} GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
-X github.com/traefik/traefik/v3/pkg/version.Version=$(VERSION) \
-X github.com/traefik/traefik/v3/pkg/version.Codename=$(CODENAME) \
-X github.com/traefik/traefik/v3/pkg/version.BuildDate=$(DATE)" \
@@ -101,7 +102,7 @@ test-integration: binary
#? test-gateway-api-conformance: Run the conformance tests
test-gateway-api-conformance: build-image-dirty
# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.2" $(TESTFLAGS)
GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.4" $(TESTFLAGS)
.PHONY: test-ui-unit
#? test-ui-unit: Run the unit tests for the webui
@@ -175,7 +176,7 @@ docs-pull-images:
.PHONY: generate-crd
#? generate-crd: Generate CRD clientset and CRD manifests
generate-crd:
@$(CURDIR)/script/code-gen-docker.sh
@$(CURDIR)/script/code-gen.sh
.PHONY: generate-genconf
#? generate-genconf: Generate code from dynamic configuration github.com/traefik/genconf

4
README.md
View File

@@ -59,7 +59,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
- Continuously updates its configuration (No restarts!)
- Supports multiple load balancing algorithms
- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
- Circuit breakers, retry
- See the magic through its clean web UI
- WebSocket, HTTP/2, gRPC ready
@@ -90,8 +90,6 @@ You can access the simple HTML frontend of Traefik.
You can find the complete documentation of Traefik v3 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
## Support
To get community support, you can:

30
cmd/traefik/logger.go
View File

@@ -1,6 +1,8 @@
package main
import (
"errors"
"fmt"
"io"
stdlog "log"
"os"
@@ -20,12 +22,21 @@ func init() {
zerolog.SetGlobalLevel(zerolog.ErrorLevel)
}
func setupLogger(staticConfiguration *static.Configuration) {
func setupLogger(staticConfiguration *static.Configuration) error {
// Validate that the experimental flag is set up at this point,
// rather than validating the static configuration before the setupLogger call.
// This ensures that validation messages are not logged using an un-configured logger.
if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil &&
(staticConfiguration.Experimental == nil || !staticConfiguration.Experimental.OTLPLogs) {
return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
}
// configure log format
w := getLogWriter(staticConfiguration)
// configure log level
logLevel := getLogLevel(staticConfiguration)
zerolog.SetGlobalLevel(logLevel)
// create logger
logCtx := zerolog.New(w).With().Timestamp()
@@ -34,8 +45,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
}
log.Logger = logCtx.Logger().Level(logLevel)
if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
var err error
log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
if err != nil {
return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
}
}
zerolog.DefaultContextLogger = &log.Logger
zerolog.SetGlobalLevel(logLevel)
// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
@@ -43,11 +62,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
// configure default standard log.
stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
return nil
}
func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
var w io.Writer = os.Stdout
if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
return io.Discard
}
var w io.Writer = os.Stdout
if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
w = &lumberjack.Logger{

30
cmd/traefik/traefik.go
View File

@@ -7,10 +7,11 @@ import (
"fmt"
"io"
stdlog "log"
"maps"
"net/http"
"os"
"os/signal"
"sort"
"slices"
"strings"
"syscall"
"time"
@@ -48,7 +49,6 @@ import (
"github.com/traefik/traefik/v3/pkg/tracing"
"github.com/traefik/traefik/v3/pkg/types"
"github.com/traefik/traefik/v3/pkg/version"
"golang.org/x/exp/maps"
)
func main() {
@@ -90,7 +90,9 @@ Complete documentation is available at https://traefik.io`,
}
func runCmd(staticConfiguration *static.Configuration) error {
setupLogger(staticConfiguration)
if err := setupLogger(staticConfiguration); err != nil {
return fmt.Errorf("setting up logger: %w", err)
}
http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
@@ -189,7 +191,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
return nil, err
}
acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider, routinesPool)
// Tailscale
@@ -230,14 +232,17 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
pluginLogger := log.Ctx(ctx).With().Logger()
hasPlugins := staticConfiguration.Experimental != nil && (staticConfiguration.Experimental.Plugins != nil || staticConfiguration.Experimental.LocalPlugins != nil)
if hasPlugins {
pluginsList := maps.Keys(staticConfiguration.Experimental.Plugins)
pluginsList = append(pluginsList, maps.Keys(staticConfiguration.Experimental.LocalPlugins)...)
pluginsList := slices.Collect(maps.Keys(staticConfiguration.Experimental.Plugins))
pluginsList = append(pluginsList, slices.Collect(maps.Keys(staticConfiguration.Experimental.LocalPlugins))...)
pluginLogger = pluginLogger.With().Strs("plugins", pluginsList).Logger()
pluginLogger.Info().Msg("Loading plugins...")
}
pluginBuilder, err := createPluginBuilder(staticConfiguration)
if err != nil && staticConfiguration.Experimental != nil && staticConfiguration.Experimental.AbortOnPluginFailure {
return nil, fmt.Errorf("plugin: failed to create plugin builder: %w", err)
}
if err != nil {
pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
} else if hasPlugins {
@@ -296,7 +301,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
// Router factory
routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, observabilityMgr, pluginBuilder, dialerManager)
routerFactory, err := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, observabilityMgr, pluginBuilder, dialerManager)
if err != nil {
return nil, fmt.Errorf("creating router factory: %w", err)
}
// Watcher
@@ -422,7 +430,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
}
}
sort.Strings(defaultEntryPoints)
slices.Sort(defaultEntryPoints)
return defaultEntryPoints
}
@@ -438,7 +446,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
}
// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider, routinesPool *safe.Pool) []*acme.Provider {
localStores := map[string]*acme.LocalStore{}
var resolvers []*acme.Provider
@@ -448,7 +456,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
}
if localStores[resolver.ACME.Storage] == nil {
localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage, routinesPool)
}
p := &acme.Provider{
@@ -563,7 +571,7 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
}
func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
sort.Strings(certificate.DNSNames)
slices.Sort(certificate.DNSNames)
labels := []string{
"cn", certificate.Subject.CommonName,

8
docs/check.Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.20
FROM alpine:3.22
RUN apk --no-cache --no-progress add \
build-base \
@@ -9,13 +9,11 @@ RUN apk --no-cache --no-progress add \
ruby \
ruby-bigdecimal \
ruby-dev \
ruby-etc \
ruby-ffi \
ruby-json \
zlib-dev
RUN gem install nokogiri --version 1.15.3 --no-document -- --use-system-libraries
RUN gem install html-proofer --version 5.0.7 --no-document -- --use-system-libraries
RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
RUN gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
# After Ruby, some NodeJS YAY!
RUN apk --no-cache --no-progress add \

BIN
docs/content/assets/img/getting-started/docker-router.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 520 KiB

BIN
docs/content/assets/img/getting-started/kubernetes-gateway.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 610 KiB

BIN
docs/content/assets/img/getting-started/providers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

BIN
docs/content/assets/img/getting-started/traefik-dashboard-docker.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 878 KiB

BIN
docs/content/assets/img/getting-started/traefik-dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 791 KiB

BIN
docs/content/assets/img/getting-started/whoami-localhost.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 603 KiB

BIN
docs/content/assets/img/traefik-architecture.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 452 KiB

After

Width:  |  Height:  |  Size: 1010 KiB

1
docs/content/contributing/maintainers.md
View File

@@ -22,6 +22,7 @@ description: "Traefik Proxy is an open source software with a thriving community
* Landry Benguigui [@lbenguigui](https://github.com/lbenguigui)
* Simon Delicata [@sdelicata](https://github.com/sdelicata)
* Baptiste Mayelle [@youkoulayley](https://github.com/youkoulayley)
* Jesper Noordsij [@jnoordsij](https://github.com/jnoordsij)
## Past Maintainers

43
docs/content/deprecation/releases.md
View File

@@ -4,23 +4,32 @@
Below is a non-exhaustive list of versions and their maintenance status:
| Version | Release Date | Community Support |
|---------|--------------|--------------------|
| 3.1 | Jul 15, 2024 | Yes |
| 3.0 | Apr 29, 2024 | Ended Jul 15, 2024 |
| 2.11 | Feb 12, 2024 | Ends Apr 29, 2025 |
| 2.10 | Apr 24, 2023 | Ended Feb 12, 2024 |
| 2.9 | Oct 03, 2022 | Ended Apr 24, 2023 |
| 2.8 | Jun 29, 2022 | Ended Oct 03, 2022 |
| 2.7 | May 24, 2022 | Ended Jun 29, 2022 |
| 2.6 | Jan 24, 2022 | Ended May 24, 2022 |
| 2.5 | Aug 17, 2021 | Ended Jan 24, 2022 |
| 2.4 | Jan 19, 2021 | Ended Aug 17, 2021 |
| 2.3 | Sep 23, 2020 | Ended Jan 19, 2021 |
| 2.2 | Mar 25, 2020 | Ended Sep 23, 2020 |
| 2.1 | Dec 11, 2019 | Ended Mar 25, 2020 |
| 2.0 | Sep 16, 2019 | Ended Dec 11, 2019 |
| 1.7 | Sep 24, 2018 | Ended Dec 31, 2021 |
| Version | Release Date | Active Support | Security Support |
|---------|--------------|--------------------|-------------------|
| 3.4 | May 05, 2025 | Yes | Yes |
| 3.3 | Jan 06, 2025 | Ended May 05, 2025 | No |
| 3.2 | Oct 28, 2024 | Ended Jan 06, 2025 | No |
| 3.1 | Jul 15, 2024 | Ended Oct 28, 2024 | No |
| 3.0 | Apr 29, 2024 | Ended Jul 15, 2024 | No |
| 2.11 | Feb 12, 2024 | Ended Apr 29, 2025 | Ends Feb 01, 2026 |
| 2.10 | Apr 24, 2023 | Ended Feb 12, 2024 | No |
| 2.9 | Oct 03, 2022 | Ended Apr 24, 2023 | No |
| 2.8 | Jun 29, 2022 | Ended Oct 03, 2022 | No |
| 2.7 | May 24, 2022 | Ended Jun 29, 2022 | No |
| 2.6 | Jan 24, 2022 | Ended May 24, 2022 | No |
| 2.5 | Aug 17, 2021 | Ended Jan 24, 2022 | No |
| 2.4 | Jan 19, 2021 | Ended Aug 17, 2021 | No |
| 2.3 | Sep 23, 2020 | Ended Jan 19, 2021 | No |
| 2.2 | Mar 25, 2020 | Ended Sep 23, 2020 | No |
| 2.1 | Dec 11, 2019 | Ended Mar 25, 2020 | No |
| 2.0 | Sep 16, 2019 | Ended Dec 11, 2019 | No |
| 1.7 | Sep 24, 2018 | Ended Dec 31, 2021 | No |
??? example "Active Support / Security Support"
- **Active support**: Receives any bug fixes.
- **Security support**: Receives only critical bug and security fixes.
This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.

2
docs/content/getting-started/configuration-overview.md
View File

@@ -79,7 +79,7 @@ traefik --help
# or
docker run traefik[:version] --help
# ex: docker run traefik:v3.2 --help
# ex: docker run traefik:v3.4 --help
```
Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.

162
docs/content/getting-started/docker.md Normal file
View File

@@ -0,0 +1,162 @@
---
title: "Docker and Traefik Quick Start"
description: "Deploy Traefik in Docker and expose your first service"
---
# Getting Started with Docker and Traefik
Docker is a first-class citizen in Traefik, offering native support for Docker containers and services.
Whether you're using Docker Compose or running containers directly, Traefik provides a seamless experience for managing your Docker traffic.
This guide shows you how to:
- Install Traefik using Docker
- Expose the Traefik dashboard
- Deploy a sample application
- Configure basic routing
## Prerequisites
- Docker
- Docker Compose (optional)
## Install Traefik
### Using Docker Compose
Create a Docker Compose file.
This configuration:
- Exposes ports 80 and 8080.
- Enables the Docker provider
- Configures the dashboard with basic settings. Port 8080 serves the dashboard because we enabled `--api.insecure=true` (development use only)
- Mounts the Docker socket for container discovery
```yaml
# docker-compose.yml
services:
traefik:
image: traefik:v3.4
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:80"
ports:
- "80:80"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
```
Start Traefik:
```bash
docker-compose up -d
```
### Using Docker CLI
Alternatively, you can run Traefik directly with Docker.
This command:
- Exposes ports 80 and 8080 for web traffic and dashboard access
- Mounts the configuration file and Docker socket
- Uses the same configuration as the Docker Compose example
Create a configuration file:
```yaml
# traefik.yml
api:
insecure: true
entryPoints:
web:
address: ":80"
providers:
docker: {}
```
Start Traefik:
```bash
docker run -d \
-p 80:80 \
-p 8080:8080 \
-v $PWD/traefik.yml:/etc/traefik/traefik.yml \
-v /var/run/docker.sock:/var/run/docker.sock \
traefik:v3.4
```
## Expose the Dashboard
Because we explicitly enabled insecure mode, the [dashboard](../reference/install-configuration/api-dashboard.md) is reachable on port 8080 without authentication.
**Do not enable this flag in production**.
You can access the dashboard at:
[http://localhost:8080/dashboard/](http://localhost:8080/dashboard/)
![Traefik Dashboard Screenshot](../assets/img/getting-started/traefik-dashboard.png)
## Deploy a Sample Application
Create a whoami service:
```yaml
# whoami.yml
services:
whoami:
image: traefik/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
```
Apply the configuration:
```bash
docker-compose -f whoami.yml up -d
```
## Test Your Setup
You can use the following curl command to verify that the application is correctly exposed:
```bash
curl http://whoami.localhost
Hostname: 068c0a29a8b7
IP: 127.0.0.1
IP: ::1
IP: 192.168.147.3
RemoteAddr: 192.168.147.2:56006
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/8.7.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.147.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 9232cdd4fd6c
X-Real-Ip: 192.168.147.1
```
You can also open [http://whoami.localhost](http://whoami.localhost) in a browser to test the application:
![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
If you navigate to the **HTTP Routers** section of the Traefik dashboard, you can see that the `whoami.localhost` route is managed by the Traefik Docker provider:
![Traefik Dashboard HTTP Routers Section Screenshot](../assets/img/getting-started/docker-router.png)
That's it! You've successfully deployed Traefik and configured routing in Docker.
## Next Steps
- [Configure TLS](../reference/routing-configuration/http/tls/overview.md)
- [Set up Middlewares](../reference/routing-configuration/http/middlewares/overview.md)
- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
- [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)
{!traefik-for-business-applications.md!}

25
docs/content/getting-started/index.md Normal file
View File

@@ -0,0 +1,25 @@
---
title: "Getting Started with Traefik"
description: "Quick start guides for deploying Traefik in Kubernetes and Docker environments"
---
# Getting Started with Traefik
Traefik can be deployed in various environments. Choose your preferred deployment method:
- [Kubernetes Quick Start](./kubernetes.md) - Deploy Traefik using Helm
- [Docker Quick Start](./docker.md) - Deploy Traefik using Docker
Each guide will help you:
- Install Traefik
- Expose the dashboard
- Deploy a sample application
- Configure basic routing
## Before You Begin
Make sure you have the necessary prerequisites for your chosen environment:
- **Kubernetes**: A running Kubernetes cluster, Helm 3, and kubectl
- **Docker**: Docker and optionally Docker Compose

8
docs/content/getting-started/install-traefik.md
View File

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.yml)
* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.toml)
* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.yml)
* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.toml)
```shell
docker run -d -p 8080:8080 -p 80:80 \
-v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.2
-v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.4
```
For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
!!! tip
* Prefer a fixed version than the latest that could be an unexpected version.
ex: `traefik:v3.2`
ex: `traefik:v3.4`
* Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
* Any orchestrator using docker images can fetch the official Traefik docker image.

331
docs/content/getting-started/kubernetes.md Normal file
View File

@@ -0,0 +1,331 @@
---
title: "Kubernetes and Traefik Quick Start"
description: "Deploy Traefik in Kubernetes using Helm and expose your first service"
slug: quick-start-with-kubernetes
---
# Getting Started with Kubernetes and Traefik
Kubernetes is a first-class citizen in Traefik, offering native support for Kubernetes resources and the latest Kubernetes standards.
Whether you're using Traefik's [IngressRoute CRD](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md), [Ingress](../reference/routing-configuration/kubernetes/ingress.md) or the [Kubernetes Gateway API](../reference/routing-configuration/kubernetes/gateway-api.md),
Traefik provides a seamless experience for managing your Kubernetes traffic.
This guide shows you how to:
- Create a Kubernetes cluster using k3d
- Install Traefik using Helm
- Expose the Traefik dashboard
- Deploy a sample application
- Configure basic routing with IngressRoute and Gateway API
## Prerequisites
- Kubernetes
- Helm 3
- kubectl
- k3d (for local cluster creation)
## Create a Kubernetes Cluster
### Using k3d
Create a cluster with the following command. This command:
- Creates a k3d cluster named "traefik"
- Maps ports 80, 443, and 8000 to the loadbalancer for accessing services
- Disables the built-in Traefik ingress controller to avoid conflicts
```bash
k3d cluster create traefik \
--port 80:80@loadbalancer \
--port 443:443@loadbalancer \
--port 8000:8000@loadbalancer \
--k3s-arg "--disable=traefik@server:0"
```
Configure kubectl:
```bash
kubectl cluster-info --context k3d-traefik
```
## Install Traefik
### Using Helm Values File
Add the Traefik Helm repository:
```bash
helm repo add traefik https://traefik.github.io/charts
helm repo update
```
Create a values file. This configuration:
- Maps ports 80 and 443 to the web and websecure [entrypoints](../reference/install-configuration/entrypoints.md)
- Enables the [dashboard](../reference/install-configuration/api-dashboard.md) with a specific hostname rule
- Enables the [Kubernetes Gateway API provider](../reference/routing-configuration/kubernetes/gateway-api.md)
- Allows the Gateway to expose [HTTPRoutes](https://gateway-api.sigs.k8s.io/api-types/httproute/) from all namespaces
```yaml
# values.yaml
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`dashboard.localhost`)
entryPoints:
- web
providers:
kubernetesGateway:
enabled: true
gateway:
namespacePolicy: All
```
!!! info
The [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) provider is enabled by default when using the Helm chart so we don't need to set it in the values file.
Install Traefik:
```bash
helm install traefik traefik/traefik -f values.yaml --wait
```
### Using Helm CLI Arguments
Alternatively, you can install Traefik using CLI arguments. This command:
- Maps ports `30000` and `30001` to the web and websecure entrypoints
- Enables the dashboard with a specific hostname rule
- Enables the [Kubernetes Gateway API provider](../reference/routing-configuration/kubernetes/gateway-api.md)
- Allows the Gateway to expose HTTPRoutes from all namespaces
```bash
helm install traefik traefik/traefik --wait \
--set ingressRoute.dashboard.enabled=true \
--set ingressRoute.dashboard.matchRule='Host(`dashboard.localhost`)' \
--set ingressRoute.dashboard.entryPoints={web} \
--set providers.kubernetesGateway.enabled=true \
--set gateway.namespacePolicy=All
```
!!! info
The [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) provider is enabled by default when using the Helm chart so we don't need to set it in the CLI arguments.
When Traefik is installed with the Gateway API provider enabled, it automatically creates a default GatewayClass named **traefik**:
```bash
kubectl describe GatewayClass traefik
```
## Expose the Dashboard
The dashboard is exposed with an [IngressRoute](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md) provided by the Chart, as we defined in the helm values during installation.
Access it at:
[http://dashboard.localhost/dashboard/](http://dashboard.localhost/dashboard/)
![Traefik Dashboard Screenshot](../assets/img/getting-started/traefik-dashboard.png)
## Deploy a Sample Application
Create a deployment:
```yaml
# whoami.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
```
Create a service:
```yaml
# whoami-service.yaml
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- port: 80
selector:
app: whoami
```
Apply the manifests:
```bash
kubectl apply -f whoami.yaml
kubectl apply -f whoami-service.yaml
```
## Exposing the Application Using an IngressRoute (CRD)
Create an IngressRoute:
```yaml
# whoami-ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: whoami
spec:
entryPoints:
- web
routes:
- match: Host(`whoami.localhost`)
kind: Rule
services:
- name: whoami
port: 80
```
Apply the manifest:
```bash
kubectl apply -f whoami-ingressroute.yaml
```
### Test Your Setup
You can use the following curl command to verify that the application is correctly exposed:
```bash
curl http://whoami.localhost
Hostname: whoami-76c9859cfc-6v8hh
IP: 127.0.0.1
IP: ::1
IP: 10.42.0.11
IP: fe80::20ad:eeff:fe44:a63
RemoteAddr: 10.42.0.9:38280
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/8.7.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-598946cd7-zds59
X-Real-Ip: 127.0.0.1
```
You can also visit [http://whoami.localhost](http://whoami.localhost) in a browser to verify that the application is exposed correctly:
![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
## Exposing the Application Using the Gateway API
Traefik supports the Kubernetes Gateway API specification, which provides a more standardized way to configure ingress in Kubernetes.
When we installed Traefik earlier, we enabled the Gateway API provider.
You can verify this in the providers section of the Traefik dashboard.
![Providers Section Screenshot](../assets/img/getting-started/providers.png)
To use the Gateway API:
Install the Gateway API CRDs in your cluster:
```bash
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
```
Create an HTTPRoute. This configuration:
- Creates an HTTPRoute named "whoami"
- Attaches it to the default Gateway that Traefik created during installation
- Configures routing for the hostname "whoami-gatewayapi.localhost"
- Routes all traffic to the whoami service on port 80
```yaml
# httproute.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami
spec:
parentRefs:
- name: traefik-gateway
hostnames:
- "whoami-gatewayapi.localhost"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: whoami
port: 80
```
Apply the manifest:
```bash
kubectl apply -f httproute.yaml
```
### Test Your Setup
You can use the following curl command to verify that the application is correctly exposed:
```bash
curl http://whoami-gatewayapi.localhost
Hostname: whoami-76c9859cfc-6v8hh
IP: 127.0.0.1
IP: ::1
IP: 10.42.0.11
IP: fe80::20ad:eeff:fe44:a63
RemoteAddr: 10.42.0.9:38280
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/8.7.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-598946cd7-zds59
X-Real-Ip: 127.0.0.1
```
You can now visit [http://whoami.localhost](http://whoami.localhost) in your browser to verify that the application is exposed correctly:
![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
If you navigate to the **HTTP Routes** section of the traefik dashboard, you can see that the `whoami.localhost` route is managed by the Traefik Kubernetes Gateway API provider:
![Traefik Dashboard HTTP Routes Section Screenshot](../assets/img/getting-started/kubernetes-gateway.png)
That's it! You've successfully deployed Traefik and configured routing in a Kubernetes cluster.
## Next Steps
- [Configure TLS](../reference/routing-configuration/http/tls/overview.md)
- [Set up Middlewares](../reference/routing-configuration/http/middlewares/overview.md)
- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
- [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
- [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
{!traefik-for-business-applications.md!}

340
docs/content/getting-started/quick-start-with-kubernetes.md
View File

@@ -3,342 +3,4 @@ title: "Traefik Getting Started With Kubernetes"
description: "Get started with Traefik Proxy and Kubernetes."
---
# Quick Start
A Use Case of Traefik Proxy and Kubernetes
{: .subtitle }
This guide is an introduction to using Traefik Proxy in a Kubernetes environment.
The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.
It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.
## Permissions and Accesses
Traefik uses the Kubernetes API to discover running services.
To use the Kubernetes API, Traefik needs some permissions.
This [permission mechanism](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) is based on roles defined by the cluster administrator.
The role is then bound to an account used by an application, in this case, Traefik Proxy.
The first step is to create the role.
The [`ClusterRole`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole) resource enumerates the resources and actions available for the role.
In a file called `00-role.yml`, put the following `ClusterRole`:
```yaml tab="00-role.yml"
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role
rules:
- apiGroups:
- ""
resources:
- services
- secrets
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
```
!!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
The next step is to create a dedicated service account for Traefik.
In a file called `00-account.yml`, put the following [`ServiceAccount`](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/#ServiceAccount) resource:
```yaml tab="00-account.yml"
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-account
```
And then, bind the role on the account to apply the permissions and rules on the latter. In a file called `01-role-binding.yml`, put the
following [`ClusterRoleBinding`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/#ClusterRoleBinding) resource:
```yaml tab="01-role-binding.yml"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-role
subjects:
- kind: ServiceAccount
name: traefik-account
namespace: default # This tutorial uses the "default" K8s namespace.
```
!!! info "`roleRef` is the Kubernetes reference to the role created in `00-role.yml`."
!!! info "`subjects` is the list of accounts reference."
In this guide, it only contains the account created in `00-account.yml`
## Deployment and Exposition
!!! info "This section can be managed with the help of the [Traefik Helm chart](../install-traefik/#use-the-helm-chart)."
The [ingress controller](https://traefik.io/glossary/kubernetes-ingress-and-ingress-controller-101/#what-is-a-kubernetes-ingress-controller)
is a software that runs in the same way as any other application on a cluster.
To start Traefik on the Kubernetes cluster,
a [`Deployment`](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/) resource must exist to describe how to configure
and scale containers horizontally to support larger workloads.
Start by creating a file called `02-traefik.yml` and paste the following `Deployment` resource:
```yaml tab="02-traefik.yml"
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v3.2
args:
- --api.insecure
- --providers.kubernetesingress
ports:
- name: web
containerPort: 80
- name: dashboard
containerPort: 8080
```
The deployment contains an important attribute for customizing Traefik: `args`.
These arguments are the static configuration for Traefik.
From here, it is possible to enable the dashboard,
configure entry points,
select dynamic configuration providers,
and [more](../reference/static-configuration/cli.md).
In this deployment,
the static configuration enables the Traefik dashboard,
and uses Kubernetes native Ingress resources as router definitions to route incoming requests.
!!! info "When there is no entry point in the static configuration"
Traefik creates a default one called `web` using the port `80` routing HTTP requests.
!!! info "When enabling the [`api.insecure`](../../operations/api/#insecure) mode, Traefik exposes the dashboard on the port `8080`."
A deployment manages scaling and then can create lots of containers, called [Pods](https://kubernetes.io/docs/concepts/workloads/pods/).
Each Pod is configured following the `spec` field in the deployment.
Given that, a Deployment can run multiple Traefik Proxy Pods,
a piece is required to forward the traffic to any of the instance:
namely a [`Service`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#Service).
Create a file called `02-traefik-services.yml` and insert the two `Service` resources:
```yaml tab="02-traefik-services.yml"
apiVersion: v1
kind: Service
metadata:
name: traefik-dashboard-service
spec:
type: LoadBalancer
ports:
- port: 8080
targetPort: dashboard
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: traefik-web-service
spec:
type: LoadBalancer
ports:
- targetPort: web
port: 80
selector:
app: traefik
```
!!! warning "It is possible to expose a service in different ways."
Depending on your working environment and use case, the `spec.type` might change.
It is strongly recommended to understand the available [service types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) before proceeding to the next step.
It is now time to apply those files on your cluster to start Traefik.
```shell
kubectl apply -f 00-role.yml \
-f 00-account.yml \
-f 01-role-binding.yml \
-f 02-traefik.yml \
-f 02-traefik-services.yml
```
## Proxying applications
The only part still missing is the business application behind the reverse proxy.
For this guide, we use the example application [traefik/whoami](https://github.com/traefik/whoami),
but the principles are applicable to any other application.
The `whoami` application is an HTTP server running on port 80 which answers host-related information to the incoming requests.
As usual, start by creating a file called `03-whoami.yml` and paste the following `Deployment` resource:
```yaml tab="03-whoami.yml"
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- name: web
containerPort: 80
```
And continue by creating the following `Service` resource in a file called `03-whoami-services.yml`:
```yaml tab="03-whoami-services.yml"
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- name: web
port: 80
targetPort: web
selector:
app: whoami
```
Thanks to the Kubernetes API,
Traefik is notified when an Ingress resource is created, updated, or deleted.
This makes the process dynamic.
The ingresses are, in a way, the [dynamic configuration](../../providers/kubernetes-ingress/) for Traefik.
!!! tip
Find more information on [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/),
and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official Kubernetes documentation.
Create a file called `04-whoami-ingress.yml` and insert the `Ingress` resource:
```yaml tab="04-whoami-ingress.yml"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami-ingress
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
name: web
```
This `Ingress` configures Traefik to redirect any incoming requests starting with `/` to the `whoami:80` service.
At this point, all the configurations are ready.
It is time to apply those new files:
```shell
kubectl apply -f 03-whoami.yml \
-f 03-whoami-services.yml \
-f 04-whoami-ingress.yml
```
Now you should be able to access the `whoami` application and the Traefik dashboard.
Load the dashboard on a web browser: [`http://localhost:8080`](http://localhost:8080).
And now access the `whoami` application:
```shell
curl -v http://localhost/
```
!!! question "Going further"
- [Filter the ingresses](../providers/kubernetes-ingress.md#ingressclass) to use with [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
- Use [IngressRoute CRD](../providers/kubernetes-crd.md)
- Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
{!traefik-for-business-applications.md!}
--8<-- "content/getting-started/kubernetes.md"

120
docs/content/getting-started/quick-start.md
View File

@@ -3,122 +3,4 @@ title: "Traefik Getting Started Quickly"
description: "Get started with Traefik Proxy and Docker."
---
# Quick Start
A Use Case Using Docker
{: .subtitle }
![quickstart-diagram](../assets/img/quickstart-diagram.png)
## Launch Traefik With the Docker Provider
Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
```yaml
version: '3'
services:
reverse-proxy:
# The official v3 Traefik docker image
image: traefik:v3.2
# Enables the web UI and tells Traefik to listen to docker
command: --api.insecure=true --providers.docker
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
```
**That's it. Now you can launch Traefik!**
Start your `reverse-proxy` with the following command:
```shell
docker-compose up -d reverse-proxy
```
You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (you'll go back there once you have launched a service in step 2).
## Traefik Detects New Services and Creates the Route for You
Now that you have a Traefik instance up and running, you will deploy new services.
Edit your `docker-compose.yml` file and add the following at the end of your file.
```yaml
version: '3'
services:
...
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
```
The above defines `whoami`: a web service that outputs information about the machine it is deployed on (its IP address, host, and others).
Start the `whoami` service with the following command:
```shell
docker-compose up -d whoami
```
Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.
When Traefik detects new services, it creates the corresponding routes, so you can call them ... _let's see!_ (Here, you're using curl)
```shell
curl -H Host:whoami.docker.localhost http://127.0.0.1
```
_Shows the following output:_
```yaml
Hostname: a656c8ddca6c
IP: 172.27.0.3
#...
```
## More Instances? Traefik Load Balances Them
Run more instances of your `whoami` service with the following command:
```shell
docker-compose up -d --scale whoami=2
```
Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.
Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
```shell
curl -H Host:whoami.docker.localhost http://127.0.0.1
```
The output will show alternatively one of the following:
```yaml
Hostname: a656c8ddca6c
IP: 172.27.0.3
#...
```
```yaml
Hostname: s458f154e1f1
IP: 172.27.0.4
# ...
```
!!! question "Where to Go Next?"
Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!
{!traefik-for-business-applications.md!}
--8<-- "content/getting-started/docker.md"

183
docs/content/https/acme.md
View File

@@ -13,7 +13,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
!!! warning "Let's Encrypt and Rate Limiting"
Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
When running Traefik in a container this file should be persisted across restarts.
When running Traefik in a container the `acme.json` file should be persisted across restarts.
If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
To configure where certificates are stored, please take a look at the [storage](#storage) configuration.
@@ -316,16 +316,20 @@ For complete details, refer to your provider's _Additional configuration_ link.
| Provider Name | Provider Code | Environment Variables | |
|------------------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns) |
| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`, `ACME_DNS_STORAGE_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns) |
| [Active24](https://www.active24.cz) | `active24` | `ACTIVE24_API_KEY`, `ACTIVE24_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/active24) |
| [Alibaba Cloud](https://www.alibabacloud.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/alidns) |
| [all-inkl](https://all-inkl.com) | `allinkl` | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl) |
| [ArvanCloud](https://www.arvancloud.ir/en) | `arvancloud` | `ARVANCLOUD_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud) |
| [Auroradns](https://www.pcextreme.com/dns-health-checks) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns) |
| [Autodns](https://www.internetx.com/domains/autodns/) | `autodns` | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/autodns) |
| [Axelname](https://axelname.ru) | `axelname` | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/axelname) |
| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | [Additional configuration](https://go-acme.github.io/lego/dns/azure) |
| [AzureDNS](https://azure.microsoft.com/services/dns/) | `azuredns` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns) |
| [Baidu Cloud](https://cloud.baidu.com) | `baiducloud` | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud) |
| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook) | `bindman` | `BINDMAN_MANAGER_ADDRESS` | [Additional configuration](https://go-acme.github.io/lego/dns/bindman) |
| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat) |
| [BookMyName](https://www.bookmyname.com) | `bookmyname` | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname) |
| [Brandit](https://www.brandit.com) (DEPRECATED) | `brandit` | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/brandit) |
| [Bunny](https://bunny.net) | `bunny` | `BUNNY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/bunny) |
| [Checkdomain](https://www.checkdomain.de/) | `checkdomain` | `CHECKDOMAIN_TOKEN`, | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
@@ -358,6 +362,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Efficient IP](https://efficientip.com) | `efficientip` | `EFFICIENTIP_USERNAME`, `EFFICIENTIP_PASSWORD`, `EFFICIENTIP_HOSTNAME`, `EFFICIENTIP_DNS_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/efficientip) |
| [Epik](https://www.epik.com) | `epik` | `EPIK_SIGNATURE` | [Additional configuration](https://go-acme.github.io/lego/dns/epik) |
| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale) |
| [F5 XC](https://www.f5.com/products/distributed-cloud-services) | `f5xc` | `F5XC_API_TOKEN`, `F5XC_TENANT_NAME`, `F5XC_GROUP_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/f5xc) |
| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns) |
| [Freemyip.com](https://freemyip.com) | `freemyip` | `FREEMYIP_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip) |
| [G-Core](https://gcore.com/dns/) | `gcore` | `GCORE_PERMANENT_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/gcore) |
@@ -393,9 +398,12 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Loopia](https://loopia.com/) | `loopia` | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER` | [Additional configuration](https://go-acme.github.io/lego/dns/loopia) |
| [LuaDNS](https://luadns.com) | `luadns` | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/luadns) |
| [Mail-in-a-Box](https://mailinabox.email) | `mailinabox` | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox) |
| [ManageEngine CloudDNS](https://clouddns.manageengine.com) | `manageengine` | `MANAGEENGINE_CLIENT_ID`, `MANAGEENGINE_CLIENT_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/manageengine) |
| [Metaname](https://metaname.net) | `metaname` | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/metaname) |
| [Metaregistrar](https://metaregistrar.com) | `metaregistrar` | `METAREGISTRAR_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/metaregistrar) |
| [mijn.host](https://mijn.host/) | `mijnhost` | `MIJNHOST_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost) |
| [Mittwald](https://www.mittwald.de) | `mittwald` | `MITTWALD_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald) |
| [myaddr.{tools,dev,io}](https://myaddr.tools/) | `myaddr` | `MYADDR_PRIVATE_KEYS_MAPPING` | [Additional configuration](https://go-acme.github.io/lego/dns/myaddr) |
| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp) |
| [Mythic Beasts](https://www.mythic-beasts.com) | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom) |
@@ -417,6 +425,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Porkbun](https://porkbun.com/) | `porkbun` | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun) |
| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/pdns) |
| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace) |
| [Rainyun/雨云](https://www.rainyun.com) | `rainyun` | `RAINYUN_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rainyun) |
| [RcodeZero](https://www.rcodezero.at) | `rcodezero` | `RCODEZERO_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/rcodezero) |
| [reg.ru](https://www.reg.ru) | `regru` | `REGRU_USERNAME`, `REGRU_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/regru) |
| [Regfish](https://regfish.de) | `regfish` | `regfish` | [Additional configuration](https://go-acme.github.io/lego/dns/regfish) |
@@ -432,6 +441,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Shellrent](https://www.shellrent.com) | `shellrent` | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent) |
| [Simply.com](https://www.simply.com/en/domains/) | `simply` | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/simply) |
| [Sonic](https://www.sonic.com/) | `sonic` | `SONIC_USER_ID`, `SONIC_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/sonic) |
| [Spaceship](https://spaceship.com) | `spaceship` | `SPACESHIP_API_KEY`, `SPACESHIP_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/spaceship) |
| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath) |
| [Technitium](https://technitium.com) | `technitium` | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/technitium) |
| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns) | `tencentcloud` | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud) |
@@ -451,6 +461,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Webnames](https://www.webnames.ru/) | `webnames` | `WEBNAMES_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/webnames) |
| [Websupport](https://websupport.sk) | `websupport` | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/websupport) |
| [WEDOS](https://www.wedos.com) | `wedos` | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/wedos) |
| [West.cn/西部数码](https://www.west.cn) | `westcn` | `WESTCN_USERNAME`, `WESTCN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/westcn) |
| [Yandex 360](https://360.yandex.ru) | `yandex360` | `YANDEX360_OAUTH_TOKEN`, `YANDEX360_ORG_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/yandex360) |
| [Yandex Cloud](https://cloud.yandex.com/en/) | `yandexcloud` | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud) |
| [Yandex](https://yandex.com) | `yandex` | `YANDEX_PDD_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/yandex) |
@@ -496,11 +507,11 @@ certificatesResolvers:
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
```
#### `delayBeforeCheck`
#### `propagation.delayBeforeChecks`
By default, the `provider` verifies the TXT record _before_ letting ACME verify.
You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
This option is useful when internal networks block external DNS queries.
@@ -511,7 +522,9 @@ certificatesResolvers:
# ...
dnsChallenge:
# ...
delayBeforeCheck: 2s
propagation:
# ...
delayBeforeChecks: 2s
```
```toml tab="File (TOML)"
@@ -519,19 +532,21 @@ certificatesResolvers:
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
delayBeforeCheck = "2s"
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
delayBeforeChecks = "2s"
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
```
#### `disablePropagationCheck`
#### `propagation.disableChecks`
**Not recommended**
Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready.
Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready.
Please note that disabling checks can prevent the challenge from succeeding.
```yaml tab="File (YAML)"
certificatesResolvers:
@@ -540,7 +555,9 @@ certificatesResolvers:
# ...
dnsChallenge:
# ...
disablePropagationCheck: true
propagation:
# ...
disableChecks: true
```
```toml tab="File (TOML)"
@@ -548,12 +565,90 @@ certificatesResolvers:
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
disablePropagationCheck = true
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
disableChecks = true
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
```
#### `propagation.requireAllRNS`
Requires the challenge TXT record to be propagated to all recursive nameservers.
!!! note
If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
it is recommended to check all recursive nameservers instead.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
dnsChallenge:
# ...
propagation:
# ...
requireAllRNS: true
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
requireAllRNS = true
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
```
#### `propagation.disableANSChecks`
Disables the challenge TXT record propagation checks against authoritative nameservers.
This option will skip the propagation check against the nameservers of the authority (SOA).
It should be used only if the nameservers of the authority are not reachable.
!!! note
If you have disabled authoritative nameservers checks,
it is recommended to check all recursive nameservers instead.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
dnsChallenge:
# ...
propagation:
# ...
disableANSChecks: true
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
# ...
disableANSChecks = true
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
```
#### Wildcard Domains
@@ -672,6 +767,8 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
_Optional, Default=2160_
`certificatesDuration` specifies the duration (in hours) of the certificates issued by the CA server. It is used to determine when to renew the certificate, but it **doesn't** define the duration of the certificates, that is up to the CA server.
`certificatesDuration` is used to calculate two durations:
- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
@@ -743,6 +840,66 @@ certificatesResolvers:
# ...
```
### `profile`
_Optional, Default=""_
Certificate profile to use.
For more information, please check out the [Let's Encrypt blog post](https://letsencrypt.org/2025/01/09/acme-profiles/) about certificate profile selection.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
profile: tlsserver
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
profile = "tlsserver"
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.profile=tlsserver
# ...
```
### `emailAddresses`
_Optional, Default=""_
CSR email addresses to use.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
emailAddresses:
- foo@example.com
- bar@example.org
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
emailAddresses = ["foo@example.com", "bar@example.org"]
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.emailaddresses=foo@example.com,bar@example.org
# ...
```
### `keyType`
_Optional, Default="RSA4096"_

34
docs/content/https/tls.md
View File

@@ -553,4 +553,38 @@ spec:
clientAuthType: RequireAndVerifyClientCert
```
### Disable Session Tickets
_Optional, Default="false"_
When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
disableSessionTickets: true
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
disableSessionTickets = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
disableSessionTickets: true
```
{!traefik-for-business-applications.md!}

37
docs/content/index.md
View File

@@ -1,28 +1,53 @@
---
title: "Traefik Proxy Documentation"
description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
description: "Traefik Proxy, an open-source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
---
# Welcome
# What is Traefik?
![Architecture](assets/img/traefik-architecture.png)
Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience.
It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely.
It receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely.
What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services.
The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](./reference/install-configuration/providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, theres no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).
Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.
!!! quote "From the Traefik Maintainer Team"
When developing Traefik, our main goal is to make it easy to use, and we're sure you'll enjoy it.
-- The Traefik Maintainer Team
## Personas
Traefik supports different needs depending on your background. We keep three user personas in mind as we build and organize these docs:
- **Beginners**: You are new to Traefik or new to reverse proxies. You want simple, guided steps to set things up without diving too deep into advanced topics.
- **DevOps Engineers**: You manage infrastructure or clusters (Docker, Kubernetes, or other orchestrators). You integrate Traefik into your environment and value reliability, performance, and streamlined deployments.
- **Developers**: You create and deploy applications or APIs. You focus on how to expose your services through Traefik, apply routing rules, and integrate it with your development workflow.
## Core Concepts
Traefiks main concepts help you understand how requests flow to your services:
- [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
- [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
- [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.
These concepts work together to manage your traffic from the moment a request arrives until it reaches your application.
## How to Use the Documentation
- **Navigation**: Each main section focuses on a specific stage of working with Traefik - installing, exposing services, observing, extending & migrating.
Use the sidebar to navigate to the section that is most appropriate for your needs.
- **Practical Examples**: You will see code snippets and configuration examples for different environments (YAML/TOML, Labels, & Tags).
- **Reference**: When you need to look up technical details, our reference section provides a deep dive into configuration options and key terms.
!!! info

3
docs/content/middlewares/http/basicauth.md
View File

@@ -21,7 +21,7 @@ The BasicAuth middleware grants access to services to authorized users only.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
#
# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
# Also note that dollar signs should NOT be doubled when they are not being evaluated (e.g. Ansible docker_container module).
labels:
- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
@@ -341,4 +341,5 @@ http:
[http.middlewares.test-auth.basicAuth]
removeHeader = true
```
{!traefik-for-business-applications.md!}

4
docs/content/middlewares/http/buffering.md
View File

@@ -264,3 +264,7 @@ The retry expression is defined as a logical combination of the functions below
- `Attempts()` number of attempts (the first one counts)
- `ResponseCode()` response code of the service
- `IsNetworkError()` whether the response code is related to networking error
### Content-Length
See [Best Practices: ContentLength](../../security/content-length.md)

4
docs/content/middlewares/http/circuitbreaker.md
View File

@@ -160,8 +160,8 @@ Here is the list of supported operators:
### Fallback mechanism
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
This behavior cannot be configured.
By default the fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
The response code can be configured.
### `CheckPeriod`

12
docs/content/middlewares/http/compress.md
View File

@@ -179,9 +179,15 @@ http:
_Optional, Default=1024_
`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
Responses smaller than the specified values will not be compressed.
!!! tip "Streaming"
When data is sent to the client on flush, the `minResponseBodyBytes` configuration is ignored and the data is compressed.
This is particularly the case when data is streamed to the client when using `Transfer-encoding: chunked` response.
When chunked data is sent to the client on flush, it will be compressed by default even if the received data has not reached
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
@@ -258,10 +264,10 @@ http:
### `encodings`
_Optional, Default="zstd, br, gzip"_
_Optional, Default="gzip, br, zstd"_
`encodings` specifies the list of supported compression encodings.
At least one encoding value must be specified, and valid entries are `zstd` (Zstandard), `br` (Brotli), and `gzip` (Gzip).
At least one encoding value must be specified, and valid entries are `gzip` (Gzip), `br` (Brotli), and `zstd` (Zstandard).
The order of the list also sets the priority, the top entry has the highest priority.
```yaml tab="Docker & Swarm"

22
docs/content/middlewares/http/errorpages.md
View File

@@ -102,6 +102,19 @@ The status code ranges are inclusive (`505-599` will trigger with every code bet
The comma-separated syntax is only available for label-based providers.
The examples above demonstrate which syntax is appropriate for each provider.
### `statusRewrites`
An optional mapping of status codes to be rewritten. For example, if a service returns a 418, you might want to rewrite it to a 404.
You can map individual status codes or even ranges to a different status code. The syntax for ranges follows the same rules as the `status` option.
Here is an example:
```yml
statusRewrites:
"500-503": 500
"418": 404
```
### `service`
The service that will serve the new requested error page.
@@ -123,7 +136,8 @@ There are multiple variables that can be placed in the `query` option to insert
The table below lists all the available variables and their associated values.
| Variable | Value |
|------------|--------------------------------------------------------------------|
| `{status}` | The response status code. |
| `{url}` | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL. |
| Variable | Value |
|--------------------|--------------------------------------------------------------------------------------------|
| `{status}` | The response status code. It may be rewritten when using the `statusRewrites` option. |
| `{originalStatus}` | The original response status code, if it has been modified by the `statusRewrites` option. |
| `{url}` | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL. |

174
docs/content/middlewares/http/forwardauth.md
View File

@@ -334,6 +334,98 @@ http:
addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
```
### `forwardBody`
_Optional, Default=false_
Set the `forwardBody` option to `true` to send Body.
!!! info
As body is read inside Traefik before forwarding, this breaks streaming.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
address: https://example.com/auth
forwardBody: true
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
forwardBody: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
forwardBody = true
```
### `maxBodySize`
_Optional, Default=-1_
Set the `maxBodySize` to limit the body size in bytes.
If body is bigger than this, it returns a 401 (unauthorized).
Default is `-1`, which means no limit.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
address: https://example.com/auth
forwardBody: true
maxBodySize: 1000
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
maxBodySize: 1000
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
forwardBody = true
maxBodySize = 1000
```
### `tls`
_Optional_
@@ -613,4 +705,86 @@ http:
headerField = "X-WebAuth-User"
```
### `preserveLocationHeader`
_Optional, Default=false_
`preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
# ...
preserveLocationHeader: true
```
```json tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
forwardAuth:
# ...
preserveLocationHeader: true
```
```toml tab="File (TOML)"
[http.middlewares.test-auth.forwardAuth]
# ...
preserveLocationHeader = true
```
### `preserveRequestMethod`
_Optional, Default=false_
`preserveRequestMethod` defines whether to preserve the original request method while forwarding the request to the authentication server. By default, when this option is set to `false`, incoming requests are always forwarded as `GET` requests to the authentication server.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
forwardAuth:
# ...
preserveRequestMethod: true
```
```json tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
forwardAuth:
# ...
preserveRequestMethod: true
```
```toml tab="File (TOML)"
[http.middlewares.test-auth.forwardAuth]
# ...
preserveRequestMethod = true
```
{!traefik-for-business-applications.md!}

715
docs/content/middlewares/http/ratelimit.md
View File

@@ -496,3 +496,718 @@ http:
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHost = true
```
### `redis`
Enables distributed rate limit using `redis` to store the tokens.
If not set, Traefik's in-memory storage is used by default.
#### `redis.endpoints`
_Required, Default="127.0.0.1:6379"_
Defines how to connect to the Redis server.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=127.0.0.1:6379"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
endpoints:
- "127.0.0.1:6379"
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=127.0.0.1:6379"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
endpoints:
- "127.0.0.1:6379"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
endpoints = ["127.0.0.1:6379"]
```
#### `redis.username`
_Optional, Default=""_
Defines the username used to authenticate with the Redis server.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=user"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
secret: mysecret
---
apiVersion: v1
kind: Secret
metadata:
name: mysecret
namespace: default
data:
username: dXNlcm5hbWU=
password: cGFzc3dvcmQ=
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=user"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
username: user
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
username = "user"
```
#### `redis.password`
_Optional, Default=""_
Defines the password to authenticate against the Redis server.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=password"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
secret: mysecret
---
apiVersion: v1
kind: Secret
metadata:
name: mysecret
namespace: default
data:
username: dXNlcm5hbWU=
password: cGFzc3dvcmQ=
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=password"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
password: password
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
password = "password"
```
#### `redis.db`
_Optional, Default=0_
Defines the database to select after connecting to the Redis.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=0"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
db: 0
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=0"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
db: 0
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
db = 0
```
#### `redis.tls`
Same as this [config](https://doc.traefik.io/traefik/providers/redis/#tls)
_Optional_
Defines the TLS configuration used for the secure connection to Redis.
##### `redis.tls.ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to Redis,
it defaults to the system bundle.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=path/to/ca.crt"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
tls:
caSecret: mycasercret
---
apiVersion: v1
kind: Secret
metadata:
name: mycasercret
namespace: default
data:
# Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=path/to/ca.crt"
```
```yaml tab="File (YAML)"
http:
middlewares:
rateLimit:
# ...
redis:
tls:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[providers.redis.tls]
ca = "path/to/ca.crt"
```
##### `redis.tls.cert`
_Optional_
`cert` is the path to the public certificate used for the secure connection to Redis.
When this option is set, the `key` option is required.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
tls:
certSecret: mytlscert
---
apiVersion: v1
kind: Secret
metadata:
name: mytlscert
namespace: default
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
redis:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
[http.middlewares.test-ratelimit.rateLimit.redis.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
##### `redis.tls.key`
_Optional_
`key` is the path to the private key used for the secure connection to Redis.
When this option is set, the `cert` option is required.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
tls:
certSecret: mytlscert
---
apiVersion: v1
kind: Secret
metadata:
name: mytlscert
namespace: default
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
redis:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
[http.middlewares.test-ratelimit.rateLimit.redis.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
##### `redis.tls.insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
tls:
insecureSkipVerify: true
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=true"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
[http.middlewares.test-ratelimit.rateLimit.redis.tls]
insecureSkipVerify = true
```
#### `redis.poolSize`
_Optional, Default=0_
Defines the base number of socket connections.
If there are not enough connections in the pool, new connections will be allocated beyond `redis.poolSize`.
You can limit this using `redis.maxActiveConns`.
Zero means 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=42"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
poolSize: 42
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=42"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
poolSize: 42
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
poolSize = 42
```
#### `redis.minIdleConns`
_Optional, Default=0_
Defines the minimum number of idle connections, which is useful when establishing new connections is slow.
Zero means that idle connections are not closed.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=42"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
minIdleConns: 42
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=42"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
minIdleConns: 42
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
minIdleConns = 42
```
#### `redis.maxActiveConns`
_Optional, Default=0_
Defines the maximum number of connections the pool can allocate at a given time.
Zero means no limit.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=42"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
maxActiveConns: 42
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=42"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
maxActiveConns: 42
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
maxActiveConns = 42
```
#### `redis.readTimeout`
_Optional, Default=3s_
Defines the timeout for socket reads.
If reached, commands will fail with a timeout instead of blocking.
Zero means no timeout.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=42s"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
readTimeout: 42s
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=42s"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
readTimeout: 42s
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
readTimeout = "42s"
```
#### `redis.writeTimeout`
_Optional, Default=3s_
Defines the timeout for socket writes.
If reached, commands will fail with a timeout instead of blocking.
Zero means no timeout.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=42s"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
writeTimeout: 42s
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=42s"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
writeTimeout: 42s
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
writeTimeout = "42s"
```
#### `redis.dialTimeout`
_Optional, Default=5s_
Defines the dial timeout for establishing new connections.
Zero means no timeout.
```yaml tab="Docker & Swarm"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=42s"
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
# ...
redis:
dialTimeout: 42s
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=42s"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
# ...
redis:
dialTimeout: 42s
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.redis]
dialTimeout = "42s"
```

7
docs/content/middlewares/http/retry.md
View File

@@ -12,8 +12,11 @@ Retrying until it Succeeds
TODO: add schema
-->
The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
As soon as the server answers, the middleware stops retrying, regardless of the response status.
The Retry middleware reissues requests a given number of times when it cannot contact the backend service.
This applies at the transport level (TCP).
If the service does not respond to the initial connection attempt, the middleware retries.
However, once the service responds, regardless of the HTTP status code, the middleware considers it operational and stops retrying.
This means that the retry mechanism does not handle HTTP errors; it only retries when there is no response at the TCP level.
The Retry middleware has an optional configuration to enable an exponential backoff.
## Configuration Examples

47
docs/content/migration/v2.md
View File

@@ -659,3 +659,50 @@ Please check out the [entrypoint forwarded headers connection option configurati
In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
## v2.11.24
### Request Path Sanitization
Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
For example, as base64 uses the “/” character internally,
if it's not url encoded,
it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
!!! warning "Security"
Setting the `sanitizePath` option to `false` is not safe.
Ensure every request is properly url encoded instead.
## v2.11.25
### Request Path Normalization
Since `v2.11.25`, the request path is now normalized by decoding unreserved characters in the request path,
and also uppercasing the percent-encoded characters.
This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
The normalization happens before the request path is sanitized,
and cannot be disabled.
This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
### Routing Path
Since `v2.11.25`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
Those characters, when decoded, change the meaning of the request path for routing purposes,
and Traefik now keeps them encoded to avoid any ambiguity.
### Request Path Matching Examples
| Request Path | Router Rule | Traefik v2.11.24 | Traefik v2.11.25 |
|-------------------|------------------------|------------------|------------------|
| `/foo%2Fbar` | PathPrefix(`/foo/bar`) | Match | No match |
| `/foo/../bar` | PathPrefix(`/foo`) | No match | No match |
| `/foo/../bar` | PathPrefix(`/bar`) | Match | Match |
| `/foo/%2E%2E/bar` | PathPrefix(`/foo`) | Match | No match |
| `/foo/%2E%2E/bar` | PathPrefix(`/bar`) | No match | Match |

171
docs/content/migration/v3.md
View File

@@ -80,20 +80,20 @@ Please use the `disableClusterScopeResources` option instead to avoid cluster sc
### Kubernetes CRD Provider
Starting with v3.2, the CRDs has been updated on [TraefikService](../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../middlewares/http/ratelimit) & [InFlightReq](../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
This update adds only new optional fields.
CRDs can be updated with this command:
```shell
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```
### Kubernetes Gateway Provider Standard Channel
Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) provider RBACs),
Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
the `grcroutes` and `grpcroutes/status` rights have to be added.
```yaml
@@ -120,12 +120,12 @@ the `grcroutes` and `grpcroutes/status` rights have to be added.
!!! warning "Breaking changes"
Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
Traefik v3.2 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) provider RBACs),
the `configmaps`, `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
```yaml
...
@@ -160,3 +160,162 @@ the `configmaps`, `backendtlspolicies` and `backendtlspolicies/status` rights ha
In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
## v3.2.2
### Swarm Provider
In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
## v3.2 to v3.3
### ACME DNS Certificate Resolver
In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated,
please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
### Tracing Global Attributes
In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
and will be removed in the next major version.
## v3.3.4
### OpenTelemetry Request Duration metric
In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
## v3.3.5
### Compress Middleware
In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`.
This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
It impacts requests that do not specify their preferred algorithm,
or has no order preference, in the `Accept-Encoding` header.
## v3.3.6
### Request Path Sanitization
Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
For example, as base64 uses the “/” character internally,
if it's not url encoded,
it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
!!! warning "Security"
Setting the `sanitizePath` option to `false` is not safe.
Ensure every request is properly url encoded instead.
## v3.3 to v3.4
### Kubernetes CRD Provider
#### Load-Balancing
In `v3.4`, the HTTP service definition has been updated.
The strategy field now supports two new values: `wrr` and `p2c` (please refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for more details).
CRDs can be updated with this command:
```shell
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```
Please note that the `RoundRobin` strategy value is now deprecated, but still supported and equivalent to `wrr`, and will be removed in the next major release.
#### ServersTransport CA Certificate
In `v3.4`, a new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs.
It allows the configuration of CA certificates from both `ConfigMaps` and `Secrets`,
and replaces the `rootCAsSecrets` option, as shown below:
CRDs can be updated with this command:
```shell
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```
RBACs need to be updated with this command:
```shell
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
```
```yaml
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: foo
namespace: bar
spec:
rootCAs:
- configMap: ca-config-map
- secret: ca-secret
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
name: foo
namespace: bar
spec:
rootCAs:
- configMap: ca-config-map
- secret: ca-secret
```
The `rootCAsSecrets` option, which allows only `Secrets` references,
is still supported, but is now deprecated,
and will be removed in the next major release.
### Rule Syntax
In `v3.4.0`, the `core.defaultRuleSyntax` static configuration option and the `ruleSyntax` router option have been deprecated,
and will be removed in the next major version.
This `core.defaultRuleSyntax` option was used to switch between the v2 and v3 syntax for the router's rules,
and to help with the migration from v2 to v3.
The `ruleSyntax` router's option was used to override the default rule syntax for a specific router.
In preparation for the next major release, please remove any use of these two options and use the v3 syntax for writing the router's rules.
## v3.4.1
### Request Path Normalization
Since `v3.4.1`, the request path is now normalized by decoding unreserved characters in the request path,
and also uppercasing the percent-encoded characters.
This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
The normalization happens before the request path is sanitized,
and cannot be disabled.
This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
### Routing Path
Since `v3.4.1`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
Those characters, when decoded, change the meaning of the request path for routing purposes,
and Traefik now keeps them encoded to avoid any ambiguity.
### Request Path Matching Examples
| Request Path | Router Rule | Traefik v3.4.0 | Traefik v3.4.1 |
|-------------------|------------------------|----------------|----------------|
| `/foo%2Fbar` | PathPrefix(`/foo/bar`) | Match | No match |
| `/foo/../bar` | PathPrefix(`/foo`) | No match | No match |
| `/foo/../bar` | PathPrefix(`/bar`) | Match | Match |
| `/foo/%2E%2E/bar` | PathPrefix(`/foo`) | Match | No match |
| `/foo/%2E%2E/bar` | PathPrefix(`/bar`) | No match | Match |

422
docs/content/observability/access-logs.md
View File

@@ -30,7 +30,7 @@ accessLog: {}
_Optional, Default="false"_
Enables accessLogs for internal resources (e.g.: `ping@internal`).
Enables access logs for internal resources (e.g.: `ping@internal`).
```yaml tab="File (YAML)"
accesslog:
@@ -256,9 +256,7 @@ accessLog:
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
| `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
| `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
| `OriginStatusLine` | `OriginStatus` + Status code explanation |
| `DownstreamStatus` | The HTTP status code returned to the client. |
| `DownstreamStatusLine` | `DownstreamStatus` + Status code explanation |
| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
| `RequestCount` | The number of requests received since the Traefik instance started. |
| `GzipRatio` | The response body compression ratio achieved. |
@@ -290,11 +288,9 @@ It is possible to configure the Traefik to timestamp in a specific timezone by e
Example utilizing Docker Compose:
```yaml
version: "3.7"
services:
traefik:
image: traefik:v3.2
image: traefik:v3.4
environment:
- TZ=US/Alaska
command:
@@ -306,4 +302,418 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
```
## OpenTelemetry
!!! warning "Experimental Feature"
The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
```yaml tab="File (YAML)"
experimental:
otlpLogs: true
```
```toml tab="File (TOML)"
[experimental.otlpLogs]
```
```bash tab="CLI"
--experimental.otlpLogs=true
```
To enable the OpenTelemetry Logger for access logs:
```yaml tab="File (YAML)"
accesslog:
otlp: {}
```
```toml tab="File (TOML)"
[accesslog.otlp]
```
```bash tab="CLI"
--accesslog.otlp=true
```
!!! info "Default protocol"
The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
### HTTP configuration
_Optional_
This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.
```yaml tab="File (YAML)"
accesslog:
otlp:
http: {}
```
```toml tab="File (TOML)"
[accesslog.otlp.http]
```
```bash tab="CLI"
--accesslog.otlp.http=true
```
#### `endpoint`
_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
URL of the OpenTelemetry Collector to send access logs to.
!!! info "Insecure mode"
To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
```yaml tab="File (YAML)"
accesslog:
otlp:
http:
endpoint: https://collector:4318/v1/logs
```
```toml tab="File (TOML)"
[accesslog.otlp.http]
endpoint = "https://collector:4318/v1/logs"
```
```bash tab="CLI"
--accesslog.otlp.http.endpoint=https://collector:4318/v1/logs
```
#### `headers`
_Optional, Default={}_
Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
```yaml tab="File (YAML)"
accesslog:
otlp:
http:
headers:
foo: bar
baz: buz
```
```toml tab="File (TOML)"
[accesslog.otlp.http.headers]
foo = "bar"
baz = "buz"
```
```bash tab="CLI"
--accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz
```
#### `tls`
_Optional_
Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
##### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
it defaults to the system bundle.
```yaml tab="File (YAML)"
accesslog:
otlp:
http:
tls:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[accesslog.otlp.http.tls]
ca = "path/to/ca.crt"
```
```bash tab="CLI"
--accesslog.otlp.http.tls.ca=path/to/ca.crt
```
##### `cert`
_Optional_
`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
accesslog:
otlp:
http:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[accesslog.otlp.http.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--accesslog.otlp.http.tls.cert=path/to/foo.cert
--accesslog.otlp.http.tls.key=path/to/foo.key
```
##### `key`
_Optional_
`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
accesslog:
otlp:
http:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[accesslog.otlp.http.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--accesslog.otlp.http.tls.cert=path/to/foo.cert
--accesslog.otlp.http.tls.key=path/to/foo.key
```
##### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`,
the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="File (YAML)"
accesslog:
otlp:
http:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[accesslog.otlp.http.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
--accesslog.otlp.http.tls.insecureSkipVerify=true
```
### gRPC configuration
_Optional_
This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc: {}
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc]
```
```bash tab="CLI"
--accesslog.otlp.grpc=true
```
#### `endpoint`
_Required, Default="localhost:4317", Format="`<host>:<port>`"_
Address of the OpenTelemetry Collector to send access logs to.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
endpoint: localhost:4317
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc]
endpoint = "localhost:4317"
```
```bash tab="CLI"
--accesslog.otlp.grpc.endpoint=localhost:4317
```
#### `insecure`
_Optional, Default=false_
Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
insecure: true
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc]
insecure = true
```
```bash tab="CLI"
--accesslog.otlp.grpc.insecure=true
```
#### `headers`
_Optional, Default={}_
Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
headers:
foo: bar
baz: buz
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc.headers]
foo = "bar"
baz = "buz"
```
```bash tab="CLI"
--accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz
```
#### `tls`
_Optional_
Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
##### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
it defaults to the system bundle.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
tls:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc.tls]
ca = "path/to/ca.crt"
```
```bash tab="CLI"
--accesslog.otlp.grpc.tls.ca=path/to/ca.crt
```
##### `cert`
_Optional_
`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
--accesslog.otlp.grpc.tls.key=path/to/foo.key
```
##### `key`
_Optional_
`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
--accesslog.otlp.grpc.tls.key=path/to/foo.key
```
##### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`,
the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="File (YAML)"
accesslog:
otlp:
grpc:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[accesslog.otlp.grpc.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
--accesslog.otlp.grpc.tls.insecureSkipVerify=true
```
{!traefik-for-business-applications.md!}

414
docs/content/observability/logs.md
View File

@@ -181,4 +181,418 @@ log:
--log.compress=true
```
## OpenTelemetry
!!! warning "Experimental Feature"
The OpenTelemetry logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
```yaml tab="File (YAML)"
experimental:
otlpLogs: true
```
```toml tab="File (TOML)"
[experimental.otlpLogs]
```
```bash tab="CLI"
--experimental.otlpLogs=true
```
To enable the OpenTelemetry Logger for logs:
```yaml tab="File (YAML)"
log:
otlp: {}
```
```toml tab="File (TOML)"
[log.otlp]
```
```bash tab="CLI"
--log.otlp=true
```
!!! info "Default protocol"
The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
### HTTP configuration
_Optional_
This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.
```yaml tab="File (YAML)"
log:
otlp:
http: {}
```
```toml tab="File (TOML)"
[log.otlp.http]
```
```bash tab="CLI"
--log.otlp.http=true
```
#### `endpoint`
_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
URL of the OpenTelemetry Collector to send logs to.
!!! info "Insecure mode"
To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
```yaml tab="File (YAML)"
log:
otlp:
http:
endpoint: https://collector:4318/v1/logs
```
```toml tab="File (TOML)"
[log.otlp.http]
endpoint = "https://collector:4318/v1/logs"
```
```bash tab="CLI"
--log.otlp.http.endpoint=https://collector:4318/v1/logs
```
#### `headers`
_Optional, Default={}_
Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
```yaml tab="File (YAML)"
log:
otlp:
http:
headers:
foo: bar
baz: buz
```
```toml tab="File (TOML)"
[log.otlp.http.headers]
foo = "bar"
baz = "buz"
```
```bash tab="CLI"
--log.otlp.http.headers.foo=bar --log.otlp.http.headers.baz=buz
```
#### `tls`
_Optional_
Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
##### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
it defaults to the system bundle.
```yaml tab="File (YAML)"
log:
otlp:
http:
tls:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[log.otlp.http.tls]
ca = "path/to/ca.crt"
```
```bash tab="CLI"
--log.otlp.http.tls.ca=path/to/ca.crt
```
##### `cert`
_Optional_
`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
log:
otlp:
http:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[log.otlp.http.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--log.otlp.http.tls.cert=path/to/foo.cert
--log.otlp.http.tls.key=path/to/foo.key
```
##### `key`
_Optional_
`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
log:
otlp:
http:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[log.otlp.http.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--log.otlp.http.tls.cert=path/to/foo.cert
--log.otlp.http.tls.key=path/to/foo.key
```
##### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`,
the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="File (YAML)"
log:
otlp:
http:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[log.otlp.http.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
--log.otlp.http.tls.insecureSkipVerify=true
```
### gRPC configuration
_Optional_
This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC.
```yaml tab="File (YAML)"
log:
otlp:
grpc: {}
```
```toml tab="File (TOML)"
[log.otlp.grpc]
```
```bash tab="CLI"
--log.otlp.grpc=true
```
#### `endpoint`
_Required, Default="localhost:4317", Format="`<host>:<port>`"_
Address of the OpenTelemetry Collector to send logs to.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
endpoint: localhost:4317
```
```toml tab="File (TOML)"
[log.otlp.grpc]
endpoint = "localhost:4317"
```
```bash tab="CLI"
--log.otlp.grpc.endpoint=localhost:4317
```
#### `insecure`
_Optional, Default=false_
Allows exporter to send logs to the OpenTelemetry Collector without using a secured protocol.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
insecure: true
```
```toml tab="File (TOML)"
[log.otlp.grpc]
insecure = true
```
```bash tab="CLI"
--log.otlp.grpc.insecure=true
```
#### `headers`
_Optional, Default={}_
Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
headers:
foo: bar
baz: buz
```
```toml tab="File (TOML)"
[log.otlp.grpc.headers]
foo = "bar"
baz = "buz"
```
```bash tab="CLI"
--log.otlp.grpc.headers.foo=bar --log.otlp.grpc.headers.baz=buz
```
#### `tls`
_Optional_
Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
##### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
it defaults to the system bundle.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
tls:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[log.otlp.grpc.tls]
ca = "path/to/ca.crt"
```
```bash tab="CLI"
--log.otlp.grpc.tls.ca=path/to/ca.crt
```
##### `cert`
_Optional_
`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[log.otlp.grpc.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--log.otlp.grpc.tls.cert=path/to/foo.cert
--log.otlp.grpc.tls.key=path/to/foo.key
```
##### `key`
_Optional_
`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
tls:
cert: path/to/foo.cert
key: path/to/foo.key
```
```toml tab="File (TOML)"
[log.otlp.grpc.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--log.otlp.grpc.tls.cert=path/to/foo.cert
--log.otlp.grpc.tls.key=path/to/foo.key
```
##### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`,
the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="File (YAML)"
log:
otlp:
grpc:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[log.otlp.grpc.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
--log.otlp.grpc.tls.insecureSkipVerify=true
```
{!traefik-for-business-applications.md!}

1
docs/content/observability/metrics/datadog.md
View File

@@ -68,6 +68,7 @@ metrics:
```bash tab="CLI"
--metrics.datadog.addEntryPointsLabels=true
```
#### `addRoutersLabels`
_Optional, Default=false_

14
docs/content/observability/metrics/opentelemetry.md
View File

@@ -23,7 +23,7 @@ metrics:
!!! info "Default protocol"
The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
The OpenTelemetry exporter will export metrics to the collector using HTTPS by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
#### `addEntryPointsLabels`
@@ -184,25 +184,29 @@ metrics:
#### `endpoint`
_Required, Default="http://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
_Optional, Default="https://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
URL of the OpenTelemetry Collector to send metrics to.
!!! info "Insecure mode"
To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
```yaml tab="File (YAML)"
metrics:
otlp:
http:
endpoint: http://localhost:4318/v1/metrics
endpoint: https://collector:4318/v1/metrics
```
```toml tab="File (TOML)"
[metrics]
[metrics.otlp.http]
endpoint = "http://localhost:4318/v1/metrics"
endpoint = "https://collector:4318/v1/metrics"
```
```bash tab="CLI"
--metrics.otlp.http.endpoint=http://localhost:4318/v1/metrics
--metrics.otlp.http.endpoint=https://collector:4318/v1/metrics
```
#### `headers`

76
docs/content/observability/overview.md
View File

@@ -5,16 +5,80 @@ description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the
# Overview
Traefik's Observability system
{: .subtitle }
Traefiks observability features include logs, access logs, metrics, and tracing. You can configure these options globally or at more specific levels, such as per router or per entry point.
## Logs
## Configuration Example
Enable access logs, metrics, and tracing globally
```yaml tab="File (YAML)"
accessLog: {}
metrics:
otlp: {}
tracing: {}
```
```yaml tab="File (TOML)"
[accessLog]
[metrics]
[metrics.otlp]
[tracing]
```
```bash tab="CLI"
--accesslog=true
--metrics.otlp=true
--tracing=true
```
You can disable access logs, metrics, and tracing for a specific entrypoint attached to a router:
```yaml tab="File (YAML)"
# Static Configuration
entryPoints:
EntryPoint0:
address: ':8000/udp'
observability:
accessLogs: false
tracing: false
metrics: false
```
```toml tab="File (TOML)"
# Static Configuration
[entryPoints.EntryPoint0]
address = ":8000/udp"
[entryPoints.EntryPoint0.observability]
accessLogs = false
tracing = false
metrics = false
```
```bash tab="CLI"
# Static Configuration
--entryPoints.EntryPoint0.address=:8000/udp
--entryPoints.EntryPoint0.observability.accessLogs=false
--entryPoints.EntryPoint0.observability.metrics=false
--entryPoints.EntryPoint0.observability.tracing=false
```
!!!note "Default Behavior"
A router with its own observability configuration will override the global default.
## Configuration Options
### Logs
Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).
Read the [Logs documentation](./logs.md) to learn how to configure it.
## Access Logs
### Access Logs
Access logs are a key part of observability in Traefik.
@@ -24,7 +88,7 @@ including the source IP address, requested URL, response status code, and more.
Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.
## Metrics
### Metrics
Traefik offers a metrics feature that provides valuable insights about the performance and usage.
These metrics include the number of requests received, the requests duration, and more.
@@ -33,7 +97,7 @@ On top of supporting metrics in the OpenTelemetry format, Traefik supports the f
Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.
## Tracing
### Tracing
The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.

14
docs/content/observability/tracing/opentelemetry.md
View File

@@ -25,7 +25,7 @@ tracing:
!!! info "Default protocol"
The OpenTelemetry trace exporter will export traces to the collector using HTTP by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
The OpenTelemetry trace exporter will export traces to the collector using HTTPS by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
!!! info "Trace sampling"
@@ -72,25 +72,29 @@ tracing:
#### `endpoint`
_Required, Default="http://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
_Optional, Default="https://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
URL of the OpenTelemetry Collector to send spans to.
!!! info "Insecure mode"
To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
```yaml tab="File (YAML)"
tracing:
otlp:
http:
endpoint: http://localhost:4318/v1/traces
endpoint: https://collector:4318/v1/traces
```
```toml tab="File (TOML)"
[tracing]
[tracing.otlp.http]
endpoint = "http://localhost:4318/v1/traces"
endpoint = "https://collector:4318/v1/traces"
```
```bash tab="CLI"
--tracing.otlp.http.endpoint=http://localhost:4318/v1/traces
--tracing.otlp.http.endpoint=https://collector:4318/v1/traces
```
#### `headers`

24
docs/content/observability/tracing/overview.md
View File

@@ -92,29 +92,29 @@ tracing:
--tracing.sampleRate=0.2
```
#### `globalAttributes`
#### `resourceAttributes`
_Optional, Default=empty_
Applies a list of shared key:value attributes on all spans.
Defines additional resource attributes to be sent to the collector.
```yaml tab="File (YAML)"
tracing:
globalAttributes:
resourceAttributes:
attr1: foo
attr2: bar
```
```toml tab="File (TOML)"
[tracing]
[tracing.globalAttributes]
[tracing.resourceAttributes]
attr1 = "foo"
attr2 = "bar"
```
```bash tab="CLI"
--tracing.globalAttributes.attr1=foo
--tracing.globalAttributes.attr2=bar
--tracing.resourceAttributes.attr1=foo
--tracing.resourceAttributes.attr2=bar
```
#### `capturedRequestHeaders`
@@ -128,15 +128,16 @@ It applies to client and server kind spans.
tracing:
capturedRequestHeaders:
- X-CustomHeader
- X-OtherHeader
```
```toml tab="File (TOML)"
[tracing]
capturedRequestHeaders = ["X-CustomHeader"]
capturedRequestHeaders = ["X-CustomHeader", "X-OtherHeader"]
```
```bash tab="CLI"
--tracing.capturedRequestHeaders[0]=X-CustomHeader
--tracing.capturedRequestHeaders="X-CustomHeader,X-OtherHeader"
```
#### `capturedResponseHeaders`
@@ -150,20 +151,21 @@ It applies to client and server kind spans.
tracing:
capturedResponseHeaders:
- X-CustomHeader
- X-OtherHeader
```
```toml tab="File (TOML)"
[tracing]
capturedResponseHeaders = ["X-CustomHeader"]
capturedResponseHeaders = ["X-CustomHeader", "X-OtherHeader"]
```
```bash tab="CLI"
--tracing.capturedResponseHeaders[0]=X-CustomHeader
--tracing.capturedResponseHeaders="X-CustomHeader,X-OtherHeader"
```
#### `safeQueryParams`
_Optional, Default={}_
_Optional, Default=[]_
By default, all query parameters are redacted.
Defines the list of query parameters to not redact.

179
docs/content/observe/logs-and-access-logs.md Normal file
View File

@@ -0,0 +1,179 @@
---
title: "Logs and Access Logs"
description: "Logs and Access Logs in Traefik Proxy provide real-time insight into the health of your system. They enable swift error detection and intervention through alerts. By centralizing logs, you can streamline the debugging process during incident resolution."
---
## Logs
Logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
### Configuration Example
To enable and configure logs in Traefik Proxy, you can use the static configuration file or Helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart).
```yaml tab="Structured (YAML)"
log:
filePath: "/path/to/log-file.log"
format: json
level: INFO
```
```toml tab="Structured (TOML)"
[log]
filePath = "/path/to/log-file.log"
format = "json"
level = "INFO"
```
```yaml tab="Helm Chart Values"
logs:
general:
filePath: "/path/to/log-file.log"
format: json
level: INFO
```
## Access Logs
Access logs concern everything that happens to the requests handled by Traefik.
### Configuration Example
To enable and configure access logs in Traefik Proxy, you can use the static configuration file or Helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart).
The following example enables access logs in JSON format, filters them to only include specific status codes, and customizes the fields that are kept or dropped.
```yaml tab="Structured (YAML)"
accessLog:
format: json
filters:
statusCodes:
- "200"
- "400-404"
- "500-503"
fields:
names:
ClientUsername: drop
headers:
defaultMode: keep
names:
User-Agent: redact
Content-Type: keep
```
```toml tab="Structured (TOML)"
[accessLog]
format = "json"
[accessLog.filters]
statusCodes = ["200", "400-404", "500-503"]
[accessLog.fields]
[accessLog.fields.names]
ClientUsername = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Content-Type" = "keep"
```
```yaml tab="Helm Chart Values"
# values.yaml
logs:
access:
enabled: true
format: json
filters:
statusCodes:
- "200"
- "400-404"
- "500-503"
fields:
names:
ClientUsername: drop
headers:
defaultMode: keep
names:
User-Agent: redact
Content-Type: keep
```
## Per-Router Access Logs
You can enable or disable access logs for a specific router. This is useful for turning off logging for noisy routes while keeping it on globally.
Here's an example of disabling access logs on a specific router:
```yaml tab="Structured (YAML)"
http:
routers:
my-router:
rule: "Host(`example.com`)"
service: my-service
observability:
accessLogs: false
```
```toml tab="Structured (TOML)"
[http.routers.my-router.observability]
accessLogs = false
```
```yaml tab="Kubernetes"
# ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: my-router
spec:
routes:
- kind: Rule
match: Host(`example.com`)
services:
- name: my-service
port: 80
observability:
accessLogs: false
```
```bash tab="Labels"
labels:
- "traefik.http.routers.my-router.observability.accesslogs=false"
```
```json tab="Tags"
{
// ...
"Tags": [
"traefik.http.routers.my-router.observability.accesslogs=false"
]
}
```
When the `observability` options are not defined on a router, it inherits the behavior from the [entrypoint's observability configuration](./overview.md), or the global one.
## Log Formats
Traefik Proxy supports the following log formats:
- Common Log Format (CLF)
- JSON
## Access Log Filters
You can configure Traefik Proxy to only record access logs for requests that match certain criteria. This is useful for reducing the volume of logs and focusing on specific events.
The available filters are:
- **Status Codes:** Keep logs only for requests with specific HTTP status codes or ranges (e.g., `200`, `400-404`).
- **Retry Attempts:** Keep logs only when a request retry has occurred.
- **Minimum Duration:** Keep logs only for requests that take longer than a specified duration.
## Log Fields Customization
When using the `json` format, you can customize which fields are included in your access logs.
- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#available-fields).
- **Request Headers:** You can also specify which request headers should be included in the logs, and whether their values should be `kept`, `dropped`, or `redacted`.
!!! info
For detailed configuration options, refer to the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md).

104
docs/content/observe/metrics.md Normal file
View File

@@ -0,0 +1,104 @@
---
title: "Metrics"
description: "Metrics in Traefik Proxy offer a comprehensive view of your infrastructure's health. They allow you to monitor critical indicators like incoming traffic volume. Metrics graphs and visualizations are helpful during incident triage in understanding the causes and implementing proactive measures."
---
# Metrics
Metrics in Traefik Proxy offer a comprehensive view of your infrastructure's health. They allow you to monitor critical indicators like incoming traffic volume. Metrics graphs and visualizations are helpful during incident triage in understanding the causes and implementing proactive measures.
## Available Metrics Providers
Traefik Proxy supports the following metrics providers:
- OpenTelemetry
- Prometheus
- Datadog
- InfluxDB 2.X
- StatsD
## Configuration
To enable metrics in Traefik Proxy, you need to configure the metrics provider in your static configuration file or helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart). The following example shows how to configure the OpenTelemetry provider to send metrics to a collector.
```yaml tab="Structured (YAML)"
metrics:
otlp:
http:
endpoint: http://myotlpcollector:4318/v1/metrics
```
```toml tab="Structured (TOML)"
[metrics.otlp.http]
endpoint = "http://myotlpcollector:4318/v1/metrics"
```
```yaml tab="Helm Chart Values"
# values.yaml
metrics:
# Disable Prometheus (enabled by default)
prometheus: null
# Enable providing OTel metrics
otlp:
enabled: true
http:
enabled: true
endpoint: http://myotlpcollector:4318/v1/metrics
```
## Per-Router Metrics
You can enable or disable metrics collection for a specific router. This can be useful for excluding certain routes from your metrics data.
Here's an example of disabling metrics on a specific router:
```yaml tab="Structured (YAML)"
http:
routers:
my-router:
rule: "Host(`example.com`)"
service: my-service
observability:
metrics: false
```
```toml tab="Structured (TOML)"
[http.routers.my-router.observability]
metrics = false
```
```yaml tab="Kubernetes"
# ingressroute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: my-router
spec:
routes:
- kind: Rule
match: Host(`example.com`)
services:
- name: my-service
port: 80
observability:
metrics: false
```
```bash tab="Labels"
labels:
- "traefik.http.routers.my-router.observability.metrics=false"
```
```json tab="Tags"
{
// ...
"Tags": [
"traefik.http.routers.my-router.observability.metrics=false"
]
}
```
When the `observability` options are not defined on a router, it inherits the behavior from the [entrypoint's observability configuration](./overview.md), or the global one.
!!! info
For detailed configuration options, refer to the [reference documentation](../reference/install-configuration/observability/metrics.md).

80
docs/content/observe/overview.md Normal file
View File

@@ -0,0 +1,80 @@
---
title: "Observability Overview"
description: "Traefik Proxy provides comprehensive monitoring and observability capabilities to maintain reliability and efficiency."
---
# Observability Overview
Traefik Proxy provides comprehensive monitoring and observability capabilities to maintain reliability and efficiency:
- [Logs and Access Logs](./logs-and-access-logs.md) provide real-time insight into the health of your system. They enable swift error detection and intervention through alerts. By centralizing logs, you can streamline the debugging process during incident resolution.
- [Metrics](./metrics.md) offer a comprehensive view of your infrastructure's health. They allow you to monitor critical indicators like incoming traffic volume. Metrics graphs and visualizations are helpful during incident triage in understanding the causes and implementing proactive measures.
- [Tracing](./tracing.md) enables tracking the flow of operations within your system. Using traces and spans, you can identify performance bottlenecks and pinpoint applications causing slowdowns to optimize response times effectively.
## Configuration Example
You can enable access logs, metrics, and tracing globally:
```yaml tab="Structured (YAML)"
accessLog: {}
metrics:
otlp: {}
tracing: {}
```
```toml tab="Structured (TOML)"
[accessLog]
[metrics.otlp]
[tracing.otlp]
```
```yaml tab="Helm Chart Values"
# values.yaml
accessLog:
enabled: true
metrics:
otlp:
enabled: true
tracing:
otlp:
enabled: true
```
You can disable access logs, metrics, and tracing for a specific [entrypoint](../reference/install-configuration/entrypoints.md):
```yaml tab="Structured (YAML)"
entryPoints:
EntryPoint0:
address: ':8000/udp'
observability:
accessLogs: false
tracing: false
metrics: false
```
```toml tab="Structured (TOML)"
[entryPoints.EntryPoint0.observability]
accessLogs = false
tracing = false
metrics = false
```
```yaml tab="Helm Chart Values"
additionalArguments:
- "--entrypoints.entrypoint0.observability.accesslogs=false"
- "--entrypoints.entrypoint0.observability.tracing=false"
- "--entrypoints.entrypoint0.observability.metrics=false"
```
!!! note
A router with its own observability configuration will override the global default.
{!traefik-for-business-applications.md!}

93
docs/content/observe/tracing.md Normal file
View File

@@ -0,0 +1,93 @@
---
title: "Tracing"
description: "Tracing in Traefik Proxy allows you to track the flow of operations within your system. Using traces and spans, you can identify performance bottlenecks and pinpoint applications causing slowdowns to optimize response times effectively."
---
# Tracing
Tracing in Traefik Proxy allows you to track the flow of operations within your system. Using traces and spans, you can identify performance bottlenecks and pinpoint applications causing slowdowns to optimize response times effectively.
Traefik Proxy uses [OpenTelemetry](https://opentelemetry.io/) to export traces. OpenTelemetry is an open-source observability framework. You can send traces to an OpenTelemetry collector, which can then export them to a variety of backends like Jaeger, Zipkin, or Datadog.
## Configuration
To enable tracing in Traefik Proxy, you need to configure it in your static configuration file or Helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart). The following example shows how to configure the OpenTelemetry provider to send traces to a collector via HTTP.
```yaml tab="Structured (YAML)"
tracing:
otlp:
http:
endpoint: http://myotlpcollector:4318/v1/traces
```
```toml tab="Structured (TOML)"
[tracing.otlp.http]
endpoint = "http://myotlpcollector:4318/v1/traces"
```
```yaml tab="Helm Chart Values"
# values.yaml
tracing:
otlp:
enabled: true
http:
enabled: true
endpoint: http://myotlpcollector:4318/v1/traces
```
!!! info
For detailed configuration options, refer to the [tracing reference documentation](../reference/install-configuration/observability/tracing.md).
## Per-Router Tracing
You can enable or disable tracing for a specific router. This is useful for turning off tracing for specific routes while keeping it on globally.
Here's an example of disabling tracing on a specific router:
```yaml tab="Structured (YAML)"
http:
routers:
my-router:
rule: "Host(`example.com`)"
service: my-service
observability:
tracing: false
```
```toml tab="Structured (TOML)"
[http.routers.my-router.observability]
tracing = false
```
```yaml tab="Kubernetes"
# ingressoute.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: my-router
spec:
routes:
- kind: Rule
match: Host(`example.com`)
services:
- name: my-service
port: 80
observability:
tracing: false
```
```yaml tab="Labels"
labels:
- "traefik.http.routers.my-router.observability.tracing=false"
```
```json tab="Tags"
{
// ...
"Tags": [
"traefik.http.routers.my-router.observability.tracing=false"
]
}
```
When the `observability` options are not defined on a router, it inherits the behavior from the [entrypoint's observability configuration](./overview.md), or the global one.

59
docs/content/operations/api.md
View File

@@ -145,34 +145,35 @@ All the following endpoints must be accessed with a `GET` HTTP request.
curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
```
| Path | Description |
|--------------------------------|---------------------------------------------------------------------------------------------|
| `/api/http/routers` | Lists all the HTTP routers information. |
| `/api/http/routers/{name}` | Returns the information of the HTTP router specified by `name`. |
| `/api/http/services` | Lists all the HTTP services information. |
| `/api/http/services/{name}` | Returns the information of the HTTP service specified by `name`. |
| `/api/http/middlewares` | Lists all the HTTP middlewares information. |
| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`. |
| `/api/tcp/routers` | Lists all the TCP routers information. |
| `/api/tcp/routers/{name}` | Returns the information of the TCP router specified by `name`. |
| `/api/tcp/services` | Lists all the TCP services information. |
| `/api/tcp/services/{name}` | Returns the information of the TCP service specified by `name`. |
| `/api/tcp/middlewares` | Lists all the TCP middlewares information. |
| `/api/tcp/middlewares/{name}` | Returns the information of the TCP middleware specified by `name`. |
| `/api/udp/routers` | Lists all the UDP routers information. |
| `/api/udp/routers/{name}` | Returns the information of the UDP router specified by `name`. |
| `/api/udp/services` | Lists all the UDP services information. |
| `/api/udp/services/{name}` | Returns the information of the UDP service specified by `name`. |
| `/api/entrypoints` | Lists all the entry points information. |
| `/api/entrypoints/{name}` | Returns the information of the entry point specified by `name`. |
| `/api/overview` | Returns statistic information about http and tcp as well as enabled features and providers. |
| `/api/rawdata` | Returns information about dynamic configurations, errors, status and dependency relations. |
| `/api/version` | Returns information about Traefik version. |
| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
| `/debug/pprof/` | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
| `/debug/pprof/cmdline` | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
| `/debug/pprof/profile` | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
| Path | Description |
|--------------------------------|-----------------------------------------------------------------------------------------------------|
| `/api/http/routers` | Lists all the HTTP routers information. |
| `/api/http/routers/{name}` | Returns the information of the HTTP router specified by `name`. |
| `/api/http/services` | Lists all the HTTP services information. |
| `/api/http/services/{name}` | Returns the information of the HTTP service specified by `name`. |
| `/api/http/middlewares` | Lists all the HTTP middlewares information. |
| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`. |
| `/api/tcp/routers` | Lists all the TCP routers information. |
| `/api/tcp/routers/{name}` | Returns the information of the TCP router specified by `name`. |
| `/api/tcp/services` | Lists all the TCP services information. |
| `/api/tcp/services/{name}` | Returns the information of the TCP service specified by `name`. |
| `/api/tcp/middlewares` | Lists all the TCP middlewares information. |
| `/api/tcp/middlewares/{name}` | Returns the information of the TCP middleware specified by `name`. |
| `/api/udp/routers` | Lists all the UDP routers information. |
| `/api/udp/routers/{name}` | Returns the information of the UDP router specified by `name`. |
| `/api/udp/services` | Lists all the UDP services information. |
| `/api/udp/services/{name}` | Returns the information of the UDP service specified by `name`. |
| `/api/entrypoints` | Lists all the entry points information. |
| `/api/entrypoints/{name}` | Returns the information of the entry point specified by `name`. |
| `/api/overview` | Returns statistic information about http and tcp as well as enabled features and providers. |
| `/api/support-dump` | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
| `/api/rawdata` | Returns information about dynamic configurations, errors, status and dependency relations. |
| `/api/version` | Returns information about Traefik version. |
| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
| `/debug/pprof/` | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
| `/debug/pprof/cmdline` | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
| `/debug/pprof/profile` | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
{!traefik-for-business-applications.md!}

36
docs/content/operations/dashboard.md
View File

@@ -87,8 +87,44 @@ rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashb
??? example "Dashboard Dynamic Configuration Examples"
--8<-- "content/operations/include-dashboard-examples.md"
### Custom API Base Path
As shown above, by default Traefik exposes its API and Dashboard under the `/` base path,
which means that respectively the API is served under the `/api` path,
and the dashboard under the `/dashboard` path.
However, it is possible to configure this base path:
```yaml tab="File (YAML)"
api:
# Customizes the base path:
# - Serving API under `/traefik/api`
# - Serving Dashboard under `/traefik/dashboard`
basePath: /traefik
```
```toml tab="File (TOML)"
[api]
# Customizes the base path:
# - Serving API under `/traefik/api`
# - Serving Dashboard under `/traefik/dashboard`
basePath = "/traefik"
```
```bash tab="CLI"
# Customizes the base path:
# - Serving API under `/traefik/api`
# - Serving Dashboard under `/traefik/dashboard`
--api.basePath=/traefik
```
??? example "Dashboard Under Custom Path Dynamic Configuration Examples"
--8<-- "content/operations/include-dashboard-custom-path-examples.md"
## Insecure Mode
!!! warning "Please note that this mode is incompatible with the [custom API base path option](#custom-api-base-path)."
When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).

83
docs/content/operations/include-dashboard-custom-path-examples.md Normal file
View File

@@ -0,0 +1,83 @@
```yaml tab="Docker & Swarm"
# Dynamic Configuration
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="Docker (Swarm)"
# Dynamic Configuration
deploy:
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# Dummy service for Swarm port detection. The port can be any valid integer value.
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
```
```yaml tab="Kubernetes CRD"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
spec:
routes:
- match: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: auth
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: auth
spec:
basicAuth:
secret: secretName # Kubernetes secret named "secretName"
```
```yaml tab="Consul Catalog"
# Dynamic Configuration
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="File (YAML)"
# Dynamic Configuration
http:
routers:
dashboard:
rule: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
service: api@internal
middlewares:
- auth
middlewares:
auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```

5
docs/content/providers/docker.md
View File

@@ -40,7 +40,6 @@ This provider works with [Docker (standalone) Engine](https://docs.docker.com/en
Attaching labels to containers (in your docker compose file)
```yaml
version: "3"
services:
my-container:
# ...
@@ -162,11 +161,9 @@ See the [Docker API Access](#docker-api-access) section for more information.
The docker-compose file shares the docker sock with the Traefik container
```yaml
version: '3'
services:
traefik:
image: traefik:v3.2 # The official v3 Traefik docker image
image: traefik:v3.4 # The official v3 Traefik docker image
ports:
- "80:80"
volumes:

3
docs/content/providers/ecs.md
View File

@@ -325,7 +325,8 @@ _Optional_
If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
In a FARGATE context it is resolved from the `AWS_REGION` environment variable.
If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the following order:
If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the order specified by the
[default credential chain of AWS SDK for Go V2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials):
- Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
- Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.

4
docs/content/providers/kubernetes-crd.md
View File

@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
```bash
# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
# Install RBAC for Traefik:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
```
## Resource Configuration

22
docs/content/providers/kubernetes-gateway.md
View File

@@ -5,14 +5,14 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
# Traefik & Kubernetes with Gateway API
The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
specification from the Kubernetes Special Interest Groups (SIGs).
This provider supports Standard version [v1.2.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) of the Gateway API specification.
This provider supports Standard version [v1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1) of the Gateway API specification.
It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.0/traefik-traefik).
For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.1/traefik-traefik).
## Requirements
@@ -20,25 +20,25 @@ For more details, check out the conformance [report](https://github.com/kubernet
!!! info "Helm Chart"
When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L130).
1. Install/update the Kubernetes Gateway API CRDs.
```bash
# Install Gateway API CRDs from the Standard channel.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
```
2. Install the additional Traefik RBAC required for Gateway API.
```bash
# Install Traefik RBACs.
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
```
3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
```yaml tab="File (YAML)"
providers:
kubernetesGateway: {}
@@ -54,9 +54,9 @@ For more details, check out the conformance [report](https://github.com/kubernet
## Routing Configuration
When using the Kubernetes Gateway API provider, Traefik uses the Gateway API CRDs to retrieve its routing configuration.
Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/),
and the dedicated [routing section](../routing/providers/kubernetes-gateway.md) in the Traefik documentation.
When using the Kubernetes Gateway API provider, Traefik uses the Gateway API CRDs to retrieve its routing configuration.
Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/),
and the dedicated [routing section](../routing/providers/kubernetes-gateway.md) in the Traefik documentation.
## Provider Configuration
@@ -275,7 +275,7 @@ providers:
```bash
# Install Gateway API CRDs from the Experimental channel.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/experimental-install.yaml
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/experimental-install.yaml
```
### `labelselector`

14
docs/content/providers/kubernetes-ingress.md
View File

@@ -398,11 +398,17 @@ providers:
_Optional, Default: ""_
The Kubernetes service to copy status from.
When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the ingresses.
Format: `namespace/servicename`.
The Kubernetes service to copy status from,
depending on the service type:
- **ClusterIP:** The ExternalIPs of the service will be propagated to the ingress status.
- **NodePort:** The ExternalIP addresses of the nodes in the cluster will be propagated to the ingress status.
- **LoadBalancer:** The IPs from the service's `loadBalancer.status` field (which contains the endpoints provided by the load balancer) will be propagated to the ingress status.
When using third-party tools such as External-DNS, this option enables the copying of external service IPs to the ingress resources.
```yaml tab="File (YAML)"
providers:
kubernetesIngress:
@@ -526,6 +532,6 @@ providers:
### Further
To learn more about the various aspects of the Ingress specification that Traefik supports,
many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
{!traefik-for-business-applications.md!}

6
docs/content/providers/redis.md
View File

@@ -10,6 +10,12 @@ A Story of KV store & Containers
Store your configuration in Redis and let Traefik do the rest!
!!! tip "Dynamic configuration updates"
Dynamic configuration updates require Redis [keyspace notifications](https://redis.io/docs/latest/develop/use/keyspace-notifications) to be enabled.
Cloud-managed Redis services (e.g., GCP Memorystore, AWS ElastiCache) may disable this by default due to CPU performance issues.
For more information, see the [Redis](https://redis.io/docs/latest/develop/use/keyspace-notifications/) documentation or refer to your cloud provider's documentation for specific configuration steps.
## Routing Configuration
See the dedicated section in [routing](../routing/providers/kv.md).

9
docs/content/providers/swarm.md
View File

@@ -53,7 +53,6 @@ This provider works with [Docker Swarm Mode](https://docs.docker.com/engine/swar
then that service is automatically assigned to the router.
```yaml
version: "3"
services:
my-container:
deploy:
@@ -176,8 +175,6 @@ docker service create \
```
```yml tab="With Docker Compose"
version: '3'
services:
traefik:
# ...
@@ -208,11 +205,9 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
The docker-compose file shares the docker sock with the Traefik container
```yaml
version: '3'
services:
traefik:
image: traefik:v3.2 # The official v3 Traefik docker image
image: traefik:v3.4 # The official v3 Traefik docker image
ports:
- "80:80"
volumes:
@@ -247,7 +242,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
```yaml tab="File (YAML)"
providers:
docker:
swarm:
endpoint: "ssh://traefik@192.168.2.5:2022"
# ...
```

31
docs/content/reference/dynamic-configuration/docker-labels.yml
View File

@@ -33,12 +33,18 @@
- "traefik.http.middlewares.middleware09.errors.query=foobar"
- "traefik.http.middlewares.middleware09.errors.service=foobar"
- "traefik.http.middlewares.middleware09.errors.status=foobar, foobar"
- "traefik.http.middlewares.middleware09.errors.statusrewrites.name0=42"
- "traefik.http.middlewares.middleware09.errors.statusrewrites.name1=42"
- "traefik.http.middlewares.middleware10.forwardauth.addauthcookiestoresponse=foobar, foobar"
- "traefik.http.middlewares.middleware10.forwardauth.address=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
- "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
- "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.forwardbody=true"
- "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.maxbodysize=42"
- "traefik.http.middlewares.middleware10.forwardauth.preservelocationheader=true"
- "traefik.http.middlewares.middleware10.forwardauth.preserverequestmethod=true"
- "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
- "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
- "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
@@ -126,6 +132,20 @@
- "traefik.http.middlewares.middleware18.ratelimit.average=42"
- "traefik.http.middlewares.middleware18.ratelimit.burst=42"
- "traefik.http.middlewares.middleware18.ratelimit.period=42s"
- "traefik.http.middlewares.middleware18.ratelimit.redis.db=42"
- "traefik.http.middlewares.middleware18.ratelimit.redis.dialtimeout=42s"
- "traefik.http.middlewares.middleware18.ratelimit.redis.endpoints=foobar, foobar"
- "traefik.http.middlewares.middleware18.ratelimit.redis.maxactiveconns=42"
- "traefik.http.middlewares.middleware18.ratelimit.redis.minidleconns=42"
- "traefik.http.middlewares.middleware18.ratelimit.redis.password=foobar"
- "traefik.http.middlewares.middleware18.ratelimit.redis.poolsize=42"
- "traefik.http.middlewares.middleware18.ratelimit.redis.readtimeout=42s"
- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.ca=foobar"
- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.cert=foobar"
- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.insecureskipverify=true"
- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.key=foobar"
- "traefik.http.middlewares.middleware18.ratelimit.redis.username=foobar"
- "traefik.http.middlewares.middleware18.ratelimit.redis.writetimeout=42s"
- "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.ipv6subnet=42"
@@ -147,6 +167,9 @@
- "traefik.http.middlewares.middleware25.stripprefixregex.regex=foobar, foobar"
- "traefik.http.routers.router0.entrypoints=foobar, foobar"
- "traefik.http.routers.router0.middlewares=foobar, foobar"
- "traefik.http.routers.router0.observability.accesslogs=true"
- "traefik.http.routers.router0.observability.metrics=true"
- "traefik.http.routers.router0.observability.tracing=true"
- "traefik.http.routers.router0.priority=42"
- "traefik.http.routers.router0.rule=foobar"
- "traefik.http.routers.router0.rulesyntax=foobar"
@@ -160,6 +183,9 @@
- "traefik.http.routers.router0.tls.options=foobar"
- "traefik.http.routers.router1.entrypoints=foobar, foobar"
- "traefik.http.routers.router1.middlewares=foobar, foobar"
- "traefik.http.routers.router1.observability.accesslogs=true"
- "traefik.http.routers.router1.observability.metrics=true"
- "traefik.http.routers.router1.observability.tracing=true"
- "traefik.http.routers.router1.priority=42"
- "traefik.http.routers.router1.rule=foobar"
- "traefik.http.routers.router1.rulesyntax=foobar"
@@ -188,13 +214,18 @@
- "traefik.http.services.service02.loadbalancer.serverstransport=foobar"
- "traefik.http.services.service02.loadbalancer.sticky=true"
- "traefik.http.services.service02.loadbalancer.sticky.cookie=true"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.domain=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
- "traefik.http.services.service02.loadbalancer.strategy=foobar"
- "traefik.http.services.service02.loadbalancer.server.port=foobar"
- "traefik.http.services.service02.loadbalancer.server.preservepath=true"
- "traefik.http.services.service02.loadbalancer.server.scheme=foobar"
- "traefik.http.services.service02.loadbalancer.server.url=foobar"
- "traefik.http.services.service02.loadbalancer.server.weight=42"
- "traefik.tcp.middlewares.tcpmiddleware01.ipallowlist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware02.ipwhitelist.sourcerange=foobar, foobar"

38
docs/content/reference/dynamic-configuration/file.toml
View File

@@ -20,6 +20,10 @@
[[http.routers.Router0.tls.domains]]
main = "foobar"
sans = ["foobar", "foobar"]
[http.routers.Router0.observability]
accessLogs = true
tracing = true
metrics = true
[http.routers.Router1]
entryPoints = ["foobar", "foobar"]
middlewares = ["foobar", "foobar"]
@@ -38,6 +42,10 @@
[[http.routers.Router1.tls.domains]]
main = "foobar"
sans = ["foobar", "foobar"]
[http.routers.Router1.observability]
accessLogs = true
tracing = true
metrics = true
[http.services]
[http.services.Service01]
[http.services.Service01.failover]
@@ -46,6 +54,7 @@
[http.services.Service01.failover.healthCheck]
[http.services.Service02]
[http.services.Service02.loadBalancer]
strategy = "foobar"
passHostHeader = true
serversTransport = "foobar"
[http.services.Service02.loadBalancer.sticky]
@@ -55,6 +64,8 @@
httpOnly = true
sameSite = "foobar"
maxAge = 42
path = "foobar"
domain = "foobar"
[[http.services.Service02.loadBalancer.servers]]
url = "foobar"
@@ -112,6 +123,8 @@
httpOnly = true
sameSite = "foobar"
maxAge = 42
path = "foobar"
domain = "foobar"
[http.services.Service04.weighted.healthCheck]
[http.middlewares]
[http.middlewares.Middleware01]
@@ -163,6 +176,9 @@
status = ["foobar", "foobar"]
service = "foobar"
query = "foobar"
[http.middlewares.Middleware09.errors.statusRewrites]
name0 = 42
name1 = 42
[http.middlewares.Middleware10]
[http.middlewares.Middleware10.forwardAuth]
address = "foobar"
@@ -172,6 +188,10 @@
authRequestHeaders = ["foobar", "foobar"]
addAuthCookiesToResponse = ["foobar", "foobar"]
headerField = "foobar"
forwardBody = true
maxBodySize = 42
preserveLocationHeader = true
preserveRequestMethod = true
[http.middlewares.Middleware10.forwardAuth.tls]
ca = "foobar"
cert = "foobar"
@@ -292,6 +312,22 @@
depth = 42
excludedIPs = ["foobar", "foobar"]
ipv6Subnet = 42
[http.middlewares.Middleware18.rateLimit.redis]
endpoints = ["foobar", "foobar"]
username = "foobar"
password = "foobar"
db = 42
poolSize = 42
minIdleConns = 42
maxActiveConns = 42
readTimeout = "42s"
writeTimeout = "42s"
dialTimeout = "42s"
[http.middlewares.Middleware18.rateLimit.redis.tls]
ca = "foobar"
cert = "foobar"
key = "foobar"
insecureSkipVerify = true
[http.middlewares.Middleware19]
[http.middlewares.Middleware19.redirectRegex]
regex = "foobar"
@@ -534,6 +570,7 @@
curvePreferences = ["foobar", "foobar"]
sniStrict = true
alpnProtocols = ["foobar", "foobar"]
disableSessionTickets = true
preferServerCipherSuites = true
[tls.options.Options0.clientAuth]
caFiles = ["foobar", "foobar"]
@@ -545,6 +582,7 @@
curvePreferences = ["foobar", "foobar"]
sniStrict = true
alpnProtocols = ["foobar", "foobar"]
disableSessionTickets = true
preferServerCipherSuites = true
[tls.options.Options1.clientAuth]
caFiles = ["foobar", "foobar"]

40
docs/content/reference/dynamic-configuration/file.yaml
View File

@@ -25,6 +25,10 @@ http:
sans:
- foobar
- foobar
observability:
accessLogs: true
tracing: true
metrics: true
Router1:
entryPoints:
- foobar
@@ -48,6 +52,10 @@ http:
sans:
- foobar
- foobar
observability:
accessLogs: true
tracing: true
metrics: true
services:
Service01:
failover:
@@ -63,6 +71,8 @@ http:
httpOnly: true
sameSite: foobar
maxAge: 42
path: foobar
domain: foobar
servers:
- url: foobar
weight: 42
@@ -70,6 +80,7 @@ http:
- url: foobar
weight: 42
preservePath: true
strategy: foobar
healthCheck:
scheme: foobar
mode: foobar
@@ -113,6 +124,8 @@ http:
httpOnly: true
sameSite: foobar
maxAge: 42
path: foobar
domain: foobar
healthCheck: {}
middlewares:
Middleware01:
@@ -176,6 +189,9 @@ http:
status:
- foobar
- foobar
statusRewrites:
name0: 42
name1: 42
service: foobar
query: foobar
Middleware10:
@@ -199,6 +215,10 @@ http:
- foobar
- foobar
headerField: foobar
forwardBody: true
maxBodySize: 42
preserveLocationHeader: true
preserveRequestMethod: true
Middleware11:
grpcWeb:
allowOrigins:
@@ -341,6 +361,24 @@ http:
ipv6Subnet: 42
requestHeaderName: foobar
requestHost: true
redis:
endpoints:
- foobar
- foobar
tls:
ca: foobar
cert: foobar
key: foobar
insecureSkipVerify: true
username: foobar
password: foobar
db: 42
poolSize: 42
minIdleConns: 42
maxActiveConns: 42
readTimeout: 42s
writeTimeout: 42s
dialTimeout: 42s
Middleware19:
redirectRegex:
regex: foobar
@@ -606,6 +644,7 @@ tls:
alpnProtocols:
- foobar
- foobar
disableSessionTickets: true
preferServerCipherSuites: true
Options1:
minVersion: foobar
@@ -625,6 +664,7 @@ tls:
alpnProtocols:
- foobar
- foobar
disableSessionTickets: true
preferServerCipherSuites: true
stores:
Store0:

519
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View File

File diff suppressed because it is too large Load Diff

1
docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
View File

@@ -10,6 +10,7 @@ rules:
- services
- secrets
- nodes
- configmaps
verbs:
- get
- list

2
docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
View File

@@ -25,7 +25,7 @@ spec:
serviceAccountName: traefik-controller
containers:
- name: traefik
image: traefik:v3.2
image: traefik:v3.4
args:
- --entryPoints.web.address=:80
- --entryPoints.websecure.address=:443

37
docs/content/reference/dynamic-configuration/kv-ref.md
View File

@@ -2,6 +2,9 @@
CODE GENERATED AUTOMATICALLY
THIS FILE MUST NOT BE EDITED BY HAND
-->
| Key (Path) | Value |
|------------|-------|
| `traefik/http/middlewares/Middleware01/addPrefix/prefix` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/headerField` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/realm` | `foobar` |
@@ -40,6 +43,8 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/middlewares/Middleware09/errors/service` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/status/0` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/status/1` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name0` | `42` |
| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name1` | `42` |
| `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/0` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/1` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/address` | `foobar` |
@@ -48,7 +53,11 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/forwardBody` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
| `traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/preserveRequestMethod` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
@@ -147,6 +156,21 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/middlewares/Middleware18/rateLimit/average` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/burst` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/period` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/db` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/dialTimeout` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/0` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/1` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/maxActiveConns` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/minIdleConns` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/password` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/poolSize` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/readTimeout` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/ca` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/cert` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/insecureSkipVerify` | `true` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/key` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/username` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/writeTimeout` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
@@ -173,6 +197,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
| `traefik/http/routers/Router0/middlewares/0` | `foobar` |
| `traefik/http/routers/Router0/middlewares/1` | `foobar` |
| `traefik/http/routers/Router0/observability/accessLogs` | `true` |
| `traefik/http/routers/Router0/observability/metrics` | `true` |
| `traefik/http/routers/Router0/observability/tracing` | `true` |
| `traefik/http/routers/Router0/priority` | `42` |
| `traefik/http/routers/Router0/rule` | `foobar` |
| `traefik/http/routers/Router0/ruleSyntax` | `foobar` |
@@ -189,6 +216,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/routers/Router1/entryPoints/1` | `foobar` |
| `traefik/http/routers/Router1/middlewares/0` | `foobar` |
| `traefik/http/routers/Router1/middlewares/1` | `foobar` |
| `traefik/http/routers/Router1/observability/accessLogs` | `true` |
| `traefik/http/routers/Router1/observability/metrics` | `true` |
| `traefik/http/routers/Router1/observability/tracing` | `true` |
| `traefik/http/routers/Router1/priority` | `42` |
| `traefik/http/routers/Router1/rule` | `foobar` |
| `traefik/http/routers/Router1/ruleSyntax` | `foobar` |
@@ -263,11 +293,14 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/services/Service02/loadBalancer/servers/1/url` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/servers/1/weight` | `42` |
| `traefik/http/services/Service02/loadBalancer/serversTransport` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/domain` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/httpOnly` | `true` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/maxAge` | `42` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/name` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/path` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/sameSite` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/secure` | `true` |
| `traefik/http/services/Service02/loadBalancer/strategy` | `foobar` |
| `traefik/http/services/Service03/mirroring/healthCheck` | `` |
| `traefik/http/services/Service03/mirroring/maxBodySize` | `42` |
| `traefik/http/services/Service03/mirroring/mirrorBody` | `true` |
@@ -281,9 +314,11 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/http/services/Service04/weighted/services/0/weight` | `42` |
| `traefik/http/services/Service04/weighted/services/1/name` | `foobar` |
| `traefik/http/services/Service04/weighted/services/1/weight` | `42` |
| `traefik/http/services/Service04/weighted/sticky/cookie/domain` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/httpOnly` | `true` |
| `traefik/http/services/Service04/weighted/sticky/cookie/maxAge` | `42` |
| `traefik/http/services/Service04/weighted/sticky/cookie/name` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/path` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/sameSite` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/secure` | `true` |
| `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0` | `foobar` |
@@ -383,6 +418,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/tls/options/Options0/clientAuth/clientAuthType` | `foobar` |
| `traefik/tls/options/Options0/curvePreferences/0` | `foobar` |
| `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
| `traefik/tls/options/Options0/disableSessionTickets` | `true` |
| `traefik/tls/options/Options0/maxVersion` | `foobar` |
| `traefik/tls/options/Options0/minVersion` | `foobar` |
| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
@@ -396,6 +432,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
| `traefik/tls/options/Options1/clientAuth/clientAuthType` | `foobar` |
| `traefik/tls/options/Options1/curvePreferences/0` | `foobar` |
| `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
| `traefik/tls/options/Options1/disableSessionTickets` | `true` |
| `traefik/tls/options/Options1/maxVersion` | `foobar` |
| `traefik/tls/options/Options1/minVersion` | `foobar` |
| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |

2
docs/content/reference/dynamic-configuration/kv.md
View File

@@ -8,6 +8,4 @@ description: "Read the technical documentation to learn the Traefik Dynamic Conf
Dynamic configuration with KV stores.
{: .subtitle }
| Key (Path) | Value |
|----------------------------------------------------------------------------------------------|-------------|
--8<-- "content/reference/dynamic-configuration/kv-ref.md"

4
docs/content/reference/dynamic-configuration/swarm.yml
View File

@@ -1,3 +1,3 @@
- "traefik.enable=true"
- "traefik.docker.network=foobar"
- "traefik.docker.lbswarm=true"
- "traefik.swarm.network=foobar"
- "traefik.swarm.lbswarm=true"

69
docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
View File

@@ -43,7 +43,7 @@ spec:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
Default: all.
items:
type: string
@@ -57,18 +57,19 @@ spec:
description: |-
Kind defines the kind of the route.
Rule is the only supported kind.
If not defined, defaults to Rule.
enum:
- Rule
type: string
match:
description: |-
Match defines the router's rule.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule
type: string
middlewares:
description: |-
Middlewares defines the list of references to Middleware resources.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-middleware
items:
description: MiddlewareRef is a reference to a Middleware
resource.
@@ -85,10 +86,23 @@ spec:
- name
type: object
type: array
observability:
description: |-
Observability defines the observability configuration for a router.
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#observability
properties:
accessLogs:
type: boolean
metrics:
type: boolean
tracing:
type: boolean
type: object
priority:
description: |-
Priority defines the router's priority.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority
maximum: 9223372036854775000
type: integer
services:
description: |-
@@ -229,11 +243,16 @@ spec:
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as
@@ -241,17 +260,27 @@ spec:
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie
@@ -263,12 +292,18 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
@@ -277,28 +312,28 @@ spec:
syntax:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
type: string
required:
- kind
- match
type: object
type: array
tls:
description: |-
TLS defines the TLS configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls
properties:
certResolver:
description: |-
CertResolver defines the name of the certificate resolver to use.
Cert resolvers have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
type: string
domains:
description: |-
Domains defines the list of domains that will be used to issue certificates.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
items:
description: Domain holds a domain name with SANs.
properties:
@@ -317,17 +352,17 @@ spec:
description: |-
Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
If not defined, the `default` TLSOption is used.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
properties:
name:
description: |-
Name defines the name of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
type: string
namespace:
description: |-
Namespace defines the namespace of the referenced TLSOption.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
type: string
required:
- name
@@ -344,12 +379,12 @@ spec:
name:
description: |-
Name defines the name of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
type: string
namespace:
description: |-
Namespace defines the namespace of the referenced TLSStore.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
type: string
required:
- name

26
docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
View File

@@ -43,7 +43,7 @@ spec:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
Default: all.
items:
type: string
@@ -56,7 +56,7 @@ spec:
match:
description: |-
Match defines the router's rule.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule_1
type: string
middlewares:
description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,8 @@ spec:
priority:
description: |-
Priority defines the router's priority.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority_1
maximum: 9223372036854775000
type: integer
services:
description: Services defines the list of TCP services.
@@ -121,11 +122,13 @@ spec:
proxyProtocol:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#proxy-protocol
properties:
version:
description: Version defines the PROXY Protocol version
to use.
maximum: 2
minimum: 1
type: integer
type: object
serversTransport:
@@ -150,6 +153,7 @@ spec:
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
minimum: 0
type: integer
required:
- name
@@ -159,7 +163,11 @@ spec:
syntax:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax_1
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
enum:
- v3
- v2
type: string
required:
- match
@@ -168,18 +176,18 @@ spec:
tls:
description: |-
TLS defines the TLS configuration on a layer 4 / TCP Route.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls_1
properties:
certResolver:
description: |-
CertResolver defines the name of the certificate resolver to use.
Cert resolvers have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
type: string
domains:
description: |-
Domains defines the list of domains that will be used to issue certificates.
More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
items:
description: Domain holds a domain name with SANs.
properties:
@@ -198,7 +206,7 @@ spec:
description: |-
Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
If not defined, the `default` TLSOption is used.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
properties:
name:
description: Name defines the name of the referenced Traefik

3
docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
View File

@@ -43,7 +43,7 @@ spec:
description: |-
EntryPoints defines the list of entry point names to bind to.
Entry points have to be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
Default: all.
items:
type: string
@@ -92,6 +92,7 @@ spec:
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
minimum: 0
type: integer
required:
- name

229
docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
View File

@@ -19,7 +19,7 @@ spec:
openAPIV3Schema:
description: |-
Middleware is the CRD implementation of a Traefik Middleware.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/overview/
properties:
apiVersion:
description: |-
@@ -45,24 +45,27 @@ spec:
description: |-
AddPrefix holds the add prefix middleware configuration.
This middleware updates the path of a request before forwarding it.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/addprefix/
properties:
prefix:
description: |-
Prefix is the string to add before the current path in the requested URL.
It should include a leading slash (/).
type: string
x-kubernetes-validations:
- message: must start with a '/'
rule: self.startsWith('/')
type: object
basicAuth:
description: |-
BasicAuth holds the basic auth middleware configuration.
This middleware restricts access to your services to known users.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/
properties:
headerField:
description: |-
HeaderField defines a header field to store the authenticated user.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
type: string
realm:
description: |-
@@ -83,7 +86,7 @@ spec:
description: |-
Buffering holds the buffering middleware configuration.
This middleware retries or limits the size of requests that can be forwarded to backends.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#maxrequestbodybytes
properties:
maxRequestBodyBytes:
description: |-
@@ -115,14 +118,14 @@ spec:
description: |-
RetryExpression defines the retry conditions.
It is a logical combination of functions with operators AND (&&) and OR (||).
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#retryexpression
type: string
type: object
chain:
description: |-
Chain holds the configuration of the chain middleware.
This middleware enables to define reusable combinations of other pieces of middleware.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/chain/
properties:
middlewares:
description: Middlewares is the list of MiddlewareRef which composes
@@ -152,6 +155,7 @@ spec:
- type: string
description: CheckPeriod is the interval between successive checks
of the circuit breaker condition (when in standby state).
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
expression:
description: Expression is the condition that triggers the tripped
@@ -171,17 +175,20 @@ spec:
description: RecoveryDuration is the duration for which the circuit
breaker will try to recover (as soon as it is in recovering
state).
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
responseCode:
description: ResponseCode is the status code that the circuit
breaker will return while it is in the open state.
maximum: 599
minimum: 100
type: integer
type: object
compress:
description: |-
Compress holds the compress middleware configuration.
This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/compress/
properties:
defaultEncoding:
description: DefaultEncoding specifies the default encoding if
@@ -212,6 +219,7 @@ spec:
description: |-
MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
Default: 1024.
minimum: 0
type: integer
type: object
contentType:
@@ -230,12 +238,12 @@ spec:
description: |-
DigestAuth holds the digest auth middleware configuration.
This middleware restricts access to your services to known users.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/digestauth/
properties:
headerField:
description: |-
HeaderField defines a header field to store the authenticated user.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
type: string
realm:
description: |-
@@ -255,17 +263,19 @@ spec:
description: |-
ErrorPage holds the custom error middleware configuration.
This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/
properties:
query:
description: |-
Query defines the URL for the error page (hosted by service).
The {status} variable can be used in order to insert the status code in the URL.
The {originalStatus} variable can be used in order to insert the upstream status code in the URL.
The {url} variable can be used in order to insert the escaped request URL.
type: string
service:
description: |-
Service defines the reference to a Kubernetes Service that will serve the error page.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/#service
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
@@ -398,28 +408,43 @@ spec:
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie can
be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can
@@ -431,12 +456,18 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
@@ -449,14 +480,22 @@ spec:
as ranges by separating two codes with a dash (500-599),
or a combination of the two (404,418,500-599).
items:
pattern: ^([1-5][0-9]{2}[,-]?)+$
type: string
type: array
statusRewrites:
additionalProperties:
type: integer
description: |-
StatusRewrites defines a mapping of status codes that should be returned instead of the original error status codes.
For example: "418": 404 or "410-418": 404
type: object
type: object
forwardAuth:
description: |-
ForwardAuth holds the forward auth middleware configuration.
This middleware delegates the request authentication to a Service.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/
properties:
addAuthCookiesToResponse:
description: AddAuthCookiesToResponse defines the list of cookies
@@ -484,8 +523,32 @@ spec:
authResponseHeadersRegex:
description: |-
AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#authresponseheadersregex
type: string
forwardBody:
description: ForwardBody defines whether to send the request body
to the authentication server.
type: boolean
headerField:
description: |-
HeaderField defines a header field to store the authenticated user.
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#headerfield
type: string
maxBodySize:
description: MaxBodySize defines the maximum body size in bytes
allowed to be forwarded to the authentication server.
format: int64
type: integer
preserveLocationHeader:
description: PreserveLocationHeader defines whether to forward
the Location header to the client as is or prefix it with the
domain name of the authentication server.
type: boolean
preserveRequestMethod:
description: PreserveRequestMethod defines whether to preserve
the original request method while forwarding the request to
the authentication server.
type: boolean
tls:
description: TLS defines the configuration used to secure the
connection to the authentication server.
@@ -531,7 +594,7 @@ spec:
description: |-
Headers holds the headers middleware configuration.
This middleware manages the requests and responses headers.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/headers/#customrequestheaders
properties:
accessControlAllowCredentials:
description: AccessControlAllowCredentials defines whether the
@@ -696,36 +759,39 @@ spec:
STSSeconds defines the max-age of the Strict-Transport-Security header.
If set to 0, the header is not set.
format: int64
minimum: 0
type: integer
type: object
inFlightReq:
description: |-
InFlightReq holds the in-flight request middleware configuration.
This middleware limits the number of requests being processed and served concurrently.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/
properties:
amount:
description: |-
Amount defines the maximum amount of allowed simultaneous in-flight request.
The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
format: int64
minimum: 0
type: integer
sourceCriterion:
description: |-
SourceCriterion defines what criterion is used to group requests as originating from a common source.
If several strategies are defined at the same time, an error will be raised.
If none are set, the default is to use the requestHost.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/#sourcecriterion
properties:
ipStrategy:
description: |-
IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position
(starting from the right).
minimum: 0
type: integer
excludedIPs:
description: ExcludedIPs configures Traefik to scan the
@@ -755,17 +821,18 @@ spec:
description: |-
IPAllowList holds the IP allowlist middleware configuration.
This middleware limits allowed requests based on the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/
properties:
ipStrategy:
description: |-
IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position (starting
from the right).
minimum: 0
type: integer
excludedIPs:
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
@@ -797,12 +864,13 @@ spec:
ipStrategy:
description: |-
IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position (starting
from the right).
minimum: 0
type: integer
excludedIPs:
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
@@ -827,7 +895,7 @@ spec:
description: |-
PassTLSClientCert holds the pass TLS client cert middleware configuration.
This middleware adds the selected data from the passed client TLS certificate to a header.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/passtlsclientcert/
properties:
info:
description: Info selects the specific client certificate details
@@ -936,7 +1004,7 @@ spec:
description: |-
RateLimit holds the rate limit configuration.
This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ratelimit/
properties:
average:
description: |-
@@ -945,12 +1013,14 @@ spec:
The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
one needs to define a Period larger than a second.
format: int64
minimum: 0
type: integer
burst:
description: |-
Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
It defaults to 1.
format: int64
minimum: 0
type: integer
period:
anyOf:
@@ -960,6 +1030,90 @@ spec:
Period, in combination with Average, defines the actual maximum rate, such as:
r = Average / Period. It defaults to a second.
x-kubernetes-int-or-string: true
redis:
description: Redis hold the configs of Redis as bucket in rate
limiter.
properties:
db:
description: DB defines the Redis database that will be selected
after connecting to the server.
type: integer
dialTimeout:
anyOf:
- type: integer
- type: string
description: |-
DialTimeout sets the timeout for establishing new connections.
Default value is 5 seconds.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
endpoints:
description: |-
Endpoints contains either a single address or a seed list of host:port addresses.
Default value is ["localhost:6379"].
items:
type: string
type: array
maxActiveConns:
description: |-
MaxActiveConns defines the maximum number of connections allocated by the pool at a given time.
Default value is 0, meaning there is no limit.
type: integer
minIdleConns:
description: |-
MinIdleConns defines the minimum number of idle connections.
Default value is 0, and idle connections are not closed by default.
type: integer
poolSize:
description: |-
PoolSize defines the initial number of socket connections.
If the pool runs out of available connections, additional ones will be created beyond PoolSize.
This can be limited using MaxActiveConns.
// Default value is 0, meaning 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
type: integer
readTimeout:
anyOf:
- type: integer
- type: string
description: |-
ReadTimeout defines the timeout for socket read operations.
Default value is 3 seconds.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
secret:
description: Secret defines the name of the referenced Kubernetes
Secret containing Redis credentials.
type: string
tls:
description: |-
TLS defines TLS-specific configurations, including the CA, certificate, and key,
which can be provided as a file path or file content.
properties:
caSecret:
description: |-
CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
The CA certificate is extracted from key `tls.ca` or `ca.crt`.
type: string
certSecret:
description: |-
CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
The client certificate is extracted from the keys `tls.crt` and `tls.key`.
type: string
insecureSkipVerify:
description: InsecureSkipVerify defines whether the server
certificates should be validated.
type: boolean
type: object
writeTimeout:
anyOf:
- type: integer
- type: string
description: |-
WriteTimeout defines the timeout for socket write operations.
Default value is 3 seconds.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
type: object
sourceCriterion:
description: |-
SourceCriterion defines what criterion is used to group requests as originating from a common source.
@@ -969,12 +1123,13 @@ spec:
ipStrategy:
description: |-
IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
properties:
depth:
description: Depth tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth position
(starting from the right).
minimum: 0
type: integer
excludedIPs:
description: ExcludedIPs configures Traefik to scan the
@@ -1004,11 +1159,11 @@ spec:
description: |-
RedirectRegex holds the redirect regex middleware configuration.
This middleware redirects a request using regex matching and replacement.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectregex/#regex
properties:
permanent:
description: Permanent defines whether the redirection is permanent
(301).
(308).
type: boolean
regex:
description: Regex defines the regex used to match and capture
@@ -1023,11 +1178,11 @@ spec:
description: |-
RedirectScheme holds the redirect scheme middleware configuration.
This middleware redirects requests from a scheme/port to another.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectscheme/
properties:
permanent:
description: Permanent defines whether the redirection is permanent
(301).
(308).
type: boolean
port:
description: Port defines the port of the new URL.
@@ -1040,7 +1195,7 @@ spec:
description: |-
ReplacePath holds the replace path middleware configuration.
This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepath/
properties:
path:
description: Path defines the path to use as replacement in the
@@ -1051,7 +1206,7 @@ spec:
description: |-
ReplacePathRegex holds the replace path regex middleware configuration.
This middleware replaces the path of a URL using regex matching and replacement.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepathregex/
properties:
regex:
description: Regex defines the regular expression used to match
@@ -1067,11 +1222,12 @@ spec:
Retry holds the retry middleware configuration.
This middleware reissues requests a given number of times to a backend server if that server does not reply.
As soon as the server answers, the middleware stops retrying, regardless of the response status.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/retry/
properties:
attempts:
description: Attempts defines how many times the request should
be retried.
minimum: 0
type: integer
initialInterval:
anyOf:
@@ -1083,13 +1239,14 @@ spec:
If unspecified, requests will be retried immediately.
The value of initialInterval should be provided in seconds or as a valid duration format,
see https://pkg.go.dev/time#ParseDuration.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
type: object
stripPrefix:
description: |-
StripPrefix holds the strip prefix middleware configuration.
This middleware removes the specified prefixes from the URL path.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefix/
properties:
forceSlash:
description: |-
@@ -1108,7 +1265,7 @@ spec:
description: |-
StripPrefixRegex holds the strip prefix regex middleware configuration.
This middleware removes the matching prefixes from the URL path.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefixregex/
properties:
regex:
description: Regex defines the regular expression to match the

7
docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
View File

@@ -19,7 +19,7 @@ spec:
openAPIV3Schema:
description: |-
MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/overview/
properties:
apiVersion:
description: |-
@@ -49,13 +49,14 @@ spec:
Amount defines the maximum amount of allowed simultaneous connections.
The middleware closes the connection if there are already amount connections opened.
format: int64
minimum: 0
type: integer
type: object
ipAllowList:
description: |-
IPAllowList defines the IPAllowList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipallowlist/
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +70,7 @@ spec:
IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
Deprecated: please use IPAllowList instead.
More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipwhitelist/
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of

36
docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
View File

@@ -21,7 +21,7 @@ spec:
ServersTransport is the CRD implementation of a ServersTransport.
If no serversTransport is specified, the default@internal will be used.
The default@internal serversTransport is created from the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_1
properties:
apiVersion:
description: |-
@@ -63,6 +63,7 @@ spec:
- type: string
description: DialTimeout is the amount of time to wait until a
connection to a backend server can be established.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
idleConnTimeout:
anyOf:
@@ -71,6 +72,7 @@ spec:
description: IdleConnTimeout is the maximum period for which an
idle HTTP keep-alive connection will remain open before closing
itself.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
pingTimeout:
anyOf:
@@ -78,6 +80,7 @@ spec:
- type: string
description: PingTimeout is the timeout after which the HTTP/2
connection will be closed if a response to ping is not received.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
readIdleTimeout:
anyOf:
@@ -86,6 +89,7 @@ spec:
description: ReadIdleTimeout is the timeout after which a health
check using ping frame will be carried out if no frame is received
on the HTTP/2 connection.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
responseHeaderTimeout:
anyOf:
@@ -94,6 +98,7 @@ spec:
description: ResponseHeaderTimeout is the amount of time to wait
for a server's response headers after fully writing the request
(including its body, if any).
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
type: object
insecureSkipVerify:
@@ -102,14 +107,39 @@ spec:
maxIdleConnsPerHost:
description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
to keep per-host.
minimum: 0
type: integer
peerCertURI:
description: PeerCertURI defines the peer cert URI used to match against
SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets or ConfigMaps
used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: '!has(self.secret) || !has(self.configMap)'
type: array
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to validate
self-signed certificate.
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array

33
docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
View File

@@ -21,7 +21,7 @@ spec:
ServersTransportTCP is the CRD implementation of a TCPServersTransport.
If no tcpServersTransport is specified, a default one named default@internal will be used.
The default@internal tcpServersTransport can be configured in the static configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_3
properties:
apiVersion:
description: |-
@@ -53,6 +53,7 @@ spec:
the protocol and operating system. Network protocols or operating
systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
dialTimeout:
anyOf:
@@ -60,6 +61,7 @@ spec:
- type: string
description: DialTimeout is the amount of time to wait until a connection
to a backend server can be established.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
terminationDelay:
anyOf:
@@ -68,6 +70,7 @@ spec:
description: TerminationDelay defines the delay to wait before fully
terminating the connection, after one connected peer has closed
its writing capability.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
tls:
description: TLS defines the TLS configuration
@@ -86,9 +89,33 @@ spec:
MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets
or ConfigMaps used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: '!has(self.secret) || !has(self.configMap)'
type: array
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to
validate self-signed certificates.
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array

12
docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
View File

@@ -19,7 +19,7 @@ spec:
openAPIV3Schema:
description: |-
TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
properties:
apiVersion:
description: |-
@@ -44,14 +44,14 @@ spec:
alpnProtocols:
description: |-
ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#alpn-protocols
items:
type: string
type: array
cipherSuites:
description: |-
CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#cipher-suites
items:
type: string
type: array
@@ -79,10 +79,14 @@ spec:
curvePreferences:
description: |-
CurvePreferences defines the preferred elliptic curves in a specific order.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#curve-preferences
items:
type: string
type: array
disableSessionTickets:
description: DisableSessionTickets disables TLS session resumption
via session tickets.
type: boolean
maxVersion:
description: |-
MaxVersion defines the maximum TLS version that Traefik will accept.

2
docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
View File

@@ -21,7 +21,7 @@ spec:
TLSStore is the CRD implementation of a Traefik TLS Store.
For the time being, only the TLSStore named default is supported.
This means that you cannot have two stores that are named default in different Kubernetes namespaces.
More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
More info: https://doc.traefik.io/traefik/v3.4/https/tls/#certificates-stores
properties:
apiVersion:
description: |-

102
docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
View File

@@ -22,7 +22,7 @@ spec:
TraefikService object allows to:
- Apply weight to Services on load-balancing
- Mirror traffic on services
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-traefikservice
properties:
apiVersion:
description: |-
@@ -268,28 +268,43 @@ spec:
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can
@@ -301,12 +316,18 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
@@ -375,28 +396,43 @@ spec:
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie can be
accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can only
@@ -407,12 +443,18 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
@@ -558,28 +600,43 @@ spec:
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can
@@ -591,12 +648,18 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
RoundRobin is the only supported value at the moment.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
@@ -605,28 +668,43 @@ spec:
sticky:
description: |-
Sticky defines whether sticky sessions are enabled.
More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie can be
accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge indicates the number of seconds until the cookie expires.
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can only

235
docs/content/reference/install-configuration/api-dashboard.md Normal file
View File

@@ -0,0 +1,235 @@
---
title: "Traefik API & Dashboard Documentation"
description: "Traefik Proxy exposes information through API handlers and showcase them on the Dashboard. Learn about the security, configuration, and endpoints of the APIs and Dashboard. Read the technical documentation."
---
The dashboard is the central place that shows you the current active routes handled by Traefik.
<figure>
<img src="../../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
<figcaption>The dashboard in action</figcaption>
</figure>
## Configuration Example
Enable the dashboard:
```yaml tab="File(YAML)"
api: {}
```
```toml tab="File(TOML)"
[api]
```
```cli tab="CLI"
--api=true
```
Expose the dashboard:
```yaml tab="Kubernetes CRD"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
spec:
routes:
- match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: auth
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: auth
spec:
basicAuth:
secret: secretName # Kubernetes secret named "secretName"
```
```yaml tab="Helm Chart Values (values.yaml)"
# Create an IngressRoute for the dashboard
ingressRoute:
dashboard:
enabled: true
# Custom match rule with host domain
matchRule: Host(`traefik.example.com`)
entryPoints: ["websecure"]
# Add custom middlewares : authentication and redirection
middlewares:
- name: traefik-dashboard-auth
# Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way).
# /!\ Yes, you need to replace "changeme" password with a better one. /!\
extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: traefik-dashboard-auth-secret
type: kubernetes.io/basic-auth
stringData:
username: admin
password: changeme
- apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-auth
spec:
basicAuth:
secret: traefik-dashboard-auth-secret
```
```yaml tab="Docker"
# Dynamic Configuration
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="Swarm"
# Dynamic Configuration
deploy:
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# Dummy service for Swarm port detection. The port can be any valid integer value.
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
```
```yaml tab="Consul Catalog"
# Dynamic Configuration
- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="File (YAML)"
# Dynamic Configuration
http:
routers:
dashboard:
rule: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
service: api@internal
middlewares:
- auth
middlewares:
auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
## Configuration Options
The API and the dashboard can be configured:
- In the Helm Chart: You can find the options to customize the Traefik installation
enabing the dashboard [here](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L155).
- In the Traefik Static Configuration as described below.
| Field | Description | Default | Required |
|:-----------|:---------------------------------|:--------|:---------|
| `api` | Enable api/dashboard. When set to `true`, its sub option `api.dashboard` is also set to true.| false | No |
| `api.dashboard` | Enable dashboard. | false | No |
| `api.debug` | Enable additional endpoints for debugging and profiling. | false | No |
| `api.disabledashboardad` | Disable the advertisement from the dashboard. | false | No |
| `api.insecure` | Enable the API and the dashboard on the entryPoint named traefik.| false | No |
## Endpoints
All the following endpoints must be accessed with a `GET` HTTP request.
| Path | Description |
|--------------------------------|---------------------------------------------------------------------------------------------|
| `/api/http/routers` | Lists all the HTTP routers information. |
| `/api/http/routers/{name}` | Returns the information of the HTTP router specified by `name`. |
| `/api/http/services` | Lists all the HTTP services information. |
| `/api/http/services/{name}` | Returns the information of the HTTP service specified by `name`. |
| `/api/http/middlewares` | Lists all the HTTP middlewares information. |
| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`. |
| `/api/tcp/routers` | Lists all the TCP routers information. |
| `/api/tcp/routers/{name}` | Returns the information of the TCP router specified by `name`. |
| `/api/tcp/services` | Lists all the TCP services information. |
| `/api/tcp/services/{name}` | Returns the information of the TCP service specified by `name`. |
| `/api/tcp/middlewares` | Lists all the TCP middlewares information. |
| `/api/tcp/middlewares/{name}` | Returns the information of the TCP middleware specified by `name`. |
| `/api/udp/routers` | Lists all the UDP routers information. |
| `/api/udp/routers/{name}` | Returns the information of the UDP router specified by `name`. |
| `/api/udp/services` | Lists all the UDP services information. |
| `/api/udp/services/{name}` | Returns the information of the UDP service specified by `name`. |
| `/api/entrypoints` | Lists all the entry points information. |
| `/api/entrypoints/{name}` | Returns the information of the entry point specified by `name`. |
| `/api/overview` | Returns statistic information about HTTP, TCP and about enabled features and providers. |
| `/api/rawdata` | Returns information about dynamic configurations, errors, status and dependency relations. |
| `/api/version` | Returns information about Traefik version. |
| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
| `/debug/pprof/` | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
| `/debug/pprof/cmdline` | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
| `/debug/pprof/profile` | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
## Dashboard
The dashboard is available at the same location as the [API](../../operations/api.md), but by default on the path `/dashboard/`.
!!! note
- The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
- There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
To securely access the dashboard, you need to define a routing configuration within Traefik. This involves setting up a router attached to the service `api@internal`, which allows you to:
- Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
[forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
- Define a [router rule](#dashboard-router-rule) for accessing the dashboard through Traefik.
### Dashboard Router Rule
To ensure proper access to the dashboard, the [router rule](../../routing/routers/index.md#rule) you define must match requests intended for the `/api` and `/dashboard` paths.
We recommend using either a *Host-based rule* to match all requests on the desired domain or explicitly defining a rule that includes both path prefixes.
Here are some examples:
```bash tab="Host Rule"
# The dashboard can be accessed on http://traefik.example.com/dashboard/
rule = "Host(`traefik.example.com`)"
```
```bash tab="Path Prefix Rule"
# The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
```
```bash tab="Combination of Rules"
# The dashboard can be accessed on http://traefik.example.com/dashboard/
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
```
{!traefik-for-business-applications.md!}

134
docs/content/reference/install-configuration/boot-environment.md Normal file
View File

@@ -0,0 +1,134 @@
---
title: "Traefik Configuration Overview"
description: "Read the official Traefik documentation to get started with configuring the Traefik Proxy."
---
# Boot Environment
Traefik Proxys configuration is divided into two main categories:
- **Static Configuration**: Defines parameters that require Traefik to restart when changed. This includes entry points, providers, API/dashboard settings, and logging levels.
- **Dynamic Configuration**: Involves elements that can be updated without restarting Traefik, such as routers, services, and middlewares.
This section focuses on setting up the static configuration, which is essential for Traefiks initial boot.
## Configuration Methods
Traefik offers multiple methods to define static configuration.
!!! warning "Note"
Its crucial to choose one method and stick to it, as mixing different configuration options is not supported and can lead to unexpected behavior.
Here are the methods available for configuring the Traefik proxy:
- [File](#file)
- [CLI](#cli)
- [Environment Variables](#environment-variables)
- [Helm](#helm)
## File
You can define the static configuration in a file using formats like YAML or TOML.
### Configuration Example
```yaml tab="traefik.yml (YAML)"
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
providers:
docker: {}
api:
dashboard: true
log:
level: INFO
```
```toml tab="traefik.toml (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[providers]
[providers.docker]
[api]
dashboard = true
[log]
level = "INFO"
```
### Configuration File
At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in the following directories:
- `/etc/traefik/`
- `$XDG_CONFIG_HOME/`
- `$HOME/.config/`
- `.` (the current working directory).
You can override this behavior using the `configFile` argument like this:
```bash
traefik --configFile=foo/bar/myconfigfile.yml
```
## CLI
Using the CLI, you can pass static configuration directly as command-line arguments when starting Traefik.
### Configuration Example
```sh tab="CLI"
traefik \
--entryPoints.web.address=":80" \
--entryPoints.websecure.address=":443" \
--providers.docker \
--api.dashboard \
--log.level=INFO
```
## Environment Variables
You can also set the static configuration using environment variables. Each option corresponds to an environment variable prefixed with `TRAEFIK_`.
### Configuration Example
```sh tab="ENV"
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=":80" TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS=":443" TRAEFIK_PROVIDERS_DOCKER=true TRAEFIK_API_DASHBOARD=true TRAEFIK_LOG_LEVEL="INFO" traefik
```
## Helm
When deploying Traefik Proxy using Helm in a Kubernetes cluster, the static configuration is defined in a `values.yaml` file.
You can find the official Traefik Helm chart on [GitHub](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/VALUES.md)
### Configuration Example
```yaml tab="values.yaml"
ports:
web:
exposedPort: 80
websecure:
exposedPort: 443
additionalArguments:
- "--providers.kubernetescrd.ingressClass"
- "--log.level=INFO"
```
```sh tab="Helm Commands"
helm repo add traefik https://traefik.github.io/charts
helm repo update
helm install traefik traefik/traefik -f values.yaml
```

0
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml → docs/content/reference/install-configuration/cli-options-list.md
View File

273
docs/content/reference/install-configuration/entrypoints.md Normal file
View File

@@ -0,0 +1,273 @@
---
title: "Traefik EntryPoints Documentation"
description: "For routing and load balancing in Traefik Proxy, EntryPoints define which port will receive packets and whether they are TCP or UDP. Read the technical documentation."
---
Listening for Incoming Connections/Requests
{: .subtitle }
### Configuration Example
```yaml tab="File (YAML)"
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
observability:
accessLogs: false
metrics: false
tracing: false
websecure:
address: :443
tls: {}
middlewares:
- auth@kubernetescrd
- strip@kubernetescrd
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
entryPoint = "websecure"
scheme = "https"
permanent = true
[entryPoints.web.observability]
accessLogs = false
metrics = false
tracing = false
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
[entryPoints.websecure.middlewares]
- auth@kubernetescrd
- strip@kubernetescrd
```
```yaml tab="Helm Chart Values"
## Values file
ports:
web:
port: :80
websecure:
port: :443
tls:
enabled: true
middlewares:
- auth@kubernetescrd
- strip@kubernetescrd
additionalArguments:
- --entryPoints.web.http.redirections.to=websecure
- --entryPoints.web.http.redirections.scheme=https
- --entryPoints.web.http.redirections.permanent=true
- --entryPoints.web.observability.accessLogs=false
- --entryPoints.web.observability.metrics=false
- --entryPoints.web.observability.tracing=false
```
!!! tip
In the Helm Chart, the entryPoints `web` (port 80), `websecure` (port 443), `traefik` (port 8080) and `metrics` (port 9100) are created by default.
The entryPoints `web`, `websecure` are exposed by default using a Service.
The default behaviors can be overridden in the Helm Chart.
## Configuration Options
| Field | Description | Default | Required |
|:-----------------|:--------|:--------|:---------|
| `address` | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
| `asDefault` | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault). | false | No |
| `forwardedHeaders.trustedIPs` | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
| `forwardedHeaders.insecure` | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production. | false | No |
| `http.redirections.`<br />`entryPoint.to` | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
| `http.redirections.`<br />`entryPoint.scheme` | The target scheme to use for (permanent) redirection of all incoming requests. | https | No |
| `http.redirections.`<br />`entryPoint.permanent` | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
| `http.redirections.`<br />`entryPoint.priority` | Default priority applied to the routers attached to the `entryPoint`.| MaxInt32-1 (2147483646) | No |
| `http.encodeQuerySemicolons` | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
| `http.sanitizePath` | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath). | false | No |
| `http.middlewares` | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
| `http.tls` | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production.| - | No |
| `http.tls.options` | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
| `http.tls.certResolver` | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md). | - | No |
| `http2.maxConcurrentStreams` | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero. | 250 | No |
| `http3` | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3. | - | No |
| `http3.advertisedPort` | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
| `observability.accessLogs` | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| `observability.metrics` | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| `observability.tracing` | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| `proxyProtocol.trustedIPs` | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| `proxyProtocol.insecure` | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| `reusePort` | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points..<br /> More information [here](#reuseport). | false | No |
| `transport.`<br />`respondingTimeouts.`<br />`readTimeout` | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout` | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout` | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 180s (seconds) | No |
| `transport.`<br />`lifeCycle.`<br />`graceTimeOut` | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted. | 10s (seconds) | No |
| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 0s (seconds) | No |
| `transport.`<br />`keepAliveMaxRequests` | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit. | 0 | No |
| `transport.`<br />`keepAliveMaxTime` | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit. | 0s (seconds) | No |
| `udp.timeout` | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero. | 3s (seconds)| No |
### asDefault
If there is no entryPoint with the `asDefault` option set to `true`, then the
list of default entryPoints includes all HTTP/TCP entryPoints.
If at least one entryPoint has the `asDefault` option set to `true`,
then the list of default entryPoints includes only entryPoints that have the
`asDefault` option set to `true`.
Some built-in entryPoints are always excluded from the list, namely: `traefik`.
The `asDefault` option has no effect on UDP entryPoints.
When a UDP router does not define the entryPoints option, it is attached to all
available UDP entryPoints.
### http.middlewares
- You can attach a list of [middlewares](../../middlewares/http/overview.md)
to each entryPoint.
- The middlewares will take effect only if the rule matches, and before forwarding
the request to the service.
- Middlewares are applied in the same order as their declaration.
- Middlewares are applied by default to every router exposed through the EntryPoint
(the Middlewares declared on the [IngressRoute](../../routing/routers/index.md#middlewares)
or the [Ingress](../../routing/providers/kubernetes-ingress.md#on-ingress)
are applied after the ones declared on the Entrypoint)
- The option allows attaching a list of middleware using the format
`middlewarename@providername` as described in the example below:
```yaml tab="File (YAML)"
entryPoints:
web:
address: :80
middlewares:
- auth@kubernetescrd
- strip@file
```
```yaml tab="Helm Chart Values"
ports:
web:
port: :80
middlewares:
- auth@kubernetescrd
- strip@file
```
### encodeQuerySemicolons
Behavior examples:
| EncodeQuerySemicolons | Request Query | Resulting Request Query |
|-----------------------|---------------------|-------------------------|
| false | foo=bar;baz=bar | foo=bar&baz=bar |
| true | foo=bar;baz=bar | foo=bar%3Bbaz=bar |
| false | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo |
| true | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo |
### SanitizePath
The `sanitizePath` option defines whether to enable the request path sanitization.
When disabled, the incoming request path is passed to the backend as is.
This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
For example, as base64 uses the “/” character internally,
if it's not url encoded,
it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
!!! warning "Security"
Setting the sanitizePath option to false is not safe.
Ensure every request is properly url encoded instead.
#### Examples
| SanitizePath | Request Path | Resulting Request Path |
|--------------|-----------------|------------------------|
| false | /./foo/bar | /./foo/bar |
| true | /./foo/bar | /foo/bar |
| false | /foo/../bar | /foo/../bar |
| true | /foo/../bar | /bar |
| false | /foo/bar// | /foo/bar// |
| true | /foo/bar// | /foo/bar/ |
| false | /./foo/../bar// | /./foo/../bar// |
| true | /./foo/../bar// | /bar/ |
### HTTP3
As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`
on port N with HTTP/3 enabled, the underlying HTTP/3 server that is started
automatically listens on UDP port N too. As a consequence,
it means port N cannot be used by another UDP `entryPoint`.
Since HTTP/3 requires the use of TLS,
only routers with TLS enabled will be usable with HTTP/3.
### ProxyProtocol and Load-Balancers
The replacement of the remote client address will occur only for IP addresses listed in `trustedIPs`. This is where yoåu specify your load balancer IPs or CIDR ranges.
When queuing Traefik behind another load-balancer, make sure to configure
PROXY protocol on both sides.
Not doing so could introduce a security risk in your system (enabling request forgery).
### reusePort
#### Examples
Many processes on the same EntryPoint:
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
reusePort: true
```
```yaml tab="Helm Chart Values"
## Values file
additionalArguments:
- --entryPoints.web.reusePort=true
```
Many processes on the same EntryPoint on another host:
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
reusePort: true
privateWeb:
address: "192.168.1.2:80"
reusePort: true
```
```yaml tab="Helm Chart Values"
additionalArguments:
- --entryPoints.web.reusePort=true
- --entryPoints.privateWeb.address=192.168.1.2:80
- --entryPoints.privateWeb.reusePort=true
```
#### Supported platforms
The `reusePort` option currently works only on Linux, FreeBSD, OpenBSD and Darwin.
It will be ignored on other platforms.
There is a known bug in the Linux kernel that may cause unintended TCP connection
failures when using the `reusePort` option. For more details, see [here](https://lwn.net/Articles/853637/).
#### Canary deployment
Use the `reusePort` option with the other option `transport.lifeCycle.gracetimeout`
to do
canary deployments against Traefik itself. Like upgrading Traefik version
or reloading the static configuration without any service downtime.

87
docs/content/reference/install-configuration/observability/healthcheck.md Normal file
View File

@@ -0,0 +1,87 @@
---
title: "Traefik Health Check Documentation"
description: "In Traefik Proxy, CLI & Ping lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
---
# CLI & Ping
Checking the Health of your Traefik Instances
{: .subtitle }
## CLI
The CLI can be used to make a request to the `/ping` endpoint to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` otherwise.
This can be used with [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
### Usage
```sh
traefik healthcheck [command] [flags] [arguments]
```
Example:
```sh
$ traefik healthcheck
OK: http://:8082/ping
```
## Ping
The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
The entryPoint where the `/ping` is active can be customized with the `entryPoint` option,
whose default value is `traefik` (port `8080`).
| Path | Method | Description |
|---------|---------------|-----------------------------------------------------------------------------------------------------|
| `/ping` | `GET`, `HEAD` | An endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
### Configuration Example
To enable the API handler:
```yaml tab="File (YAML)"
ping: {}
```
```toml tab="File (TOML)"
[ping]
```
```bash tab="CLI"
--ping=true
```
### Configuration Options
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `ping.entryPoint` | Enables `/ping` on a dedicated EntryPoint. | traefik | No |
| `ping.manualRouting` | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No |
| `ping.terminatingStatusCode` | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No |
#### `terminatingStatusCode`
During the period in which Traefik is gracefully shutting down, the ping handler
returns a `503` status code by default.
If Traefik is behind, for example a load-balancer
doing health checks (such as the Kubernetes LivenessProbe), another code might
be expected as the signal for graceful termination.
In that case, the terminatingStatusCode can be used to set the code returned by the ping
handler during termination.
```yaml tab="File (YAML)"
ping:
terminatingStatusCode: 204
```
```toml tab="File (TOML)"
[ping]
terminatingStatusCode = 204
```
```bash tab="CLI"
--ping.terminatingStatusCode=204
```

216
docs/content/reference/install-configuration/observability/logs-and-accesslogs.md Normal file
View File

@@ -0,0 +1,216 @@
---
title: "Traefik Logs Documentation"
description: "Logs are a key part of observability in Traefik Proxy. Read the technical documentation to learn their configurations, rotations, and time zones."
---
## Logs
Logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
### Configuration Example
```yaml tab="File (YAML)"
log:
filePath: "/path/to/log-file.log"
format: json
level: INFO
```
```toml tab="File (TOML)"
[log]
filePath = "/path/to/log-file.log"
format = "json"
level = "INFO"
```
```sh tab="CLI"
--log.filePath=/path/to/log-file.log
--log.format=json
--log.level=INFO
```
### Configuration Options
The section below describe how to configure Traefik logs using the static configuration.
| Field | Description | Default | Required |
|:-----------|:----------------------------|:--------|:---------|
| `log.filePath` | By default, the logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.| - | No |
| `log.format` | Log format (`common`or `json`).<br /> The fields displayed with the format `common` cannot be customized. | "common" | No |
| `log.level` | Log level (`TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`)| ERROR | No |
| `log.noColor` | When using the format `common`, disables the colorized output. | false | No |
| `log.maxSize` | Maximum size in megabytes of the log file before it gets rotated. | 100MB | No |
| `log.maxAge` | Maximum number of days to retain old log files based on the timestamp encoded in their filename.<br /> A day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.<br />By default files are not removed based on their age. | 0 | No |
| `log.maxBackups` | Maximum number of old log files to retain.<br />The default is to retain all old log files. | 0 | No |
| `log.compress` | Compress log files in gzip after rotation. | false | No |
## AccessLogs
### Configuration Example
```yaml tab="File (YAML)"
accessLog:
# JSON format
format: json
# Filter on status codes, retry attempts and minimal duration
filters:
statusCodes:
- "200"
- "300-302"
retryAttempts: true
minDuration: "10ms"
fields:
# Keep all the fields by default
defaultMode: keep
names:
# Drop the Field ClientUserName
ClientUsername: drop
headers:
# Keep all the headers by default
defaultMode: keep
names:
# Redact the User-Agent header value
User-Agent: redact
# Drop the Authorization header value
Authorization: drop
```
```toml tab="File (TOML)"
[accessLog]
format = "json"
[accessLog.filters]
statusCodes = [ "200", "300-302" ]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
ClientUsername = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
User-Agent = "redact"
Authorization = "drop"
```
```sh tab="CLI"
--accesslog=true
--accesslog.format=json
--accesslog.filters.statuscodes=200,300-302
--accesslog.filters.retryattempts
--accesslog.filters.minduration=10ms
--accesslog.fields.defaultmode=keep
--accesslog.fields.names.ClientUsername=drop
--accesslog.fields.headers.defaultmode=keep
--accesslog.fields.headers.names.User-Agent=redact
--accesslog.fields.headers.names.Authorization=drop
```
### Configuration Options
The section below describes how to configure Traefik access logs using the static configuration.
| Field | Description | Default | Required |
|:-----------|:--------------------------|:--------|:---------|
| `accesslog.filePath` | By default, the access logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.| | No |
| `accesslog.format` | By default, logs are written using the Common Log Format (CLF).<br />To write logs in JSON, use `json` in the `format` option.<br />If the given format is unsupported, the default (CLF) is used instead.<br />More information about CLF fields [here](#clf-format-fields). | "common" | No |
| `accesslog.bufferingSize` | To write the logs in an asynchronous fashion, specify a `bufferingSize` option.<br />This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.<br />In some cases, this option can greatly help performances.| 0 | No |
| `accesslog.addInternals` | Enables access logs for internal resources (e.g.: `ping@internal`). | false | No |
| `accesslog.filters.statusCodes` | Limit the access logs to requests with a status codes in the specified range. | false | No |
| `accesslog.filters.retryAttempts` | Keep the access logs when at least one retry has happened. | false | No |
| `accesslog.filters.minDuration` | Keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)). | 0 | No |
| `accesslog.fields.defaultMode` | Mode to apply by default to the access logs fields (`keep`, `redact` or `drop`). | keep | No |
| `accesslog.fields.names` | Set the fields list to display in the access logs (format `name:mode`).<br /> Available fields list [here](#available-fields). | - | No |
| `accesslog.headers.defaultMode` | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`). | drop | No |
| `accesslog.headers.names` | Set the headers list to display in the access logs (format `name:mode`). | - | No |
#### CLF format fields
Below the fields displayed with the CLF format:
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>]
"<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length>
"<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started>
"<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
```
#### Available Fields
| Field | Description |
|-------------------------|------------------|
| `StartUTC` | The time at which request processing started. |
| `StartLocal` | The local time at which request processing started. |
| `Duration` | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time. |
| `RouterName` | The name of the Traefik router. |
| `ServiceName` | The name of the Traefik backend. |
| `ServiceURL` | The URL of the Traefik backend. |
| `ServiceAddr` | The IP:port of the Traefik backend (extracted from `ServiceURL`). |
| `ClientAddr` | The remote address in its original form (usually IP:port). |
| `ClientHost` | The remote IP address from which the client request was received. |
| `ClientPort` | The remote TCP port from which the client request was received. |
| `ClientUsername` | The username provided in the URL, if present. |
| `RequestAddr` | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API. |
| `RequestHost` | The HTTP Host server name (not including port). |
| `RequestPort` | The TCP port from the HTTP Host. |
| `RequestMethod` | The HTTP method. |
| `RequestPath` | The HTTP request URI, not including the scheme, host or port. |
| `RequestProtocol` | The version of HTTP requested. |
| `RequestScheme` | The HTTP scheme requested `http` or `https`. |
| `RequestLine` | The `RequestMethod`, + `RequestPath` and `RequestProtocol`. |
| `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
| `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
| `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
| `OriginStatusLine` | `OriginStatus` + Status code explanation |
| `DownstreamStatus` | The HTTP status code returned to the client. |
| `DownstreamStatusLine` | The `DownstreamStatus` and status code explanation. |
| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
| `RequestCount` | The number of requests received since the Traefik instance started. |
| `GzipRatio` | The response body compression ratio achieved. |
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
| `RetryAttempts` | The amount of attempts the request was retried. |
| `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
| `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS). |
| `TLSClientSubject` | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`). |
#### Log Rotation
Traefik close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
This allows the logs to be rotated and processed by an external program, such as `logrotate`.
!!! warning
This does not work on Windows due to the lack of USR signals.
#### Time Zones
Traefik will timestamp each log line in UTC time by default.
It is possible to configure the Traefik to timestamp in a specific timezone by ensuring the following configuration has been made in your environment:
1. Provide time zone data to `/etc/localtime` or `/usr/share/zoneinfo` (based on your distribution) or set the environment variable TZ to the desired timezone.
2. Specify the field `StartLocal` by dropping the field named `StartUTC` (available on the default Common Log Format (CLF) as well as JSON): `accesslog.fields.names.StartUTC=drop`.
Example utilizing Docker Compose:
```yaml
services:
traefik:
image: traefik:v3.4
environment:
- TZ=US/Alaska
command:
- --accesslog.fields.names.StartUTC=drop
- --providers.docker
ports:
- 80:80
volumes:
- /var/run/docker.sock:/var/run/docker.sock
```
{!traefik-for-business-applications.md!}

601
docs/content/reference/install-configuration/observability/metrics.md Normal file
View File

@@ -0,0 +1,601 @@
---
title: "Traefik Metrics Overview"
description: "Traefik Proxy supports these metrics backend systems: OpenTelemetry, Datadog, InfluxDB 2.X, Prometheus, and StatsD. Read the full documentation to get started."
---
# Metrics
Traefik provides metrics in the [OpenTelemetry](#open-telemetry) format as well as the following vendor specific backends:
- [Datadog](#datadog)
- [InfluxDB2](#influxdb-v2)
- [Prometheus](#prometheus)
- [StatsD](#statsd)
Traefik Proxy has an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346)
and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
---
## Open Telemetry
!!! info "Default protocol"
The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics.
### Configuration Example
To enable the OpenTelemetry metrics:
```yaml tab="File (YAML)"
metrics:
otlp: {}
```
```toml tab="File (TOML)"
[metrics]
[metrics.otlp]
```
```bash tab="CLI"
--metrics.otlp=true
```
```yaml tab="Helm Chart Values"
# values.yaml
metrics:
# Disable Prometheus (enabled by default)
prometheus: null
# Enable providing OTel metrics
otlp:
enabled: true
http:
enabled: true
```
!!! tip "Helm Chart Configuration"
Traefik can be configured to provide metrics in the OpenTelemetry format using the Helm Chart values.
To know more about the Helm Chart options, refer to the [Helm Chart](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/VALUES.md) (Find options `metrics.otlp`).
### Configuration Options
| Field | Description | Default | Required |
|:-----------|---------------|:--------|:---------|
| `metrics.addInternals` | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| `metrics.otlp.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.otlp.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.otlp.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.otlp.explicitBoundaries` | Explicit boundaries for Histogram data points. | ".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10" | No |
| `metrics.otlp.pushInterval` | Interval at which metrics are sent to the OpenTelemetry Collector. | 10s | No |
| `metrics.otlp.http` | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `metrics.otlp.http.endpoint` | URL of the OpenTelemetry Collector to send metrics to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/metrics" | Yes |
| `metrics.otlp.http.headers` | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector. | - | No |
| `metrics.otlp.http.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle. | "" | No |
| `metrics.otlp.http.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | "" | No |
| `metrics.otlp.http.tls.key` | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `metrics.otlp.http.tls.insecureskipverify` | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| `metrics.otlp.grpc` | This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC. | null/false | No |
| `metrics.otlp.grpc.endpoint` | Address of the OpenTelemetry Collector to send metrics to.<br /> Format="`<host>:<port>`" | "localhost:4317" | Yes |
| `metrics.otlp.grpc.headers` | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector. | - | No |
| `metrics.otlp.http.grpc.insecure` |Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | false | Yes |
| `metrics.otlp.grpc.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle. | - | No |
| `metrics.otlp.grpc.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | - | No |
| `metrics.otlp.grpc.tls.key` | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `metrics.otlp.grpc.tls.insecureskipverify` | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
## Vendors
### Datadog
#### Configuration Example
To enable the Datadog:
```yaml tab="File (YAML)"
metrics:
datadog: {}
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
```
```bash tab="CLI"
--metrics.datadog=true
```
#### Configuration Options
| Field | Description | Default | Required |
|:------|:-------------------------------|:---------------------|:---------|
| `metrics.addInternals` | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| `datadog.address` | Defines the address for the exporter to send metrics to datadog-agent. More information [here](#address)| `127.0.0.1:8125` | Yes |
| `datadog.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `datadog.addRoutersLabels` | Enable metrics on routers. | false | No |
| `datadog.addServicesLabels` | Enable metrics on services. | true | No |
| `datadog.pushInterval` | Defines the interval used by the exporter to push metrics to datadog-agent. | 10s | No |
| `datadog.prefix` | Defines the prefix to use for metrics collection. | "traefik" | No |
##### `address`
Address instructs exporter to send metrics to datadog-agent at this address.
This address can be a Unix Domain Socket (UDS) in the following format: `unix:///path/to/datadog.socket`.
When the prefix is set to `unix`, the socket type will be automatically determined.
To explicitly define the socket type and avoid automatic detection, you can use the prefixes `unixgram` for `SOCK_DGRAM` (datagram sockets) and `unixstream` for `SOCK_STREAM` (stream sockets), respectively.
```yaml tab="File (YAML)"
metrics:
datadog:
address: 127.0.0.1:8125
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
address = "127.0.0.1:8125"
```
```bash tab="CLI"
--metrics.datadog.address=127.0.0.1:8125
```
### InfluxDB v2
#### Configuration Example
To enable the InfluxDB2:
```yaml tab="File (YAML)"
metrics:
influxDB2:
address: http://localhost:8086
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB2]
address: http://localhost:8086
```
```bash tab="CLI"
--metrics.influxdb2=true
```
#### Configuration Options
| Field | Description | Default | Required |
|:-----------|-------------------------|:--------|:---------|
| `metrics.addInternal` | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| `metrics.influxDB2.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.influxDB2.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.influxDB2.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.influxDB2.additionalLabels` | Additional labels (InfluxDB tags) on all metrics. | - | No |
| `metrics.influxDB2.pushInterval` | The interval used by the exporter to push metrics to InfluxDB server. | 10s | No |
| `metrics.influxDB2.address` | Address of the InfluxDB v2 instance. | "http://localhost:8086" | Yes |
| `metrics.influxDB2.token` | Token with which to connect to InfluxDB v2. | - | Yes |
| `metrics.influxDB2.org` | Organisation where metrics will be stored. | - | Yes |
| `metrics.influxDB2.bucket` | Bucket where metrics will be stored. | - | Yes |
### Prometheus
#### Configuration Example
To enable the Prometheus:
```yaml tab="File (YAML)"
metrics:
prometheus:
buckets:
- 0.1
- 0.3
- 1.2
- 5.0
```
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
[metrics.prometheus.buckets]
- 0.1
- 0.3
- 1.2
- 5.0
```
```bash tab="CLI"
--metrics.prometheus=true
```
#### Configuration Options
| Field | Description | Default | Required |
|:-----------|---------------------|:--------|:---------|
| `metrics.prometheus.addInternals` | Enables metrics for internal resources (e.g.: `ping@internals`). | false | No |
| `metrics.prometheus.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.prometheus.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.prometheus.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.prometheus.buckets` | Buckets for latency metrics. |"0.100000, 0.300000, 1.200000, 5.000000" | No |
| `metrics.prometheus.manualRouting` | Set to _true_, it disables the default internal router in order to allow creating a custom router for the `prometheus@internal` service. | false | No |
| `metrics.prometheus.entryPoint` | Traefik Entrypoint name used to expose metrics. | "traefik" | No |
| `metrics.prometheus.headerLabels` | Defines extra labels extracted from request headers for the `requests_total` metrics.<br />More information [here](#headerlabels). | | Yes |
##### headerLabels
Defines the extra labels for the `requests_total` metrics, and for each of them, the request header containing the value for this label.
If the header is not present in the request it will be added nonetheless with an empty value.
The label must be a valid label name for Prometheus metrics, otherwise, the Prometheus metrics provider will fail to serve any Traefik-related metric.
!!! note "How to provide the `Host` header value"
The `Host` header is never present in the Header map of a request, as per go documentation says:
```Golang
// For incoming requests, the Host header is promoted to the
// Request.Host field and removed from the Header map.
```
As a workaround, to obtain the Host of a request as a label, use instead the `X-Forwarded-Host` header.
###### Configuration Example
Here is an example of the entryPoint `requests_total` metric with an additional "useragent" label.
When configuring the label in Static Configuration:
```yaml tab="Configuration"
# static_configuration.yaml
metrics:
prometheus:
headerLabels:
useragent: User-Agent
```
```bash tab="Request"
curl -H "User-Agent: foobar" http://localhost
```
```bash tab="Metric"
traefik_entrypoint_requests_total\{code="200",entrypoint="web",method="GET",protocol="http",useragent="foobar"\} 1
```
### StatsD
#### Configuration Example
To enable the Statsd:
```yaml tab="File (YAML)"
metrics:
statsD:
address: localhost:8125
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
address: localhost:8125
```
```bash tab="CLI"
--metrics.statsd=true
```
#### Configuration Options
| Field | Description | Default | Required |
|:-----------|:-------------------------|:--------|:---------|
| `metrics.addInternals` | Enables metrics for internal resources (e.g.: `ping@internals`). | false | No |
| `metrics.statsD.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.statsD.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.statsD.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.statsD.pushInterval` | The interval used by the exporter to push metrics to DataDog server. | 10s | No |
| `metrics.statsD.address` | Address instructs exporter to send metrics to statsd at this address. | "127.0.0.1:8125" | Yes |
| `metrics.statsD.prefix` | The prefix to use for metrics collection. | "traefik" | No |
## Metrics Provided
### Global Metrics
=== "OpenTelemetry"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `traefik_config_reloads_total` | Count | | The total count of configuration reloads. |
| `traefik_config_last_reload_success` | Gauge | | The timestamp of the last configuration reload success. |
| `traefik_open_connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `traefik_tls_certs_not_after` | Gauge | | The expiration date of certificates. |
=== "Prometheus"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `traefik_config_reloads_total` | Count | | The total count of configuration reloads. |
| `traefik_config_last_reload_success` | Gauge | | The timestamp of the last configuration reload success. |
| `traefik_open_connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `traefik_tls_certs_not_after` | Gauge | | The expiration date of certificates. |
=== "Datadog"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `config.reload.total` | Count | | The total count of configuration reloads. |
| `config.reload.lastSuccessTimestamp` | Gauge | | The timestamp of the last configuration reload success. |
| `open.connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `tls.certs.notAfterTimestamp` | Gauge | | The expiration date of certificates. |
=== "InfluxDB2"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `traefik.config.reload.total` | Count | | The total count of configuration reloads. |
| `traefik.config.reload.lastSuccessTimestamp` | Gauge | | The timestamp of the last configuration reload success. |
| `traefik.open.connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `traefik.tls.certs.notAfterTimestamp` | Gauge | | The expiration date of certificates. |
=== "StatsD"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `{prefix}.config.reload.total` | Count | | The total count of configuration reloads. |
| `{prefix}.config.reload.lastSuccessTimestamp` | Gauge | | The timestamp of the last configuration reload success. |
| `{prefix}.open.connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `{prefix}.tls.certs.notAfterTimestamp` | Gauge | | The expiration date of certificates. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
#### Labels
Here is a comprehensive list of labels that are provided by the global metrics:
| Label | Description | example |
|--------------|----------------------------------------|----------------------|
| `entrypoint` | Entrypoint that handled the connection | "example_entrypoint" |
| `protocol` | Connection protocol | "TCP" |
### OpenTelemetry Semantic Conventions
Traefik Proxy follows [official OpenTelemetry semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).
#### HTTP Server
| Metric | Type | [Labels](#labels) | Description |
|----------|-----------|-------------------------|------------------|
| `http.server.request.duration` | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP server requests |
##### Labels
Here is a comprehensive list of labels that are provided by the metrics:
| Label | Description | example |
|-----------------------------|--------|---------------|
| `error.type` | Describes a class of error the operation ended with | "500" |
| `http.request.method` | HTTP request method | "GET" |
| `http.response.status_code` | HTTP response status code | "200" |
| `network.protocol.name` | OSI application layer or non-OSI equivalent | "http/1.1" |
| `network.protocol.version` | Version of the protocol specified in `network.protocol.name` | "1.1" |
| `server.address` | Name of the local HTTP server that received the request | "example.com" |
| `server.port` | Port of the local HTTP server that received the request | "80" |
| `url.scheme` | The URI scheme component identifying the used protocol | "http" |
#### HTTP Client
| Metric | Type | [Labels](#labels) | Description |
|-------------------------------|-----------|-----------------|--------|
| `http.client.request.duration` | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP client requests |
##### Labels
Here is a comprehensive list of labels that are provided by the metrics:
| Label | Description | example |
|------ -----|------------|---------------|
| `error.type` | Describes a class of error the operation ended with | "500" |
| `http.request.method` | HTTP request method | "GET" |
| `http.response.status_code` | HTTP response status code | "200" |
| `network.protocol.name` | OSI application layer or non-OSI equivalent | "http/1.1" |
| `network.protocol.version` | Version of the protocol specified in `network.protocol.name` | "1.1" |
| `server.address` | Name of the local HTTP server that received the request | "example.com" |
| `server.port` | Port of the local HTTP server that received the request | "80" |
| `url.scheme` | The URI scheme component identifying the used protocol | "http" |
### HTTP Metrics
On top of the official OpenTelemetry semantic conventions, Traefik provides its own metrics to monitor the incoming traffic.
#### EntryPoint Metrics
=== "OpenTelemetry"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|--------------------|--------------------------|
| `traefik_entrypoint_requests_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `traefik_entrypoint_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `traefik_entrypoint_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `traefik_entrypoint_requests_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `traefik_entrypoint_responses_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "Prometheus"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|------------------------|-------------------------|
| `traefik_entrypoint_requests_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `traefik_entrypoint_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `traefik_entrypoint_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `traefik_entrypoint_requests_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `traefik_entrypoint_responses_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "Datadog"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|------------------|---------------------------|
| `entrypoint.requests.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `entrypoint.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `entrypoint.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `entrypoint.requests.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `entrypoint.responses.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "InfluxDB2"
| Metric | Type | [Labels](#labels) | Description |
|------------|-----------|-------------------|-----------------|
| `traefik.entrypoint.requests.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `traefik.entrypoint.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `traefik.entrypoint.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `traefik.entrypoint.requests.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `traefik.entrypoint.responses.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "StatsD"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `{prefix}.entrypoint.requests.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `{prefix}.entrypoint.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `{prefix}.entrypoint.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `{prefix}.entrypoint.requests.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `{prefix}.entrypoint.responses.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
#### Router Metrics
=== "OpenTelemetry"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|----------------------|--------------------------------|
| `traefik_router_requests_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `traefik_router_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `traefik_router_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `traefik_router_requests_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `traefik_router_responses_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "Prometheus"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
| `traefik_router_requests_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `traefik_router_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `traefik_router_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `traefik_router_requests_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `traefik_router_responses_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "Datadog"
| Metric | Type | [Labels](#labels) | Description |
|-------------|-----------|---------------|---------------------|
| `router.requests.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `router.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `router.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `router.requests.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `router.responses.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "InfluxDB2"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
| `traefik.router.requests.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `traefik.router.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `traefik.router.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `traefik.router.requests.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `traefik.router.responses.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "StatsD"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|---------------|-------------|
| `{prefix}.router.requests.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `{prefix}.router.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `{prefix}.router.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `{prefix}.router.requests.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `{prefix}.router.responses.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
#### Service Metrics
=== "OpenTelemetry"
| Metric | Type | Labels | Description |
|-----------------------|-----------|------------|------------|
| `traefik_service_requests_total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `traefik_service_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `traefik_service_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `traefik_service_retries_total` | Count | `service` | The count of requests retries on a service. |
| `traefik_service_server_up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `traefik_service_requests_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `traefik_service_responses_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "Prometheus"
| Metric | Type | Labels | Description |
|-----------------------|-----------|-------|------------|
| `traefik_service_requests_total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `traefik_service_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `traefik_service_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `traefik_service_retries_total` | Count | `service` | The count of requests retries on a service. |
| `traefik_service_server_up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `traefik_service_requests_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `traefik_service_responses_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "Datadog"
| Metric | Type | Labels | Description |
|-----------------------|-----------|--------|------------------|
| `service.requests.total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `router.service.tls.total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `service.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `service.retries.total` | Count | `service` | The count of requests retries on a service. |
| `service.server.up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `service.requests.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `service.responses.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "InfluxDB2"
| Metric | Type | Labels | Description |
|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
| `traefik.service.requests.total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `traefik.service.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `traefik.service.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `traefik.service.retries.total` | Count | `service` | The count of requests retries on a service. |
| `traefik.service.server.up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `traefik.service.requests.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `traefik.service.responses.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "StatsD"
| Metric | Type | Labels | Description |
|-----------------------|-----------|-----|---------|
| `{prefix}.service.requests.total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `{prefix}.service.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `{prefix}.service.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `{prefix}.service.retries.total` | Count | `service` | The count of requests retries on a service. |
| `{prefix}.service.server.up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `{prefix}.service.requests.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `{prefix}.service.responses.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
##### Labels
Here is a comprehensive list of labels that are provided by the metrics:
| Label | Description | example |
|---------------|-------------------|----------------------------|
| `cn` | Certificate Common Name | "example.com" |
| `code` | Request code | "200" |
| `entrypoint` | Entrypoint that handled the request | "example_entrypoint" |
| `method` | Request Method | "GET" |
| `protocol` | Request protocol | "http" |
| `router` | Router that handled the request | "example_router" |
| `sans` | Certificate Subject Alternative NameS | "example.com" |
| `serial` | Certificate Serial Number | "123..." |
| `service` | Service that handled the request | "example_service@provider" |
| `tls_cipher` | TLS cipher used for the request | "TLS_FALLBACK_SCSV" |
| `tls_version` | TLS version used for the request | "1.0" |
| `url` | Service server url | "http://example.com" |
!!! info "`method` label value"
If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
then the value for the method label becomes `EXTENSION_METHOD`.

0
docs/content/routing/providers/marathon.md → docs/content/reference/install-configuration/observability/options-list.md
View File

62
docs/content/reference/install-configuration/observability/tracing.md Normal file
View File

@@ -0,0 +1,62 @@
---
title: "Traefik Tracing Overview"
description: "The Traefik Proxy tracing system allows developers to visualize call flows in their infrastructure. Read the full documentation."
---
# Tracing
Visualize the Requests Flow
{: .subtitle }
The tracing system allows developers to visualize call flows in their infrastructure.
Traefik uses [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel"), an open standard designed for distributed tracing.
## Configuration Example
To enable the tracing:
```yaml tab="File (YAML)"
tracing: {}
```
```toml tab="File (TOML)"
[tracing]
```
```bash tab="CLI"
--tracing=true
```
```yaml tab="Helm Chart Values"
tracing:
otlp:
enabled: true
```
## Configuration Options
| Field | Description | Default | Required |
|:-------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|:---------|
| `tracing.addInternals` | Enables tracing for internal resources (e.g.: `ping@internal`). | false | No |
| `tracing.serviceName` | Service name used in selected backend. | "traefik" | No |
| `tracing.sampleRate` | The proportion of requests to trace, specified between 0.0 and 1.0. | 1.0 | No |
| `tracing.resourceAttributes` | Defines additional resource attributes to be sent to the collector. | [] | No |
| `tracing.capturedRequestHeaders` | Defines the list of request headers to add as attributes.<br />It applies to client and server kind spans.| [] | No |
| `tracing.capturedResponseHeaders` | Defines the list of response headers to add as attributes.<br />It applies to client and server kind spans.| [] |False |
| `tracing.safeQueryParams` | By default, all query parameters are redacted.<br />Defines the list of query parameters to not redact. | [] | No |
| `tracing.otlp.http` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `tracing.otlp.http.endpoint` | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/tracing" | Yes |
| `tracing.otlp.http.headers` | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | | No |
| `tracing.otlp.http.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | "" | No |
| `tracing.otlp.http.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | "" | No |
| `tracing.otlp.http.tls.key` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false "" | No |
| `tracing.otlp.http.tls.insecureskipverify` |If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| `tracing.otlp.grpc` | This instructs the exporter to send tracing to the OpenTelemetry Collector using gRPC. | false | No |
| `tracing.otlp.grpc.endpoint` | Address of the OpenTelemetry Collector to send tracing to.<br /> Format="`<host>:<port>`" | "localhost:4317" | Yes |
| `tracing.otlp.grpc.headers` | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | [] | No |
| `tracing.otlp.grpc.insecure` |Allows exporter to send tracing to the OpenTelemetry Collector without using a secured protocol. | false | Yes |
| `tracing.otlp.grpc.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | "" | No |
| `tracing.otlp.grpc.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | "" | No |
| `tracing.otlp.grpc.tls.key` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false "" | No |
| `tracing.otlp.grpc.tls.insecureskipverify` |If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |

426
docs/content/reference/install-configuration/providers/docker.md Normal file
View File

@@ -0,0 +1,426 @@
---
title: "Traefik Docker Documentation"
description: "Learn how to achieve configuration discovery in Traefik through Docker. Read the technical documentation."
---
# Traefik & Docker
!!! tip "The Quick Start Uses Docker"
If you have not already read it, maybe you would like to go through the [quick start guide](../../../getting-started/quick-start.md) that uses the Docker provider.
## Configuration Example
You can enable the Docker provider as detailed below:
```yaml tab="File (YAML)"
providers:
docker: {}
```
```toml tab="File (TOML)"
[providers.docker]
```
```bash tab="CLI"
--providers.docker=true
```
Attach labels to containers (in your Docker compose file)
```yaml
services:
my-container:
# ...
labels:
- traefik.http.routers.my-container.rule=Host(`example.com`)
```
## Configuration Options
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.docker.endpoint` | Specifies the Docker API endpoint. See [here](#endpoint) for more information| "unix:///var/run/docker.sock" | Yes |
| `providers.docker.username` | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| `providers.docker.password` | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| `providers.docker.useBindPortIP` | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| `providers.docker.exposedByDefault` | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| `providers.docker.network` | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.docker.network` label.| "" | No |
| `providers.docker.defaultRule` | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.docker.httpClientTimeout` | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| `providers.docker.watch` | Instructs Traefik to watch Docker events or not. | True | No |
| `providers.docker.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.docker.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.docker.tls.ca` | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| `providers.docker.tls.cert` | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.docker.tls.key` | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.docker.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by the Docker server when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
### `endpoint`
See the [Docker API Access](#docker-api-access) section for more information.
??? example "Using the docker.sock"
The docker-compose file shares the docker sock with the Traefik container
```yaml
services:
traefik:
image: traefik:v3.1 # The official v3 Traefik docker image
ports:
- "80:80"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
```
We specify the docker.sock in traefik's configuration file.
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
# ...
```
```bash tab="CLI"
--providers.docker.endpoint=unix:///var/run/docker.sock
# ...
```
??? example "Using SSH"
Using Docker 18.09+ you can connect Traefik to daemon using SSH.
We specify the SSH host and user in Traefik's configuration file.
Note that if the server requires public keys for authentication, you must have them accessible for the user running Traefik.
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "ssh://traefik@192.168.2.5:2022"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "ssh://traefik@192.168.2.5:2022"
# ...
```
```bash tab="CLI"
--providers.docker.endpoint=ssh://traefik@192.168.2.5:2022
# ...
```
??? example "Using HTTP"
Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "http://127.0.0.1:2375"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "http://127.0.0.1:2375"
# ...
```
```bash tab="CLI"
--providers.docker.endpoint=http://127.0.0.1:2375
# ...
```
??? example "Using TCP"
Using Docker Engine API you can connect Traefik to remote daemon using TCP.
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "tcp://127.0.0.1:2375"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "tcp://127.0.0.1:2375"
# ...
```
```bash tab="CLI"
--providers.docker.endpoint=tcp://127.0.0.1:2375
# ...
```
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
```
```bash tab="CLI"
--providers.docker.endpoint=unix:///var/run/docker.sock
```
### `useBindPortIP`
Traefik routes requests to the IP/port of the matching container.
When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`.
If it cannot find such a binding, Traefik falls back on the internal network IP of the container,
but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label.
??? example "Examples of `usebindportip` in different situations."
| port label | Container's binding | Routes to |
|--------------------|----------------------------------------------------|----------------|
| - | - | IntIP:IntPort |
| - | ExtPort:IntPort | IntIP:IntPort |
| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
| LblPort | - | IntIp:LblPort |
| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
!!! info ""
In the above table:
- `ExtIp` stands for "external IP found in the binding"
- `IntIp` stands for "internal network container's IP",
- `ExtPort` stands for "external Port found in the binding"
- `IntPort` stands for "internal network container's port."
```yaml tab="File (YAML)"
providers:
docker:
useBindPortIP: true
# ...
```
```toml tab="File (TOML)"
[providers.docker]
useBindPortIP = true
# ...
```
```bash tab="CLI"
--providers.docker.useBindPortIP=true
# ...
```
### `defaultRule`
The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
It must be a valid [Go template](https://pkg.go.dev/text/template/),
and can use [sprig template functions](https://masterminds.github.io/sprig/).
The container name can be accessed with the `ContainerName` identifier.
The service name can be accessed with the `Name` identifier.
The template has access to all the labels defined on this container with the `Labels` identifier.
```yaml tab="File (YAML)"
providers:
docker:
defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```bash tab="CLI"
--providers.docker.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
# ...
```
??? info "Default rule and Traefik service"
The exposure of the Traefik container, combined with the default rule mechanism,
can lead to create a router targeting itself in a loop.
In this case, to prevent an infinite loop,
Traefik adds an internal middleware to refuse the request if it comes from the same router.
### `constraints`
The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
to create any route for that container. If none of the container labels match the expression, no route for that container is
created. If the expression is empty, all detected containers are included.
The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
as well as the usual boolean logic, as shown in examples below.
??? example "Constraints Expression Examples"
```toml
# Includes only containers having a label with key `a.label.name` and value `foo`
constraints = "Label(`a.label.name`, `foo`)"
```
```toml
# Excludes containers having any label with key `a.label.name` and value `foo`
constraints = "!Label(`a.label.name`, `value`)"
```
```toml
# With logical AND.
constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
```
```toml
# With logical OR.
constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
```
```toml
# With logical AND and OR, with precedence set by parentheses.
constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
```
```toml
# Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
constraints = "LabelRegex(`a.label.name`, `a.+`)"
```
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```yaml tab="File (YAML)"
providers:
docker:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
constraints = "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.docker.constraints=Label(`a.label.name`,`foo`)
# ...
```
## Routing Configuration
When using Docker as a [provider](./overview.md),
Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.
See the list of labels in the dedicated [routing](../../../routing/providers/docker.md) section.
### Routing Configuration with Labels
By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.
When using Docker Compose, labels are specified by the directive
[`labels`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels) from the
["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).
!!! tip "Not Only Docker"
Please note that any tool like Nomad, Terraform, Ansible, etc.
that is able to define a Docker container with labels can work
with Traefik and the Docker provider.
### Port Detection
Traefik retrieves the private IP and port of containers from the Docker API.
Port detection for private communication works as follows:
- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
then Traefik uses this port.
- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
then Traefik uses the lowest port. E.g. if `80` and `8080` are exposed, Traefik will use `80`.
- If a container does not expose any port, or the selection from multiple ports does not fit,
then you must manually specify which port Traefik should use for communication
by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
(Read more on this label in the dedicated section in [routing](../../../routing/providers/docker.md#services)).
### Host networking
When exposing containers that are configured with [host networking](https://docs.docker.com/network/host/),
the IP address of the host is resolved as follows:
- try a lookup of `host.docker.internal`
- if the lookup was unsuccessful, try a lookup of `host.containers.internal`, ([Podman](https://docs.podman.io/en/latest/) equivalent of `host.docker.internal`)
- if that lookup was also unsuccessful, fall back to `127.0.0.1`
On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`.
### IPv4 & IPv6
When using a docker stack that uses IPv6,
Traefik will use the IPv4 container IP before its IPv6 counterpart.
Therefore, on an IPv6 Docker stack,
Traefik will use the IPv6 container IP.
### Docker API Access
Traefik requires access to the docker socket to get its dynamic configuration.
You can specify which Docker API Endpoint to use with the directive [`endpoint`](#endpoint).
!!! warning "Security Note"
Accessing the Docker API without any restriction is a security concern:
If Traefik is attacked, then the attacker might get access to the underlying host.
{: #security-note }
As explained in the [Docker Daemon Attack Surface documentation](https://docs.docker.com/engine/security/#docker-daemon-attack-surface):
!!! quote
[...] only **trusted** users should be allowed to control your Docker daemon [...]
??? success "Solutions"
Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
- Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/protect-access/)
- Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
- Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
- Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
- Accounting at container level, by exposing the socket on a another container than Traefik's.
- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
- SSH public key authentication (SSH is supported with Docker > 18.09)
- Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.
??? info "More Resources and Examples"
- ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
- [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
- [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
- [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
{!traefik-for-business-applications.md!}

205
docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md Normal file
View File

@@ -0,0 +1,205 @@
---
title: "Traefik Consul Catalog Documentation"
description: "Learn how to use Consul Catalog as a provider for configuration discovery in Traefik Proxy. Read the technical documentation."
---
# Traefik & Consul Catalog
## Configuration Example
You can enable the Consul Catalog provider as detailed below:
```yaml tab="File (YAML)"
providers:
consulCatalog: {}
```
```toml tab="File (TOML)"
[providers.consulCatalog]
```
```bash tab="CLI"
--providers.consulcatalog=true
```
Attaching tags to services:
```yaml
- traefik.http.routers.my-router.rule=Host(`example.com`)
```
## Configuration Options
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.consulCatalog.refreshInterval` | Defines the polling interval.| 15s | No |
| `providers.consulCatalog.prefix` | Defines the prefix for Consul Catalog tags defining Traefik labels.| traefik | yes |
| `providers.consulCatalog.requireConsistent` | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.| false | yes |
| `providers.consulCatalog.exposedByDefault` | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery). | true | no |
| `providers.consulCatalog.defaultRule` | The Default Host rule for all services. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.consulCatalog.connectAware` | Enable Consul Connect support. If set to `true`, Traefik will be enabled to communicate with Connect services. | false | No |
| `providers.consulCatalog.connectByDefault` | Consider every service as Connect capable by default. If set to true, Traefik will consider every Consul Catalog service to be Connect capable by default. The option can be overridden on an instance basis with the traefik.consulcatalog.connect tag. | false | No |
| `providers.consulCatalog.serviceName` | Defines the name of the Traefik service in Consul Catalog. | "traefik" | No |
| `providers.consulCatalog.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.consulCatalog.namespaces` | Defines the namespaces to query. See [here](#namespaces) for more information. | "" | no |
| `providers.consulCatalog.stale` | Instruct Traefik to use stale consistency for catalog reads. | false | no |
| `providers.consulCatalog.cache` | Instruct Traefik to use local agent caching for catalog reads. | false | no |
| `providers.consulCatalog.endpoint` | Defines the Consul server endpoint. | - | yes |
| `providers.consulCatalog.endpoint.address` | Defines the address of the Consul server. | 127.0.0.1:8500 | no |
| `providers.consulCatalog.endpoint.scheme` | Defines the URI scheme for the Consul server. | "" | no |
| `providers.consulCatalog.endpoint.datacenter` | Defines the datacenter to use. If not provided in Traefik, Consul uses the default agent datacenter. | "" | no |
| `providers.consulCatalog.endpoint.token` | Defines a per-request ACL token which overwrites the agent's default token. | "" | no |
| `providers.consulCatalog.endpoint.endpointWaitTime` | Defines a duration for which a `watch` can block. If not provided, the agent default values will be used. | "" | no |
| `providers.consulCatalog.endpoint.httpAuth` | Defines authentication settings for the HTTP client using HTTP Basic Authentication. | N/A | no |
| `providers.consulCatalog.endpoint.httpAuth.username` | Defines the username to use for HTTP Basic Authentication. | "" | no |
| `providers.consulCatalog.endpoint.httpAuth.password` | Defines the password to use for HTTP Basic Authentication. | "" | no |
| `providers.consulCatalog.strictChecks` | Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic. | "passing,warning" | no |
| `providers.consulCatalog.tls.ca` | Defines the path to the certificate authority used for the secure connection to Consul Calatog, it defaults to the system bundle. | "" | No |
| `providers.consulCatalog.tls.cert` | Defines the path to the public certificate used for the secure connection to Consul Calatog. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.consulCatalog.tls.key` | Defines the path to the private key used for the secure connection to Consul Catalog. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.consulCatalog.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by Consul Catalog when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| `providers.consulCatalog.watch` | When set to `true`, watches for Consul changes ([Consul watches checks](https://www.consul.io/docs/dynamic-app-config/watches#checks)). | false | No |
### `requireConsistent`
Forces the read to be fully consistent. Setting this option can be expensive due to an extra round-trip but prevents ever performing a stale read.
For more information, see the Consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
### `defaultRule`
The default host rule for all services.
For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
The `defaultRule` must be set to a valid [Go template](https://pkg.go.dev/text/template/),
and can include [sprig template functions](https://masterminds.github.io/sprig/).
The service name can be accessed with the `Name` identifier,
and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
```yaml tab="File (YAML)"
providers:
consulCatalog:
defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
```
??? info "Default rule and Traefik service"
The exposure of the Traefik container, combined with the default rule mechanism,
can lead to create a router targeting itself in a loop.
In this case, to prevent an infinite loop,
Traefik adds an internal middleware to refuse the request if it comes from the same router.
### `constraints`
The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
to create any route for that service. If none of the service tags match the expression, no route for that service is
created. If the expression is empty, all detected services are included.
The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
as well as the usual boolean logic, as shown in examples below.
??? example "Constraints Expression Examples"
```toml
# Includes only services having the tag `a.tag.name=foo`
constraints = "Tag(`a.tag.name=foo`)"
```
```toml
# Excludes services having any tag `a.tag.name=foo`
constraints = "!Tag(`a.tag.name=foo`)"
```
```toml
# With logical AND.
constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
```
```toml
# With logical OR.
constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
```
```toml
# With logical AND and OR, with precedence set by parentheses.
constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
```
```toml
# Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
constraints = "TagRegex(`a\.tag\.t.+`)"
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
constraints: "Tag(`a.tag.name`)"
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
constraints = "Tag(`a.tag.name`)"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
# ...
```
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
### `namespaces`
The `namespaces` option defines the namespaces in which the consul catalog services will be discovered.
When using the `namespaces` option, the discovered configuration object names will be suffixed as shown below:
```text
<resource-name>@consulcatalog-<namespace>
```
!!! warning
- The namespaces option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
- One should only define either the `namespaces` option or the `namespace` option.
```yaml tab="File (YAML)"
providers:
consulCatalog:
namespaces:
- "ns1"
- "ns2"
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
namespaces = ["ns1", "ns2"]
# ...
```
```bash tab="CLI"
--providers.consulcatalog.namespaces=ns1,ns2
# ...
```
## Routing Configuration
See the dedicated section in [routing](../../../../routing/providers/consul-catalog.md).

Some files were not shown because too many files have changed in this diff Show More