shaba/traefik
1
0
Fork 0
mirror of https://github.com/containous/traefik.git synced 2025-09-20 05:44:23 +03:00
Code Releases Activity

Compare commits

base: shaba:v3.5.1
Branches Tags
shaba:master shaba:v3.5 shaba:v2.11 shaba:v3.4 shaba:v3.3 shaba:v3.2 shaba:v3.1 shaba:v3.0 shaba:v1.0 shaba:v1.1 shaba:v1.2 shaba:v1.3 shaba:v1.4 shaba:v2.10 shaba:v1.5 shaba:v1.6 shaba:v1.7 shaba:v2.0 shaba:v2.1 shaba:v2.2 shaba:v2.6 shaba:v2.7 shaba:v2.8 shaba:v2.9 shaba:v2.3 shaba:v2.4 shaba:v2.5
shaba:v3.5.2 shaba:v3.5.1 shaba:v2.11.29 shaba:v3.5.0 shaba:v3.4.5 shaba:v2.11.28 shaba:v3.5.0-rc2 shaba:v3.4.4 shaba:v2.11.27 shaba:v3.5.0-rc1 shaba:v3.4.3 shaba:v3.4.2 shaba:v2.11.26 shaba:v3.4.1 shaba:v2.11.25 shaba:v3.4.0 shaba:v3.3.7 shaba:v3.4.0-rc2 shaba:v3.3.6 shaba:v2.11.24 shaba:v2.11.23 shaba:v3.4.0-rc1 shaba:v3.3.5 shaba:v2.11.22 shaba:v3.3.4 shaba:v2.11.21 shaba:v3.3.3 shaba:v2.11.20 shaba:v2.11.19 shaba:v3.3.2 shaba:v2.11.18 shaba:v3.3.1 shaba:v3.2.5 shaba:v3.3.0 shaba:v3.2.4 shaba:v2.11.17 shaba:v3.3.0-rc2 shaba:v3.3.0-rc1 shaba:v3.2.3 shaba:v2.11.16 shaba:v3.2.2 shaba:v2.11.15 shaba:v3.2.1 shaba:v2.11.14 shaba:v3.2.0 shaba:v3.1.7 shaba:v2.11.13 shaba:v3.2.0-rc2 shaba:v3.1.6 shaba:v2.11.12 shaba:v3.2.0-rc1 shaba:v3.1.5 shaba:v2.11.11 shaba:v3.1.4 shaba:v2.11.10 shaba:v3.1.3 shaba:v2.11.9 shaba:v3.1.2 shaba:v2.11.8 shaba:v3.1.1 shaba:v2.11.7 shaba:v3.1.0 shaba:v3.1.0-rc3 shaba:v3.0.4 shaba:v2.11.6 shaba:v3.1.0-rc2 shaba:v3.1.0-rc1 shaba:v3.0.3 shaba:v2.11.5 shaba:v3.0.2 shaba:v2.11.4 shaba:v3.0.1 shaba:v2.11.3 shaba:v3.0.0 shaba:v3.0.0-rc5 shaba:v2.11.2 shaba:v3.0.0-rc4 shaba:v2.11.1 shaba:v3.0.0-rc3 shaba:v3.0.0-rc2 shaba:v3.0.0-rc1 shaba:v2.11.0 shaba:v2.11.0-rc2 shaba:v2.11.0-rc1 shaba:v2.10.7 shaba:v3.0.0-beta5 shaba:v2.10.6 shaba:v3.0.0-beta4 shaba:v2.10.5 shaba:v2.10.4 shaba:v3.0.0-beta3 shaba:v2.10.3 shaba:v2.10.2 shaba:v2.10.1 shaba:v2.10.0 shaba:v2.10.0-rc2 shaba:v2.9.10 shaba:v2.10.0-rc1 shaba:v2.9.9 shaba:v2.9.8 shaba:v2.9.7 shaba:v3.0.0-beta2 shaba:v2.9.6 shaba:v3.0.0-beta1 shaba:v2.9.5 shaba:v2.9.4 shaba:v2.9.3 shaba:v2.9.2 shaba:v2.9.1 shaba:v2.9.0-rc5 shaba:v2.8.8 shaba:v2.8.7 shaba:v2.9.0-rc4 shaba:v2.8.6 shaba:v2.9.0-rc3 shaba:v2.9.0-rc2 shaba:v2.9.0-rc1 shaba:v2.8.5 shaba:v2.8.4 shaba:v2.8.3 shaba:v2.8.2 shaba:v2.8.1 shaba:v2.8.0 shaba:v2.7.3 shaba:v2.8.0-rc2 shaba:v2.7.2 shaba:v2.8.0-rc1 shaba:v2.7.1 shaba:v2.7.0 shaba:v2.6.7 shaba:v2.6.6 shaba:v2.6.5 shaba:v2.6.4 shaba:v2.7.0-rc2 shaba:v2.6.3 shaba:v2.7.0-rc1 shaba:v2.6.2 shaba:v2.6.1 shaba:v2.6.0 shaba:v2.6.0-rc3 shaba:v2.5.7 shaba:v2.6.0-rc2 shaba:v2.5.6 shaba:v2.6.0-rc1 shaba:v1.7.34 shaba:v2.5.5 shaba:v2.5.4 shaba:v1.7.33 shaba:v1.7.32 shaba:v1.7.31 shaba:v2.5.3 shaba:v2.5.2 shaba:v2.5.1 shaba:v2.5.0 shaba:v2.4.14 shaba:v2.5.0-rc6 shaba:v2.5.0-rc5 shaba:v2.5.0-rc4 shaba:v2.4.13 shaba:v2.4.12 shaba:v2.5.0-rc3 shaba:v2.4.11 shaba:v2.4.10 shaba:v2.5.0-rc2 shaba:v2.5.0-rc1 shaba:v2.4.9 shaba:v1.7.30 shaba:v1.7.29 shaba:v2.4.8 shaba:v2.4.7 shaba:v2.4.6 shaba:v2.4.5 shaba:v2.4.4 shaba:v2.4.3 shaba:v2.4.2 shaba:v2.4.1 shaba:v2.4.0 shaba:v1.7.28 shaba:v1.7.27 shaba:v2.4.0-rc2 shaba:v2.3.7 shaba:v2.3.6 shaba:v2.4.0-rc1 shaba:v2.3.5 shaba:v2.3.4 shaba:v2.3.3 shaba:v2.3.2 shaba:v2.3.1 shaba:v2.3.0 shaba:v2.3.0-rc7 shaba:v2.3.0-rc6 shaba:v2.3.0-rc5 shaba:v2.2.11 shaba:v2.2.10 shaba:v2.3.0-rc4 shaba:v2.3.0-rc3 shaba:v2.2.8 shaba:v1.7.26 shaba:v2.2.7 shaba:v2.2.6 shaba:v2.3.0-rc2 shaba:v2.3.0-rc1 shaba:v1.7.25 shaba:v2.2.5 shaba:v2.2.4 shaba:v2.2.3 shaba:v2.2.2 shaba:v2.2.1 shaba:v2.2.0 shaba:v1.7.24 shaba:v2.1.9 shaba:v1.7.23 shaba:v2.2.0-rc4 shaba:v2.1.8 shaba:v2.2.0-rc3 shaba:v2.1.7 shaba:v1.7.22 shaba:v2.2.0-rc2 shaba:v2.2.0-rc1 shaba:v2.1.6 shaba:v2.1.5 shaba:v1.7.21 shaba:v2.1.4 shaba:v2.1.3 shaba:v2.1.2 shaba:v2.1.1 shaba:v2.1.0 shaba:v1.7.20 shaba:v2.0.7 shaba:v2.1.0-rc3 shaba:v2.0.6 shaba:v2.1.0-rc2 shaba:v2.1.0-rc1 shaba:v2.0.5 shaba:v2.0.4 shaba:v2.0.3 shaba:v1.7.19 shaba:v2.0.2 shaba:v2.0.1 shaba:v1.7.18 shaba:v1.7.17 shaba:v2.0.0 shaba:v2.0.0-rc4 shaba:v1.7.16 shaba:v1.7.15 shaba:v2.0.0-rc3 shaba:v2.0.0-rc2 shaba:v2.0.0-rc1 shaba:v1.7.14 shaba:v1.7.13 shaba:v2.0.0-beta1 shaba:v2.0.0-alpha8 shaba:v2.0.0-alpha7 shaba:v2.0.0-alpha6 shaba:v2.0.0-alpha5 shaba:v1.7.12 shaba:v1.7.11 shaba:v2.0.0-alpha4 shaba:v2.0.0-alpha3 shaba:v1.7.10 shaba:v2.0.0-alpha2 shaba:v2.0.0-alpha1 shaba:v1.7.9 shaba:v1.7.8 shaba:v1.7.7 shaba:v1.7.6 shaba:v1.7.5 shaba:v1.7.4 shaba:v1.7.3 shaba:v1.7.2 shaba:v1.7.1 shaba:v1.7.0 shaba:v1.7.0-rc5 shaba:v1.7.0-rc4 shaba:v1.6.6 shaba:v1.7.0-rc3 shaba:v1.7.0-rc2 shaba:v1.6.5 shaba:v1.7.0-rc1 shaba:v1.6.4 shaba:v1.6.3 shaba:v1.6.2 shaba:v1.6.1 shaba:v1.6.0 shaba:v1.6.0-rc6 shaba:v1.6.0-rc5 shaba:v1.6.0-rc4 shaba:v1.6.0-rc3 shaba:v1.6.0-rc2 shaba:v1.6.0-rc1 shaba:v1.5.4 shaba:v1.5.3 shaba:v1.5.2 shaba:v1.5.1 shaba:v1.5.0 shaba:v1.5.0-rc5 shaba:v1.5.0-rc4 shaba:v1.4.6 shaba:v1.5.0-rc3 shaba:v1.5.0-rc2 shaba:v1.4.5 shaba:v1.5.0-rc1 shaba:v1.4.4 shaba:v1.4.3 shaba:v1.4.2 shaba:v1.4.1 shaba:v1.4.0 shaba:v1.4.0-rc5 shaba:v1.4.0-rc4 shaba:v1.4.0-rc3 shaba:v1.4.0-rc2 shaba:v1.3.8 shaba:v1.4.0-rc1 shaba:v1.3.7 shaba:v1.3.6 shaba:v1.3.5 shaba:v1.3.4 shaba:v1.3.3 shaba:v1.3.2 shaba:v1.3.1 shaba:v1.3.0 shaba:v1.3.0-rc3 shaba:v1.3.0-rc2 shaba:v1.3.0-rc1 shaba:v1.2.3 shaba:v1.2.2 shaba:v1.2.1 shaba:v1.2.0 shaba:v1.2.0-rc2 shaba:v1.2.0-rc1 shaba:v1.1.2 shaba:v1.1.1 shaba:v1.1.0 shaba:v1.1.0-rc4 shaba:v1.1.0-rc3 shaba:v1.1.0-rc2 shaba:v1.1.0-rc1 shaba:v1.0.3 shaba:v1.0.2 shaba:v1.0.1 shaba:v1.0.0 shaba:v1.0.0-rc3 shaba:v1.0.0-rc2 shaba:v1.0.0-rc1 shaba:v1.0.0-beta.809 shaba:v1.0.0-beta.804 shaba:v1.0.0-beta.794 shaba:v1.0.0-beta.784 shaba:v1.0.0-beta.771 shaba:v1.0.0-beta.767 shaba:v1.0.0-beta.756 shaba:v1.0.0-beta.754 shaba:v1.0.0-beta.744 shaba:v1.0.0-beta.732 shaba:v1.0.0-beta.723 shaba:v1.0.0-beta.721 shaba:v1.0.0-beta.712 shaba:v1.0.0-beta.704 shaba:v1.0.0-beta.695 shaba:v1.0.0-beta.692 shaba:v1.0.0-beta.682 shaba:v1.0.0-beta.676 shaba:v1.0.0-beta.673 shaba:v1.0.0-beta.666 shaba:v1.0.0-beta.652 shaba:v1.0.0-beta.644 shaba:v1.0.0-beta.621 shaba:v1.0.0-beta.614 shaba:v1.0.0-beta.610 shaba:v1.0.0-beta.601 shaba:v1.0.0-beta.582 shaba:v1.0.0-beta.576 shaba:v1.0.0-beta.573 shaba:v1.0.0-beta.555 shaba:v1.0.0-beta.548 shaba:v1.0.0-beta.545 shaba:v1.0.0-beta.524 shaba:v1.0.0-beta.513 shaba:v1.0.0-beta.508 shaba:v1.0.0-beta.505 shaba:v1.0.0-beta.484 shaba:v1.0.0-beta.481 shaba:v1.0.0-beta.475 shaba:v1.0.0-beta.470 shaba:v1.0.0-beta.453 shaba:v1.0.0-beta.442 shaba:v1.0.0-beta.440 shaba:v1.0.0-beta.436 shaba:v1.0.0-beta.433 shaba:v1.0.0-beta.427 shaba:v1.0.0-beta.421 shaba:v1.0.0-beta.416 shaba:v1.0.0-beta.408 shaba:v1.0.0-beta.404 shaba:v1.0.0-beta.395 shaba:v1.0.0-beta.392 shaba:v1.0.0-beta.374 shaba:v1.0.0-beta.366 shaba:v1.0.0-beta.355 shaba:v1.0.0-beta.352 shaba:v1.0.0-beta.341 shaba:v1.0.0-beta.339 shaba:v1.0.0-beta.324 shaba:v1.0.0-beta.300 shaba:v1.0.0-beta.291 shaba:v1.0.0-beta.289 shaba:v1.0.0-beta.287 shaba:v1.0.0-beta.280 shaba:v1.0.0-beta.277 shaba:v1.0.0-beta.254 shaba:v1.0.0-beta.247 shaba:v1.0.0-beta.224 shaba:v1.0.0-beta.220 shaba:v1.0.0-beta.212 shaba:v1.0.0-beta.211 shaba:v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2 shaba:v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708 shaba:v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb shaba:v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f shaba:v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e shaba:v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185 shaba:v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458 shaba:v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e shaba:v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b shaba:v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a shaba:v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b shaba:v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e shaba:v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d shaba:v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d shaba:v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05 shaba:v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff shaba:v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb shaba:v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30 shaba:v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b shaba:v1.0.alpha.522 shaba:v1.0.alpha.516 shaba:v1.0.alpha.506 shaba:v1.0.alpha.481 shaba:v1.0.alpha.477 shaba:v1.0.alpha.471 shaba:v1.0.alpha.469 shaba:v1.0.alpha.463 shaba:v1.0.alpha.450 shaba:v1.0.alpha.443 shaba:v1.0.alpha.439 shaba:v1.0.alpha.425 shaba:v1.0.alpha.421 shaba:v1.0.alpha.418 shaba:v1.0.alpha.412 shaba:v1.0.alpha.404 shaba:v1.0.alpha.392 shaba:v1.0.alpha.374 shaba:v1.0.alpha.367 shaba:v1.0.alpha.364 shaba:v1.0.alpha.361 shaba:v1.0.alpha.358 shaba:v1.0.alpha.357 shaba:v1.0.alpha.341 shaba:v1.0.alpha.338 shaba:v1.0.alpha.336 shaba:v1.0.alpha.333 shaba:v1.0.alpha.329 shaba:v1.0.alpha.311 shaba:v1.0.alpha.306 shaba:v1.0.alpha.302 shaba:v1.0.alpha.291 shaba:v1.0.alpha.290 shaba:v1.0.alpha.288 shaba:v1.0.alpha.285 shaba:v1.0.alpha.275 shaba:v1.0.alpha.274 shaba:v1.0.alpha.273 shaba:v1.0.alpha.272 shaba:v1.0.alpha.271 shaba:v1.0.alpha.270 shaba:v1.0.alpha.268 shaba:v1.0.alpha.269 shaba:v1.0.alpha.267 shaba:v1.0.alpha.266 shaba:v1.0.alpha.263 shaba:v1.0.alpha.257 shaba:v1.0.alpha.256 shaba:v1.0.alpha.251 shaba:v1.0.alpha.252 shaba:v1.0.alpha.250 shaba:v1.0.alpha.249 shaba:v1.0.alpha.247 shaba:v1.0.alpha.228 shaba:v1.0.alpha.217 shaba:v1.0.alpha.216 shaba:v1.0.alpha.215 shaba:v1.0.alpha.212 shaba:v1.0.alpha.200 shaba:v1.0.alpha.186 shaba:v1.0.alpha.182 shaba:v1.0.alpha.178 shaba:v1.0.alpha.176 shaba:v1.0.alpha.171 shaba:v1.0.alpha.170 shaba:v1.0.alpha.164 shaba:v1.0.alpha.157 shaba:v1.0
..
compare: shaba:master
Branches Tags
shaba:v3.5 shaba:master shaba:v2.11 shaba:v3.4 shaba:v3.3 shaba:v3.2 shaba:v3.1 shaba:v3.0 shaba:v1.0 shaba:v1.1 shaba:v1.2 shaba:v1.3 shaba:v1.4 shaba:v2.10 shaba:v1.5 shaba:v1.6 shaba:v1.7 shaba:v2.0 shaba:v2.1 shaba:v2.2 shaba:v2.6 shaba:v2.7 shaba:v2.8 shaba:v2.9 shaba:v2.3 shaba:v2.4 shaba:v2.5
shaba:v3.5.2 shaba:v3.5.1 shaba:v2.11.29 shaba:v3.5.0 shaba:v3.4.5 shaba:v2.11.28 shaba:v3.5.0-rc2 shaba:v3.4.4 shaba:v2.11.27 shaba:v3.5.0-rc1 shaba:v3.4.3 shaba:v3.4.2 shaba:v2.11.26 shaba:v3.4.1 shaba:v2.11.25 shaba:v3.4.0 shaba:v3.3.7 shaba:v3.4.0-rc2 shaba:v3.3.6 shaba:v2.11.24 shaba:v2.11.23 shaba:v3.4.0-rc1 shaba:v3.3.5 shaba:v2.11.22 shaba:v3.3.4 shaba:v2.11.21 shaba:v3.3.3 shaba:v2.11.20 shaba:v2.11.19 shaba:v3.3.2 shaba:v2.11.18 shaba:v3.3.1 shaba:v3.2.5 shaba:v3.3.0 shaba:v3.2.4 shaba:v2.11.17 shaba:v3.3.0-rc2 shaba:v3.3.0-rc1 shaba:v3.2.3 shaba:v2.11.16 shaba:v3.2.2 shaba:v2.11.15 shaba:v3.2.1 shaba:v2.11.14 shaba:v3.2.0 shaba:v3.1.7 shaba:v2.11.13 shaba:v3.2.0-rc2 shaba:v3.1.6 shaba:v2.11.12 shaba:v3.2.0-rc1 shaba:v3.1.5 shaba:v2.11.11 shaba:v3.1.4 shaba:v2.11.10 shaba:v3.1.3 shaba:v2.11.9 shaba:v3.1.2 shaba:v2.11.8 shaba:v3.1.1 shaba:v2.11.7 shaba:v3.1.0 shaba:v3.1.0-rc3 shaba:v3.0.4 shaba:v2.11.6 shaba:v3.1.0-rc2 shaba:v3.1.0-rc1 shaba:v3.0.3 shaba:v2.11.5 shaba:v3.0.2 shaba:v2.11.4 shaba:v3.0.1 shaba:v2.11.3 shaba:v3.0.0 shaba:v3.0.0-rc5 shaba:v2.11.2 shaba:v3.0.0-rc4 shaba:v2.11.1 shaba:v3.0.0-rc3 shaba:v3.0.0-rc2 shaba:v3.0.0-rc1 shaba:v2.11.0 shaba:v2.11.0-rc2 shaba:v2.11.0-rc1 shaba:v2.10.7 shaba:v3.0.0-beta5 shaba:v2.10.6 shaba:v3.0.0-beta4 shaba:v2.10.5 shaba:v2.10.4 shaba:v3.0.0-beta3 shaba:v2.10.3 shaba:v2.10.2 shaba:v2.10.1 shaba:v2.10.0 shaba:v2.10.0-rc2 shaba:v2.9.10 shaba:v2.10.0-rc1 shaba:v2.9.9 shaba:v2.9.8 shaba:v2.9.7 shaba:v3.0.0-beta2 shaba:v2.9.6 shaba:v3.0.0-beta1 shaba:v2.9.5 shaba:v2.9.4 shaba:v2.9.3 shaba:v2.9.2 shaba:v2.9.1 shaba:v2.9.0-rc5 shaba:v2.8.8 shaba:v2.8.7 shaba:v2.9.0-rc4 shaba:v2.8.6 shaba:v2.9.0-rc3 shaba:v2.9.0-rc2 shaba:v2.9.0-rc1 shaba:v2.8.5 shaba:v2.8.4 shaba:v2.8.3 shaba:v2.8.2 shaba:v2.8.1 shaba:v2.8.0 shaba:v2.7.3 shaba:v2.8.0-rc2 shaba:v2.7.2 shaba:v2.8.0-rc1 shaba:v2.7.1 shaba:v2.7.0 shaba:v2.6.7 shaba:v2.6.6 shaba:v2.6.5 shaba:v2.6.4 shaba:v2.7.0-rc2 shaba:v2.6.3 shaba:v2.7.0-rc1 shaba:v2.6.2 shaba:v2.6.1 shaba:v2.6.0 shaba:v2.6.0-rc3 shaba:v2.5.7 shaba:v2.6.0-rc2 shaba:v2.5.6 shaba:v2.6.0-rc1 shaba:v1.7.34 shaba:v2.5.5 shaba:v2.5.4 shaba:v1.7.33 shaba:v1.7.32 shaba:v1.7.31 shaba:v2.5.3 shaba:v2.5.2 shaba:v2.5.1 shaba:v2.5.0 shaba:v2.4.14 shaba:v2.5.0-rc6 shaba:v2.5.0-rc5 shaba:v2.5.0-rc4 shaba:v2.4.13 shaba:v2.4.12 shaba:v2.5.0-rc3 shaba:v2.4.11 shaba:v2.4.10 shaba:v2.5.0-rc2 shaba:v2.5.0-rc1 shaba:v2.4.9 shaba:v1.7.30 shaba:v1.7.29 shaba:v2.4.8 shaba:v2.4.7 shaba:v2.4.6 shaba:v2.4.5 shaba:v2.4.4 shaba:v2.4.3 shaba:v2.4.2 shaba:v2.4.1 shaba:v2.4.0 shaba:v1.7.28 shaba:v1.7.27 shaba:v2.4.0-rc2 shaba:v2.3.7 shaba:v2.3.6 shaba:v2.4.0-rc1 shaba:v2.3.5 shaba:v2.3.4 shaba:v2.3.3 shaba:v2.3.2 shaba:v2.3.1 shaba:v2.3.0 shaba:v2.3.0-rc7 shaba:v2.3.0-rc6 shaba:v2.3.0-rc5 shaba:v2.2.11 shaba:v2.2.10 shaba:v2.3.0-rc4 shaba:v2.3.0-rc3 shaba:v2.2.8 shaba:v1.7.26 shaba:v2.2.7 shaba:v2.2.6 shaba:v2.3.0-rc2 shaba:v2.3.0-rc1 shaba:v1.7.25 shaba:v2.2.5 shaba:v2.2.4 shaba:v2.2.3 shaba:v2.2.2 shaba:v2.2.1 shaba:v2.2.0 shaba:v1.7.24 shaba:v2.1.9 shaba:v1.7.23 shaba:v2.2.0-rc4 shaba:v2.1.8 shaba:v2.2.0-rc3 shaba:v2.1.7 shaba:v1.7.22 shaba:v2.2.0-rc2 shaba:v2.2.0-rc1 shaba:v2.1.6 shaba:v2.1.5 shaba:v1.7.21 shaba:v2.1.4 shaba:v2.1.3 shaba:v2.1.2 shaba:v2.1.1 shaba:v2.1.0 shaba:v1.7.20 shaba:v2.0.7 shaba:v2.1.0-rc3 shaba:v2.0.6 shaba:v2.1.0-rc2 shaba:v2.1.0-rc1 shaba:v2.0.5 shaba:v2.0.4 shaba:v2.0.3 shaba:v1.7.19 shaba:v2.0.2 shaba:v2.0.1 shaba:v1.7.18 shaba:v1.7.17 shaba:v2.0.0 shaba:v2.0.0-rc4 shaba:v1.7.16 shaba:v1.7.15 shaba:v2.0.0-rc3 shaba:v2.0.0-rc2 shaba:v2.0.0-rc1 shaba:v1.7.14 shaba:v1.7.13 shaba:v2.0.0-beta1 shaba:v2.0.0-alpha8 shaba:v2.0.0-alpha7 shaba:v2.0.0-alpha6 shaba:v2.0.0-alpha5 shaba:v1.7.12 shaba:v1.7.11 shaba:v2.0.0-alpha4 shaba:v2.0.0-alpha3 shaba:v1.7.10 shaba:v2.0.0-alpha2 shaba:v2.0.0-alpha1 shaba:v1.7.9 shaba:v1.7.8 shaba:v1.7.7 shaba:v1.7.6 shaba:v1.7.5 shaba:v1.7.4 shaba:v1.7.3 shaba:v1.7.2 shaba:v1.7.1 shaba:v1.7.0 shaba:v1.7.0-rc5 shaba:v1.7.0-rc4 shaba:v1.6.6 shaba:v1.7.0-rc3 shaba:v1.7.0-rc2 shaba:v1.6.5 shaba:v1.7.0-rc1 shaba:v1.6.4 shaba:v1.6.3 shaba:v1.6.2 shaba:v1.6.1 shaba:v1.6.0 shaba:v1.6.0-rc6 shaba:v1.6.0-rc5 shaba:v1.6.0-rc4 shaba:v1.6.0-rc3 shaba:v1.6.0-rc2 shaba:v1.6.0-rc1 shaba:v1.5.4 shaba:v1.5.3 shaba:v1.5.2 shaba:v1.5.1 shaba:v1.5.0 shaba:v1.5.0-rc5 shaba:v1.5.0-rc4 shaba:v1.4.6 shaba:v1.5.0-rc3 shaba:v1.5.0-rc2 shaba:v1.4.5 shaba:v1.5.0-rc1 shaba:v1.4.4 shaba:v1.4.3 shaba:v1.4.2 shaba:v1.4.1 shaba:v1.4.0 shaba:v1.4.0-rc5 shaba:v1.4.0-rc4 shaba:v1.4.0-rc3 shaba:v1.4.0-rc2 shaba:v1.3.8 shaba:v1.4.0-rc1 shaba:v1.3.7 shaba:v1.3.6 shaba:v1.3.5 shaba:v1.3.4 shaba:v1.3.3 shaba:v1.3.2 shaba:v1.3.1 shaba:v1.3.0 shaba:v1.3.0-rc3 shaba:v1.3.0-rc2 shaba:v1.3.0-rc1 shaba:v1.2.3 shaba:v1.2.2 shaba:v1.2.1 shaba:v1.2.0 shaba:v1.2.0-rc2 shaba:v1.2.0-rc1 shaba:v1.1.2 shaba:v1.1.1 shaba:v1.1.0 shaba:v1.1.0-rc4 shaba:v1.1.0-rc3 shaba:v1.1.0-rc2 shaba:v1.1.0-rc1 shaba:v1.0.3 shaba:v1.0.2 shaba:v1.0.1 shaba:v1.0.0 shaba:v1.0.0-rc3 shaba:v1.0.0-rc2 shaba:v1.0.0-rc1 shaba:v1.0.0-beta.809 shaba:v1.0.0-beta.804 shaba:v1.0.0-beta.794 shaba:v1.0.0-beta.784 shaba:v1.0.0-beta.771 shaba:v1.0.0-beta.767 shaba:v1.0.0-beta.756 shaba:v1.0.0-beta.754 shaba:v1.0.0-beta.744 shaba:v1.0.0-beta.732 shaba:v1.0.0-beta.723 shaba:v1.0.0-beta.721 shaba:v1.0.0-beta.712 shaba:v1.0.0-beta.704 shaba:v1.0.0-beta.695 shaba:v1.0.0-beta.692 shaba:v1.0.0-beta.682 shaba:v1.0.0-beta.676 shaba:v1.0.0-beta.673 shaba:v1.0.0-beta.666 shaba:v1.0.0-beta.652 shaba:v1.0.0-beta.644 shaba:v1.0.0-beta.621 shaba:v1.0.0-beta.614 shaba:v1.0.0-beta.610 shaba:v1.0.0-beta.601 shaba:v1.0.0-beta.582 shaba:v1.0.0-beta.576 shaba:v1.0.0-beta.573 shaba:v1.0.0-beta.555 shaba:v1.0.0-beta.548 shaba:v1.0.0-beta.545 shaba:v1.0.0-beta.524 shaba:v1.0.0-beta.513 shaba:v1.0.0-beta.508 shaba:v1.0.0-beta.505 shaba:v1.0.0-beta.484 shaba:v1.0.0-beta.481 shaba:v1.0.0-beta.475 shaba:v1.0.0-beta.470 shaba:v1.0.0-beta.453 shaba:v1.0.0-beta.442 shaba:v1.0.0-beta.440 shaba:v1.0.0-beta.436 shaba:v1.0.0-beta.433 shaba:v1.0.0-beta.427 shaba:v1.0.0-beta.421 shaba:v1.0.0-beta.416 shaba:v1.0.0-beta.408 shaba:v1.0.0-beta.404 shaba:v1.0.0-beta.395 shaba:v1.0.0-beta.392 shaba:v1.0.0-beta.374 shaba:v1.0.0-beta.366 shaba:v1.0.0-beta.355 shaba:v1.0.0-beta.352 shaba:v1.0.0-beta.341 shaba:v1.0.0-beta.339 shaba:v1.0.0-beta.324 shaba:v1.0.0-beta.300 shaba:v1.0.0-beta.291 shaba:v1.0.0-beta.289 shaba:v1.0.0-beta.287 shaba:v1.0.0-beta.280 shaba:v1.0.0-beta.277 shaba:v1.0.0-beta.254 shaba:v1.0.0-beta.247 shaba:v1.0.0-beta.224 shaba:v1.0.0-beta.220 shaba:v1.0.0-beta.212 shaba:v1.0.0-beta.211 shaba:v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2 shaba:v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708 shaba:v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb shaba:v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f shaba:v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e shaba:v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185 shaba:v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458 shaba:v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e shaba:v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b shaba:v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a shaba:v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b shaba:v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e shaba:v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d shaba:v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d shaba:v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05 shaba:v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff shaba:v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb shaba:v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30 shaba:v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b shaba:v1.0.alpha.522 shaba:v1.0.alpha.516 shaba:v1.0.alpha.506 shaba:v1.0.alpha.481 shaba:v1.0.alpha.477 shaba:v1.0.alpha.471 shaba:v1.0.alpha.469 shaba:v1.0.alpha.463 shaba:v1.0.alpha.450 shaba:v1.0.alpha.443 shaba:v1.0.alpha.439 shaba:v1.0.alpha.425 shaba:v1.0.alpha.421 shaba:v1.0.alpha.418 shaba:v1.0.alpha.412 shaba:v1.0.alpha.404 shaba:v1.0.alpha.392 shaba:v1.0.alpha.374 shaba:v1.0.alpha.367 shaba:v1.0.alpha.364 shaba:v1.0.alpha.361 shaba:v1.0.alpha.358 shaba:v1.0.alpha.357 shaba:v1.0.alpha.341 shaba:v1.0.alpha.338 shaba:v1.0.alpha.336 shaba:v1.0.alpha.333 shaba:v1.0.alpha.329 shaba:v1.0.alpha.311 shaba:v1.0.alpha.306 shaba:v1.0.alpha.302 shaba:v1.0.alpha.291 shaba:v1.0.alpha.290 shaba:v1.0.alpha.288 shaba:v1.0.alpha.285 shaba:v1.0.alpha.275 shaba:v1.0.alpha.274 shaba:v1.0.alpha.273 shaba:v1.0.alpha.272 shaba:v1.0.alpha.271 shaba:v1.0.alpha.270 shaba:v1.0.alpha.268 shaba:v1.0.alpha.269 shaba:v1.0.alpha.267 shaba:v1.0.alpha.266 shaba:v1.0.alpha.263 shaba:v1.0.alpha.257 shaba:v1.0.alpha.256 shaba:v1.0.alpha.251 shaba:v1.0.alpha.252 shaba:v1.0.alpha.250 shaba:v1.0.alpha.249 shaba:v1.0.alpha.247 shaba:v1.0.alpha.228 shaba:v1.0.alpha.217 shaba:v1.0.alpha.216 shaba:v1.0.alpha.215 shaba:v1.0.alpha.212 shaba:v1.0.alpha.200 shaba:v1.0.alpha.186 shaba:v1.0.alpha.182 shaba:v1.0.alpha.178 shaba:v1.0.alpha.176 shaba:v1.0.alpha.171 shaba:v1.0.alpha.170 shaba:v1.0.alpha.164 shaba:v1.0.alpha.157 shaba:v1.0

22 Commits
v3.5.1 ... master

Author SHA1 Message Date
Landry Benguigui
634f892370 feat: add highest random weight in kubernetes CRD 2025-09-19 10:18:04 +02:00
romain
c09d3fb03c Merge branch v3.5 into master 2025-09-09 17:47:13 +02:00
Ludovic Fernandez
a090452807 Add new certificatesresolvers options 2025-09-09 17:36:05 +02:00
Nicolas Mengin
c294b87a45 Add an anchor on the options names. 2025-09-09 17:26:05 +02:00
Romain
0b240ca97a Prepare release v3.5.2 2025-09-09 12:12:04 +02:00
Dorian Allen
ff848c74f9 Fix customerrors query url replacement 2025-09-09 09:54:04 +02:00
mathieuHa
02443545e7 Add HighestRandomWeight Loadbalancing Algorithm 2025-09-08 12:00:42 +02:00
Simon Delicata
e2282b1379 Add GenericCLF log format for access logs 2025-09-08 11:24:05 +02:00
Sheddy
a051f20876 Add redis options to ratelimit middleware & Include distributed rate limit middleware 2025-09-05 11:16:04 +02:00
Sheddy
e96034f494 Fix broken links in KV store documentation 2025-09-04 11:16:04 +02:00
Bilal Budhani
f685b3f258 Fixes typo for Swarm mode in CLI example 2025-09-04 09:22:04 +02:00
Michel Loiseleur
7ab17d228f Fixes typo for OCSP in CLI example 2025-09-03 10:28:04 +02:00
Baptiste Mayelle
5f28c56437 Restore empty webui/static to use traefik as library 2025-09-01 16:30:09 +02:00
Nicolas Mengin
2023ffe2d3 Fix migration path in documentation 2025-09-01 11:10:05 +02:00
Chris Gatt
cc7f409d46 Fix path for access-logs header config 2025-09-01 10:50:04 +02:00
Vincent Bernat
19ed2346cb Fix link to HTTP3 section in documentation 2025-09-01 09:25:04 +02:00
Romain
f9fbcfbb42 Send proxy protocol header before TLS handshake 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
 2025-08-29 12:30:04 +02:00
0slb
9b42b5b930 Fix broken link to migration guide on readme 2025-08-27 15:20:04 +02:00
Nelson Isioma
fc0fac8543 Add passive health checks 2025-08-21 11:40:06 +02:00
kevinpollet
c20802b07e Merge branch v3.5 into master 2025-08-05 15:17:05 +02:00
kevinpollet
24cede62ee Merge branch v3.5 into master 2025-07-24 09:03:26 +02:00
kevinpollet
5c94bbf122 Merge branch v3.5 into master 2025-07-11 16:17:14 +02:00
157 changed files with 7009 additions and 3075 deletions
Expand all files Collapse all files

2
.github/workflows/release.yaml vendored
View File

@@ -130,7 +130,7 @@ jobs:
--exclude dist .
chown -R "$(id -u)":"$(id -g)" dist/
gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=true
gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=false
./script/deploy.sh

5
.github/workflows/test-conformance.yaml vendored
View File

@@ -30,11 +30,6 @@ jobs:
with:
go-version: ${{ env.GO_VERSION }}
- name: Avoid generating webui
run: |
mkdir webui/static
touch webui/static/index.html
- name: K8s Gateway API conformance test and report
run: |
make test-gateway-api-conformance

10
.github/workflows/test-integration.yaml vendored
View File

@@ -30,11 +30,6 @@ jobs:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: |
mkdir webui/static
touch webui/static/index.html
- name: Build binary
run: make binary-linux-amd64
@@ -74,11 +69,6 @@ jobs:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: |
mkdir webui/static
touch webui/static/index.html
- name: Download traefik binary
uses: actions/download-artifact@v4
with:

5
.github/workflows/test-unit.yaml vendored
View File

@@ -56,11 +56,6 @@ jobs:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: |
mkdir webui/static
touch webui/static/index.html
- name: Tests
run: |
go test -v -parallel 8 ${{ matrix.package.group }}

10
.github/workflows/validate.yaml vendored
View File

@@ -27,11 +27,6 @@ jobs:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: Avoid generating webui
run: |
mkdir webui/static
touch webui/static/index.html
- name: golangci-lint
uses: golangci/golangci-lint-action@v7
with:
@@ -55,11 +50,6 @@ jobs:
- name: Install misspell ${{ env.MISSPELL_VERSION }}
run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
- name: Avoid generating webui
run: |
mkdir webui/static
touch webui/static/index.html
- name: Validate
run: make validate-files

18
CHANGELOG.md
View File

@@ -1,3 +1,21 @@
## [v3.5.2](https://github.com/traefik/traefik/tree/v3.5.2) (2025-09-09)
[All Commits](https://github.com/traefik/traefik/compare/v3.5.1...v3.5.2)
**Bug fixes:**
- **[middleware,accesslogs]** Add GenericCLF log format for access logs ([#12033](https://github.com/traefik/traefik/pull/12033) by [sdelicata](https://github.com/sdelicata))
- **[middleware]** Fix customerrors query url replacement ([#11876](https://github.com/traefik/traefik/pull/11876) by [DorianBlues](https://github.com/DorianBlues))
- **[tls,service]** Send proxy protocol header before TLS handshake ([#11956](https://github.com/traefik/traefik/pull/11956) by [rtribotte](https://github.com/rtribotte))
- **[webui]** Restore empty webui/static to use traefik as library ([#12025](https://github.com/traefik/traefik/pull/12025) by [youkoulayley](https://github.com/youkoulayley))
**Documentation:**
- **[accesslogs]** Fix path for access-logs header config ([#12030](https://github.com/traefik/traefik/pull/12030) by [cgatt](https://github.com/cgatt))
- **[acme]** Fixes typo for OCSP in CLI example ([#12039](https://github.com/traefik/traefik/pull/12039) by [mloiseleur](https://github.com/mloiseleur))
- **[docker/swarm]** Fixes typo for Swarm mode in CLI example ([#12038](https://github.com/traefik/traefik/pull/12038) by [BilalBudhani](https://github.com/BilalBudhani))
- **[kv]** Fix broken links in KV store documentation ([#12040](https://github.com/traefik/traefik/pull/12040) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[middleware]** Add redis options to ratelimit middleware &amp; Include distributed rate limit middleware ([#12041](https://github.com/traefik/traefik/pull/12041) by [sheddy-traefik](https://github.com/sheddy-traefik))
- **[server]** Fix link to HTTP3 section in documentation ([#12028](https://github.com/traefik/traefik/pull/12028) by [vincentbernat](https://github.com/vincentbernat))
- Fix migration path in documentation ([#12032](https://github.com/traefik/traefik/pull/12032) by [nmengin](https://github.com/nmengin))
## [v3.5.1](https://github.com/traefik/traefik/tree/v3.5.1) (2025-08-27)
[All Commits](https://github.com/traefik/traefik/compare/v3.5.0...v3.5.1)

5
Makefile
View File

@@ -35,12 +35,15 @@ build-webui-image:
.PHONY: clean-webui
#? clean-webui: Clean WebUI static generated assets
clean-webui:
rm -rf webui/static
rm -r webui/static
mkdir -p webui/static
printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
webui/static/index.html:
$(MAKE) build-webui-image
docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn build:prod
docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
.PHONY: generate-webui
#? generate-webui: Generate WebUI

2
README.md
View File

@@ -34,7 +34,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
---
:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migrate/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
## Overview

65
docs/content/https/acme.md
View File

@@ -201,6 +201,36 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
--certificatesresolvers.myresolver.acme.tlschallenge=true
```
#### `Delay`
_Optional, Default=0_
The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay.
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
tlsChallenge:
# ...
delay: 12
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.tlsChallenge]
# ...
delay = 12
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.tlschallenge.delay=12
```
### `httpChallenge`
Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
@@ -252,6 +282,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
#### `Delay`
_Optional, Default=0_
The delay between the creation of the challenge and the validation.
A value lower than or equal to zero means no delay.
@@ -998,6 +1030,39 @@ certificatesResolvers:
# ...
```
### `disableCommonName`
_Optional, Default=false_
Disable common name inside CSR and certificates.
It's recommended to disable the common name and required to get a certificate for IP.
- https://letsencrypt.org/docs/profiles/#certificate-common-name
- https://community.letsencrypt.org/t/ip-san-error-csr-contains-ip-address-in-common-name/239012/7
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
acme:
# ...
disableCommonName: true
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
disableCommonName = true
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.disableCommonName=true
# ...
```
### `keyType`
_Optional, Default="RSA4096"_

2
docs/content/migrate/v2-to-v3-details.md
View File

@@ -730,7 +730,7 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing
### TCP LoadBalancer `terminationDelay` option
The TCP LoadBalancer `terminationDelay` option has been removed.
The TCP LoadBalancer `terminationDelay` option has been deprecated.
This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
### Kubernetes CRDs API Group `traefik.containo.us`

31
docs/content/migrate/v3.md
View File

@@ -413,12 +413,12 @@ Reserved characters change the meaning of request paths when decoded. Keeping th
The following table illustrates how path matching behavior has changed:
| Request Path | Router Rule | Traefik v3.4.0 | Traefik v3.4.1 | Explanation |
|-------------------|------------------------|----------------|----------------|-------------|
| `/foo%2Fbar` | ```PathPrefix(`/foo/bar`)``` | Match | No match | `%2F` (/) stays encoded, preventing false matches |
| `/foo/../bar` | ```PathPrefix(`/foo`)``` | No match | No match | Path traversal is sanitized away |
| `/foo/../bar` | ```PathPrefix(`/bar`)``` | Match | Match | Resolves to `/bar` after sanitization |
| `/foo/%2E%2E/bar` | ```PathPrefix(`/foo`)``` | Match | No match | Encoded dots normalized then sanitized |
| Request Path | Router Rule | Traefik v3.4.0 | Traefik v3.4.1 | Explanation |
|-------------------|------------------------------|----------------|----------------|-------------------------------------------------------|
| `/foo%2Fbar` | ```PathPrefix(`/foo/bar`)``` | Match | No match | `%2F` (/) stays encoded, preventing false matches |
| `/foo/../bar` | ```PathPrefix(`/foo`)``` | No match | No match | Path traversal is sanitized away |
| `/foo/../bar` | ```PathPrefix(`/bar`)``` | Match | Match | Resolves to `/bar` after sanitization |
| `/foo/%2E%2E/bar` | ```PathPrefix(`/foo`)``` | Match | No match | Encoded dots normalized then sanitized |
| `/foo/%2E%2E/bar` | ```PathPrefix(`/bar`)``` | No match | Match | Resolves to `/bar` after normalization + sanitization |
## v3.4.5
@@ -470,3 +470,22 @@ For that purpose, the following right has to be added to the Traefik Kubernetes
- get
...
```
---
## v3.5.2
### Deprecation of ProxyProtocol option
Starting with `v3.5.2`, the `proxyProtocol` option for TCP LoadBalancer is deprecated.
This option can now be configured at the `TCPServersTransport` level, please check out the [documentation](../reference/routing-configuration/tcp/serverstransport.md) for more details.
#### Kubernetes CRD Provider
To use the new `proxyprotocol` option in the Kubernetes CRD provider, you need to update your CRDs.
**Apply Updated CRDs:**
```shell
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```

24
docs/content/observability/access-logs.md
View File

@@ -69,27 +69,43 @@ accessLog:
_Optional, Default="common"_
By default, logs are written using the Common Log Format (CLF).
To write logs in JSON, use `json` in the `format` option.
If the given format is unsupported, the default (CLF) is used instead.
By default, logs are written using the Traefik Common Log Format (CLF).
The available log formats are:
!!! info "Common Log Format"
- `common` - Traefik's extended CLF format (default)
- `genericCLF` - Generic CLF format compatible with standard log analyzers
- `json` - JSON format for structured logging
If the given format is unsupported, the default (`common`) is used instead.
!!! info "Traefik Common Log Format vs Generic CLF"
**Traefik Common Log Format (`common`):**
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
```
**Generic CLF Format (`genericCLF`):**
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>"
```
The `genericCLF` format omits Traefik-specific fields (request count, router name, service URL, and duration) for better compatibility with standard CLF parsers.
```yaml tab="File (YAML)"
# JSON format
accessLog:
format: "json"
```
```toml tab="File (TOML)"
# JSON format
[accessLog]
format = "json"
```
```bash tab="CLI"
# JSON format
--accesslog.format=json
```

5
docs/content/observe/logs-and-access-logs.md
View File

@@ -155,8 +155,9 @@ When the `observability` options are not defined on a router, it inherits the be
Traefik Proxy supports the following log formats:
- Common Log Format (CLF)
- JSON
- `common` - Traefik's extended CLF format (default)
- `genericCLF` - Generic CLF format compatible with standard log analyzers
- `json` - JSON format for structured logging
## Access Log Filters

64
docs/content/reference/dynamic-configuration/docker-labels.yml
View File

@@ -199,37 +199,39 @@
- "traefik.http.routers.router1.tls.domains[1].main=foobar"
- "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
- "traefik.http.routers.router1.tls.options=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.followredirects=true"
- "traefik.http.services.service02.loadbalancer.healthcheck.headers.name0=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.headers.name1=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.hostname=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.interval=42s"
- "traefik.http.services.service02.loadbalancer.healthcheck.method=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.mode=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.path=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.port=42"
- "traefik.http.services.service02.loadbalancer.healthcheck.scheme=foobar"
- "traefik.http.services.service02.loadbalancer.healthcheck.status=42"
- "traefik.http.services.service02.loadbalancer.healthcheck.timeout=42s"
- "traefik.http.services.service02.loadbalancer.healthcheck.unhealthyinterval=42s"
- "traefik.http.services.service02.loadbalancer.passhostheader=true"
- "traefik.http.services.service02.loadbalancer.responseforwarding.flushinterval=42s"
- "traefik.http.services.service02.loadbalancer.serverstransport=foobar"
- "traefik.http.services.service02.loadbalancer.sticky=true"
- "traefik.http.services.service02.loadbalancer.sticky.cookie=true"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.domain=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
- "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
- "traefik.http.services.service02.loadbalancer.strategy=foobar"
- "traefik.http.services.service02.loadbalancer.server.port=foobar"
- "traefik.http.services.service02.loadbalancer.server.preservepath=true"
- "traefik.http.services.service02.loadbalancer.server.scheme=foobar"
- "traefik.http.services.service02.loadbalancer.server.url=foobar"
- "traefik.http.services.service02.loadbalancer.server.weight=42"
- "traefik.http.services.service03.loadbalancer.healthcheck.followredirects=true"
- "traefik.http.services.service03.loadbalancer.healthcheck.headers.name0=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.headers.name1=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.hostname=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.interval=42s"
- "traefik.http.services.service03.loadbalancer.healthcheck.method=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.mode=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.path=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.port=42"
- "traefik.http.services.service03.loadbalancer.healthcheck.scheme=foobar"
- "traefik.http.services.service03.loadbalancer.healthcheck.status=42"
- "traefik.http.services.service03.loadbalancer.healthcheck.timeout=42s"
- "traefik.http.services.service03.loadbalancer.healthcheck.unhealthyinterval=42s"
- "traefik.http.services.service03.loadbalancer.passhostheader=true"
- "traefik.http.services.service03.loadbalancer.passivehealthcheck.failurewindow=42s"
- "traefik.http.services.service03.loadbalancer.passivehealthcheck.maxfailedattempts=42"
- "traefik.http.services.service03.loadbalancer.responseforwarding.flushinterval=42s"
- "traefik.http.services.service03.loadbalancer.serverstransport=foobar"
- "traefik.http.services.service03.loadbalancer.sticky=true"
- "traefik.http.services.service03.loadbalancer.sticky.cookie=true"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.domain=foobar"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.httponly=true"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.maxage=42"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.name=foobar"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.path=foobar"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.samesite=foobar"
- "traefik.http.services.service03.loadbalancer.sticky.cookie.secure=true"
- "traefik.http.services.service03.loadbalancer.strategy=foobar"
- "traefik.http.services.service03.loadbalancer.server.port=foobar"
- "traefik.http.services.service03.loadbalancer.server.preservepath=true"
- "traefik.http.services.service03.loadbalancer.server.scheme=foobar"
- "traefik.http.services.service03.loadbalancer.server.url=foobar"
- "traefik.http.services.service03.loadbalancer.server.weight=42"
- "traefik.tcp.middlewares.tcpmiddleware01.ipallowlist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware02.ipwhitelist.sourcerange=foobar, foobar"
- "traefik.tcp.middlewares.tcpmiddleware03.inflightconn.amount=42"

74
docs/content/reference/dynamic-configuration/file.toml
View File

@@ -55,12 +55,23 @@
fallback = "foobar"
[http.services.Service01.failover.healthCheck]
[http.services.Service02]
[http.services.Service02.loadBalancer]
[http.services.Service02.highestRandomWeight]
[[http.services.Service02.highestRandomWeight.services]]
name = "foobar"
weight = 42
[[http.services.Service02.highestRandomWeight.services]]
name = "foobar"
weight = 42
[http.services.Service02.highestRandomWeight.healthCheck]
[http.services.Service03]
[http.services.Service03.loadBalancer]
strategy = "foobar"
passHostHeader = true
serversTransport = "foobar"
[http.services.Service02.loadBalancer.sticky]
[http.services.Service02.loadBalancer.sticky.cookie]
[http.services.Service03.loadBalancer.sticky]
[http.services.Service03.loadBalancer.sticky.cookie]
name = "foobar"
secure = true
httpOnly = true
@@ -69,16 +80,16 @@
path = "foobar"
domain = "foobar"
[[http.services.Service02.loadBalancer.servers]]
[[http.services.Service03.loadBalancer.servers]]
url = "foobar"
weight = 42
preservePath = true
[[http.services.Service02.loadBalancer.servers]]
[[http.services.Service03.loadBalancer.servers]]
url = "foobar"
weight = 42
preservePath = true
[http.services.Service02.loadBalancer.healthCheck]
[http.services.Service03.loadBalancer.healthCheck]
scheme = "foobar"
mode = "foobar"
path = "foobar"
@@ -90,37 +101,40 @@
timeout = "42s"
hostname = "foobar"
followRedirects = true
[http.services.Service02.loadBalancer.healthCheck.headers]
[http.services.Service03.loadBalancer.healthCheck.headers]
name0 = "foobar"
name1 = "foobar"
[http.services.Service02.loadBalancer.responseForwarding]
[http.services.Service03.loadBalancer.passiveHealthCheck]
failureWindow = "42s"
maxFailedAttempts = 42
[http.services.Service03.loadBalancer.responseForwarding]
flushInterval = "42s"
[http.services.Service03]
[http.services.Service03.mirroring]
[http.services.Service04]
[http.services.Service04.mirroring]
service = "foobar"
mirrorBody = true
maxBodySize = 42
[[http.services.Service03.mirroring.mirrors]]
[[http.services.Service04.mirroring.mirrors]]
name = "foobar"
percent = 42
[[http.services.Service03.mirroring.mirrors]]
[[http.services.Service04.mirroring.mirrors]]
name = "foobar"
percent = 42
[http.services.Service03.mirroring.healthCheck]
[http.services.Service04]
[http.services.Service04.weighted]
[http.services.Service04.mirroring.healthCheck]
[http.services.Service05]
[http.services.Service05.weighted]
[[http.services.Service04.weighted.services]]
[[http.services.Service05.weighted.services]]
name = "foobar"
weight = 42
[[http.services.Service04.weighted.services]]
[[http.services.Service05.weighted.services]]
name = "foobar"
weight = 42
[http.services.Service04.weighted.sticky]
[http.services.Service04.weighted.sticky.cookie]
[http.services.Service05.weighted.sticky]
[http.services.Service05.weighted.sticky.cookie]
name = "foobar"
secure = true
httpOnly = true
@@ -128,7 +142,7 @@
maxAge = 42
path = "foobar"
domain = "foobar"
[http.services.Service04.weighted.healthCheck]
[http.services.Service05.weighted.healthCheck]
[http.middlewares]
[http.middlewares.Middleware01]
[http.middlewares.Middleware01.addPrefix]
@@ -454,16 +468,16 @@
[tcp.services.TCPService01.loadBalancer]
serversTransport = "foobar"
terminationDelay = 42
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[tcp.services.TCPService01.loadBalancer.proxyProtocol]
version = 42
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[tcp.services.TCPService02]
[tcp.services.TCPService02.weighted]
@@ -489,6 +503,8 @@
dialKeepAlive = "42s"
dialTimeout = "42s"
terminationDelay = "42s"
[tcp.serversTransports.TCPServersTransport0.proxyProtocol]
version = 42
[tcp.serversTransports.TCPServersTransport0.tls]
serverName = "foobar"
insecureSkipVerify = true
@@ -509,6 +525,8 @@
dialKeepAlive = "42s"
dialTimeout = "42s"
terminationDelay = "42s"
[tcp.serversTransports.TCPServersTransport1.proxyProtocol]
version = 42
[tcp.serversTransports.TCPServersTransport1.tls]
serverName = "foobar"
insecureSkipVerify = true

23
docs/content/reference/dynamic-configuration/file.yaml
View File

@@ -65,6 +65,14 @@ http:
fallback: foobar
healthCheck: {}
Service02:
highestRandomWeight:
services:
- name: foobar
weight: 42
- name: foobar
weight: 42
healthCheck: {}
Service03:
loadBalancer:
sticky:
cookie:
@@ -98,11 +106,14 @@ http:
headers:
name0: foobar
name1: foobar
passiveHealthCheck:
failureWindow: 42s
maxFailedAttempts: 42
passHostHeader: true
responseForwarding:
flushInterval: 42s
serversTransport: foobar
Service03:
Service04:
mirroring:
service: foobar
mirrorBody: true
@@ -113,7 +124,7 @@ http:
- name: foobar
percent: 42
healthCheck: {}
Service04:
Service05:
weighted:
services:
- name: foobar
@@ -518,14 +529,14 @@ tcp:
services:
TCPService01:
loadBalancer:
proxyProtocol:
version: 42
servers:
- address: foobar
tls: true
- address: foobar
tls: true
serversTransport: foobar
proxyProtocol:
version: 42
terminationDelay: 42
TCPService02:
weighted:
@@ -552,6 +563,8 @@ tcp:
TCPServersTransport0:
dialKeepAlive: 42s
dialTimeout: 42s
proxyProtocol:
version: 42
terminationDelay: 42s
tls:
serverName: foobar
@@ -573,6 +586,8 @@ tcp:
TCPServersTransport1:
dialKeepAlive: 42s
dialTimeout: 42s
proxyProtocol:
version: 42
terminationDelay: 42s
tls:
serverName: foobar

357
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View File

@@ -227,6 +227,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health
checks for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window
during which the failed attempts must occur for
the server to be marked as unhealthy. It also defines
for how long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -312,11 +331,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
@@ -544,6 +564,7 @@ spec:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.5/routing/services/#proxy-protocol
Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
properties:
version:
description: Version defines the PROXY Protocol version
@@ -1169,6 +1190,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how long
the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window before
marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -1253,11 +1293,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
@@ -2400,6 +2441,15 @@ spec:
to a backend server can be established.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
proxyProtocol:
description: ProxyProtocol holds the PROXY Protocol configuration.
properties:
version:
description: Version defines the PROXY Protocol version to use.
maximum: 2
minimum: 1
type: integer
type: object
terminationDelay:
anyOf:
- type: integer
@@ -2743,6 +2793,243 @@ spec:
spec:
description: TraefikServiceSpec defines the desired state of a TraefikService.
properties:
highestRandomWeight:
description: HighestRandomWeight defines the highest random weight
service configuration.
properties:
services:
description: Services defines the list of Kubernetes Service and/or
TraefikService to load-balance, with weight.
items:
description: Service defines an upstream HTTP service to proxy
traffic to.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be sent
to the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname
in the Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls for healthy targets.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for the
health check endpoint.
type: string
port:
description: Port defines the server URL port for the
health check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme for
the health check endpoint.
type: string
status:
description: Status defines the expected HTTP status
code of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
unhealthyInterval:
anyOf:
- type: integer
- type: string
description: |-
UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
When UnhealthyInterval is not defined, it defaults to the Interval value.
Default: 30s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how
long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards
the response from the upstream Kubernetes Service to the
client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
type: object
type: array
type: object
mirroring:
description: Mirroring defines the Mirroring service configuration.
properties:
@@ -2944,6 +3231,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how
long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
percent:
description: |-
Percent defines the part of the traffic to mirror.
@@ -3033,11 +3339,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
@@ -3078,6 +3385,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server to be
marked as unhealthy. It also defines for how long the server
will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window before
marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -3160,11 +3486,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
@@ -3290,6 +3617,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how
long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -3374,11 +3720,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:

925
docs/content/reference/dynamic-configuration/kv-ref.md
View File

@@ -5,462 +5,469 @@ THIS FILE MUST NOT BE EDITED BY HAND
| Key (Path) | Value |
|------------|-------|
| `traefik/http/middlewares/Middleware01/addPrefix/prefix` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/headerField` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/realm` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/removeHeader` | `true` |
| `traefik/http/middlewares/Middleware02/basicAuth/users/0` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/users/1` | `foobar` |
| `traefik/http/middlewares/Middleware02/basicAuth/usersFile` | `foobar` |
| `traefik/http/middlewares/Middleware03/buffering/maxRequestBodyBytes` | `42` |
| `traefik/http/middlewares/Middleware03/buffering/maxResponseBodyBytes` | `42` |
| `traefik/http/middlewares/Middleware03/buffering/memRequestBodyBytes` | `42` |
| `traefik/http/middlewares/Middleware03/buffering/memResponseBodyBytes` | `42` |
| `traefik/http/middlewares/Middleware03/buffering/retryExpression` | `foobar` |
| `traefik/http/middlewares/Middleware04/chain/middlewares/0` | `foobar` |
| `traefik/http/middlewares/Middleware04/chain/middlewares/1` | `foobar` |
| `traefik/http/middlewares/Middleware05/circuitBreaker/checkPeriod` | `42s` |
| `traefik/http/middlewares/Middleware05/circuitBreaker/expression` | `foobar` |
| `traefik/http/middlewares/Middleware05/circuitBreaker/fallbackDuration` | `42s` |
| `traefik/http/middlewares/Middleware05/circuitBreaker/recoveryDuration` | `42s` |
| `traefik/http/middlewares/Middleware05/circuitBreaker/responseCode` | `42` |
| `traefik/http/middlewares/Middleware06/compress/defaultEncoding` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/encodings/0` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/encodings/1` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/0` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/1` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/includedContentTypes/0` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/includedContentTypes/1` | `foobar` |
| `traefik/http/middlewares/Middleware06/compress/minResponseBodyBytes` | `42` |
| `traefik/http/middlewares/Middleware07/contentType/autoDetect` | `true` |
| `traefik/http/middlewares/Middleware08/digestAuth/headerField` | `foobar` |
| `traefik/http/middlewares/Middleware08/digestAuth/realm` | `foobar` |
| `traefik/http/middlewares/Middleware08/digestAuth/removeHeader` | `true` |
| `traefik/http/middlewares/Middleware08/digestAuth/users/0` | `foobar` |
| `traefik/http/middlewares/Middleware08/digestAuth/users/1` | `foobar` |
| `traefik/http/middlewares/Middleware08/digestAuth/usersFile` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/query` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/service` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/status/0` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/status/1` | `foobar` |
| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name0` | `42` |
| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name1` | `42` |
| `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/0` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/1` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/address` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authRequestHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authRequestHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/forwardBody` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
| `traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/preserveRequestMethod` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/insecureSkipVerify` | `true` |
| `traefik/http/middlewares/Middleware10/forwardAuth/tls/key` | `foobar` |
| `traefik/http/middlewares/Middleware10/forwardAuth/trustForwardHeader` | `true` |
| `traefik/http/middlewares/Middleware11/grpcWeb/allowOrigins/0` | `foobar` |
| `traefik/http/middlewares/Middleware11/grpcWeb/allowOrigins/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowCredentials` | `true` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowMethods/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowMethods/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginList/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginList/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginListRegex/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginListRegex/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlExposeHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlExposeHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/accessControlMaxAge` | `42` |
| `traefik/http/middlewares/Middleware12/headers/addVaryHeader` | `true` |
| `traefik/http/middlewares/Middleware12/headers/allowedHosts/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/allowedHosts/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/browserXssFilter` | `true` |
| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicy` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicyReportOnly` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/contentTypeNosniff` | `true` |
| `traefik/http/middlewares/Middleware12/headers/customBrowserXSSValue` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/customFrameOptionsValue` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/featurePolicy` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/forceSTSHeader` | `true` |
| `traefik/http/middlewares/Middleware12/headers/frameDeny` | `true` |
| `traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/isDevelopment` | `true` |
| `traefik/http/middlewares/Middleware12/headers/permissionsPolicy` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/publicKey` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/referrerPolicy` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/sslForceHost` | `true` |
| `traefik/http/middlewares/Middleware12/headers/sslHost` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name0` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name1` | `foobar` |
| `traefik/http/middlewares/Middleware12/headers/sslRedirect` | `true` |
| `traefik/http/middlewares/Middleware12/headers/sslTemporaryRedirect` | `true` |
| `traefik/http/middlewares/Middleware12/headers/stsIncludeSubdomains` | `true` |
| `traefik/http/middlewares/Middleware12/headers/stsPreload` | `true` |
| `traefik/http/middlewares/Middleware12/headers/stsSeconds` | `42` |
| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/ipv6Subnet` | `42` |
| `traefik/http/middlewares/Middleware13/ipAllowList/rejectStatusCode` | `42` |
| `traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/0` | `foobar` |
| `traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/1` | `foobar` |
| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/ipv6Subnet` | `42` |
| `traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/http/middlewares/Middleware15/inFlightReq/amount` | `42` |
| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/ipv6Subnet` | `42` |
| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHeaderName` | `foobar` |
| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHost` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/commonName` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/country` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/domainComponent` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/locality` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/organization` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/province` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/serialNumber` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/notAfter` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/notBefore` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/sans` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/serialNumber` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/commonName` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/country` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/domainComponent` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/locality` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/organization` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/organizationalUnit` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/province` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/serialNumber` | `true` |
| `traefik/http/middlewares/Middleware16/passTLSClientCert/pem` | `true` |
| `traefik/http/middlewares/Middleware17/plugin/PluginConf0/name0` | `foobar` |
| `traefik/http/middlewares/Middleware17/plugin/PluginConf0/name1` | `foobar` |
| `traefik/http/middlewares/Middleware17/plugin/PluginConf1/name0` | `foobar` |
| `traefik/http/middlewares/Middleware17/plugin/PluginConf1/name1` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/average` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/burst` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/period` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/db` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/dialTimeout` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/0` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/1` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/maxActiveConns` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/minIdleConns` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/password` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/poolSize` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/readTimeout` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/ca` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/cert` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/insecureSkipVerify` | `true` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/key` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/username` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/redis/writeTimeout` | `42s` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/depth` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/ipv6Subnet` | `42` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHeaderName` | `foobar` |
| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHost` | `true` |
| `traefik/http/middlewares/Middleware19/redirectRegex/permanent` | `true` |
| `traefik/http/middlewares/Middleware19/redirectRegex/regex` | `foobar` |
| `traefik/http/middlewares/Middleware19/redirectRegex/replacement` | `foobar` |
| `traefik/http/middlewares/Middleware20/redirectScheme/permanent` | `true` |
| `traefik/http/middlewares/Middleware20/redirectScheme/port` | `foobar` |
| `traefik/http/middlewares/Middleware20/redirectScheme/scheme` | `foobar` |
| `traefik/http/middlewares/Middleware21/replacePath/path` | `foobar` |
| `traefik/http/middlewares/Middleware22/replacePathRegex/regex` | `foobar` |
| `traefik/http/middlewares/Middleware22/replacePathRegex/replacement` | `foobar` |
| `traefik/http/middlewares/Middleware23/retry/attempts` | `42` |
| `traefik/http/middlewares/Middleware23/retry/initialInterval` | `42s` |
| `traefik/http/middlewares/Middleware24/stripPrefix/forceSlash` | `true` |
| `traefik/http/middlewares/Middleware24/stripPrefix/prefixes/0` | `foobar` |
| `traefik/http/middlewares/Middleware24/stripPrefix/prefixes/1` | `foobar` |
| `traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/0` | `foobar` |
| `traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/1` | `foobar` |
| `traefik/http/routers/Router0/entryPoints/0` | `foobar` |
| `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
| `traefik/http/routers/Router0/middlewares/0` | `foobar` |
| `traefik/http/routers/Router0/middlewares/1` | `foobar` |
| `traefik/http/routers/Router0/observability/accessLogs` | `true` |
| `traefik/http/routers/Router0/observability/metrics` | `true` |
| `traefik/http/routers/Router0/observability/traceVerbosity` | `foobar` |
| `traefik/http/routers/Router0/observability/tracing` | `true` |
| `traefik/http/routers/Router0/priority` | `42` |
| `traefik/http/routers/Router0/rule` | `foobar` |
| `traefik/http/routers/Router0/ruleSyntax` | `foobar` |
| `traefik/http/routers/Router0/service` | `foobar` |
| `traefik/http/routers/Router0/tls/certResolver` | `foobar` |
| `traefik/http/routers/Router0/tls/domains/0/main` | `foobar` |
| `traefik/http/routers/Router0/tls/domains/0/sans/0` | `foobar` |
| `traefik/http/routers/Router0/tls/domains/0/sans/1` | `foobar` |
| `traefik/http/routers/Router0/tls/domains/1/main` | `foobar` |
| `traefik/http/routers/Router0/tls/domains/1/sans/0` | `foobar` |
| `traefik/http/routers/Router0/tls/domains/1/sans/1` | `foobar` |
| `traefik/http/routers/Router0/tls/options` | `foobar` |
| `traefik/http/routers/Router1/entryPoints/0` | `foobar` |
| `traefik/http/routers/Router1/entryPoints/1` | `foobar` |
| `traefik/http/routers/Router1/middlewares/0` | `foobar` |
| `traefik/http/routers/Router1/middlewares/1` | `foobar` |
| `traefik/http/routers/Router1/observability/accessLogs` | `true` |
| `traefik/http/routers/Router1/observability/metrics` | `true` |
| `traefik/http/routers/Router1/observability/traceVerbosity` | `foobar` |
| `traefik/http/routers/Router1/observability/tracing` | `true` |
| `traefik/http/routers/Router1/priority` | `42` |
| `traefik/http/routers/Router1/rule` | `foobar` |
| `traefik/http/routers/Router1/ruleSyntax` | `foobar` |
| `traefik/http/routers/Router1/service` | `foobar` |
| `traefik/http/routers/Router1/tls/certResolver` | `foobar` |
| `traefik/http/routers/Router1/tls/domains/0/main` | `foobar` |
| `traefik/http/routers/Router1/tls/domains/0/sans/0` | `foobar` |
| `traefik/http/routers/Router1/tls/domains/0/sans/1` | `foobar` |
| `traefik/http/routers/Router1/tls/domains/1/main` | `foobar` |
| `traefik/http/routers/Router1/tls/domains/1/sans/0` | `foobar` |
| `traefik/http/routers/Router1/tls/domains/1/sans/1` | `foobar` |
| `traefik/http/routers/Router1/tls/options` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/certificates/0/certFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/certificates/0/keyFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/certificates/1/certFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/certificates/1/keyFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/disableHTTP2` | `true` |
| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/dialTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/idleConnTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/pingTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/readIdleTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/responseHeaderTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport0/insecureSkipVerify` | `true` |
| `traefik/http/serversTransports/ServersTransport0/maxIdleConnsPerHost` | `42` |
| `traefik/http/serversTransports/ServersTransport0/peerCertURI` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/rootCAs/0` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/rootCAs/1` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/serverName` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/0` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/1` | `foobar` |
| `traefik/http/serversTransports/ServersTransport0/spiffe/trustDomain` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/certificates/0/certFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/certificates/0/keyFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/certificates/1/certFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/certificates/1/keyFile` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/disableHTTP2` | `true` |
| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/dialTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/idleConnTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/pingTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/readIdleTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/responseHeaderTimeout` | `42s` |
| `traefik/http/serversTransports/ServersTransport1/insecureSkipVerify` | `true` |
| `traefik/http/serversTransports/ServersTransport1/maxIdleConnsPerHost` | `42` |
| `traefik/http/serversTransports/ServersTransport1/peerCertURI` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/rootCAs/0` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/rootCAs/1` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/serverName` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/0` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/1` | `foobar` |
| `traefik/http/serversTransports/ServersTransport1/spiffe/trustDomain` | `foobar` |
| `traefik/http/services/Service01/failover/fallback` | `foobar` |
| `traefik/http/services/Service01/failover/healthCheck` | `` |
| `traefik/http/services/Service01/failover/service` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/followRedirects` | `true` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/headers/name0` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/headers/name1` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/hostname` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/interval` | `42s` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/method` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/mode` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/path` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/port` | `42` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/scheme` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/status` | `42` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/timeout` | `42s` |
| `traefik/http/services/Service02/loadBalancer/healthCheck/unhealthyInterval` | `42s` |
| `traefik/http/services/Service02/loadBalancer/passHostHeader` | `true` |
| `traefik/http/services/Service02/loadBalancer/responseForwarding/flushInterval` | `42s` |
| `traefik/http/services/Service02/loadBalancer/servers/0/preservePath` | `true` |
| `traefik/http/services/Service02/loadBalancer/servers/0/url` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/servers/0/weight` | `42` |
| `traefik/http/services/Service02/loadBalancer/servers/1/preservePath` | `true` |
| `traefik/http/services/Service02/loadBalancer/servers/1/url` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/servers/1/weight` | `42` |
| `traefik/http/services/Service02/loadBalancer/serversTransport` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/domain` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/httpOnly` | `true` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/maxAge` | `42` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/name` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/path` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/sameSite` | `foobar` |
| `traefik/http/services/Service02/loadBalancer/sticky/cookie/secure` | `true` |
| `traefik/http/services/Service02/loadBalancer/strategy` | `foobar` |
| `traefik/http/services/Service03/mirroring/healthCheck` | `` |
| `traefik/http/services/Service03/mirroring/maxBodySize` | `42` |
| `traefik/http/services/Service03/mirroring/mirrorBody` | `true` |
| `traefik/http/services/Service03/mirroring/mirrors/0/name` | `foobar` |
| `traefik/http/services/Service03/mirroring/mirrors/0/percent` | `42` |
| `traefik/http/services/Service03/mirroring/mirrors/1/name` | `foobar` |
| `traefik/http/services/Service03/mirroring/mirrors/1/percent` | `42` |
| `traefik/http/services/Service03/mirroring/service` | `foobar` |
| `traefik/http/services/Service04/weighted/healthCheck` | `` |
| `traefik/http/services/Service04/weighted/services/0/name` | `foobar` |
| `traefik/http/services/Service04/weighted/services/0/weight` | `42` |
| `traefik/http/services/Service04/weighted/services/1/name` | `foobar` |
| `traefik/http/services/Service04/weighted/services/1/weight` | `42` |
| `traefik/http/services/Service04/weighted/sticky/cookie/domain` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/httpOnly` | `true` |
| `traefik/http/services/Service04/weighted/sticky/cookie/maxAge` | `42` |
| `traefik/http/services/Service04/weighted/sticky/cookie/name` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/path` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/sameSite` | `foobar` |
| `traefik/http/services/Service04/weighted/sticky/cookie/secure` | `true` |
| `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/1` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/0` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/1` | `foobar` |
| `traefik/tcp/middlewares/TCPMiddleware03/inFlightConn/amount` | `42` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/middlewares/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/middlewares/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/priority` | `42` |
| `traefik/tcp/routers/TCPRouter0/rule` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/ruleSyntax` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/service` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/certResolver` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/domains/0/main` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/domains/1/main` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/options` | `foobar` |
| `traefik/tcp/routers/TCPRouter0/tls/passthrough` | `true` |
| `traefik/tcp/routers/TCPRouter1/entryPoints/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/entryPoints/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/middlewares/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/middlewares/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/priority` | `42` |
| `traefik/tcp/routers/TCPRouter1/rule` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/ruleSyntax` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/service` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/certResolver` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/domains/0/main` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/domains/1/main` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/0` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/options` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/passthrough` | `true` |
| `traefik/tcp/serversTransports/TCPServersTransport0/dialKeepAlive` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport0/dialTimeout` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport0/terminationDelay` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/insecureSkipVerify` | `true` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/peerCertURI` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/serverName` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/ids/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/ids/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/trustDomain` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/dialKeepAlive` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport1/dialTimeout` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport1/terminationDelay` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/insecureSkipVerify` | `true` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/peerCertURI` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/serverName` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/ids/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/ids/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/trustDomain` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/proxyProtocol/version` | `42` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/address` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/tls` | `true` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/address` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/tls` | `true` |
| `traefik/tcp/services/TCPService01/loadBalancer/serversTransport` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/terminationDelay` | `42` |
| `traefik/tcp/services/TCPService02/weighted/services/0/name` | `foobar` |
| `traefik/tcp/services/TCPService02/weighted/services/0/weight` | `42` |
| `traefik/tcp/services/TCPService02/weighted/services/1/name` | `foobar` |
| `traefik/tcp/services/TCPService02/weighted/services/1/weight` | `42` |
| `traefik/tls/certificates/0/certFile` | `foobar` |
| `traefik/tls/certificates/0/keyFile` | `foobar` |
| `traefik/tls/certificates/0/stores/0` | `foobar` |
| `traefik/tls/certificates/0/stores/1` | `foobar` |
| `traefik/tls/certificates/1/certFile` | `foobar` |
| `traefik/tls/certificates/1/keyFile` | `foobar` |
| `traefik/tls/certificates/1/stores/0` | `foobar` |
| `traefik/tls/certificates/1/stores/1` | `foobar` |
| `traefik/tls/options/Options0/alpnProtocols/0` | `foobar` |
| `traefik/tls/options/Options0/alpnProtocols/1` | `foobar` |
| `traefik/tls/options/Options0/cipherSuites/0` | `foobar` |
| `traefik/tls/options/Options0/cipherSuites/1` | `foobar` |
| `traefik/tls/options/Options0/clientAuth/caFiles/0` | `foobar` |
| `traefik/tls/options/Options0/clientAuth/caFiles/1` | `foobar` |
| `traefik/tls/options/Options0/clientAuth/clientAuthType` | `foobar` |
| `traefik/tls/options/Options0/curvePreferences/0` | `foobar` |
| `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
| `traefik/tls/options/Options0/disableSessionTickets` | `true` |
| `traefik/tls/options/Options0/maxVersion` | `foobar` |
| `traefik/tls/options/Options0/minVersion` | `foobar` |
| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
| `traefik/tls/options/Options0/sniStrict` | `true` |
| `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
| `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
| `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
| `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
| `traefik/tls/options/Options1/clientAuth/caFiles/0` | `foobar` |
| `traefik/tls/options/Options1/clientAuth/caFiles/1` | `foobar` |
| `traefik/tls/options/Options1/clientAuth/clientAuthType` | `foobar` |
| `traefik/tls/options/Options1/curvePreferences/0` | `foobar` |
| `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
| `traefik/tls/options/Options1/disableSessionTickets` | `true` |
| `traefik/tls/options/Options1/maxVersion` | `foobar` |
| `traefik/tls/options/Options1/minVersion` | `foobar` |
| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
| `traefik/tls/options/Options1/sniStrict` | `true` |
| `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
| `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/main` | `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0` | `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1` | `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/resolver` | `foobar` |
| `traefik/tls/stores/Store1/defaultCertificate/certFile` | `foobar` |
| `traefik/tls/stores/Store1/defaultCertificate/keyFile` | `foobar` |
| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/main` | `foobar` |
| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/0` | `foobar` |
| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/1` | `foobar` |
| `traefik/tls/stores/Store1/defaultGeneratedCert/resolver` | `foobar` |
| `traefik/udp/routers/UDPRouter0/entryPoints/0` | `foobar` |
| `traefik/udp/routers/UDPRouter0/entryPoints/1` | `foobar` |
| `traefik/udp/routers/UDPRouter0/service` | `foobar` |
| `traefik/udp/routers/UDPRouter1/entryPoints/0` | `foobar` |
| `traefik/udp/routers/UDPRouter1/entryPoints/1` | `foobar` |
| `traefik/udp/routers/UDPRouter1/service` | `foobar` |
| `traefik/udp/services/UDPService01/loadBalancer/servers/0/address` | `foobar` |
| `traefik/udp/services/UDPService01/loadBalancer/servers/1/address` | `foobar` |
| `traefik/udp/services/UDPService02/weighted/services/0/name` | `foobar` |
| `traefik/udp/services/UDPService02/weighted/services/0/weight` | `42` |
| `traefik/udp/services/UDPService02/weighted/services/1/name` | `foobar` |
| `traefik/udp/services/UDPService02/weighted/services/1/weight` | `42` |
| <a id="traefikhttpmiddlewaresMiddleware01addPrefixprefix" href="#traefikhttpmiddlewaresMiddleware01addPrefixprefix" title="#traefikhttpmiddlewaresMiddleware01addPrefixprefix">`traefik/http/middlewares/Middleware01/addPrefix/prefix`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware02basicAuthheaderField" href="#traefikhttpmiddlewaresMiddleware02basicAuthheaderField" title="#traefikhttpmiddlewaresMiddleware02basicAuthheaderField">`traefik/http/middlewares/Middleware02/basicAuth/headerField`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware02basicAuthrealm" href="#traefikhttpmiddlewaresMiddleware02basicAuthrealm" title="#traefikhttpmiddlewaresMiddleware02basicAuthrealm">`traefik/http/middlewares/Middleware02/basicAuth/realm`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware02basicAuthremoveHeader" href="#traefikhttpmiddlewaresMiddleware02basicAuthremoveHeader" title="#traefikhttpmiddlewaresMiddleware02basicAuthremoveHeader">`traefik/http/middlewares/Middleware02/basicAuth/removeHeader`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware02basicAuthusers0" href="#traefikhttpmiddlewaresMiddleware02basicAuthusers0" title="#traefikhttpmiddlewaresMiddleware02basicAuthusers0">`traefik/http/middlewares/Middleware02/basicAuth/users/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware02basicAuthusers1" href="#traefikhttpmiddlewaresMiddleware02basicAuthusers1" title="#traefikhttpmiddlewaresMiddleware02basicAuthusers1">`traefik/http/middlewares/Middleware02/basicAuth/users/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware02basicAuthusersFile" href="#traefikhttpmiddlewaresMiddleware02basicAuthusersFile" title="#traefikhttpmiddlewaresMiddleware02basicAuthusersFile">`traefik/http/middlewares/Middleware02/basicAuth/usersFile`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware03bufferingmaxRequestBodyBytes" href="#traefikhttpmiddlewaresMiddleware03bufferingmaxRequestBodyBytes" title="#traefikhttpmiddlewaresMiddleware03bufferingmaxRequestBodyBytes">`traefik/http/middlewares/Middleware03/buffering/maxRequestBodyBytes`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware03bufferingmaxResponseBodyBytes" href="#traefikhttpmiddlewaresMiddleware03bufferingmaxResponseBodyBytes" title="#traefikhttpmiddlewaresMiddleware03bufferingmaxResponseBodyBytes">`traefik/http/middlewares/Middleware03/buffering/maxResponseBodyBytes`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware03bufferingmemRequestBodyBytes" href="#traefikhttpmiddlewaresMiddleware03bufferingmemRequestBodyBytes" title="#traefikhttpmiddlewaresMiddleware03bufferingmemRequestBodyBytes">`traefik/http/middlewares/Middleware03/buffering/memRequestBodyBytes`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware03bufferingmemResponseBodyBytes" href="#traefikhttpmiddlewaresMiddleware03bufferingmemResponseBodyBytes" title="#traefikhttpmiddlewaresMiddleware03bufferingmemResponseBodyBytes">`traefik/http/middlewares/Middleware03/buffering/memResponseBodyBytes`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware03bufferingretryExpression" href="#traefikhttpmiddlewaresMiddleware03bufferingretryExpression" title="#traefikhttpmiddlewaresMiddleware03bufferingretryExpression">`traefik/http/middlewares/Middleware03/buffering/retryExpression`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware04chainmiddlewares0" href="#traefikhttpmiddlewaresMiddleware04chainmiddlewares0" title="#traefikhttpmiddlewaresMiddleware04chainmiddlewares0">`traefik/http/middlewares/Middleware04/chain/middlewares/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware04chainmiddlewares1" href="#traefikhttpmiddlewaresMiddleware04chainmiddlewares1" title="#traefikhttpmiddlewaresMiddleware04chainmiddlewares1">`traefik/http/middlewares/Middleware04/chain/middlewares/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware05circuitBreakercheckPeriod" href="#traefikhttpmiddlewaresMiddleware05circuitBreakercheckPeriod" title="#traefikhttpmiddlewaresMiddleware05circuitBreakercheckPeriod">`traefik/http/middlewares/Middleware05/circuitBreaker/checkPeriod`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware05circuitBreakerexpression" href="#traefikhttpmiddlewaresMiddleware05circuitBreakerexpression" title="#traefikhttpmiddlewaresMiddleware05circuitBreakerexpression">`traefik/http/middlewares/Middleware05/circuitBreaker/expression`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware05circuitBreakerfallbackDuration" href="#traefikhttpmiddlewaresMiddleware05circuitBreakerfallbackDuration" title="#traefikhttpmiddlewaresMiddleware05circuitBreakerfallbackDuration">`traefik/http/middlewares/Middleware05/circuitBreaker/fallbackDuration`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware05circuitBreakerrecoveryDuration" href="#traefikhttpmiddlewaresMiddleware05circuitBreakerrecoveryDuration" title="#traefikhttpmiddlewaresMiddleware05circuitBreakerrecoveryDuration">`traefik/http/middlewares/Middleware05/circuitBreaker/recoveryDuration`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware05circuitBreakerresponseCode" href="#traefikhttpmiddlewaresMiddleware05circuitBreakerresponseCode" title="#traefikhttpmiddlewaresMiddleware05circuitBreakerresponseCode">`traefik/http/middlewares/Middleware05/circuitBreaker/responseCode`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware06compressdefaultEncoding" href="#traefikhttpmiddlewaresMiddleware06compressdefaultEncoding" title="#traefikhttpmiddlewaresMiddleware06compressdefaultEncoding">`traefik/http/middlewares/Middleware06/compress/defaultEncoding`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressencodings0" href="#traefikhttpmiddlewaresMiddleware06compressencodings0" title="#traefikhttpmiddlewaresMiddleware06compressencodings0">`traefik/http/middlewares/Middleware06/compress/encodings/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressencodings1" href="#traefikhttpmiddlewaresMiddleware06compressencodings1" title="#traefikhttpmiddlewaresMiddleware06compressencodings1">`traefik/http/middlewares/Middleware06/compress/encodings/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressexcludedContentTypes0" href="#traefikhttpmiddlewaresMiddleware06compressexcludedContentTypes0" title="#traefikhttpmiddlewaresMiddleware06compressexcludedContentTypes0">`traefik/http/middlewares/Middleware06/compress/excludedContentTypes/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressexcludedContentTypes1" href="#traefikhttpmiddlewaresMiddleware06compressexcludedContentTypes1" title="#traefikhttpmiddlewaresMiddleware06compressexcludedContentTypes1">`traefik/http/middlewares/Middleware06/compress/excludedContentTypes/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressincludedContentTypes0" href="#traefikhttpmiddlewaresMiddleware06compressincludedContentTypes0" title="#traefikhttpmiddlewaresMiddleware06compressincludedContentTypes0">`traefik/http/middlewares/Middleware06/compress/includedContentTypes/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressincludedContentTypes1" href="#traefikhttpmiddlewaresMiddleware06compressincludedContentTypes1" title="#traefikhttpmiddlewaresMiddleware06compressincludedContentTypes1">`traefik/http/middlewares/Middleware06/compress/includedContentTypes/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware06compressminResponseBodyBytes" href="#traefikhttpmiddlewaresMiddleware06compressminResponseBodyBytes" title="#traefikhttpmiddlewaresMiddleware06compressminResponseBodyBytes">`traefik/http/middlewares/Middleware06/compress/minResponseBodyBytes`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware07contentTypeautoDetect" href="#traefikhttpmiddlewaresMiddleware07contentTypeautoDetect" title="#traefikhttpmiddlewaresMiddleware07contentTypeautoDetect">`traefik/http/middlewares/Middleware07/contentType/autoDetect`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware08digestAuthheaderField" href="#traefikhttpmiddlewaresMiddleware08digestAuthheaderField" title="#traefikhttpmiddlewaresMiddleware08digestAuthheaderField">`traefik/http/middlewares/Middleware08/digestAuth/headerField`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware08digestAuthrealm" href="#traefikhttpmiddlewaresMiddleware08digestAuthrealm" title="#traefikhttpmiddlewaresMiddleware08digestAuthrealm">`traefik/http/middlewares/Middleware08/digestAuth/realm`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware08digestAuthremoveHeader" href="#traefikhttpmiddlewaresMiddleware08digestAuthremoveHeader" title="#traefikhttpmiddlewaresMiddleware08digestAuthremoveHeader">`traefik/http/middlewares/Middleware08/digestAuth/removeHeader`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware08digestAuthusers0" href="#traefikhttpmiddlewaresMiddleware08digestAuthusers0" title="#traefikhttpmiddlewaresMiddleware08digestAuthusers0">`traefik/http/middlewares/Middleware08/digestAuth/users/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware08digestAuthusers1" href="#traefikhttpmiddlewaresMiddleware08digestAuthusers1" title="#traefikhttpmiddlewaresMiddleware08digestAuthusers1">`traefik/http/middlewares/Middleware08/digestAuth/users/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware08digestAuthusersFile" href="#traefikhttpmiddlewaresMiddleware08digestAuthusersFile" title="#traefikhttpmiddlewaresMiddleware08digestAuthusersFile">`traefik/http/middlewares/Middleware08/digestAuth/usersFile`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware09errorsquery" href="#traefikhttpmiddlewaresMiddleware09errorsquery" title="#traefikhttpmiddlewaresMiddleware09errorsquery">`traefik/http/middlewares/Middleware09/errors/query`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware09errorsservice" href="#traefikhttpmiddlewaresMiddleware09errorsservice" title="#traefikhttpmiddlewaresMiddleware09errorsservice">`traefik/http/middlewares/Middleware09/errors/service`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware09errorsstatus0" href="#traefikhttpmiddlewaresMiddleware09errorsstatus0" title="#traefikhttpmiddlewaresMiddleware09errorsstatus0">`traefik/http/middlewares/Middleware09/errors/status/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware09errorsstatus1" href="#traefikhttpmiddlewaresMiddleware09errorsstatus1" title="#traefikhttpmiddlewaresMiddleware09errorsstatus1">`traefik/http/middlewares/Middleware09/errors/status/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware09errorsstatusRewritesname0" href="#traefikhttpmiddlewaresMiddleware09errorsstatusRewritesname0" title="#traefikhttpmiddlewaresMiddleware09errorsstatusRewritesname0">`traefik/http/middlewares/Middleware09/errors/statusRewrites/name0`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware09errorsstatusRewritesname1" href="#traefikhttpmiddlewaresMiddleware09errorsstatusRewritesname1" title="#traefikhttpmiddlewaresMiddleware09errorsstatusRewritesname1">`traefik/http/middlewares/Middleware09/errors/statusRewrites/name1`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthaddAuthCookiesToResponse0" href="#traefikhttpmiddlewaresMiddleware10forwardAuthaddAuthCookiesToResponse0" title="#traefikhttpmiddlewaresMiddleware10forwardAuthaddAuthCookiesToResponse0">`traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthaddAuthCookiesToResponse1" href="#traefikhttpmiddlewaresMiddleware10forwardAuthaddAuthCookiesToResponse1" title="#traefikhttpmiddlewaresMiddleware10forwardAuthaddAuthCookiesToResponse1">`traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthaddress" href="#traefikhttpmiddlewaresMiddleware10forwardAuthaddress" title="#traefikhttpmiddlewaresMiddleware10forwardAuthaddress">`traefik/http/middlewares/Middleware10/forwardAuth/address`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthauthRequestHeaders0" href="#traefikhttpmiddlewaresMiddleware10forwardAuthauthRequestHeaders0" title="#traefikhttpmiddlewaresMiddleware10forwardAuthauthRequestHeaders0">`traefik/http/middlewares/Middleware10/forwardAuth/authRequestHeaders/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthauthRequestHeaders1" href="#traefikhttpmiddlewaresMiddleware10forwardAuthauthRequestHeaders1" title="#traefikhttpmiddlewaresMiddleware10forwardAuthauthRequestHeaders1">`traefik/http/middlewares/Middleware10/forwardAuth/authRequestHeaders/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeaders0" href="#traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeaders0" title="#traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeaders0">`traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeaders1" href="#traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeaders1" title="#traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeaders1">`traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeadersRegex" href="#traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeadersRegex" title="#traefikhttpmiddlewaresMiddleware10forwardAuthauthResponseHeadersRegex">`traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthforwardBody" href="#traefikhttpmiddlewaresMiddleware10forwardAuthforwardBody" title="#traefikhttpmiddlewaresMiddleware10forwardAuthforwardBody">`traefik/http/middlewares/Middleware10/forwardAuth/forwardBody`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthheaderField" href="#traefikhttpmiddlewaresMiddleware10forwardAuthheaderField" title="#traefikhttpmiddlewaresMiddleware10forwardAuthheaderField">`traefik/http/middlewares/Middleware10/forwardAuth/headerField`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthmaxBodySize" href="#traefikhttpmiddlewaresMiddleware10forwardAuthmaxBodySize" title="#traefikhttpmiddlewaresMiddleware10forwardAuthmaxBodySize">`traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthpreserveLocationHeader" href="#traefikhttpmiddlewaresMiddleware10forwardAuthpreserveLocationHeader" title="#traefikhttpmiddlewaresMiddleware10forwardAuthpreserveLocationHeader">`traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthpreserveRequestMethod" href="#traefikhttpmiddlewaresMiddleware10forwardAuthpreserveRequestMethod" title="#traefikhttpmiddlewaresMiddleware10forwardAuthpreserveRequestMethod">`traefik/http/middlewares/Middleware10/forwardAuth/preserveRequestMethod`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthtlsca" href="#traefikhttpmiddlewaresMiddleware10forwardAuthtlsca" title="#traefikhttpmiddlewaresMiddleware10forwardAuthtlsca">`traefik/http/middlewares/Middleware10/forwardAuth/tls/ca`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthtlscaOptional" href="#traefikhttpmiddlewaresMiddleware10forwardAuthtlscaOptional" title="#traefikhttpmiddlewaresMiddleware10forwardAuthtlscaOptional">`traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthtlscert" href="#traefikhttpmiddlewaresMiddleware10forwardAuthtlscert" title="#traefikhttpmiddlewaresMiddleware10forwardAuthtlscert">`traefik/http/middlewares/Middleware10/forwardAuth/tls/cert`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthtlsinsecureSkipVerify" href="#traefikhttpmiddlewaresMiddleware10forwardAuthtlsinsecureSkipVerify" title="#traefikhttpmiddlewaresMiddleware10forwardAuthtlsinsecureSkipVerify">`traefik/http/middlewares/Middleware10/forwardAuth/tls/insecureSkipVerify`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthtlskey" href="#traefikhttpmiddlewaresMiddleware10forwardAuthtlskey" title="#traefikhttpmiddlewaresMiddleware10forwardAuthtlskey">`traefik/http/middlewares/Middleware10/forwardAuth/tls/key`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware10forwardAuthtrustForwardHeader" href="#traefikhttpmiddlewaresMiddleware10forwardAuthtrustForwardHeader" title="#traefikhttpmiddlewaresMiddleware10forwardAuthtrustForwardHeader">`traefik/http/middlewares/Middleware10/forwardAuth/trustForwardHeader`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware11grpcWeballowOrigins0" href="#traefikhttpmiddlewaresMiddleware11grpcWeballowOrigins0" title="#traefikhttpmiddlewaresMiddleware11grpcWeballowOrigins0">`traefik/http/middlewares/Middleware11/grpcWeb/allowOrigins/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware11grpcWeballowOrigins1" href="#traefikhttpmiddlewaresMiddleware11grpcWeballowOrigins1" title="#traefikhttpmiddlewaresMiddleware11grpcWeballowOrigins1">`traefik/http/middlewares/Middleware11/grpcWeb/allowOrigins/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowCredentials" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowCredentials" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowCredentials">`traefik/http/middlewares/Middleware12/headers/accessControlAllowCredentials`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowHeaders0" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowHeaders0" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowHeaders0">`traefik/http/middlewares/Middleware12/headers/accessControlAllowHeaders/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowHeaders1" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowHeaders1" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowHeaders1">`traefik/http/middlewares/Middleware12/headers/accessControlAllowHeaders/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowMethods0" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowMethods0" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowMethods0">`traefik/http/middlewares/Middleware12/headers/accessControlAllowMethods/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowMethods1" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowMethods1" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowMethods1">`traefik/http/middlewares/Middleware12/headers/accessControlAllowMethods/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginList0" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginList0" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginList0">`traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginList/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginList1" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginList1" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginList1">`traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginList/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginListRegex0" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginListRegex0" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginListRegex0">`traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginListRegex/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginListRegex1" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginListRegex1" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlAllowOriginListRegex1">`traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginListRegex/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlExposeHeaders0" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlExposeHeaders0" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlExposeHeaders0">`traefik/http/middlewares/Middleware12/headers/accessControlExposeHeaders/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlExposeHeaders1" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlExposeHeaders1" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlExposeHeaders1">`traefik/http/middlewares/Middleware12/headers/accessControlExposeHeaders/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaccessControlMaxAge" href="#traefikhttpmiddlewaresMiddleware12headersaccessControlMaxAge" title="#traefikhttpmiddlewaresMiddleware12headersaccessControlMaxAge">`traefik/http/middlewares/Middleware12/headers/accessControlMaxAge`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware12headersaddVaryHeader" href="#traefikhttpmiddlewaresMiddleware12headersaddVaryHeader" title="#traefikhttpmiddlewaresMiddleware12headersaddVaryHeader">`traefik/http/middlewares/Middleware12/headers/addVaryHeader`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headersallowedHosts0" href="#traefikhttpmiddlewaresMiddleware12headersallowedHosts0" title="#traefikhttpmiddlewaresMiddleware12headersallowedHosts0">`traefik/http/middlewares/Middleware12/headers/allowedHosts/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersallowedHosts1" href="#traefikhttpmiddlewaresMiddleware12headersallowedHosts1" title="#traefikhttpmiddlewaresMiddleware12headersallowedHosts1">`traefik/http/middlewares/Middleware12/headers/allowedHosts/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersbrowserXssFilter" href="#traefikhttpmiddlewaresMiddleware12headersbrowserXssFilter" title="#traefikhttpmiddlewaresMiddleware12headersbrowserXssFilter">`traefik/http/middlewares/Middleware12/headers/browserXssFilter`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscontentSecurityPolicy" href="#traefikhttpmiddlewaresMiddleware12headerscontentSecurityPolicy" title="#traefikhttpmiddlewaresMiddleware12headerscontentSecurityPolicy">`traefik/http/middlewares/Middleware12/headers/contentSecurityPolicy`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscontentSecurityPolicyReportOnly" href="#traefikhttpmiddlewaresMiddleware12headerscontentSecurityPolicyReportOnly" title="#traefikhttpmiddlewaresMiddleware12headerscontentSecurityPolicyReportOnly">`traefik/http/middlewares/Middleware12/headers/contentSecurityPolicyReportOnly`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscontentTypeNosniff" href="#traefikhttpmiddlewaresMiddleware12headerscontentTypeNosniff" title="#traefikhttpmiddlewaresMiddleware12headerscontentTypeNosniff">`traefik/http/middlewares/Middleware12/headers/contentTypeNosniff`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscustomBrowserXSSValue" href="#traefikhttpmiddlewaresMiddleware12headerscustomBrowserXSSValue" title="#traefikhttpmiddlewaresMiddleware12headerscustomBrowserXSSValue">`traefik/http/middlewares/Middleware12/headers/customBrowserXSSValue`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscustomFrameOptionsValue" href="#traefikhttpmiddlewaresMiddleware12headerscustomFrameOptionsValue" title="#traefikhttpmiddlewaresMiddleware12headerscustomFrameOptionsValue">`traefik/http/middlewares/Middleware12/headers/customFrameOptionsValue`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscustomRequestHeadersname0" href="#traefikhttpmiddlewaresMiddleware12headerscustomRequestHeadersname0" title="#traefikhttpmiddlewaresMiddleware12headerscustomRequestHeadersname0">`traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscustomRequestHeadersname1" href="#traefikhttpmiddlewaresMiddleware12headerscustomRequestHeadersname1" title="#traefikhttpmiddlewaresMiddleware12headerscustomRequestHeadersname1">`traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscustomResponseHeadersname0" href="#traefikhttpmiddlewaresMiddleware12headerscustomResponseHeadersname0" title="#traefikhttpmiddlewaresMiddleware12headerscustomResponseHeadersname0">`traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerscustomResponseHeadersname1" href="#traefikhttpmiddlewaresMiddleware12headerscustomResponseHeadersname1" title="#traefikhttpmiddlewaresMiddleware12headerscustomResponseHeadersname1">`traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersfeaturePolicy" href="#traefikhttpmiddlewaresMiddleware12headersfeaturePolicy" title="#traefikhttpmiddlewaresMiddleware12headersfeaturePolicy">`traefik/http/middlewares/Middleware12/headers/featurePolicy`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersforceSTSHeader" href="#traefikhttpmiddlewaresMiddleware12headersforceSTSHeader" title="#traefikhttpmiddlewaresMiddleware12headersforceSTSHeader">`traefik/http/middlewares/Middleware12/headers/forceSTSHeader`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headersframeDeny" href="#traefikhttpmiddlewaresMiddleware12headersframeDeny" title="#traefikhttpmiddlewaresMiddleware12headersframeDeny">`traefik/http/middlewares/Middleware12/headers/frameDeny`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headershostsProxyHeaders0" href="#traefikhttpmiddlewaresMiddleware12headershostsProxyHeaders0" title="#traefikhttpmiddlewaresMiddleware12headershostsProxyHeaders0">`traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headershostsProxyHeaders1" href="#traefikhttpmiddlewaresMiddleware12headershostsProxyHeaders1" title="#traefikhttpmiddlewaresMiddleware12headershostsProxyHeaders1">`traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersisDevelopment" href="#traefikhttpmiddlewaresMiddleware12headersisDevelopment" title="#traefikhttpmiddlewaresMiddleware12headersisDevelopment">`traefik/http/middlewares/Middleware12/headers/isDevelopment`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headerspermissionsPolicy" href="#traefikhttpmiddlewaresMiddleware12headerspermissionsPolicy" title="#traefikhttpmiddlewaresMiddleware12headerspermissionsPolicy">`traefik/http/middlewares/Middleware12/headers/permissionsPolicy`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerspublicKey" href="#traefikhttpmiddlewaresMiddleware12headerspublicKey" title="#traefikhttpmiddlewaresMiddleware12headerspublicKey">`traefik/http/middlewares/Middleware12/headers/publicKey`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headersreferrerPolicy" href="#traefikhttpmiddlewaresMiddleware12headersreferrerPolicy" title="#traefikhttpmiddlewaresMiddleware12headersreferrerPolicy">`traefik/http/middlewares/Middleware12/headers/referrerPolicy`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerssslForceHost" href="#traefikhttpmiddlewaresMiddleware12headerssslForceHost" title="#traefikhttpmiddlewaresMiddleware12headerssslForceHost">`traefik/http/middlewares/Middleware12/headers/sslForceHost`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headerssslHost" href="#traefikhttpmiddlewaresMiddleware12headerssslHost" title="#traefikhttpmiddlewaresMiddleware12headerssslHost">`traefik/http/middlewares/Middleware12/headers/sslHost`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerssslProxyHeadersname0" href="#traefikhttpmiddlewaresMiddleware12headerssslProxyHeadersname0" title="#traefikhttpmiddlewaresMiddleware12headerssslProxyHeadersname0">`traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerssslProxyHeadersname1" href="#traefikhttpmiddlewaresMiddleware12headerssslProxyHeadersname1" title="#traefikhttpmiddlewaresMiddleware12headerssslProxyHeadersname1">`traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware12headerssslRedirect" href="#traefikhttpmiddlewaresMiddleware12headerssslRedirect" title="#traefikhttpmiddlewaresMiddleware12headerssslRedirect">`traefik/http/middlewares/Middleware12/headers/sslRedirect`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headerssslTemporaryRedirect" href="#traefikhttpmiddlewaresMiddleware12headerssslTemporaryRedirect" title="#traefikhttpmiddlewaresMiddleware12headerssslTemporaryRedirect">`traefik/http/middlewares/Middleware12/headers/sslTemporaryRedirect`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headersstsIncludeSubdomains" href="#traefikhttpmiddlewaresMiddleware12headersstsIncludeSubdomains" title="#traefikhttpmiddlewaresMiddleware12headersstsIncludeSubdomains">`traefik/http/middlewares/Middleware12/headers/stsIncludeSubdomains`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headersstsPreload" href="#traefikhttpmiddlewaresMiddleware12headersstsPreload" title="#traefikhttpmiddlewaresMiddleware12headersstsPreload">`traefik/http/middlewares/Middleware12/headers/stsPreload`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware12headersstsSeconds" href="#traefikhttpmiddlewaresMiddleware12headersstsSeconds" title="#traefikhttpmiddlewaresMiddleware12headersstsSeconds">`traefik/http/middlewares/Middleware12/headers/stsSeconds`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListipStrategydepth" href="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategydepth" title="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategydepth">`traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/depth`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyexcludedIPs0" href="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyexcludedIPs0" title="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyexcludedIPs0">`traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyexcludedIPs1" href="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyexcludedIPs1" title="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyexcludedIPs1">`traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyipv6Subnet" href="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyipv6Subnet" title="#traefikhttpmiddlewaresMiddleware13ipAllowListipStrategyipv6Subnet">`traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/ipv6Subnet`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListrejectStatusCode" href="#traefikhttpmiddlewaresMiddleware13ipAllowListrejectStatusCode" title="#traefikhttpmiddlewaresMiddleware13ipAllowListrejectStatusCode">`traefik/http/middlewares/Middleware13/ipAllowList/rejectStatusCode`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListsourceRange0" href="#traefikhttpmiddlewaresMiddleware13ipAllowListsourceRange0" title="#traefikhttpmiddlewaresMiddleware13ipAllowListsourceRange0">`traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware13ipAllowListsourceRange1" href="#traefikhttpmiddlewaresMiddleware13ipAllowListsourceRange1" title="#traefikhttpmiddlewaresMiddleware13ipAllowListsourceRange1">`traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategydepth" href="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategydepth" title="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategydepth">`traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/depth`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyexcludedIPs0" href="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyexcludedIPs0" title="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyexcludedIPs0">`traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyexcludedIPs1" href="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyexcludedIPs1" title="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyexcludedIPs1">`traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyipv6Subnet" href="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyipv6Subnet" title="#traefikhttpmiddlewaresMiddleware14ipWhiteListipStrategyipv6Subnet">`traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/ipv6Subnet`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware14ipWhiteListsourceRange0" href="#traefikhttpmiddlewaresMiddleware14ipWhiteListsourceRange0" title="#traefikhttpmiddlewaresMiddleware14ipWhiteListsourceRange0">`traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware14ipWhiteListsourceRange1" href="#traefikhttpmiddlewaresMiddleware14ipWhiteListsourceRange1" title="#traefikhttpmiddlewaresMiddleware14ipWhiteListsourceRange1">`traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqamount" href="#traefikhttpmiddlewaresMiddleware15inFlightReqamount" title="#traefikhttpmiddlewaresMiddleware15inFlightReqamount">`traefik/http/middlewares/Middleware15/inFlightReq/amount`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategydepth" href="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategydepth" title="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategydepth">`traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/depth`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyexcludedIPs0" href="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyexcludedIPs0" title="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyexcludedIPs0">`traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyexcludedIPs1" href="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyexcludedIPs1" title="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyexcludedIPs1">`traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyipv6Subnet" href="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyipv6Subnet" title="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionipStrategyipv6Subnet">`traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/ipv6Subnet`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionrequestHeaderName" href="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionrequestHeaderName" title="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionrequestHeaderName">`traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHeaderName`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionrequestHost" href="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionrequestHost" title="#traefikhttpmiddlewaresMiddleware15inFlightReqsourceCriterionrequestHost">`traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHost`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuercommonName" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuercommonName" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuercommonName">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/commonName`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuercountry" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuercountry" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuercountry">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/country`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerdomainComponent" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerdomainComponent" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerdomainComponent">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/domainComponent`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerlocality" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerlocality" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerlocality">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/locality`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerorganization" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerorganization" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerorganization">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/organization`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerprovince" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerprovince" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerprovince">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/province`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerserialNumber" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerserialNumber" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoissuerserialNumber">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/serialNumber`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfonotAfter" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfonotAfter" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfonotAfter">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/notAfter`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfonotBefore" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfonotBefore" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfonotBefore">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/notBefore`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosans" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosans" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosans">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/sans`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoserialNumber" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoserialNumber" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfoserialNumber">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/serialNumber`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectcommonName" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectcommonName" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectcommonName">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/commonName`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectcountry" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectcountry" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectcountry">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/country`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectdomainComponent" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectdomainComponent" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectdomainComponent">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/domainComponent`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectlocality" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectlocality" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectlocality">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/locality`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectorganization" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectorganization" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectorganization">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/organization`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectorganizationalUnit" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectorganizationalUnit" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectorganizationalUnit">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/organizationalUnit`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectprovince" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectprovince" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectprovince">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/province`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectserialNumber" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectserialNumber" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertinfosubjectserialNumber">`traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/serialNumber`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware16passTLSClientCertpem" href="#traefikhttpmiddlewaresMiddleware16passTLSClientCertpem" title="#traefikhttpmiddlewaresMiddleware16passTLSClientCertpem">`traefik/http/middlewares/Middleware16/passTLSClientCert/pem`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware17pluginPluginConf0name0" href="#traefikhttpmiddlewaresMiddleware17pluginPluginConf0name0" title="#traefikhttpmiddlewaresMiddleware17pluginPluginConf0name0">`traefik/http/middlewares/Middleware17/plugin/PluginConf0/name0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware17pluginPluginConf0name1" href="#traefikhttpmiddlewaresMiddleware17pluginPluginConf0name1" title="#traefikhttpmiddlewaresMiddleware17pluginPluginConf0name1">`traefik/http/middlewares/Middleware17/plugin/PluginConf0/name1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware17pluginPluginConf1name0" href="#traefikhttpmiddlewaresMiddleware17pluginPluginConf1name0" title="#traefikhttpmiddlewaresMiddleware17pluginPluginConf1name0">`traefik/http/middlewares/Middleware17/plugin/PluginConf1/name0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware17pluginPluginConf1name1" href="#traefikhttpmiddlewaresMiddleware17pluginPluginConf1name1" title="#traefikhttpmiddlewaresMiddleware17pluginPluginConf1name1">`traefik/http/middlewares/Middleware17/plugin/PluginConf1/name1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitaverage" href="#traefikhttpmiddlewaresMiddleware18rateLimitaverage" title="#traefikhttpmiddlewaresMiddleware18rateLimitaverage">`traefik/http/middlewares/Middleware18/rateLimit/average`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitburst" href="#traefikhttpmiddlewaresMiddleware18rateLimitburst" title="#traefikhttpmiddlewaresMiddleware18rateLimitburst">`traefik/http/middlewares/Middleware18/rateLimit/burst`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitperiod" href="#traefikhttpmiddlewaresMiddleware18rateLimitperiod" title="#traefikhttpmiddlewaresMiddleware18rateLimitperiod">`traefik/http/middlewares/Middleware18/rateLimit/period`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisdb" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisdb" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisdb">`traefik/http/middlewares/Middleware18/rateLimit/redis/db`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisdialTimeout" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisdialTimeout" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisdialTimeout">`traefik/http/middlewares/Middleware18/rateLimit/redis/dialTimeout`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisendpoints0" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisendpoints0" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisendpoints0">`traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisendpoints1" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisendpoints1" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisendpoints1">`traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredismaxActiveConns" href="#traefikhttpmiddlewaresMiddleware18rateLimitredismaxActiveConns" title="#traefikhttpmiddlewaresMiddleware18rateLimitredismaxActiveConns">`traefik/http/middlewares/Middleware18/rateLimit/redis/maxActiveConns`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisminIdleConns" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisminIdleConns" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisminIdleConns">`traefik/http/middlewares/Middleware18/rateLimit/redis/minIdleConns`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredispassword" href="#traefikhttpmiddlewaresMiddleware18rateLimitredispassword" title="#traefikhttpmiddlewaresMiddleware18rateLimitredispassword">`traefik/http/middlewares/Middleware18/rateLimit/redis/password`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredispoolSize" href="#traefikhttpmiddlewaresMiddleware18rateLimitredispoolSize" title="#traefikhttpmiddlewaresMiddleware18rateLimitredispoolSize">`traefik/http/middlewares/Middleware18/rateLimit/redis/poolSize`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisreadTimeout" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisreadTimeout" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisreadTimeout">`traefik/http/middlewares/Middleware18/rateLimit/redis/readTimeout`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredistlsca" href="#traefikhttpmiddlewaresMiddleware18rateLimitredistlsca" title="#traefikhttpmiddlewaresMiddleware18rateLimitredistlsca">`traefik/http/middlewares/Middleware18/rateLimit/redis/tls/ca`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredistlscert" href="#traefikhttpmiddlewaresMiddleware18rateLimitredistlscert" title="#traefikhttpmiddlewaresMiddleware18rateLimitredistlscert">`traefik/http/middlewares/Middleware18/rateLimit/redis/tls/cert`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredistlsinsecureSkipVerify" href="#traefikhttpmiddlewaresMiddleware18rateLimitredistlsinsecureSkipVerify" title="#traefikhttpmiddlewaresMiddleware18rateLimitredistlsinsecureSkipVerify">`traefik/http/middlewares/Middleware18/rateLimit/redis/tls/insecureSkipVerify`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredistlskey" href="#traefikhttpmiddlewaresMiddleware18rateLimitredistlskey" title="#traefikhttpmiddlewaresMiddleware18rateLimitredistlskey">`traefik/http/middlewares/Middleware18/rateLimit/redis/tls/key`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitredisusername" href="#traefikhttpmiddlewaresMiddleware18rateLimitredisusername" title="#traefikhttpmiddlewaresMiddleware18rateLimitredisusername">`traefik/http/middlewares/Middleware18/rateLimit/redis/username`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitrediswriteTimeout" href="#traefikhttpmiddlewaresMiddleware18rateLimitrediswriteTimeout" title="#traefikhttpmiddlewaresMiddleware18rateLimitrediswriteTimeout">`traefik/http/middlewares/Middleware18/rateLimit/redis/writeTimeout`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategydepth" href="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategydepth" title="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategydepth">`traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/depth`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyexcludedIPs0" href="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyexcludedIPs0" title="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyexcludedIPs0">`traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyexcludedIPs1" href="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyexcludedIPs1" title="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyexcludedIPs1">`traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyipv6Subnet" href="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyipv6Subnet" title="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionipStrategyipv6Subnet">`traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/ipv6Subnet`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionrequestHeaderName" href="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionrequestHeaderName" title="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionrequestHeaderName">`traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHeaderName`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionrequestHost" href="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionrequestHost" title="#traefikhttpmiddlewaresMiddleware18rateLimitsourceCriterionrequestHost">`traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHost`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware19redirectRegexpermanent" href="#traefikhttpmiddlewaresMiddleware19redirectRegexpermanent" title="#traefikhttpmiddlewaresMiddleware19redirectRegexpermanent">`traefik/http/middlewares/Middleware19/redirectRegex/permanent`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware19redirectRegexregex" href="#traefikhttpmiddlewaresMiddleware19redirectRegexregex" title="#traefikhttpmiddlewaresMiddleware19redirectRegexregex">`traefik/http/middlewares/Middleware19/redirectRegex/regex`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware19redirectRegexreplacement" href="#traefikhttpmiddlewaresMiddleware19redirectRegexreplacement" title="#traefikhttpmiddlewaresMiddleware19redirectRegexreplacement">`traefik/http/middlewares/Middleware19/redirectRegex/replacement`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware20redirectSchemepermanent" href="#traefikhttpmiddlewaresMiddleware20redirectSchemepermanent" title="#traefikhttpmiddlewaresMiddleware20redirectSchemepermanent">`traefik/http/middlewares/Middleware20/redirectScheme/permanent`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware20redirectSchemeport" href="#traefikhttpmiddlewaresMiddleware20redirectSchemeport" title="#traefikhttpmiddlewaresMiddleware20redirectSchemeport">`traefik/http/middlewares/Middleware20/redirectScheme/port`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware20redirectSchemescheme" href="#traefikhttpmiddlewaresMiddleware20redirectSchemescheme" title="#traefikhttpmiddlewaresMiddleware20redirectSchemescheme">`traefik/http/middlewares/Middleware20/redirectScheme/scheme`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware21replacePathpath" href="#traefikhttpmiddlewaresMiddleware21replacePathpath" title="#traefikhttpmiddlewaresMiddleware21replacePathpath">`traefik/http/middlewares/Middleware21/replacePath/path`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware22replacePathRegexregex" href="#traefikhttpmiddlewaresMiddleware22replacePathRegexregex" title="#traefikhttpmiddlewaresMiddleware22replacePathRegexregex">`traefik/http/middlewares/Middleware22/replacePathRegex/regex`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware22replacePathRegexreplacement" href="#traefikhttpmiddlewaresMiddleware22replacePathRegexreplacement" title="#traefikhttpmiddlewaresMiddleware22replacePathRegexreplacement">`traefik/http/middlewares/Middleware22/replacePathRegex/replacement`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware23retryattempts" href="#traefikhttpmiddlewaresMiddleware23retryattempts" title="#traefikhttpmiddlewaresMiddleware23retryattempts">`traefik/http/middlewares/Middleware23/retry/attempts`</a> | `42` |
| <a id="traefikhttpmiddlewaresMiddleware23retryinitialInterval" href="#traefikhttpmiddlewaresMiddleware23retryinitialInterval" title="#traefikhttpmiddlewaresMiddleware23retryinitialInterval">`traefik/http/middlewares/Middleware23/retry/initialInterval`</a> | `42s` |
| <a id="traefikhttpmiddlewaresMiddleware24stripPrefixforceSlash" href="#traefikhttpmiddlewaresMiddleware24stripPrefixforceSlash" title="#traefikhttpmiddlewaresMiddleware24stripPrefixforceSlash">`traefik/http/middlewares/Middleware24/stripPrefix/forceSlash`</a> | `true` |
| <a id="traefikhttpmiddlewaresMiddleware24stripPrefixprefixes0" href="#traefikhttpmiddlewaresMiddleware24stripPrefixprefixes0" title="#traefikhttpmiddlewaresMiddleware24stripPrefixprefixes0">`traefik/http/middlewares/Middleware24/stripPrefix/prefixes/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware24stripPrefixprefixes1" href="#traefikhttpmiddlewaresMiddleware24stripPrefixprefixes1" title="#traefikhttpmiddlewaresMiddleware24stripPrefixprefixes1">`traefik/http/middlewares/Middleware24/stripPrefix/prefixes/1`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware25stripPrefixRegexregex0" href="#traefikhttpmiddlewaresMiddleware25stripPrefixRegexregex0" title="#traefikhttpmiddlewaresMiddleware25stripPrefixRegexregex0">`traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/0`</a> | `foobar` |
| <a id="traefikhttpmiddlewaresMiddleware25stripPrefixRegexregex1" href="#traefikhttpmiddlewaresMiddleware25stripPrefixRegexregex1" title="#traefikhttpmiddlewaresMiddleware25stripPrefixRegexregex1">`traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter0entryPoints0" href="#traefikhttproutersRouter0entryPoints0" title="#traefikhttproutersRouter0entryPoints0">`traefik/http/routers/Router0/entryPoints/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter0entryPoints1" href="#traefikhttproutersRouter0entryPoints1" title="#traefikhttproutersRouter0entryPoints1">`traefik/http/routers/Router0/entryPoints/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter0middlewares0" href="#traefikhttproutersRouter0middlewares0" title="#traefikhttproutersRouter0middlewares0">`traefik/http/routers/Router0/middlewares/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter0middlewares1" href="#traefikhttproutersRouter0middlewares1" title="#traefikhttproutersRouter0middlewares1">`traefik/http/routers/Router0/middlewares/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter0observabilityaccessLogs" href="#traefikhttproutersRouter0observabilityaccessLogs" title="#traefikhttproutersRouter0observabilityaccessLogs">`traefik/http/routers/Router0/observability/accessLogs`</a> | `true` |
| <a id="traefikhttproutersRouter0observabilitymetrics" href="#traefikhttproutersRouter0observabilitymetrics" title="#traefikhttproutersRouter0observabilitymetrics">`traefik/http/routers/Router0/observability/metrics`</a> | `true` |
| <a id="traefikhttproutersRouter0observabilitytraceVerbosity" href="#traefikhttproutersRouter0observabilitytraceVerbosity" title="#traefikhttproutersRouter0observabilitytraceVerbosity">`traefik/http/routers/Router0/observability/traceVerbosity`</a> | `foobar` |
| <a id="traefikhttproutersRouter0observabilitytracing" href="#traefikhttproutersRouter0observabilitytracing" title="#traefikhttproutersRouter0observabilitytracing">`traefik/http/routers/Router0/observability/tracing`</a> | `true` |
| <a id="traefikhttproutersRouter0priority" href="#traefikhttproutersRouter0priority" title="#traefikhttproutersRouter0priority">`traefik/http/routers/Router0/priority`</a> | `42` |
| <a id="traefikhttproutersRouter0rule" href="#traefikhttproutersRouter0rule" title="#traefikhttproutersRouter0rule">`traefik/http/routers/Router0/rule`</a> | `foobar` |
| <a id="traefikhttproutersRouter0ruleSyntax" href="#traefikhttproutersRouter0ruleSyntax" title="#traefikhttproutersRouter0ruleSyntax">`traefik/http/routers/Router0/ruleSyntax`</a> | `foobar` |
| <a id="traefikhttproutersRouter0service" href="#traefikhttproutersRouter0service" title="#traefikhttproutersRouter0service">`traefik/http/routers/Router0/service`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlscertResolver" href="#traefikhttproutersRouter0tlscertResolver" title="#traefikhttproutersRouter0tlscertResolver">`traefik/http/routers/Router0/tls/certResolver`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsdomains0main" href="#traefikhttproutersRouter0tlsdomains0main" title="#traefikhttproutersRouter0tlsdomains0main">`traefik/http/routers/Router0/tls/domains/0/main`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsdomains0sans0" href="#traefikhttproutersRouter0tlsdomains0sans0" title="#traefikhttproutersRouter0tlsdomains0sans0">`traefik/http/routers/Router0/tls/domains/0/sans/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsdomains0sans1" href="#traefikhttproutersRouter0tlsdomains0sans1" title="#traefikhttproutersRouter0tlsdomains0sans1">`traefik/http/routers/Router0/tls/domains/0/sans/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsdomains1main" href="#traefikhttproutersRouter0tlsdomains1main" title="#traefikhttproutersRouter0tlsdomains1main">`traefik/http/routers/Router0/tls/domains/1/main`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsdomains1sans0" href="#traefikhttproutersRouter0tlsdomains1sans0" title="#traefikhttproutersRouter0tlsdomains1sans0">`traefik/http/routers/Router0/tls/domains/1/sans/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsdomains1sans1" href="#traefikhttproutersRouter0tlsdomains1sans1" title="#traefikhttproutersRouter0tlsdomains1sans1">`traefik/http/routers/Router0/tls/domains/1/sans/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter0tlsoptions" href="#traefikhttproutersRouter0tlsoptions" title="#traefikhttproutersRouter0tlsoptions">`traefik/http/routers/Router0/tls/options`</a> | `foobar` |
| <a id="traefikhttproutersRouter1entryPoints0" href="#traefikhttproutersRouter1entryPoints0" title="#traefikhttproutersRouter1entryPoints0">`traefik/http/routers/Router1/entryPoints/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter1entryPoints1" href="#traefikhttproutersRouter1entryPoints1" title="#traefikhttproutersRouter1entryPoints1">`traefik/http/routers/Router1/entryPoints/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter1middlewares0" href="#traefikhttproutersRouter1middlewares0" title="#traefikhttproutersRouter1middlewares0">`traefik/http/routers/Router1/middlewares/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter1middlewares1" href="#traefikhttproutersRouter1middlewares1" title="#traefikhttproutersRouter1middlewares1">`traefik/http/routers/Router1/middlewares/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter1observabilityaccessLogs" href="#traefikhttproutersRouter1observabilityaccessLogs" title="#traefikhttproutersRouter1observabilityaccessLogs">`traefik/http/routers/Router1/observability/accessLogs`</a> | `true` |
| <a id="traefikhttproutersRouter1observabilitymetrics" href="#traefikhttproutersRouter1observabilitymetrics" title="#traefikhttproutersRouter1observabilitymetrics">`traefik/http/routers/Router1/observability/metrics`</a> | `true` |
| <a id="traefikhttproutersRouter1observabilitytraceVerbosity" href="#traefikhttproutersRouter1observabilitytraceVerbosity" title="#traefikhttproutersRouter1observabilitytraceVerbosity">`traefik/http/routers/Router1/observability/traceVerbosity`</a> | `foobar` |
| <a id="traefikhttproutersRouter1observabilitytracing" href="#traefikhttproutersRouter1observabilitytracing" title="#traefikhttproutersRouter1observabilitytracing">`traefik/http/routers/Router1/observability/tracing`</a> | `true` |
| <a id="traefikhttproutersRouter1priority" href="#traefikhttproutersRouter1priority" title="#traefikhttproutersRouter1priority">`traefik/http/routers/Router1/priority`</a> | `42` |
| <a id="traefikhttproutersRouter1rule" href="#traefikhttproutersRouter1rule" title="#traefikhttproutersRouter1rule">`traefik/http/routers/Router1/rule`</a> | `foobar` |
| <a id="traefikhttproutersRouter1ruleSyntax" href="#traefikhttproutersRouter1ruleSyntax" title="#traefikhttproutersRouter1ruleSyntax">`traefik/http/routers/Router1/ruleSyntax`</a> | `foobar` |
| <a id="traefikhttproutersRouter1service" href="#traefikhttproutersRouter1service" title="#traefikhttproutersRouter1service">`traefik/http/routers/Router1/service`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlscertResolver" href="#traefikhttproutersRouter1tlscertResolver" title="#traefikhttproutersRouter1tlscertResolver">`traefik/http/routers/Router1/tls/certResolver`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsdomains0main" href="#traefikhttproutersRouter1tlsdomains0main" title="#traefikhttproutersRouter1tlsdomains0main">`traefik/http/routers/Router1/tls/domains/0/main`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsdomains0sans0" href="#traefikhttproutersRouter1tlsdomains0sans0" title="#traefikhttproutersRouter1tlsdomains0sans0">`traefik/http/routers/Router1/tls/domains/0/sans/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsdomains0sans1" href="#traefikhttproutersRouter1tlsdomains0sans1" title="#traefikhttproutersRouter1tlsdomains0sans1">`traefik/http/routers/Router1/tls/domains/0/sans/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsdomains1main" href="#traefikhttproutersRouter1tlsdomains1main" title="#traefikhttproutersRouter1tlsdomains1main">`traefik/http/routers/Router1/tls/domains/1/main`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsdomains1sans0" href="#traefikhttproutersRouter1tlsdomains1sans0" title="#traefikhttproutersRouter1tlsdomains1sans0">`traefik/http/routers/Router1/tls/domains/1/sans/0`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsdomains1sans1" href="#traefikhttproutersRouter1tlsdomains1sans1" title="#traefikhttproutersRouter1tlsdomains1sans1">`traefik/http/routers/Router1/tls/domains/1/sans/1`</a> | `foobar` |
| <a id="traefikhttproutersRouter1tlsoptions" href="#traefikhttproutersRouter1tlsoptions" title="#traefikhttproutersRouter1tlsoptions">`traefik/http/routers/Router1/tls/options`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0certificates0certFile" href="#traefikhttpserversTransportsServersTransport0certificates0certFile" title="#traefikhttpserversTransportsServersTransport0certificates0certFile">`traefik/http/serversTransports/ServersTransport0/certificates/0/certFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0certificates0keyFile" href="#traefikhttpserversTransportsServersTransport0certificates0keyFile" title="#traefikhttpserversTransportsServersTransport0certificates0keyFile">`traefik/http/serversTransports/ServersTransport0/certificates/0/keyFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0certificates1certFile" href="#traefikhttpserversTransportsServersTransport0certificates1certFile" title="#traefikhttpserversTransportsServersTransport0certificates1certFile">`traefik/http/serversTransports/ServersTransport0/certificates/1/certFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0certificates1keyFile" href="#traefikhttpserversTransportsServersTransport0certificates1keyFile" title="#traefikhttpserversTransportsServersTransport0certificates1keyFile">`traefik/http/serversTransports/ServersTransport0/certificates/1/keyFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0disableHTTP2" href="#traefikhttpserversTransportsServersTransport0disableHTTP2" title="#traefikhttpserversTransportsServersTransport0disableHTTP2">`traefik/http/serversTransports/ServersTransport0/disableHTTP2`</a> | `true` |
| <a id="traefikhttpserversTransportsServersTransport0forwardingTimeoutsdialTimeout" href="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsdialTimeout" title="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsdialTimeout">`traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/dialTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport0forwardingTimeoutsidleConnTimeout" href="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsidleConnTimeout" title="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsidleConnTimeout">`traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/idleConnTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport0forwardingTimeoutspingTimeout" href="#traefikhttpserversTransportsServersTransport0forwardingTimeoutspingTimeout" title="#traefikhttpserversTransportsServersTransport0forwardingTimeoutspingTimeout">`traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/pingTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport0forwardingTimeoutsreadIdleTimeout" href="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsreadIdleTimeout" title="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsreadIdleTimeout">`traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/readIdleTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport0forwardingTimeoutsresponseHeaderTimeout" href="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsresponseHeaderTimeout" title="#traefikhttpserversTransportsServersTransport0forwardingTimeoutsresponseHeaderTimeout">`traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/responseHeaderTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport0insecureSkipVerify" href="#traefikhttpserversTransportsServersTransport0insecureSkipVerify" title="#traefikhttpserversTransportsServersTransport0insecureSkipVerify">`traefik/http/serversTransports/ServersTransport0/insecureSkipVerify`</a> | `true` |
| <a id="traefikhttpserversTransportsServersTransport0maxIdleConnsPerHost" href="#traefikhttpserversTransportsServersTransport0maxIdleConnsPerHost" title="#traefikhttpserversTransportsServersTransport0maxIdleConnsPerHost">`traefik/http/serversTransports/ServersTransport0/maxIdleConnsPerHost`</a> | `42` |
| <a id="traefikhttpserversTransportsServersTransport0peerCertURI" href="#traefikhttpserversTransportsServersTransport0peerCertURI" title="#traefikhttpserversTransportsServersTransport0peerCertURI">`traefik/http/serversTransports/ServersTransport0/peerCertURI`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0rootCAs0" href="#traefikhttpserversTransportsServersTransport0rootCAs0" title="#traefikhttpserversTransportsServersTransport0rootCAs0">`traefik/http/serversTransports/ServersTransport0/rootCAs/0`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0rootCAs1" href="#traefikhttpserversTransportsServersTransport0rootCAs1" title="#traefikhttpserversTransportsServersTransport0rootCAs1">`traefik/http/serversTransports/ServersTransport0/rootCAs/1`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0serverName" href="#traefikhttpserversTransportsServersTransport0serverName" title="#traefikhttpserversTransportsServersTransport0serverName">`traefik/http/serversTransports/ServersTransport0/serverName`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0spiffeids0" href="#traefikhttpserversTransportsServersTransport0spiffeids0" title="#traefikhttpserversTransportsServersTransport0spiffeids0">`traefik/http/serversTransports/ServersTransport0/spiffe/ids/0`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0spiffeids1" href="#traefikhttpserversTransportsServersTransport0spiffeids1" title="#traefikhttpserversTransportsServersTransport0spiffeids1">`traefik/http/serversTransports/ServersTransport0/spiffe/ids/1`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport0spiffetrustDomain" href="#traefikhttpserversTransportsServersTransport0spiffetrustDomain" title="#traefikhttpserversTransportsServersTransport0spiffetrustDomain">`traefik/http/serversTransports/ServersTransport0/spiffe/trustDomain`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1certificates0certFile" href="#traefikhttpserversTransportsServersTransport1certificates0certFile" title="#traefikhttpserversTransportsServersTransport1certificates0certFile">`traefik/http/serversTransports/ServersTransport1/certificates/0/certFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1certificates0keyFile" href="#traefikhttpserversTransportsServersTransport1certificates0keyFile" title="#traefikhttpserversTransportsServersTransport1certificates0keyFile">`traefik/http/serversTransports/ServersTransport1/certificates/0/keyFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1certificates1certFile" href="#traefikhttpserversTransportsServersTransport1certificates1certFile" title="#traefikhttpserversTransportsServersTransport1certificates1certFile">`traefik/http/serversTransports/ServersTransport1/certificates/1/certFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1certificates1keyFile" href="#traefikhttpserversTransportsServersTransport1certificates1keyFile" title="#traefikhttpserversTransportsServersTransport1certificates1keyFile">`traefik/http/serversTransports/ServersTransport1/certificates/1/keyFile`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1disableHTTP2" href="#traefikhttpserversTransportsServersTransport1disableHTTP2" title="#traefikhttpserversTransportsServersTransport1disableHTTP2">`traefik/http/serversTransports/ServersTransport1/disableHTTP2`</a> | `true` |
| <a id="traefikhttpserversTransportsServersTransport1forwardingTimeoutsdialTimeout" href="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsdialTimeout" title="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsdialTimeout">`traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/dialTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport1forwardingTimeoutsidleConnTimeout" href="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsidleConnTimeout" title="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsidleConnTimeout">`traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/idleConnTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport1forwardingTimeoutspingTimeout" href="#traefikhttpserversTransportsServersTransport1forwardingTimeoutspingTimeout" title="#traefikhttpserversTransportsServersTransport1forwardingTimeoutspingTimeout">`traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/pingTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport1forwardingTimeoutsreadIdleTimeout" href="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsreadIdleTimeout" title="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsreadIdleTimeout">`traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/readIdleTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport1forwardingTimeoutsresponseHeaderTimeout" href="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsresponseHeaderTimeout" title="#traefikhttpserversTransportsServersTransport1forwardingTimeoutsresponseHeaderTimeout">`traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/responseHeaderTimeout`</a> | `42s` |
| <a id="traefikhttpserversTransportsServersTransport1insecureSkipVerify" href="#traefikhttpserversTransportsServersTransport1insecureSkipVerify" title="#traefikhttpserversTransportsServersTransport1insecureSkipVerify">`traefik/http/serversTransports/ServersTransport1/insecureSkipVerify`</a> | `true` |
| <a id="traefikhttpserversTransportsServersTransport1maxIdleConnsPerHost" href="#traefikhttpserversTransportsServersTransport1maxIdleConnsPerHost" title="#traefikhttpserversTransportsServersTransport1maxIdleConnsPerHost">`traefik/http/serversTransports/ServersTransport1/maxIdleConnsPerHost`</a> | `42` |
| <a id="traefikhttpserversTransportsServersTransport1peerCertURI" href="#traefikhttpserversTransportsServersTransport1peerCertURI" title="#traefikhttpserversTransportsServersTransport1peerCertURI">`traefik/http/serversTransports/ServersTransport1/peerCertURI`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1rootCAs0" href="#traefikhttpserversTransportsServersTransport1rootCAs0" title="#traefikhttpserversTransportsServersTransport1rootCAs0">`traefik/http/serversTransports/ServersTransport1/rootCAs/0`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1rootCAs1" href="#traefikhttpserversTransportsServersTransport1rootCAs1" title="#traefikhttpserversTransportsServersTransport1rootCAs1">`traefik/http/serversTransports/ServersTransport1/rootCAs/1`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1serverName" href="#traefikhttpserversTransportsServersTransport1serverName" title="#traefikhttpserversTransportsServersTransport1serverName">`traefik/http/serversTransports/ServersTransport1/serverName`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1spiffeids0" href="#traefikhttpserversTransportsServersTransport1spiffeids0" title="#traefikhttpserversTransportsServersTransport1spiffeids0">`traefik/http/serversTransports/ServersTransport1/spiffe/ids/0`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1spiffeids1" href="#traefikhttpserversTransportsServersTransport1spiffeids1" title="#traefikhttpserversTransportsServersTransport1spiffeids1">`traefik/http/serversTransports/ServersTransport1/spiffe/ids/1`</a> | `foobar` |
| <a id="traefikhttpserversTransportsServersTransport1spiffetrustDomain" href="#traefikhttpserversTransportsServersTransport1spiffetrustDomain" title="#traefikhttpserversTransportsServersTransport1spiffetrustDomain">`traefik/http/serversTransports/ServersTransport1/spiffe/trustDomain`</a> | `foobar` |
| <a id="traefikhttpservicesService01failoverfallback" href="#traefikhttpservicesService01failoverfallback" title="#traefikhttpservicesService01failoverfallback">`traefik/http/services/Service01/failover/fallback`</a> | `foobar` |
| <a id="traefikhttpservicesService01failoverhealthCheck" href="#traefikhttpservicesService01failoverhealthCheck" title="#traefikhttpservicesService01failoverhealthCheck">`traefik/http/services/Service01/failover/healthCheck`</a> | `` |
| <a id="traefikhttpservicesService01failoverservice" href="#traefikhttpservicesService01failoverservice" title="#traefikhttpservicesService01failoverservice">`traefik/http/services/Service01/failover/service`</a> | `foobar` |
| <a id="traefikhttpservicesService02highestRandomWeighthealthCheck" href="#traefikhttpservicesService02highestRandomWeighthealthCheck" title="#traefikhttpservicesService02highestRandomWeighthealthCheck">`traefik/http/services/Service02/highestRandomWeight/healthCheck`</a> | `` |
| <a id="traefikhttpservicesService02highestRandomWeightservices0name" href="#traefikhttpservicesService02highestRandomWeightservices0name" title="#traefikhttpservicesService02highestRandomWeightservices0name">`traefik/http/services/Service02/highestRandomWeight/services/0/name`</a> | `foobar` |
| <a id="traefikhttpservicesService02highestRandomWeightservices0weight" href="#traefikhttpservicesService02highestRandomWeightservices0weight" title="#traefikhttpservicesService02highestRandomWeightservices0weight">`traefik/http/services/Service02/highestRandomWeight/services/0/weight`</a> | `42` |
| <a id="traefikhttpservicesService02highestRandomWeightservices1name" href="#traefikhttpservicesService02highestRandomWeightservices1name" title="#traefikhttpservicesService02highestRandomWeightservices1name">`traefik/http/services/Service02/highestRandomWeight/services/1/name`</a> | `foobar` |
| <a id="traefikhttpservicesService02highestRandomWeightservices1weight" href="#traefikhttpservicesService02highestRandomWeightservices1weight" title="#traefikhttpservicesService02highestRandomWeightservices1weight">`traefik/http/services/Service02/highestRandomWeight/services/1/weight`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckfollowRedirects" href="#traefikhttpservicesService03loadBalancerhealthCheckfollowRedirects" title="#traefikhttpservicesService03loadBalancerhealthCheckfollowRedirects">`traefik/http/services/Service03/loadBalancer/healthCheck/followRedirects`</a> | `true` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckheadersname0" href="#traefikhttpservicesService03loadBalancerhealthCheckheadersname0" title="#traefikhttpservicesService03loadBalancerhealthCheckheadersname0">`traefik/http/services/Service03/loadBalancer/healthCheck/headers/name0`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckheadersname1" href="#traefikhttpservicesService03loadBalancerhealthCheckheadersname1" title="#traefikhttpservicesService03loadBalancerhealthCheckheadersname1">`traefik/http/services/Service03/loadBalancer/healthCheck/headers/name1`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckhostname" href="#traefikhttpservicesService03loadBalancerhealthCheckhostname" title="#traefikhttpservicesService03loadBalancerhealthCheckhostname">`traefik/http/services/Service03/loadBalancer/healthCheck/hostname`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckinterval" href="#traefikhttpservicesService03loadBalancerhealthCheckinterval" title="#traefikhttpservicesService03loadBalancerhealthCheckinterval">`traefik/http/services/Service03/loadBalancer/healthCheck/interval`</a> | `42s` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckmethod" href="#traefikhttpservicesService03loadBalancerhealthCheckmethod" title="#traefikhttpservicesService03loadBalancerhealthCheckmethod">`traefik/http/services/Service03/loadBalancer/healthCheck/method`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckmode" href="#traefikhttpservicesService03loadBalancerhealthCheckmode" title="#traefikhttpservicesService03loadBalancerhealthCheckmode">`traefik/http/services/Service03/loadBalancer/healthCheck/mode`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckpath" href="#traefikhttpservicesService03loadBalancerhealthCheckpath" title="#traefikhttpservicesService03loadBalancerhealthCheckpath">`traefik/http/services/Service03/loadBalancer/healthCheck/path`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckport" href="#traefikhttpservicesService03loadBalancerhealthCheckport" title="#traefikhttpservicesService03loadBalancerhealthCheckport">`traefik/http/services/Service03/loadBalancer/healthCheck/port`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckscheme" href="#traefikhttpservicesService03loadBalancerhealthCheckscheme" title="#traefikhttpservicesService03loadBalancerhealthCheckscheme">`traefik/http/services/Service03/loadBalancer/healthCheck/scheme`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckstatus" href="#traefikhttpservicesService03loadBalancerhealthCheckstatus" title="#traefikhttpservicesService03loadBalancerhealthCheckstatus">`traefik/http/services/Service03/loadBalancer/healthCheck/status`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerhealthChecktimeout" href="#traefikhttpservicesService03loadBalancerhealthChecktimeout" title="#traefikhttpservicesService03loadBalancerhealthChecktimeout">`traefik/http/services/Service03/loadBalancer/healthCheck/timeout`</a> | `42s` |
| <a id="traefikhttpservicesService03loadBalancerhealthCheckunhealthyInterval" href="#traefikhttpservicesService03loadBalancerhealthCheckunhealthyInterval" title="#traefikhttpservicesService03loadBalancerhealthCheckunhealthyInterval">`traefik/http/services/Service03/loadBalancer/healthCheck/unhealthyInterval`</a> | `42s` |
| <a id="traefikhttpservicesService03loadBalancerpassHostHeader" href="#traefikhttpservicesService03loadBalancerpassHostHeader" title="#traefikhttpservicesService03loadBalancerpassHostHeader">`traefik/http/services/Service03/loadBalancer/passHostHeader`</a> | `true` |
| <a id="traefikhttpservicesService03loadBalancerpassiveHealthCheckfailureWindow" href="#traefikhttpservicesService03loadBalancerpassiveHealthCheckfailureWindow" title="#traefikhttpservicesService03loadBalancerpassiveHealthCheckfailureWindow">`traefik/http/services/Service03/loadBalancer/passiveHealthCheck/failureWindow`</a> | `42s` |
| <a id="traefikhttpservicesService03loadBalancerpassiveHealthCheckmaxFailedAttempts" href="#traefikhttpservicesService03loadBalancerpassiveHealthCheckmaxFailedAttempts" title="#traefikhttpservicesService03loadBalancerpassiveHealthCheckmaxFailedAttempts">`traefik/http/services/Service03/loadBalancer/passiveHealthCheck/maxFailedAttempts`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerresponseForwardingflushInterval" href="#traefikhttpservicesService03loadBalancerresponseForwardingflushInterval" title="#traefikhttpservicesService03loadBalancerresponseForwardingflushInterval">`traefik/http/services/Service03/loadBalancer/responseForwarding/flushInterval`</a> | `42s` |
| <a id="traefikhttpservicesService03loadBalancerservers0preservePath" href="#traefikhttpservicesService03loadBalancerservers0preservePath" title="#traefikhttpservicesService03loadBalancerservers0preservePath">`traefik/http/services/Service03/loadBalancer/servers/0/preservePath`</a> | `true` |
| <a id="traefikhttpservicesService03loadBalancerservers0url" href="#traefikhttpservicesService03loadBalancerservers0url" title="#traefikhttpservicesService03loadBalancerservers0url">`traefik/http/services/Service03/loadBalancer/servers/0/url`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerservers0weight" href="#traefikhttpservicesService03loadBalancerservers0weight" title="#traefikhttpservicesService03loadBalancerservers0weight">`traefik/http/services/Service03/loadBalancer/servers/0/weight`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerservers1preservePath" href="#traefikhttpservicesService03loadBalancerservers1preservePath" title="#traefikhttpservicesService03loadBalancerservers1preservePath">`traefik/http/services/Service03/loadBalancer/servers/1/preservePath`</a> | `true` |
| <a id="traefikhttpservicesService03loadBalancerservers1url" href="#traefikhttpservicesService03loadBalancerservers1url" title="#traefikhttpservicesService03loadBalancerservers1url">`traefik/http/services/Service03/loadBalancer/servers/1/url`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerservers1weight" href="#traefikhttpservicesService03loadBalancerservers1weight" title="#traefikhttpservicesService03loadBalancerservers1weight">`traefik/http/services/Service03/loadBalancer/servers/1/weight`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerserversTransport" href="#traefikhttpservicesService03loadBalancerserversTransport" title="#traefikhttpservicesService03loadBalancerserversTransport">`traefik/http/services/Service03/loadBalancer/serversTransport`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiedomain" href="#traefikhttpservicesService03loadBalancerstickycookiedomain" title="#traefikhttpservicesService03loadBalancerstickycookiedomain">`traefik/http/services/Service03/loadBalancer/sticky/cookie/domain`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiehttpOnly" href="#traefikhttpservicesService03loadBalancerstickycookiehttpOnly" title="#traefikhttpservicesService03loadBalancerstickycookiehttpOnly">`traefik/http/services/Service03/loadBalancer/sticky/cookie/httpOnly`</a> | `true` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiemaxAge" href="#traefikhttpservicesService03loadBalancerstickycookiemaxAge" title="#traefikhttpservicesService03loadBalancerstickycookiemaxAge">`traefik/http/services/Service03/loadBalancer/sticky/cookie/maxAge`</a> | `42` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiename" href="#traefikhttpservicesService03loadBalancerstickycookiename" title="#traefikhttpservicesService03loadBalancerstickycookiename">`traefik/http/services/Service03/loadBalancer/sticky/cookie/name`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiepath" href="#traefikhttpservicesService03loadBalancerstickycookiepath" title="#traefikhttpservicesService03loadBalancerstickycookiepath">`traefik/http/services/Service03/loadBalancer/sticky/cookie/path`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiesameSite" href="#traefikhttpservicesService03loadBalancerstickycookiesameSite" title="#traefikhttpservicesService03loadBalancerstickycookiesameSite">`traefik/http/services/Service03/loadBalancer/sticky/cookie/sameSite`</a> | `foobar` |
| <a id="traefikhttpservicesService03loadBalancerstickycookiesecure" href="#traefikhttpservicesService03loadBalancerstickycookiesecure" title="#traefikhttpservicesService03loadBalancerstickycookiesecure">`traefik/http/services/Service03/loadBalancer/sticky/cookie/secure`</a> | `true` |
| <a id="traefikhttpservicesService03loadBalancerstrategy" href="#traefikhttpservicesService03loadBalancerstrategy" title="#traefikhttpservicesService03loadBalancerstrategy">`traefik/http/services/Service03/loadBalancer/strategy`</a> | `foobar` |
| <a id="traefikhttpservicesService04mirroringhealthCheck" href="#traefikhttpservicesService04mirroringhealthCheck" title="#traefikhttpservicesService04mirroringhealthCheck">`traefik/http/services/Service04/mirroring/healthCheck`</a> | `` |
| <a id="traefikhttpservicesService04mirroringmaxBodySize" href="#traefikhttpservicesService04mirroringmaxBodySize" title="#traefikhttpservicesService04mirroringmaxBodySize">`traefik/http/services/Service04/mirroring/maxBodySize`</a> | `42` |
| <a id="traefikhttpservicesService04mirroringmirrorBody" href="#traefikhttpservicesService04mirroringmirrorBody" title="#traefikhttpservicesService04mirroringmirrorBody">`traefik/http/services/Service04/mirroring/mirrorBody`</a> | `true` |
| <a id="traefikhttpservicesService04mirroringmirrors0name" href="#traefikhttpservicesService04mirroringmirrors0name" title="#traefikhttpservicesService04mirroringmirrors0name">`traefik/http/services/Service04/mirroring/mirrors/0/name`</a> | `foobar` |
| <a id="traefikhttpservicesService04mirroringmirrors0percent" href="#traefikhttpservicesService04mirroringmirrors0percent" title="#traefikhttpservicesService04mirroringmirrors0percent">`traefik/http/services/Service04/mirroring/mirrors/0/percent`</a> | `42` |
| <a id="traefikhttpservicesService04mirroringmirrors1name" href="#traefikhttpservicesService04mirroringmirrors1name" title="#traefikhttpservicesService04mirroringmirrors1name">`traefik/http/services/Service04/mirroring/mirrors/1/name`</a> | `foobar` |
| <a id="traefikhttpservicesService04mirroringmirrors1percent" href="#traefikhttpservicesService04mirroringmirrors1percent" title="#traefikhttpservicesService04mirroringmirrors1percent">`traefik/http/services/Service04/mirroring/mirrors/1/percent`</a> | `42` |
| <a id="traefikhttpservicesService04mirroringservice" href="#traefikhttpservicesService04mirroringservice" title="#traefikhttpservicesService04mirroringservice">`traefik/http/services/Service04/mirroring/service`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedhealthCheck" href="#traefikhttpservicesService05weightedhealthCheck" title="#traefikhttpservicesService05weightedhealthCheck">`traefik/http/services/Service05/weighted/healthCheck`</a> | `` |
| <a id="traefikhttpservicesService05weightedservices0name" href="#traefikhttpservicesService05weightedservices0name" title="#traefikhttpservicesService05weightedservices0name">`traefik/http/services/Service05/weighted/services/0/name`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedservices0weight" href="#traefikhttpservicesService05weightedservices0weight" title="#traefikhttpservicesService05weightedservices0weight">`traefik/http/services/Service05/weighted/services/0/weight`</a> | `42` |
| <a id="traefikhttpservicesService05weightedservices1name" href="#traefikhttpservicesService05weightedservices1name" title="#traefikhttpservicesService05weightedservices1name">`traefik/http/services/Service05/weighted/services/1/name`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedservices1weight" href="#traefikhttpservicesService05weightedservices1weight" title="#traefikhttpservicesService05weightedservices1weight">`traefik/http/services/Service05/weighted/services/1/weight`</a> | `42` |
| <a id="traefikhttpservicesService05weightedstickycookiedomain" href="#traefikhttpservicesService05weightedstickycookiedomain" title="#traefikhttpservicesService05weightedstickycookiedomain">`traefik/http/services/Service05/weighted/sticky/cookie/domain`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedstickycookiehttpOnly" href="#traefikhttpservicesService05weightedstickycookiehttpOnly" title="#traefikhttpservicesService05weightedstickycookiehttpOnly">`traefik/http/services/Service05/weighted/sticky/cookie/httpOnly`</a> | `true` |
| <a id="traefikhttpservicesService05weightedstickycookiemaxAge" href="#traefikhttpservicesService05weightedstickycookiemaxAge" title="#traefikhttpservicesService05weightedstickycookiemaxAge">`traefik/http/services/Service05/weighted/sticky/cookie/maxAge`</a> | `42` |
| <a id="traefikhttpservicesService05weightedstickycookiename" href="#traefikhttpservicesService05weightedstickycookiename" title="#traefikhttpservicesService05weightedstickycookiename">`traefik/http/services/Service05/weighted/sticky/cookie/name`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedstickycookiepath" href="#traefikhttpservicesService05weightedstickycookiepath" title="#traefikhttpservicesService05weightedstickycookiepath">`traefik/http/services/Service05/weighted/sticky/cookie/path`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedstickycookiesameSite" href="#traefikhttpservicesService05weightedstickycookiesameSite" title="#traefikhttpservicesService05weightedstickycookiesameSite">`traefik/http/services/Service05/weighted/sticky/cookie/sameSite`</a> | `foobar` |
| <a id="traefikhttpservicesService05weightedstickycookiesecure" href="#traefikhttpservicesService05weightedstickycookiesecure" title="#traefikhttpservicesService05weightedstickycookiesecure">`traefik/http/services/Service05/weighted/sticky/cookie/secure`</a> | `true` |
| <a id="traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange0" href="#traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange0" title="#traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange0">`traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0`</a> | `foobar` |
| <a id="traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange1" href="#traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange1" title="#traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange1">`traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/1`</a> | `foobar` |
| <a id="traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange0" href="#traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange0" title="#traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange0">`traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/0`</a> | `foobar` |
| <a id="traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange1" href="#traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange1" title="#traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange1">`traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/1`</a> | `foobar` |
| <a id="traefiktcpmiddlewaresTCPMiddleware03inFlightConnamount" href="#traefiktcpmiddlewaresTCPMiddleware03inFlightConnamount" title="#traefiktcpmiddlewaresTCPMiddleware03inFlightConnamount">`traefik/tcp/middlewares/TCPMiddleware03/inFlightConn/amount`</a> | `42` |
| <a id="traefiktcproutersTCPRouter0entryPoints0" href="#traefiktcproutersTCPRouter0entryPoints0" title="#traefiktcproutersTCPRouter0entryPoints0">`traefik/tcp/routers/TCPRouter0/entryPoints/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0entryPoints1" href="#traefiktcproutersTCPRouter0entryPoints1" title="#traefiktcproutersTCPRouter0entryPoints1">`traefik/tcp/routers/TCPRouter0/entryPoints/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0middlewares0" href="#traefiktcproutersTCPRouter0middlewares0" title="#traefiktcproutersTCPRouter0middlewares0">`traefik/tcp/routers/TCPRouter0/middlewares/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0middlewares1" href="#traefiktcproutersTCPRouter0middlewares1" title="#traefiktcproutersTCPRouter0middlewares1">`traefik/tcp/routers/TCPRouter0/middlewares/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0priority" href="#traefiktcproutersTCPRouter0priority" title="#traefiktcproutersTCPRouter0priority">`traefik/tcp/routers/TCPRouter0/priority`</a> | `42` |
| <a id="traefiktcproutersTCPRouter0rule" href="#traefiktcproutersTCPRouter0rule" title="#traefiktcproutersTCPRouter0rule">`traefik/tcp/routers/TCPRouter0/rule`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0ruleSyntax" href="#traefiktcproutersTCPRouter0ruleSyntax" title="#traefiktcproutersTCPRouter0ruleSyntax">`traefik/tcp/routers/TCPRouter0/ruleSyntax`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0service" href="#traefiktcproutersTCPRouter0service" title="#traefiktcproutersTCPRouter0service">`traefik/tcp/routers/TCPRouter0/service`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlscertResolver" href="#traefiktcproutersTCPRouter0tlscertResolver" title="#traefiktcproutersTCPRouter0tlscertResolver">`traefik/tcp/routers/TCPRouter0/tls/certResolver`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsdomains0main" href="#traefiktcproutersTCPRouter0tlsdomains0main" title="#traefiktcproutersTCPRouter0tlsdomains0main">`traefik/tcp/routers/TCPRouter0/tls/domains/0/main`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsdomains0sans0" href="#traefiktcproutersTCPRouter0tlsdomains0sans0" title="#traefiktcproutersTCPRouter0tlsdomains0sans0">`traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsdomains0sans1" href="#traefiktcproutersTCPRouter0tlsdomains0sans1" title="#traefiktcproutersTCPRouter0tlsdomains0sans1">`traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsdomains1main" href="#traefiktcproutersTCPRouter0tlsdomains1main" title="#traefiktcproutersTCPRouter0tlsdomains1main">`traefik/tcp/routers/TCPRouter0/tls/domains/1/main`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsdomains1sans0" href="#traefiktcproutersTCPRouter0tlsdomains1sans0" title="#traefiktcproutersTCPRouter0tlsdomains1sans0">`traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsdomains1sans1" href="#traefiktcproutersTCPRouter0tlsdomains1sans1" title="#traefiktcproutersTCPRouter0tlsdomains1sans1">`traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlsoptions" href="#traefiktcproutersTCPRouter0tlsoptions" title="#traefiktcproutersTCPRouter0tlsoptions">`traefik/tcp/routers/TCPRouter0/tls/options`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter0tlspassthrough" href="#traefiktcproutersTCPRouter0tlspassthrough" title="#traefiktcproutersTCPRouter0tlspassthrough">`traefik/tcp/routers/TCPRouter0/tls/passthrough`</a> | `true` |
| <a id="traefiktcproutersTCPRouter1entryPoints0" href="#traefiktcproutersTCPRouter1entryPoints0" title="#traefiktcproutersTCPRouter1entryPoints0">`traefik/tcp/routers/TCPRouter1/entryPoints/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1entryPoints1" href="#traefiktcproutersTCPRouter1entryPoints1" title="#traefiktcproutersTCPRouter1entryPoints1">`traefik/tcp/routers/TCPRouter1/entryPoints/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1middlewares0" href="#traefiktcproutersTCPRouter1middlewares0" title="#traefiktcproutersTCPRouter1middlewares0">`traefik/tcp/routers/TCPRouter1/middlewares/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1middlewares1" href="#traefiktcproutersTCPRouter1middlewares1" title="#traefiktcproutersTCPRouter1middlewares1">`traefik/tcp/routers/TCPRouter1/middlewares/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1priority" href="#traefiktcproutersTCPRouter1priority" title="#traefiktcproutersTCPRouter1priority">`traefik/tcp/routers/TCPRouter1/priority`</a> | `42` |
| <a id="traefiktcproutersTCPRouter1rule" href="#traefiktcproutersTCPRouter1rule" title="#traefiktcproutersTCPRouter1rule">`traefik/tcp/routers/TCPRouter1/rule`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1ruleSyntax" href="#traefiktcproutersTCPRouter1ruleSyntax" title="#traefiktcproutersTCPRouter1ruleSyntax">`traefik/tcp/routers/TCPRouter1/ruleSyntax`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1service" href="#traefiktcproutersTCPRouter1service" title="#traefiktcproutersTCPRouter1service">`traefik/tcp/routers/TCPRouter1/service`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlscertResolver" href="#traefiktcproutersTCPRouter1tlscertResolver" title="#traefiktcproutersTCPRouter1tlscertResolver">`traefik/tcp/routers/TCPRouter1/tls/certResolver`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsdomains0main" href="#traefiktcproutersTCPRouter1tlsdomains0main" title="#traefiktcproutersTCPRouter1tlsdomains0main">`traefik/tcp/routers/TCPRouter1/tls/domains/0/main`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsdomains0sans0" href="#traefiktcproutersTCPRouter1tlsdomains0sans0" title="#traefiktcproutersTCPRouter1tlsdomains0sans0">`traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsdomains0sans1" href="#traefiktcproutersTCPRouter1tlsdomains0sans1" title="#traefiktcproutersTCPRouter1tlsdomains0sans1">`traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsdomains1main" href="#traefiktcproutersTCPRouter1tlsdomains1main" title="#traefiktcproutersTCPRouter1tlsdomains1main">`traefik/tcp/routers/TCPRouter1/tls/domains/1/main`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsdomains1sans0" href="#traefiktcproutersTCPRouter1tlsdomains1sans0" title="#traefiktcproutersTCPRouter1tlsdomains1sans0">`traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/0`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsdomains1sans1" href="#traefiktcproutersTCPRouter1tlsdomains1sans1" title="#traefiktcproutersTCPRouter1tlsdomains1sans1">`traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/1`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlsoptions" href="#traefiktcproutersTCPRouter1tlsoptions" title="#traefiktcproutersTCPRouter1tlsoptions">`traefik/tcp/routers/TCPRouter1/tls/options`</a> | `foobar` |
| <a id="traefiktcproutersTCPRouter1tlspassthrough" href="#traefiktcproutersTCPRouter1tlspassthrough" title="#traefiktcproutersTCPRouter1tlspassthrough">`traefik/tcp/routers/TCPRouter1/tls/passthrough`</a> | `true` |
| <a id="traefiktcpserversTransportsTCPServersTransport0dialKeepAlive" href="#traefiktcpserversTransportsTCPServersTransport0dialKeepAlive" title="#traefiktcpserversTransportsTCPServersTransport0dialKeepAlive">`traefik/tcp/serversTransports/TCPServersTransport0/dialKeepAlive`</a> | `42s` |
| <a id="traefiktcpserversTransportsTCPServersTransport0dialTimeout" href="#traefiktcpserversTransportsTCPServersTransport0dialTimeout" title="#traefiktcpserversTransportsTCPServersTransport0dialTimeout">`traefik/tcp/serversTransports/TCPServersTransport0/dialTimeout`</a> | `42s` |
| <a id="traefiktcpserversTransportsTCPServersTransport0terminationDelay" href="#traefiktcpserversTransportsTCPServersTransport0terminationDelay" title="#traefiktcpserversTransportsTCPServersTransport0terminationDelay">`traefik/tcp/serversTransports/TCPServersTransport0/terminationDelay`</a> | `42s` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlscertificates0certFile" href="#traefiktcpserversTransportsTCPServersTransport0tlscertificates0certFile" title="#traefiktcpserversTransportsTCPServersTransport0tlscertificates0certFile">`traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/certFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlscertificates0keyFile" href="#traefiktcpserversTransportsTCPServersTransport0tlscertificates0keyFile" title="#traefiktcpserversTransportsTCPServersTransport0tlscertificates0keyFile">`traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/keyFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlscertificates1certFile" href="#traefiktcpserversTransportsTCPServersTransport0tlscertificates1certFile" title="#traefiktcpserversTransportsTCPServersTransport0tlscertificates1certFile">`traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/certFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlscertificates1keyFile" href="#traefiktcpserversTransportsTCPServersTransport0tlscertificates1keyFile" title="#traefiktcpserversTransportsTCPServersTransport0tlscertificates1keyFile">`traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/keyFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsinsecureSkipVerify" href="#traefiktcpserversTransportsTCPServersTransport0tlsinsecureSkipVerify" title="#traefiktcpserversTransportsTCPServersTransport0tlsinsecureSkipVerify">`traefik/tcp/serversTransports/TCPServersTransport0/tls/insecureSkipVerify`</a> | `true` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlspeerCertURI" href="#traefiktcpserversTransportsTCPServersTransport0tlspeerCertURI" title="#traefiktcpserversTransportsTCPServersTransport0tlspeerCertURI">`traefik/tcp/serversTransports/TCPServersTransport0/tls/peerCertURI`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsrootCAs0" href="#traefiktcpserversTransportsTCPServersTransport0tlsrootCAs0" title="#traefiktcpserversTransportsTCPServersTransport0tlsrootCAs0">`traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/0`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsrootCAs1" href="#traefiktcpserversTransportsTCPServersTransport0tlsrootCAs1" title="#traefiktcpserversTransportsTCPServersTransport0tlsrootCAs1">`traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/1`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsserverName" href="#traefiktcpserversTransportsTCPServersTransport0tlsserverName" title="#traefiktcpserversTransportsTCPServersTransport0tlsserverName">`traefik/tcp/serversTransports/TCPServersTransport0/tls/serverName`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsspiffeids0" href="#traefiktcpserversTransportsTCPServersTransport0tlsspiffeids0" title="#traefiktcpserversTransportsTCPServersTransport0tlsspiffeids0">`traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/ids/0`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsspiffeids1" href="#traefiktcpserversTransportsTCPServersTransport0tlsspiffeids1" title="#traefiktcpserversTransportsTCPServersTransport0tlsspiffeids1">`traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/ids/1`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport0tlsspiffetrustDomain" href="#traefiktcpserversTransportsTCPServersTransport0tlsspiffetrustDomain" title="#traefiktcpserversTransportsTCPServersTransport0tlsspiffetrustDomain">`traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/trustDomain`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1dialKeepAlive" href="#traefiktcpserversTransportsTCPServersTransport1dialKeepAlive" title="#traefiktcpserversTransportsTCPServersTransport1dialKeepAlive">`traefik/tcp/serversTransports/TCPServersTransport1/dialKeepAlive`</a> | `42s` |
| <a id="traefiktcpserversTransportsTCPServersTransport1dialTimeout" href="#traefiktcpserversTransportsTCPServersTransport1dialTimeout" title="#traefiktcpserversTransportsTCPServersTransport1dialTimeout">`traefik/tcp/serversTransports/TCPServersTransport1/dialTimeout`</a> | `42s` |
| <a id="traefiktcpserversTransportsTCPServersTransport1terminationDelay" href="#traefiktcpserversTransportsTCPServersTransport1terminationDelay" title="#traefiktcpserversTransportsTCPServersTransport1terminationDelay">`traefik/tcp/serversTransports/TCPServersTransport1/terminationDelay`</a> | `42s` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlscertificates0certFile" href="#traefiktcpserversTransportsTCPServersTransport1tlscertificates0certFile" title="#traefiktcpserversTransportsTCPServersTransport1tlscertificates0certFile">`traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/certFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlscertificates0keyFile" href="#traefiktcpserversTransportsTCPServersTransport1tlscertificates0keyFile" title="#traefiktcpserversTransportsTCPServersTransport1tlscertificates0keyFile">`traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/keyFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlscertificates1certFile" href="#traefiktcpserversTransportsTCPServersTransport1tlscertificates1certFile" title="#traefiktcpserversTransportsTCPServersTransport1tlscertificates1certFile">`traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/certFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlscertificates1keyFile" href="#traefiktcpserversTransportsTCPServersTransport1tlscertificates1keyFile" title="#traefiktcpserversTransportsTCPServersTransport1tlscertificates1keyFile">`traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/keyFile`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsinsecureSkipVerify" href="#traefiktcpserversTransportsTCPServersTransport1tlsinsecureSkipVerify" title="#traefiktcpserversTransportsTCPServersTransport1tlsinsecureSkipVerify">`traefik/tcp/serversTransports/TCPServersTransport1/tls/insecureSkipVerify`</a> | `true` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlspeerCertURI" href="#traefiktcpserversTransportsTCPServersTransport1tlspeerCertURI" title="#traefiktcpserversTransportsTCPServersTransport1tlspeerCertURI">`traefik/tcp/serversTransports/TCPServersTransport1/tls/peerCertURI`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsrootCAs0" href="#traefiktcpserversTransportsTCPServersTransport1tlsrootCAs0" title="#traefiktcpserversTransportsTCPServersTransport1tlsrootCAs0">`traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/0`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsrootCAs1" href="#traefiktcpserversTransportsTCPServersTransport1tlsrootCAs1" title="#traefiktcpserversTransportsTCPServersTransport1tlsrootCAs1">`traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/1`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsserverName" href="#traefiktcpserversTransportsTCPServersTransport1tlsserverName" title="#traefiktcpserversTransportsTCPServersTransport1tlsserverName">`traefik/tcp/serversTransports/TCPServersTransport1/tls/serverName`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsspiffeids0" href="#traefiktcpserversTransportsTCPServersTransport1tlsspiffeids0" title="#traefiktcpserversTransportsTCPServersTransport1tlsspiffeids0">`traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/ids/0`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsspiffeids1" href="#traefiktcpserversTransportsTCPServersTransport1tlsspiffeids1" title="#traefiktcpserversTransportsTCPServersTransport1tlsspiffeids1">`traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/ids/1`</a> | `foobar` |
| <a id="traefiktcpserversTransportsTCPServersTransport1tlsspiffetrustDomain" href="#traefiktcpserversTransportsTCPServersTransport1tlsspiffetrustDomain" title="#traefiktcpserversTransportsTCPServersTransport1tlsspiffetrustDomain">`traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/trustDomain`</a> | `foobar` |
| <a id="traefiktcpservicesTCPService01loadBalancerproxyProtocolversion" href="#traefiktcpservicesTCPService01loadBalancerproxyProtocolversion" title="#traefiktcpservicesTCPService01loadBalancerproxyProtocolversion">`traefik/tcp/services/TCPService01/loadBalancer/proxyProtocol/version`</a> | `42` |
| <a id="traefiktcpservicesTCPService01loadBalancerservers0address" href="#traefiktcpservicesTCPService01loadBalancerservers0address" title="#traefiktcpservicesTCPService01loadBalancerservers0address">`traefik/tcp/services/TCPService01/loadBalancer/servers/0/address`</a> | `foobar` |
| <a id="traefiktcpservicesTCPService01loadBalancerservers0tls" href="#traefiktcpservicesTCPService01loadBalancerservers0tls" title="#traefiktcpservicesTCPService01loadBalancerservers0tls">`traefik/tcp/services/TCPService01/loadBalancer/servers/0/tls`</a> | `true` |
| <a id="traefiktcpservicesTCPService01loadBalancerservers1address" href="#traefiktcpservicesTCPService01loadBalancerservers1address" title="#traefiktcpservicesTCPService01loadBalancerservers1address">`traefik/tcp/services/TCPService01/loadBalancer/servers/1/address`</a> | `foobar` |
| <a id="traefiktcpservicesTCPService01loadBalancerservers1tls" href="#traefiktcpservicesTCPService01loadBalancerservers1tls" title="#traefiktcpservicesTCPService01loadBalancerservers1tls">`traefik/tcp/services/TCPService01/loadBalancer/servers/1/tls`</a> | `true` |
| <a id="traefiktcpservicesTCPService01loadBalancerserversTransport" href="#traefiktcpservicesTCPService01loadBalancerserversTransport" title="#traefiktcpservicesTCPService01loadBalancerserversTransport">`traefik/tcp/services/TCPService01/loadBalancer/serversTransport`</a> | `foobar` |
| <a id="traefiktcpservicesTCPService01loadBalancerterminationDelay" href="#traefiktcpservicesTCPService01loadBalancerterminationDelay" title="#traefiktcpservicesTCPService01loadBalancerterminationDelay">`traefik/tcp/services/TCPService01/loadBalancer/terminationDelay`</a> | `42` |
| <a id="traefiktcpservicesTCPService02weightedservices0name" href="#traefiktcpservicesTCPService02weightedservices0name" title="#traefiktcpservicesTCPService02weightedservices0name">`traefik/tcp/services/TCPService02/weighted/services/0/name`</a> | `foobar` |
| <a id="traefiktcpservicesTCPService02weightedservices0weight" href="#traefiktcpservicesTCPService02weightedservices0weight" title="#traefiktcpservicesTCPService02weightedservices0weight">`traefik/tcp/services/TCPService02/weighted/services/0/weight`</a> | `42` |
| <a id="traefiktcpservicesTCPService02weightedservices1name" href="#traefiktcpservicesTCPService02weightedservices1name" title="#traefiktcpservicesTCPService02weightedservices1name">`traefik/tcp/services/TCPService02/weighted/services/1/name`</a> | `foobar` |
| <a id="traefiktcpservicesTCPService02weightedservices1weight" href="#traefiktcpservicesTCPService02weightedservices1weight" title="#traefiktcpservicesTCPService02weightedservices1weight">`traefik/tcp/services/TCPService02/weighted/services/1/weight`</a> | `42` |
| <a id="traefiktlscertificates0certFile" href="#traefiktlscertificates0certFile" title="#traefiktlscertificates0certFile">`traefik/tls/certificates/0/certFile`</a> | `foobar` |
| <a id="traefiktlscertificates0keyFile" href="#traefiktlscertificates0keyFile" title="#traefiktlscertificates0keyFile">`traefik/tls/certificates/0/keyFile`</a> | `foobar` |
| <a id="traefiktlscertificates0stores0" href="#traefiktlscertificates0stores0" title="#traefiktlscertificates0stores0">`traefik/tls/certificates/0/stores/0`</a> | `foobar` |
| <a id="traefiktlscertificates0stores1" href="#traefiktlscertificates0stores1" title="#traefiktlscertificates0stores1">`traefik/tls/certificates/0/stores/1`</a> | `foobar` |
| <a id="traefiktlscertificates1certFile" href="#traefiktlscertificates1certFile" title="#traefiktlscertificates1certFile">`traefik/tls/certificates/1/certFile`</a> | `foobar` |
| <a id="traefiktlscertificates1keyFile" href="#traefiktlscertificates1keyFile" title="#traefiktlscertificates1keyFile">`traefik/tls/certificates/1/keyFile`</a> | `foobar` |
| <a id="traefiktlscertificates1stores0" href="#traefiktlscertificates1stores0" title="#traefiktlscertificates1stores0">`traefik/tls/certificates/1/stores/0`</a> | `foobar` |
| <a id="traefiktlscertificates1stores1" href="#traefiktlscertificates1stores1" title="#traefiktlscertificates1stores1">`traefik/tls/certificates/1/stores/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0alpnProtocols0" href="#traefiktlsoptionsOptions0alpnProtocols0" title="#traefiktlsoptionsOptions0alpnProtocols0">`traefik/tls/options/Options0/alpnProtocols/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0alpnProtocols1" href="#traefiktlsoptionsOptions0alpnProtocols1" title="#traefiktlsoptionsOptions0alpnProtocols1">`traefik/tls/options/Options0/alpnProtocols/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0cipherSuites0" href="#traefiktlsoptionsOptions0cipherSuites0" title="#traefiktlsoptionsOptions0cipherSuites0">`traefik/tls/options/Options0/cipherSuites/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0cipherSuites1" href="#traefiktlsoptionsOptions0cipherSuites1" title="#traefiktlsoptionsOptions0cipherSuites1">`traefik/tls/options/Options0/cipherSuites/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0clientAuthcaFiles0" href="#traefiktlsoptionsOptions0clientAuthcaFiles0" title="#traefiktlsoptionsOptions0clientAuthcaFiles0">`traefik/tls/options/Options0/clientAuth/caFiles/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0clientAuthcaFiles1" href="#traefiktlsoptionsOptions0clientAuthcaFiles1" title="#traefiktlsoptionsOptions0clientAuthcaFiles1">`traefik/tls/options/Options0/clientAuth/caFiles/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0clientAuthclientAuthType" href="#traefiktlsoptionsOptions0clientAuthclientAuthType" title="#traefiktlsoptionsOptions0clientAuthclientAuthType">`traefik/tls/options/Options0/clientAuth/clientAuthType`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0curvePreferences0" href="#traefiktlsoptionsOptions0curvePreferences0" title="#traefiktlsoptionsOptions0curvePreferences0">`traefik/tls/options/Options0/curvePreferences/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0curvePreferences1" href="#traefiktlsoptionsOptions0curvePreferences1" title="#traefiktlsoptionsOptions0curvePreferences1">`traefik/tls/options/Options0/curvePreferences/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0disableSessionTickets" href="#traefiktlsoptionsOptions0disableSessionTickets" title="#traefiktlsoptionsOptions0disableSessionTickets">`traefik/tls/options/Options0/disableSessionTickets`</a> | `true` |
| <a id="traefiktlsoptionsOptions0maxVersion" href="#traefiktlsoptionsOptions0maxVersion" title="#traefiktlsoptionsOptions0maxVersion">`traefik/tls/options/Options0/maxVersion`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0minVersion" href="#traefiktlsoptionsOptions0minVersion" title="#traefiktlsoptionsOptions0minVersion">`traefik/tls/options/Options0/minVersion`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions0preferServerCipherSuites" href="#traefiktlsoptionsOptions0preferServerCipherSuites" title="#traefiktlsoptionsOptions0preferServerCipherSuites">`traefik/tls/options/Options0/preferServerCipherSuites`</a> | `true` |
| <a id="traefiktlsoptionsOptions0sniStrict" href="#traefiktlsoptionsOptions0sniStrict" title="#traefiktlsoptionsOptions0sniStrict">`traefik/tls/options/Options0/sniStrict`</a> | `true` |
| <a id="traefiktlsoptionsOptions1alpnProtocols0" href="#traefiktlsoptionsOptions1alpnProtocols0" title="#traefiktlsoptionsOptions1alpnProtocols0">`traefik/tls/options/Options1/alpnProtocols/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1alpnProtocols1" href="#traefiktlsoptionsOptions1alpnProtocols1" title="#traefiktlsoptionsOptions1alpnProtocols1">`traefik/tls/options/Options1/alpnProtocols/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1cipherSuites0" href="#traefiktlsoptionsOptions1cipherSuites0" title="#traefiktlsoptionsOptions1cipherSuites0">`traefik/tls/options/Options1/cipherSuites/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1cipherSuites1" href="#traefiktlsoptionsOptions1cipherSuites1" title="#traefiktlsoptionsOptions1cipherSuites1">`traefik/tls/options/Options1/cipherSuites/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1clientAuthcaFiles0" href="#traefiktlsoptionsOptions1clientAuthcaFiles0" title="#traefiktlsoptionsOptions1clientAuthcaFiles0">`traefik/tls/options/Options1/clientAuth/caFiles/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1clientAuthcaFiles1" href="#traefiktlsoptionsOptions1clientAuthcaFiles1" title="#traefiktlsoptionsOptions1clientAuthcaFiles1">`traefik/tls/options/Options1/clientAuth/caFiles/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1clientAuthclientAuthType" href="#traefiktlsoptionsOptions1clientAuthclientAuthType" title="#traefiktlsoptionsOptions1clientAuthclientAuthType">`traefik/tls/options/Options1/clientAuth/clientAuthType`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1curvePreferences0" href="#traefiktlsoptionsOptions1curvePreferences0" title="#traefiktlsoptionsOptions1curvePreferences0">`traefik/tls/options/Options1/curvePreferences/0`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1curvePreferences1" href="#traefiktlsoptionsOptions1curvePreferences1" title="#traefiktlsoptionsOptions1curvePreferences1">`traefik/tls/options/Options1/curvePreferences/1`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1disableSessionTickets" href="#traefiktlsoptionsOptions1disableSessionTickets" title="#traefiktlsoptionsOptions1disableSessionTickets">`traefik/tls/options/Options1/disableSessionTickets`</a> | `true` |
| <a id="traefiktlsoptionsOptions1maxVersion" href="#traefiktlsoptionsOptions1maxVersion" title="#traefiktlsoptionsOptions1maxVersion">`traefik/tls/options/Options1/maxVersion`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1minVersion" href="#traefiktlsoptionsOptions1minVersion" title="#traefiktlsoptionsOptions1minVersion">`traefik/tls/options/Options1/minVersion`</a> | `foobar` |
| <a id="traefiktlsoptionsOptions1preferServerCipherSuites" href="#traefiktlsoptionsOptions1preferServerCipherSuites" title="#traefiktlsoptionsOptions1preferServerCipherSuites">`traefik/tls/options/Options1/preferServerCipherSuites`</a> | `true` |
| <a id="traefiktlsoptionsOptions1sniStrict" href="#traefiktlsoptionsOptions1sniStrict" title="#traefiktlsoptionsOptions1sniStrict">`traefik/tls/options/Options1/sniStrict`</a> | `true` |
| <a id="traefiktlsstoresStore0defaultCertificatecertFile" href="#traefiktlsstoresStore0defaultCertificatecertFile" title="#traefiktlsstoresStore0defaultCertificatecertFile">`traefik/tls/stores/Store0/defaultCertificate/certFile`</a> | `foobar` |
| <a id="traefiktlsstoresStore0defaultCertificatekeyFile" href="#traefiktlsstoresStore0defaultCertificatekeyFile" title="#traefiktlsstoresStore0defaultCertificatekeyFile">`traefik/tls/stores/Store0/defaultCertificate/keyFile`</a> | `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertdomainmain" href="#traefiktlsstoresStore0defaultGeneratedCertdomainmain" title="#traefiktlsstoresStore0defaultGeneratedCertdomainmain">`traefik/tls/stores/Store0/defaultGeneratedCert/domain/main`</a> | `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertdomainsans0" href="#traefiktlsstoresStore0defaultGeneratedCertdomainsans0" title="#traefiktlsstoresStore0defaultGeneratedCertdomainsans0">`traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0`</a> | `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertdomainsans1" href="#traefiktlsstoresStore0defaultGeneratedCertdomainsans1" title="#traefiktlsstoresStore0defaultGeneratedCertdomainsans1">`traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1`</a> | `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertresolver" href="#traefiktlsstoresStore0defaultGeneratedCertresolver" title="#traefiktlsstoresStore0defaultGeneratedCertresolver">`traefik/tls/stores/Store0/defaultGeneratedCert/resolver`</a> | `foobar` |
| <a id="traefiktlsstoresStore1defaultCertificatecertFile" href="#traefiktlsstoresStore1defaultCertificatecertFile" title="#traefiktlsstoresStore1defaultCertificatecertFile">`traefik/tls/stores/Store1/defaultCertificate/certFile`</a> | `foobar` |
| <a id="traefiktlsstoresStore1defaultCertificatekeyFile" href="#traefiktlsstoresStore1defaultCertificatekeyFile" title="#traefiktlsstoresStore1defaultCertificatekeyFile">`traefik/tls/stores/Store1/defaultCertificate/keyFile`</a> | `foobar` |
| <a id="traefiktlsstoresStore1defaultGeneratedCertdomainmain" href="#traefiktlsstoresStore1defaultGeneratedCertdomainmain" title="#traefiktlsstoresStore1defaultGeneratedCertdomainmain">`traefik/tls/stores/Store1/defaultGeneratedCert/domain/main`</a> | `foobar` |
| <a id="traefiktlsstoresStore1defaultGeneratedCertdomainsans0" href="#traefiktlsstoresStore1defaultGeneratedCertdomainsans0" title="#traefiktlsstoresStore1defaultGeneratedCertdomainsans0">`traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/0`</a> | `foobar` |
| <a id="traefiktlsstoresStore1defaultGeneratedCertdomainsans1" href="#traefiktlsstoresStore1defaultGeneratedCertdomainsans1" title="#traefiktlsstoresStore1defaultGeneratedCertdomainsans1">`traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/1`</a> | `foobar` |
| <a id="traefiktlsstoresStore1defaultGeneratedCertresolver" href="#traefiktlsstoresStore1defaultGeneratedCertresolver" title="#traefiktlsstoresStore1defaultGeneratedCertresolver">`traefik/tls/stores/Store1/defaultGeneratedCert/resolver`</a> | `foobar` |
| <a id="traefikudproutersUDPRouter0entryPoints0" href="#traefikudproutersUDPRouter0entryPoints0" title="#traefikudproutersUDPRouter0entryPoints0">`traefik/udp/routers/UDPRouter0/entryPoints/0`</a> | `foobar` |
| <a id="traefikudproutersUDPRouter0entryPoints1" href="#traefikudproutersUDPRouter0entryPoints1" title="#traefikudproutersUDPRouter0entryPoints1">`traefik/udp/routers/UDPRouter0/entryPoints/1`</a> | `foobar` |
| <a id="traefikudproutersUDPRouter0service" href="#traefikudproutersUDPRouter0service" title="#traefikudproutersUDPRouter0service">`traefik/udp/routers/UDPRouter0/service`</a> | `foobar` |
| <a id="traefikudproutersUDPRouter1entryPoints0" href="#traefikudproutersUDPRouter1entryPoints0" title="#traefikudproutersUDPRouter1entryPoints0">`traefik/udp/routers/UDPRouter1/entryPoints/0`</a> | `foobar` |
| <a id="traefikudproutersUDPRouter1entryPoints1" href="#traefikudproutersUDPRouter1entryPoints1" title="#traefikudproutersUDPRouter1entryPoints1">`traefik/udp/routers/UDPRouter1/entryPoints/1`</a> | `foobar` |
| <a id="traefikudproutersUDPRouter1service" href="#traefikudproutersUDPRouter1service" title="#traefikudproutersUDPRouter1service">`traefik/udp/routers/UDPRouter1/service`</a> | `foobar` |
| <a id="traefikudpservicesUDPService01loadBalancerservers0address" href="#traefikudpservicesUDPService01loadBalancerservers0address" title="#traefikudpservicesUDPService01loadBalancerservers0address">`traefik/udp/services/UDPService01/loadBalancer/servers/0/address`</a> | `foobar` |
| <a id="traefikudpservicesUDPService01loadBalancerservers1address" href="#traefikudpservicesUDPService01loadBalancerservers1address" title="#traefikudpservicesUDPService01loadBalancerservers1address">`traefik/udp/services/UDPService01/loadBalancer/servers/1/address`</a> | `foobar` |
| <a id="traefikudpservicesUDPService02weightedservices0name" href="#traefikudpservicesUDPService02weightedservices0name" title="#traefikudpservicesUDPService02weightedservices0name">`traefik/udp/services/UDPService02/weighted/services/0/name`</a> | `foobar` |
| <a id="traefikudpservicesUDPService02weightedservices0weight" href="#traefikudpservicesUDPService02weightedservices0weight" title="#traefikudpservicesUDPService02weightedservices0weight">`traefik/udp/services/UDPService02/weighted/services/0/weight`</a> | `42` |
| <a id="traefikudpservicesUDPService02weightedservices1name" href="#traefikudpservicesUDPService02weightedservices1name" title="#traefikudpservicesUDPService02weightedservices1name">`traefik/udp/services/UDPService02/weighted/services/1/name`</a> | `foobar` |
| <a id="traefikudpservicesUDPService02weightedservices1weight" href="#traefikudpservicesUDPService02weightedservices1weight" title="#traefikudpservicesUDPService02weightedservices1weight">`traefik/udp/services/UDPService02/weighted/services/1/weight`</a> | `42` |

22
docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
View File

@@ -227,6 +227,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health
checks for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window
during which the failed attempts must occur for
the server to be marked as unhealthy. It also defines
for how long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -312,11 +331,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:

1
docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
View File

@@ -123,6 +123,7 @@ spec:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.5/routing/services/#proxy-protocol
Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
properties:
version:
description: Version defines the PROXY Protocol version

22
docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
View File

@@ -381,6 +381,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how long
the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window before
marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -465,11 +484,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:

9
docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
View File

@@ -63,6 +63,15 @@ spec:
to a backend server can be established.
pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
x-kubernetes-int-or-string: true
proxyProtocol:
description: ProxyProtocol holds the PROXY Protocol configuration.
properties:
version:
description: Version defines the PROXY Protocol version to use.
maximum: 2
minimum: 1
type: integer
type: object
terminationDelay:
anyOf:
- type: integer

303
docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
View File

@@ -44,6 +44,243 @@ spec:
spec:
description: TraefikServiceSpec defines the desired state of a TraefikService.
properties:
highestRandomWeight:
description: HighestRandomWeight defines the highest random weight
service configuration.
properties:
services:
description: Services defines the list of Kubernetes Service and/or
TraefikService to load-balance, with weight.
items:
description: Service defines an upstream HTTP service to proxy
traffic to.
properties:
healthCheck:
description: Healthcheck defines health checks for ExternalName
services.
properties:
followRedirects:
description: |-
FollowRedirects defines whether redirects should be followed during the health check calls.
Default: true
type: boolean
headers:
additionalProperties:
type: string
description: Headers defines custom headers to be sent
to the health check endpoint.
type: object
hostname:
description: Hostname defines the value of hostname
in the Host header of the health check request.
type: string
interval:
anyOf:
- type: integer
- type: string
description: |-
Interval defines the frequency of the health check calls for healthy targets.
Default: 30s
x-kubernetes-int-or-string: true
method:
description: Method defines the healthcheck method.
type: string
mode:
description: |-
Mode defines the health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Default: http
type: string
path:
description: Path defines the server URL path for the
health check endpoint.
type: string
port:
description: Port defines the server URL port for the
health check endpoint.
type: integer
scheme:
description: Scheme replaces the server URL scheme for
the health check endpoint.
type: string
status:
description: Status defines the expected HTTP status
code of the response to the health check request.
type: integer
timeout:
anyOf:
- type: integer
- type: string
description: |-
Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
Default: 5s
x-kubernetes-int-or-string: true
unhealthyInterval:
anyOf:
- type: integer
- type: string
description: |-
UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
When UnhealthyInterval is not defined, it defaults to the Interval value.
Default: 30s
x-kubernetes-int-or-string: true
type: object
kind:
description: Kind defines the kind of the Service.
enum:
- Service
- TraefikService
type: string
name:
description: |-
Name defines the name of the referenced Kubernetes Service or TraefikService.
The differentiation between the two is specified in the Kind field.
type: string
namespace:
description: Namespace defines the namespace of the referenced
Kubernetes Service or TraefikService.
type: string
nativeLB:
description: |-
NativeLB controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
By default, NativeLB is false.
type: boolean
nodePortLB:
description: |-
NodePortLB controls, when creating the load-balancer,
whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
By default, NodePortLB is false.
type: boolean
passHostHeader:
description: |-
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how
long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
- type: string
description: |-
Port defines the port of a Kubernetes Service.
This can be a reference to a named port.
x-kubernetes-int-or-string: true
responseForwarding:
description: ResponseForwarding defines how Traefik forwards
the response from the upstream Kubernetes Service to the
client.
properties:
flushInterval:
description: |-
FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
for such responses, writes are flushed to the client immediately.
Default: 100ms
type: string
type: object
scheme:
description: |-
Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
It defaults to https when Kubernetes Service port is 443, http otherwise.
type: string
serversTransport:
description: |-
ServersTransport defines the name of ServersTransport resource to use.
It allows to configure the transport between Traefik and your servers.
Can only be used on a Kubernetes Service.
type: string
sticky:
description: |-
Sticky defines the sticky sessions configuration.
More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
properties:
cookie:
description: Cookie defines the sticky cookie configuration.
properties:
domain:
description: |-
Domain defines the host to which the cookie will be sent.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
type: string
httpOnly:
description: HTTPOnly defines whether the cookie
can be accessed by client-side APIs, such as JavaScript.
type: boolean
maxAge:
description: |-
MaxAge defines the number of seconds until the cookie expires.
When set to a negative number, the cookie expires immediately.
When set to zero, the cookie never expires.
type: integer
name:
description: Name defines the Cookie name.
type: string
path:
description: |-
Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
When not provided the cookie will be sent on every request to the domain.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
type: string
sameSite:
description: |-
SameSite defines the same site policy.
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
enum:
- none
- lax
- strict
type: string
secure:
description: Secure defines whether the cookie can
only be transmitted over an encrypted connection
(i.e. HTTPS).
type: boolean
type: object
type: object
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
description: |-
Weight defines the weight and should only be specified when Name references a TraefikService object
(and to be precise, one that embeds a Weighted Round Robin).
minimum: 0
type: integer
required:
- name
type: object
type: array
type: object
mirroring:
description: Mirroring defines the Mirroring service configuration.
properties:
@@ -245,6 +482,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how
long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
percent:
description: |-
Percent defines the part of the traffic to mirror.
@@ -334,11 +590,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
@@ -379,6 +636,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server to be
marked as unhealthy. It also defines for how long the server
will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window before
marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -461,11 +737,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:
@@ -591,6 +868,25 @@ spec:
PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
By default, passHostHeader is true.
type: boolean
passiveHealthCheck:
description: PassiveHealthCheck defines passive health checks
for ExternalName services.
properties:
failureWindow:
anyOf:
- type: integer
- type: string
description: FailureWindow defines the time window during
which the failed attempts must occur for the server
to be marked as unhealthy. It also defines for how
long the server will be considered unhealthy.
x-kubernetes-int-or-string: true
maxFailedAttempts:
description: MaxFailedAttempts is the number of consecutive
failed attempts allowed within the failure window
before marking the server as unhealthy.
type: integer
type: object
port:
anyOf:
- type: integer
@@ -675,11 +971,12 @@ spec:
strategy:
description: |-
Strategy defines the load balancing strategy between the servers.
Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), and hrw (Highest Random Weight).
RoundRobin value is deprecated and supported for backward compatibility.
enum:
- wrr
- p2c
- hrw
- RoundRobin
type: string
weight:

64
docs/content/reference/install-configuration/api-dashboard.md
View File

@@ -155,11 +155,11 @@ enabing the dashboard [here](https://github.com/traefik/traefik-helm-chart/blob/
| Field | Description | Default | Required |
|:-----------|:---------------------------------|:--------|:---------|
| `api` | Enable api/dashboard. When set to `true`, its sub option `api.dashboard` is also set to true.| false | No |
| `api.dashboard` | Enable dashboard. | false | No |
| `api.debug` | Enable additional endpoints for debugging and profiling. | false | No |
| `api.disabledashboardad` | Disable the advertisement from the dashboard. | false | No |
| `api.insecure` | Enable the API and the dashboard on the entryPoint named traefik.| false | No |
| <a id="api" href="#api" title="#api">`api`</a> | Enable api/dashboard. When set to `true`, its sub option `api.dashboard` is also set to true.| false | No |
| <a id="api-dashboard" href="#api-dashboard" title="#api-dashboard">`api.dashboard`</a> | Enable dashboard. | false | No |
| <a id="api-debug" href="#api-debug" title="#api-debug">`api.debug`</a> | Enable additional endpoints for debugging and profiling. | false | No |
| <a id="api-disabledashboardad" href="#api-disabledashboardad" title="#api-disabledashboardad">`api.disabledashboardad`</a> | Disable the advertisement from the dashboard. | false | No |
| <a id="api-insecure" href="#api-insecure" title="#api-insecure">`api.insecure`</a> | Enable the API and the dashboard on the entryPoint named traefik.| false | No |
## Endpoints
@@ -167,33 +167,33 @@ All the following endpoints must be accessed with a `GET` HTTP request.
| Path | Description |
|--------------------------------|---------------------------------------------------------------------------------------------|
| `/api/http/routers` | Lists all the HTTP routers information. |
| `/api/http/routers/{name}` | Returns the information of the HTTP router specified by `name`. |
| `/api/http/services` | Lists all the HTTP services information. |
| `/api/http/services/{name}` | Returns the information of the HTTP service specified by `name`. |
| `/api/http/middlewares` | Lists all the HTTP middlewares information. |
| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`. |
| `/api/tcp/routers` | Lists all the TCP routers information. |
| `/api/tcp/routers/{name}` | Returns the information of the TCP router specified by `name`. |
| `/api/tcp/services` | Lists all the TCP services information. |
| `/api/tcp/services/{name}` | Returns the information of the TCP service specified by `name`. |
| `/api/tcp/middlewares` | Lists all the TCP middlewares information. |
| `/api/tcp/middlewares/{name}` | Returns the information of the TCP middleware specified by `name`. |
| `/api/udp/routers` | Lists all the UDP routers information. |
| `/api/udp/routers/{name}` | Returns the information of the UDP router specified by `name`. |
| `/api/udp/services` | Lists all the UDP services information. |
| `/api/udp/services/{name}` | Returns the information of the UDP service specified by `name`. |
| `/api/entrypoints` | Lists all the entry points information. |
| `/api/entrypoints/{name}` | Returns the information of the entry point specified by `name`. |
| `/api/overview` | Returns statistic information about HTTP, TCP and about enabled features and providers. |
| `/api/rawdata` | Returns information about dynamic configurations, errors, status and dependency relations. |
| `/api/version` | Returns information about Traefik version. |
| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
| `/debug/pprof/` | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
| `/debug/pprof/cmdline` | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
| `/debug/pprof/profile` | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
| <a id="apihttprouters" href="#apihttprouters" title="#apihttprouters">`/api/http/routers`</a> | Lists all the HTTP routers information. |
| <a id="apihttproutersname" href="#apihttproutersname" title="#apihttproutersname">`/api/http/routers/{name}`</a> | Returns the information of the HTTP router specified by `name`. |
| <a id="apihttpservices" href="#apihttpservices" title="#apihttpservices">`/api/http/services`</a> | Lists all the HTTP services information. |
| <a id="apihttpservicesname" href="#apihttpservicesname" title="#apihttpservicesname">`/api/http/services/{name}`</a> | Returns the information of the HTTP service specified by `name`. |
| <a id="apihttpmiddlewares" href="#apihttpmiddlewares" title="#apihttpmiddlewares">`/api/http/middlewares`</a> | Lists all the HTTP middlewares information. |
| <a id="apihttpmiddlewaresname" href="#apihttpmiddlewaresname" title="#apihttpmiddlewaresname">`/api/http/middlewares/{name}`</a> | Returns the information of the HTTP middleware specified by `name`. |
| <a id="apitcprouters" href="#apitcprouters" title="#apitcprouters">`/api/tcp/routers`</a> | Lists all the TCP routers information. |
| <a id="apitcproutersname" href="#apitcproutersname" title="#apitcproutersname">`/api/tcp/routers/{name}`</a> | Returns the information of the TCP router specified by `name`. |
| <a id="apitcpservices" href="#apitcpservices" title="#apitcpservices">`/api/tcp/services`</a> | Lists all the TCP services information. |
| <a id="apitcpservicesname" href="#apitcpservicesname" title="#apitcpservicesname">`/api/tcp/services/{name}`</a> | Returns the information of the TCP service specified by `name`. |
| <a id="apitcpmiddlewares" href="#apitcpmiddlewares" title="#apitcpmiddlewares">`/api/tcp/middlewares`</a> | Lists all the TCP middlewares information. |
| <a id="apitcpmiddlewaresname" href="#apitcpmiddlewaresname" title="#apitcpmiddlewaresname">`/api/tcp/middlewares/{name}`</a> | Returns the information of the TCP middleware specified by `name`. |
| <a id="apiudprouters" href="#apiudprouters" title="#apiudprouters">`/api/udp/routers`</a> | Lists all the UDP routers information. |
| <a id="apiudproutersname" href="#apiudproutersname" title="#apiudproutersname">`/api/udp/routers/{name}`</a> | Returns the information of the UDP router specified by `name`. |
| <a id="apiudpservices" href="#apiudpservices" title="#apiudpservices">`/api/udp/services`</a> | Lists all the UDP services information. |
| <a id="apiudpservicesname" href="#apiudpservicesname" title="#apiudpservicesname">`/api/udp/services/{name}`</a> | Returns the information of the UDP service specified by `name`. |
| <a id="apientrypoints" href="#apientrypoints" title="#apientrypoints">`/api/entrypoints`</a> | Lists all the entry points information. |
| <a id="apientrypointsname" href="#apientrypointsname" title="#apientrypointsname">`/api/entrypoints/{name}`</a> | Returns the information of the entry point specified by `name`. |
| <a id="apioverview" href="#apioverview" title="#apioverview">`/api/overview`</a> | Returns statistic information about HTTP, TCP and about enabled features and providers. |
| <a id="apirawdata" href="#apirawdata" title="#apirawdata">`/api/rawdata`</a> | Returns information about dynamic configurations, errors, status and dependency relations. |
| <a id="apiversion" href="#apiversion" title="#apiversion">`/api/version`</a> | Returns information about Traefik version. |
| <a id="debugvars" href="#debugvars" title="#debugvars">`/debug/vars`</a> | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
| <a id="debugpprof" href="#debugpprof" title="#debugpprof">`/debug/pprof/`</a> | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
| <a id="debugpprofcmdline" href="#debugpprofcmdline" title="#debugpprofcmdline">`/debug/pprof/cmdline`</a> | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
| <a id="debugpprofprofile" href="#debugpprofprofile" title="#debugpprofprofile">`/debug/pprof/profile`</a> | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
| <a id="debugpprofsymbol" href="#debugpprofsymbol" title="#debugpprofsymbol">`/debug/pprof/symbol`</a> | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
| <a id="debugpproftrace" href="#debugpproftrace" title="#debugpproftrace">`/debug/pprof/trace`</a> | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
## Dashboard

946
docs/content/reference/install-configuration/configuration-options.md
View File

@@ -7,475 +7,477 @@ THIS FILE MUST NOT BE EDITED BY HAND
| Field | Description | Default |
|:-------|:------------|:-------|
| accesslog | Access log settings. | false |
| accesslog.addinternals | Enables access log for internal services (ping, dashboard, etc...). | false |
| accesslog.bufferingsize | Number of access log lines to process in a buffered way. | 0 |
| accesslog.fields.defaultmode | Default mode for fields: keep | drop | keep |
| accesslog.fields.headers.defaultmode | Default mode for fields: keep | drop | redact | drop |
| accesslog.fields.headers.names._name_ | Override mode for headers | |
| accesslog.fields.names._name_ | Override mode for fields | |
| accesslog.filepath | Access log file path. Stdout is used when omitted or empty. | |
| accesslog.filters.minduration | Keep access logs when request took longer than the specified duration. | 0 |
| accesslog.filters.retryattempts | Keep access logs when at least one retry happened. | false |
| accesslog.filters.statuscodes | Keep access logs with status codes in the specified range. | |
| accesslog.format | Access log format: json | common | common |
| accesslog.otlp | Settings for OpenTelemetry. | false |
| accesslog.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
| accesslog.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| accesslog.otlp.grpc.headers._name_ | Headers sent with payload. | |
| accesslog.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
| accesslog.otlp.grpc.tls.ca | TLS CA | |
| accesslog.otlp.grpc.tls.cert | TLS cert | |
| accesslog.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
| accesslog.otlp.grpc.tls.key | TLS key | |
| accesslog.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
| accesslog.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| accesslog.otlp.http.headers._name_ | Headers sent with payload. | |
| accesslog.otlp.http.tls.ca | TLS CA | |
| accesslog.otlp.http.tls.cert | TLS cert | |
| accesslog.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
| accesslog.otlp.http.tls.key | TLS key | |
| accesslog.otlp.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
| accesslog.otlp.servicename | Defines the service name resource attribute. | traefik |
| api | Enable api/dashboard. | false |
| api.basepath | Defines the base path where the API and Dashboard will be exposed. | / |
| api.dashboard | Activate dashboard. | true |
| api.debug | Enable additional endpoints for debugging and profiling. | false |
| api.disabledashboardad | Disable ad in the dashboard. | false |
| api.insecure | Activate API directly on the entryPoint named traefik. | false |
| certificatesresolvers._name_ | Certificates resolvers configuration. | false |
| certificatesresolvers._name_.acme.cacertificates | Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
| certificatesresolvers._name_.acme.caserver | CA server to use. | https://acme-v02.api.letsencrypt.org/directory |
| certificatesresolvers._name_.acme.caservername | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
| certificatesresolvers._name_.acme.casystemcertpool | Define if the certificates pool must use a copy of the system cert pool. | false |
| certificatesresolvers._name_.acme.certificatesduration | Certificates' duration in hours. | 2160 |
| certificatesresolvers._name_.acme.clientresponseheadertimeout | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
| certificatesresolvers._name_.acme.clienttimeout | Timeout for a complete HTTP transaction with the ACME server. | 120 |
| certificatesresolvers._name_.acme.dnschallenge | Activate DNS-01 Challenge. | false |
| certificatesresolvers._name_.acme.dnschallenge.delaybeforecheck | (Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. | 0 |
| certificatesresolvers._name_.acme.dnschallenge.disablepropagationcheck | (Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] | false |
| certificatesresolvers._name_.acme.dnschallenge.propagation | DNS propagation checks configuration | false |
| certificatesresolvers._name_.acme.dnschallenge.propagation.delaybeforechecks | Defines the delay before checking the challenge TXT record propagation. | 0 |
| certificatesresolvers._name_.acme.dnschallenge.propagation.disableanschecks | Disables the challenge TXT record propagation checks against authoritative nameservers. | false |
| certificatesresolvers._name_.acme.dnschallenge.propagation.disablechecks | Disables the challenge TXT record propagation checks (not recommended). | false |
| certificatesresolvers._name_.acme.dnschallenge.propagation.requireallrns | Requires the challenge TXT record to be propagated to all recursive nameservers. | false |
| certificatesresolvers._name_.acme.dnschallenge.provider | Use a DNS-01 based challenge provider rather than HTTPS. | |
| certificatesresolvers._name_.acme.dnschallenge.resolvers | Use following DNS servers to resolve the FQDN authority. | |
| certificatesresolvers._name_.acme.eab.hmacencoded | Base64 encoded HMAC key from External CA. | |
| certificatesresolvers._name_.acme.eab.kid | Key identifier from External CA. | |
| certificatesresolvers._name_.acme.email | Email address used for registration. | |
| certificatesresolvers._name_.acme.emailaddresses | CSR email addresses to use. | |
| certificatesresolvers._name_.acme.httpchallenge | Activate HTTP-01 Challenge. | false |
| certificatesresolvers._name_.acme.httpchallenge.delay | Delay between the creation of the challenge and the validation. | 0 |
| certificatesresolvers._name_.acme.httpchallenge.entrypoint | HTTP challenge EntryPoint | |
| certificatesresolvers._name_.acme.keytype | KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. | RSA4096 |
| certificatesresolvers._name_.acme.preferredchain | Preferred chain to use. | |
| certificatesresolvers._name_.acme.profile | Certificate profile to use. | |
| certificatesresolvers._name_.acme.storage | Storage to use. | acme.json |
| certificatesresolvers._name_.acme.tlschallenge | Activate TLS-ALPN-01 Challenge. | true |
| certificatesresolvers._name_.tailscale | Enables Tailscale certificate resolution. | true |
| core.defaultrulesyntax | Defines the rule parser default syntax (v2 or v3) | v3 |
| entrypoints._name_ | Entry points definition. | false |
| entrypoints._name_.address | Entry point address. | |
| entrypoints._name_.allowacmebypass | Enables handling of ACME TLS and HTTP challenges with custom routers. | false |
| entrypoints._name_.asdefault | Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. | false |
| entrypoints._name_.forwardedheaders.connection | List of Connection headers that are allowed to pass through the middleware chain before being removed. | |
| entrypoints._name_.forwardedheaders.insecure | Trust all forwarded headers. | false |
| entrypoints._name_.forwardedheaders.trustedips | Trust only forwarded headers from selected IPs. | |
| entrypoints._name_.http | HTTP configuration. | |
| entrypoints._name_.http.encodequerysemicolons | Defines whether request query semicolons should be URLEncoded. | false |
| entrypoints._name_.http.maxheaderbytes | Maximum size of request headers in bytes. | 1048576 |
| entrypoints._name_.http.middlewares | Default middlewares for the routers linked to the entry point. | |
| entrypoints._name_.http.redirections.entrypoint.permanent | Applies a permanent redirection. | true |
| entrypoints._name_.http.redirections.entrypoint.priority | Priority of the generated router. | 9223372036854775806 |
| entrypoints._name_.http.redirections.entrypoint.scheme | Scheme used for the redirection. | https |
| entrypoints._name_.http.redirections.entrypoint.to | Targeted entry point of the redirection. | |
| entrypoints._name_.http.sanitizepath | Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences). | true |
| entrypoints._name_.http.tls | Default TLS configuration for the routers linked to the entry point. | false |
| entrypoints._name_.http.tls.certresolver | Default certificate resolver for the routers linked to the entry point. | |
| entrypoints._name_.http.tls.domains | Default TLS domains for the routers linked to the entry point. | |
| entrypoints._name_.http.tls.domains[0].main | Default subject name. | |
| entrypoints._name_.http.tls.domains[0].sans | Subject alternative names. | |
| entrypoints._name_.http.tls.options | Default TLS options for the routers linked to the entry point. | |
| entrypoints._name_.http2.maxconcurrentstreams | Specifies the number of concurrent streams per connection that each client is allowed to initiate. | 250 |
| entrypoints._name_.http3 | HTTP/3 configuration. | false |
| entrypoints._name_.http3.advertisedport | UDP port to advertise, on which HTTP/3 is available. | 0 |
| entrypoints._name_.observability.accesslogs | Enables access-logs for this entryPoint. | true |
| entrypoints._name_.observability.metrics | Enables metrics for this entryPoint. | true |
| entrypoints._name_.observability.traceverbosity | Defines the tracing verbosity level for this entryPoint. | minimal |
| entrypoints._name_.observability.tracing | Enables tracing for this entryPoint. | true |
| entrypoints._name_.proxyprotocol | Proxy-Protocol configuration. | false |
| entrypoints._name_.proxyprotocol.insecure | Trust all. | false |
| entrypoints._name_.proxyprotocol.trustedips | Trust only selected IPs. | |
| entrypoints._name_.reuseport | Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. | false |
| entrypoints._name_.transport.keepalivemaxrequests | Maximum number of requests before closing a keep-alive connection. | 0 |
| entrypoints._name_.transport.keepalivemaxtime | Maximum duration before closing a keep-alive connection. | 0 |
| entrypoints._name_.transport.lifecycle.gracetimeout | Duration to give active requests a chance to finish before Traefik stops. | 10 |
| entrypoints._name_.transport.lifecycle.requestacceptgracetimeout | Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. | 0 |
| entrypoints._name_.transport.respondingtimeouts.idletimeout | IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. | 180 |
| entrypoints._name_.transport.respondingtimeouts.readtimeout | ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. | 60 |
| entrypoints._name_.transport.respondingtimeouts.writetimeout | WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. | 0 |
| entrypoints._name_.udp.timeout | Timeout defines how long to wait on an idle session before releasing the related resources. | 3 |
| experimental.abortonpluginfailure | Defines whether all plugins must be loaded successfully for Traefik to start. | false |
| experimental.fastproxy | Enables the FastProxy implementation. | false |
| experimental.fastproxy.debug | Enable debug mode for the FastProxy implementation. | false |
| experimental.kubernetesgateway | (Deprecated) Allow the Kubernetes gateway api provider usage. | false |
| experimental.kubernetesingressnginx | Allow the Kubernetes Ingress NGINX provider usage. | false |
| experimental.localplugins._name_ | Local plugins configuration. | false |
| experimental.localplugins._name_.modulename | Plugin's module name. | |
| experimental.localplugins._name_.settings | Plugin's settings (works only for wasm plugins). | |
| experimental.localplugins._name_.settings.envs | Environment variables to forward to the wasm guest. | |
| experimental.localplugins._name_.settings.mounts | Directory to mount to the wasm guest. | |
| experimental.localplugins._name_.settings.useunsafe | Allow the plugin to use unsafe package. | false |
| experimental.otlplogs | Enables the OpenTelemetry logs integration. | false |
| experimental.plugins._name_.modulename | plugin's module name. | |
| experimental.plugins._name_.settings | Plugin's settings (works only for wasm plugins). | |
| experimental.plugins._name_.settings.envs | Environment variables to forward to the wasm guest. | |
| experimental.plugins._name_.settings.mounts | Directory to mount to the wasm guest. | |
| experimental.plugins._name_.settings.useunsafe | Allow the plugin to use unsafe package. | false |
| experimental.plugins._name_.version | plugin's version. | |
| global.checknewversion | Periodically check if a new version has been released. | true |
| global.sendanonymoususage | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
| hostresolver | Enable CNAME Flattening. | false |
| hostresolver.cnameflattening | A flag to enable/disable CNAME flattening | false |
| hostresolver.resolvconfig | resolv.conf used for DNS resolving | /etc/resolv.conf |
| hostresolver.resolvdepth | The maximal depth of DNS recursive resolving | 5 |
| log | Traefik log settings. | false |
| log.compress | Determines if the rotated log files should be compressed using gzip. | false |
| log.filepath | Traefik log file path. Stdout is used when omitted or empty. | |
| log.format | Traefik log format: json | common | common |
| log.level | Log level set to traefik logs. | ERROR |
| log.maxage | Maximum number of days to retain old log files based on the timestamp encoded in their filename. | 0 |
| log.maxbackups | Maximum number of old log files to retain. | 0 |
| log.maxsize | Maximum size in megabytes of the log file before it gets rotated. | 0 |
| log.nocolor | When using the 'common' format, disables the colorized output. | false |
| log.otlp | Settings for OpenTelemetry. | false |
| log.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
| log.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| log.otlp.grpc.headers._name_ | Headers sent with payload. | |
| log.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
| log.otlp.grpc.tls.ca | TLS CA | |
| log.otlp.grpc.tls.cert | TLS cert | |
| log.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
| log.otlp.grpc.tls.key | TLS key | |
| log.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
| log.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| log.otlp.http.headers._name_ | Headers sent with payload. | |
| log.otlp.http.tls.ca | TLS CA | |
| log.otlp.http.tls.cert | TLS cert | |
| log.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
| log.otlp.http.tls.key | TLS key | |
| log.otlp.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
| log.otlp.servicename | Defines the service name resource attribute. | traefik |
| metrics.addinternals | Enables metrics for internal services (ping, dashboard, etc...). | false |
| metrics.datadog | Datadog metrics exporter type. | false |
| metrics.datadog.addentrypointslabels | Enable metrics on entry points. | true |
| metrics.datadog.address | Datadog's address. | localhost:8125 |
| metrics.datadog.addrouterslabels | Enable metrics on routers. | false |
| metrics.datadog.addserviceslabels | Enable metrics on services. | true |
| metrics.datadog.prefix | Prefix to use for metrics collection. | traefik |
| metrics.datadog.pushinterval | Datadog push interval. | 10 |
| metrics.influxdb2 | InfluxDB v2 metrics exporter type. | false |
| metrics.influxdb2.addentrypointslabels | Enable metrics on entry points. | true |
| metrics.influxdb2.additionallabels._name_ | Additional labels (influxdb tags) on all metrics | |
| metrics.influxdb2.address | InfluxDB v2 address. | http://localhost:8086 |
| metrics.influxdb2.addrouterslabels | Enable metrics on routers. | false |
| metrics.influxdb2.addserviceslabels | Enable metrics on services. | true |
| metrics.influxdb2.bucket | InfluxDB v2 bucket ID. | |
| metrics.influxdb2.org | InfluxDB v2 org ID. | |
| metrics.influxdb2.pushinterval | InfluxDB v2 push interval. | 10 |
| metrics.influxdb2.token | InfluxDB v2 access token. | |
| metrics.otlp | OpenTelemetry metrics exporter type. | false |
| metrics.otlp.addentrypointslabels | Enable metrics on entry points. | true |
| metrics.otlp.addrouterslabels | Enable metrics on routers. | false |
| metrics.otlp.addserviceslabels | Enable metrics on services. | true |
| metrics.otlp.explicitboundaries | Boundaries for latency metrics. | 0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000 |
| metrics.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
| metrics.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| metrics.otlp.grpc.headers._name_ | Headers sent with payload. | |
| metrics.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
| metrics.otlp.grpc.tls.ca | TLS CA | |
| metrics.otlp.grpc.tls.cert | TLS cert | |
| metrics.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
| metrics.otlp.grpc.tls.key | TLS key | |
| metrics.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
| metrics.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| metrics.otlp.http.headers._name_ | Headers sent with payload. | |
| metrics.otlp.http.tls.ca | TLS CA | |
| metrics.otlp.http.tls.cert | TLS cert | |
| metrics.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
| metrics.otlp.http.tls.key | TLS key | |
| metrics.otlp.pushinterval | Period between calls to collect a checkpoint. | 10 |
| metrics.otlp.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
| metrics.otlp.servicename | Defines the service name resource attribute. | traefik |
| metrics.prometheus | Prometheus metrics exporter type. | false |
| metrics.prometheus.addentrypointslabels | Enable metrics on entry points. | true |
| metrics.prometheus.addrouterslabels | Enable metrics on routers. | false |
| metrics.prometheus.addserviceslabels | Enable metrics on services. | true |
| metrics.prometheus.buckets | Buckets for latency metrics. | 0.100000, 0.300000, 1.200000, 5.000000 |
| metrics.prometheus.entrypoint | EntryPoint | traefik |
| metrics.prometheus.headerlabels._name_ | Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label. | |
| metrics.prometheus.manualrouting | Manual routing | false |
| metrics.statsd | StatsD metrics exporter type. | false |
| metrics.statsd.addentrypointslabels | Enable metrics on entry points. | true |
| metrics.statsd.address | StatsD address. | localhost:8125 |
| metrics.statsd.addrouterslabels | Enable metrics on routers. | false |
| metrics.statsd.addserviceslabels | Enable metrics on services. | true |
| metrics.statsd.prefix | Prefix to use for metrics collection. | traefik |
| metrics.statsd.pushinterval | StatsD push interval. | 10 |
| ocsp | OCSP configuration. | false |
| ocsp.responderoverrides._name_ | Defines a map of OCSP responders to replace for querying OCSP servers. | |
| ping | Enable ping. | false |
| ping.entrypoint | EntryPoint | traefik |
| ping.manualrouting | Manual routing | false |
| ping.terminatingstatuscode | Terminating status code | 503 |
| providers.consul | Enable Consul backend with default settings. | false |
| providers.consul.endpoints | KV store endpoints. | 127.0.0.1:8500 |
| providers.consul.namespaces | Sets the namespaces used to discover the configuration (Consul Enterprise only). | |
| providers.consul.rootkey | Root key used for KV store. | traefik |
| providers.consul.tls.ca | TLS CA | |
| providers.consul.tls.cert | TLS cert | |
| providers.consul.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.consul.tls.key | TLS key | |
| providers.consul.token | Per-request ACL token. | |
| providers.consulcatalog | Enable ConsulCatalog backend with default settings. | false |
| providers.consulcatalog.cache | Use local agent caching for catalog reads. | false |
| providers.consulcatalog.connectaware | Enable Consul Connect support. | false |
| providers.consulcatalog.connectbydefault | Consider every service as Connect capable by default. | false |
| providers.consulcatalog.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| providers.consulcatalog.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
| providers.consulcatalog.endpoint.address | The address of the Consul server | |
| providers.consulcatalog.endpoint.datacenter | Data center to use. If not provided, the default agent data center is used | |
| providers.consulcatalog.endpoint.endpointwaittime | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
| providers.consulcatalog.endpoint.httpauth.password | Basic Auth password | |
| providers.consulcatalog.endpoint.httpauth.username | Basic Auth username | |
| providers.consulcatalog.endpoint.scheme | The URI scheme for the Consul server | |
| providers.consulcatalog.endpoint.tls.ca | TLS CA | |
| providers.consulcatalog.endpoint.tls.cert | TLS cert | |
| providers.consulcatalog.endpoint.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.consulcatalog.endpoint.tls.key | TLS key | |
| providers.consulcatalog.endpoint.token | Token is used to provide a per-request ACL token which overrides the agent's default token | |
| providers.consulcatalog.exposedbydefault | Expose containers by default. | true |
| providers.consulcatalog.namespaces | Sets the namespaces used to discover services (Consul Enterprise only). | |
| providers.consulcatalog.prefix | Prefix for consul service tags. | traefik |
| providers.consulcatalog.refreshinterval | Interval for check Consul API. | 15 |
| providers.consulcatalog.requireconsistent | Forces the read to be fully consistent. | false |
| providers.consulcatalog.servicename | Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). | traefik |
| providers.consulcatalog.stale | Use stale consistency for catalog reads. | false |
| providers.consulcatalog.strictchecks | A list of service health statuses to allow taking traffic. | passing, warning |
| providers.consulcatalog.watch | Watch Consul API events. | false |
| providers.docker | Enable Docker backend with default settings. | false |
| providers.docker.allowemptyservices | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
| providers.docker.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| providers.docker.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
| providers.docker.endpoint | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
| providers.docker.exposedbydefault | Expose containers by default. | true |
| providers.docker.httpclienttimeout | Client timeout for HTTP connections. | 0 |
| providers.docker.network | Default Docker network used. | |
| providers.docker.password | Password for Basic HTTP authentication. | |
| providers.docker.tls.ca | TLS CA | |
| providers.docker.tls.cert | TLS cert | |
| providers.docker.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.docker.tls.key | TLS key | |
| providers.docker.usebindportip | Use the ip address from the bound port, rather than from the inner network. | false |
| providers.docker.username | Username for Basic HTTP authentication. | |
| providers.docker.watch | Watch Docker events. | true |
| providers.ecs | Enable AWS ECS backend with default settings. | false |
| providers.ecs.accesskeyid | AWS credentials access key ID to use for making requests. | |
| providers.ecs.autodiscoverclusters | Auto discover cluster. | false |
| providers.ecs.clusters | ECS Cluster names. | default |
| providers.ecs.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| providers.ecs.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
| providers.ecs.ecsanywhere | Enable ECS Anywhere support. | false |
| providers.ecs.exposedbydefault | Expose services by default. | true |
| providers.ecs.healthytasksonly | Determines whether to discover only healthy tasks. | false |
| providers.ecs.refreshseconds | Polling interval (in seconds). | 15 |
| providers.ecs.region | AWS region to use for requests. | |
| providers.ecs.secretaccesskey | AWS credentials access key to use for making requests. | |
| providers.etcd | Enable Etcd backend with default settings. | false |
| providers.etcd.endpoints | KV store endpoints. | 127.0.0.1:2379 |
| providers.etcd.password | Password for authentication. | |
| providers.etcd.rootkey | Root key used for KV store. | traefik |
| providers.etcd.tls.ca | TLS CA | |
| providers.etcd.tls.cert | TLS cert | |
| providers.etcd.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.etcd.tls.key | TLS key | |
| providers.etcd.username | Username for authentication. | |
| providers.file.debugloggeneratedtemplate | Enable debug logging of generated configuration template. | false |
| providers.file.directory | Load dynamic configuration from one or more .yml or .toml files in a directory. | |
| providers.file.filename | Load dynamic configuration from a file. | |
| providers.file.watch | Watch provider. | true |
| providers.http | Enable HTTP backend with default settings. | false |
| providers.http.endpoint | Load configuration from this endpoint. | |
| providers.http.headers._name_ | Define custom headers to be sent to the endpoint. | |
| providers.http.pollinterval | Polling interval for endpoint. | 5 |
| providers.http.polltimeout | Polling timeout for endpoint. | 5 |
| providers.http.tls.ca | TLS CA | |
| providers.http.tls.cert | TLS cert | |
| providers.http.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.http.tls.key | TLS key | |
| providers.kubernetescrd | Enable Kubernetes backend with default settings. | false |
| providers.kubernetescrd.allowcrossnamespace | Allow cross namespace resource reference. | false |
| providers.kubernetescrd.allowemptyservices | Allow the creation of services without endpoints. | false |
| providers.kubernetescrd.allowexternalnameservices | Allow ExternalName services. | false |
| providers.kubernetescrd.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| providers.kubernetescrd.disableclusterscoperesources | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
| providers.kubernetescrd.endpoint | Kubernetes server endpoint (required for external cluster client). | |
| providers.kubernetescrd.ingressclass | Value of kubernetes.io/ingress.class annotation to watch for. | |
| providers.kubernetescrd.labelselector | Kubernetes label selector to use. | |
| providers.kubernetescrd.namespaces | Kubernetes namespaces. | |
| providers.kubernetescrd.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
| providers.kubernetescrd.throttleduration | Ingress refresh throttle duration | 0 |
| providers.kubernetescrd.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| providers.kubernetesgateway | Enable Kubernetes gateway api provider with default settings. | false |
| providers.kubernetesgateway.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| providers.kubernetesgateway.endpoint | Kubernetes server endpoint (required for external cluster client). | |
| providers.kubernetesgateway.experimentalchannel | Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). | false |
| providers.kubernetesgateway.labelselector | Kubernetes label selector to select specific GatewayClasses. | |
| providers.kubernetesgateway.namespaces | Kubernetes namespaces. | |
| providers.kubernetesgateway.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing by default. | false |
| providers.kubernetesgateway.statusaddress.hostname | Hostname used for Kubernetes Gateway status address. | |
| providers.kubernetesgateway.statusaddress.ip | IP used to set Kubernetes Gateway status address. | |
| providers.kubernetesgateway.statusaddress.service | Published Kubernetes Service to copy status addresses from. | |
| providers.kubernetesgateway.statusaddress.service.name | Name of the Kubernetes service. | |
| providers.kubernetesgateway.statusaddress.service.namespace | Namespace of the Kubernetes service. | |
| providers.kubernetesgateway.throttleduration | Kubernetes refresh throttle duration | 0 |
| providers.kubernetesgateway.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| providers.kubernetesingress | Enable Kubernetes backend with default settings. | false |
| providers.kubernetesingress.allowemptyservices | Allow creation of services without endpoints. | false |
| providers.kubernetesingress.allowexternalnameservices | Allow ExternalName services. | false |
| providers.kubernetesingress.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| providers.kubernetesingress.disableclusterscoperesources | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
| providers.kubernetesingress.disableingressclasslookup | Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). | false |
| providers.kubernetesingress.endpoint | Kubernetes server endpoint (required for external cluster client). | |
| providers.kubernetesingress.ingressclass | Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for. | |
| providers.kubernetesingress.ingressendpoint.hostname | Hostname used for Kubernetes Ingress endpoints. | |
| providers.kubernetesingress.ingressendpoint.ip | IP used for Kubernetes Ingress endpoints. | |
| providers.kubernetesingress.ingressendpoint.publishedservice | Published Kubernetes Service to copy status from. | |
| providers.kubernetesingress.labelselector | Kubernetes Ingress label selector to use. | |
| providers.kubernetesingress.namespaces | Kubernetes namespaces. | |
| providers.kubernetesingress.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
| providers.kubernetesingress.strictprefixmatching | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). | false |
| providers.kubernetesingress.throttleduration | Ingress refresh throttle duration | 0 |
| providers.kubernetesingress.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| providers.kubernetesingressnginx | Enable Kubernetes Ingress NGINX provider. | false |
| providers.kubernetesingressnginx.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| providers.kubernetesingressnginx.controllerclass | Ingress Class Controller value this controller satisfies. | k8s.io/ingress-nginx |
| providers.kubernetesingressnginx.defaultbackendservice | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | |
| providers.kubernetesingressnginx.disablesvcexternalname | Disable support for Services of type ExternalName. | false |
| providers.kubernetesingressnginx.endpoint | Kubernetes server endpoint (required for external cluster client). | |
| providers.kubernetesingressnginx.ingressclass | Name of the ingress class this controller satisfies. | nginx |
| providers.kubernetesingressnginx.ingressclassbyname | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false |
| providers.kubernetesingressnginx.publishservice | Service fronting the Ingress controller. Takes the form 'namespace/name'. | |
| providers.kubernetesingressnginx.publishstatusaddress | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | |
| providers.kubernetesingressnginx.throttleduration | Ingress refresh throttle duration. | 0 |
| providers.kubernetesingressnginx.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| providers.kubernetesingressnginx.watchingresswithoutclass | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false |
| providers.kubernetesingressnginx.watchnamespace | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | |
| providers.kubernetesingressnginx.watchnamespaceselector | Selector selects namespaces the controller watches for updates to Kubernetes objects. | |
| providers.nomad | Enable Nomad backend with default settings. | false |
| providers.nomad.allowemptyservices | Allow the creation of services without endpoints. | false |
| providers.nomad.constraints | Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service. | |
| providers.nomad.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
| providers.nomad.endpoint.address | The address of the Nomad server, including scheme and port. | http://127.0.0.1:4646 |
| providers.nomad.endpoint.endpointwaittime | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
| providers.nomad.endpoint.region | Nomad region to use. If not provided, the local agent region is used. | |
| providers.nomad.endpoint.tls.ca | TLS CA | |
| providers.nomad.endpoint.tls.cert | TLS cert | |
| providers.nomad.endpoint.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.nomad.endpoint.tls.key | TLS key | |
| providers.nomad.endpoint.token | Token is used to provide a per-request ACL token. | |
| providers.nomad.exposedbydefault | Expose Nomad services by default. | true |
| providers.nomad.namespaces | Sets the Nomad namespaces used to discover services. | |
| providers.nomad.prefix | Prefix for nomad service tags. | traefik |
| providers.nomad.refreshinterval | Interval for polling Nomad API. | 15 |
| providers.nomad.stale | Use stale consistency for catalog reads. | false |
| providers.nomad.throttleduration | Watch throttle duration. | 0 |
| providers.nomad.watch | Watch Nomad Service events. | false |
| providers.plugin._name_ | Plugins configuration. | |
| providers.providersthrottleduration | Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. | 2 |
| providers.redis | Enable Redis backend with default settings. | false |
| providers.redis.db | Database to be selected after connecting to the server. | 0 |
| providers.redis.endpoints | KV store endpoints. | 127.0.0.1:6379 |
| providers.redis.password | Password for authentication. | |
| providers.redis.rootkey | Root key used for KV store. | traefik |
| providers.redis.sentinel.latencystrategy | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false |
| providers.redis.sentinel.mastername | Name of the master. | |
| providers.redis.sentinel.password | Password for Sentinel authentication. | |
| providers.redis.sentinel.randomstrategy | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false |
| providers.redis.sentinel.replicastrategy | Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). | false |
| providers.redis.sentinel.usedisconnectedreplicas | Use replicas disconnected with master when cannot get connected replicas. | false |
| providers.redis.sentinel.username | Username for Sentinel authentication. | |
| providers.redis.tls.ca | TLS CA | |
| providers.redis.tls.cert | TLS cert | |
| providers.redis.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.redis.tls.key | TLS key | |
| providers.redis.username | Username for authentication. | |
| providers.rest | Enable Rest backend with default settings. | false |
| providers.rest.insecure | Activate REST Provider directly on the entryPoint named traefik. | false |
| providers.swarm | Enable Docker Swarm backend with default settings. | false |
| providers.swarm.allowemptyservices | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
| providers.swarm.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| providers.swarm.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
| providers.swarm.endpoint | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
| providers.swarm.exposedbydefault | Expose containers by default. | true |
| providers.swarm.httpclienttimeout | Client timeout for HTTP connections. | 0 |
| providers.swarm.network | Default Docker network used. | |
| providers.swarm.password | Password for Basic HTTP authentication. | |
| providers.swarm.refreshseconds | Polling interval for swarm mode. | 15 |
| providers.swarm.tls.ca | TLS CA | |
| providers.swarm.tls.cert | TLS cert | |
| providers.swarm.tls.insecureskipverify | TLS insecure skip verify | false |
| providers.swarm.tls.key | TLS key | |
| providers.swarm.usebindportip | Use the ip address from the bound port, rather than from the inner network. | false |
| providers.swarm.username | Username for Basic HTTP authentication. | |
| providers.swarm.watch | Watch Docker events. | true |
| providers.zookeeper | Enable ZooKeeper backend with default settings. | false |
| providers.zookeeper.endpoints | KV store endpoints. | 127.0.0.1:2181 |
| providers.zookeeper.password | Password for authentication. | |
| providers.zookeeper.rootkey | Root key used for KV store. | traefik |
| providers.zookeeper.username | Username for authentication. | |
| serverstransport.forwardingtimeouts.dialtimeout | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
| serverstransport.forwardingtimeouts.idleconntimeout | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself | 90 |
| serverstransport.forwardingtimeouts.responseheadertimeout | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. | 0 |
| serverstransport.insecureskipverify | Disable SSL certificate verification. | false |
| serverstransport.maxidleconnsperhost | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used | 200 |
| serverstransport.rootcas | Add cert file for self-signed certificate. | |
| serverstransport.spiffe | Defines the SPIFFE configuration. | false |
| serverstransport.spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
| serverstransport.spiffe.trustdomain | Defines the allowed SPIFFE trust domain. | |
| spiffe.workloadapiaddr | Defines the workload API address. | |
| tcpserverstransport.dialkeepalive | Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled | 15 |
| tcpserverstransport.dialtimeout | Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
| tcpserverstransport.terminationdelay | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 0 |
| tcpserverstransport.tls | Defines the TLS configuration. | false |
| tcpserverstransport.tls.insecureskipverify | Disables SSL certificate verification. | false |
| tcpserverstransport.tls.rootcas | Defines a list of CA secret used to validate self-signed certificate | |
| tcpserverstransport.tls.spiffe | Defines the SPIFFE TLS configuration. | false |
| tcpserverstransport.tls.spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
| tcpserverstransport.tls.spiffe.trustdomain | Defines the allowed SPIFFE trust domain. | |
| tracing | Tracing configuration. | false |
| tracing.addinternals | Enables tracing for internal services (ping, dashboard, etc...). | false |
| tracing.capturedrequestheaders | Request headers to add as attributes for server and client spans. | |
| tracing.capturedresponseheaders | Response headers to add as attributes for server and client spans. | |
| tracing.globalattributes._name_ | (Deprecated) Defines additional resource attributes (key:value). | |
| tracing.otlp | Settings for OpenTelemetry. | false |
| tracing.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
| tracing.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| tracing.otlp.grpc.headers._name_ | Headers sent with payload. | |
| tracing.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
| tracing.otlp.grpc.tls.ca | TLS CA | |
| tracing.otlp.grpc.tls.cert | TLS cert | |
| tracing.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
| tracing.otlp.grpc.tls.key | TLS key | |
| tracing.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
| tracing.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| tracing.otlp.http.headers._name_ | Headers sent with payload. | |
| tracing.otlp.http.tls.ca | TLS CA | |
| tracing.otlp.http.tls.cert | TLS cert | |
| tracing.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
| tracing.otlp.http.tls.key | TLS key | |
| tracing.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
| tracing.safequeryparams | Query params to not redact. | |
| tracing.samplerate | Sets the rate between 0.0 and 1.0 of requests to trace. | 1.000000 |
| tracing.servicename | Defines the service name resource attribute. | traefik |
| <a id="accesslog" href="#accesslog" title="#accesslog">accesslog</a> | Access log settings. | false |
| <a id="accesslog-addinternals" href="#accesslog-addinternals" title="#accesslog-addinternals">accesslog.addinternals</a> | Enables access log for internal services (ping, dashboard, etc...). | false |
| <a id="accesslog-bufferingsize" href="#accesslog-bufferingsize" title="#accesslog-bufferingsize">accesslog.bufferingsize</a> | Number of access log lines to process in a buffered way. | 0 |
| <a id="accesslog-fields-defaultmode" href="#accesslog-fields-defaultmode" title="#accesslog-fields-defaultmode">accesslog.fields.defaultmode</a> | Default mode for fields: keep | drop | keep |
| <a id="accesslog-fields-headers-defaultmode" href="#accesslog-fields-headers-defaultmode" title="#accesslog-fields-headers-defaultmode">accesslog.fields.headers.defaultmode</a> | Default mode for fields: keep | drop | redact | drop |
| <a id="accesslog-fields-headers-names-name" href="#accesslog-fields-headers-names-name" title="#accesslog-fields-headers-names-name">accesslog.fields.headers.names._name_</a> | Override mode for headers | |
| <a id="accesslog-fields-names-name" href="#accesslog-fields-names-name" title="#accesslog-fields-names-name">accesslog.fields.names._name_</a> | Override mode for fields | |
| <a id="accesslog-filepath" href="#accesslog-filepath" title="#accesslog-filepath">accesslog.filepath</a> | Access log file path. Stdout is used when omitted or empty. | |
| <a id="accesslog-filters-minduration" href="#accesslog-filters-minduration" title="#accesslog-filters-minduration">accesslog.filters.minduration</a> | Keep access logs when request took longer than the specified duration. | 0 |
| <a id="accesslog-filters-retryattempts" href="#accesslog-filters-retryattempts" title="#accesslog-filters-retryattempts">accesslog.filters.retryattempts</a> | Keep access logs when at least one retry happened. | false |
| <a id="accesslog-filters-statuscodes" href="#accesslog-filters-statuscodes" title="#accesslog-filters-statuscodes">accesslog.filters.statuscodes</a> | Keep access logs with status codes in the specified range. | |
| <a id="accesslog-format" href="#accesslog-format" title="#accesslog-format">accesslog.format</a> | Access log format: json, common, or genericCLF | common |
| <a id="accesslog-otlp" href="#accesslog-otlp" title="#accesslog-otlp">accesslog.otlp</a> | Settings for OpenTelemetry. | false |
| <a id="accesslog-otlp-grpc" href="#accesslog-otlp-grpc" title="#accesslog-otlp-grpc">accesslog.otlp.grpc</a> | gRPC configuration for the OpenTelemetry collector. | false |
| <a id="accesslog-otlp-grpc-endpoint" href="#accesslog-otlp-grpc-endpoint" title="#accesslog-otlp-grpc-endpoint">accesslog.otlp.grpc.endpoint</a> | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| <a id="accesslog-otlp-grpc-headers-name" href="#accesslog-otlp-grpc-headers-name" title="#accesslog-otlp-grpc-headers-name">accesslog.otlp.grpc.headers._name_</a> | Headers sent with payload. | |
| <a id="accesslog-otlp-grpc-insecure" href="#accesslog-otlp-grpc-insecure" title="#accesslog-otlp-grpc-insecure">accesslog.otlp.grpc.insecure</a> | Disables client transport security for the exporter. | false |
| <a id="accesslog-otlp-grpc-tls-ca" href="#accesslog-otlp-grpc-tls-ca" title="#accesslog-otlp-grpc-tls-ca">accesslog.otlp.grpc.tls.ca</a> | TLS CA | |
| <a id="accesslog-otlp-grpc-tls-cert" href="#accesslog-otlp-grpc-tls-cert" title="#accesslog-otlp-grpc-tls-cert">accesslog.otlp.grpc.tls.cert</a> | TLS cert | |
| <a id="accesslog-otlp-grpc-tls-insecureskipverify" href="#accesslog-otlp-grpc-tls-insecureskipverify" title="#accesslog-otlp-grpc-tls-insecureskipverify">accesslog.otlp.grpc.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="accesslog-otlp-grpc-tls-key" href="#accesslog-otlp-grpc-tls-key" title="#accesslog-otlp-grpc-tls-key">accesslog.otlp.grpc.tls.key</a> | TLS key | |
| <a id="accesslog-otlp-http" href="#accesslog-otlp-http" title="#accesslog-otlp-http">accesslog.otlp.http</a> | HTTP configuration for the OpenTelemetry collector. | false |
| <a id="accesslog-otlp-http-endpoint" href="#accesslog-otlp-http-endpoint" title="#accesslog-otlp-http-endpoint">accesslog.otlp.http.endpoint</a> | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| <a id="accesslog-otlp-http-headers-name" href="#accesslog-otlp-http-headers-name" title="#accesslog-otlp-http-headers-name">accesslog.otlp.http.headers._name_</a> | Headers sent with payload. | |
| <a id="accesslog-otlp-http-tls-ca" href="#accesslog-otlp-http-tls-ca" title="#accesslog-otlp-http-tls-ca">accesslog.otlp.http.tls.ca</a> | TLS CA | |
| <a id="accesslog-otlp-http-tls-cert" href="#accesslog-otlp-http-tls-cert" title="#accesslog-otlp-http-tls-cert">accesslog.otlp.http.tls.cert</a> | TLS cert | |
| <a id="accesslog-otlp-http-tls-insecureskipverify" href="#accesslog-otlp-http-tls-insecureskipverify" title="#accesslog-otlp-http-tls-insecureskipverify">accesslog.otlp.http.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="accesslog-otlp-http-tls-key" href="#accesslog-otlp-http-tls-key" title="#accesslog-otlp-http-tls-key">accesslog.otlp.http.tls.key</a> | TLS key | |
| <a id="accesslog-otlp-resourceattributes-name" href="#accesslog-otlp-resourceattributes-name" title="#accesslog-otlp-resourceattributes-name">accesslog.otlp.resourceattributes._name_</a> | Defines additional resource attributes (key:value). | |
| <a id="accesslog-otlp-servicename" href="#accesslog-otlp-servicename" title="#accesslog-otlp-servicename">accesslog.otlp.servicename</a> | Defines the service name resource attribute. | traefik |
| <a id="api" href="#api" title="#api">api</a> | Enable api/dashboard. | false |
| <a id="api-basepath" href="#api-basepath" title="#api-basepath">api.basepath</a> | Defines the base path where the API and Dashboard will be exposed. | / |
| <a id="api-dashboard" href="#api-dashboard" title="#api-dashboard">api.dashboard</a> | Activate dashboard. | true |
| <a id="api-debug" href="#api-debug" title="#api-debug">api.debug</a> | Enable additional endpoints for debugging and profiling. | false |
| <a id="api-disabledashboardad" href="#api-disabledashboardad" title="#api-disabledashboardad">api.disabledashboardad</a> | Disable ad in the dashboard. | false |
| <a id="api-insecure" href="#api-insecure" title="#api-insecure">api.insecure</a> | Activate API directly on the entryPoint named traefik. | false |
| <a id="certificatesresolvers-name" href="#certificatesresolvers-name" title="#certificatesresolvers-name">certificatesresolvers._name_</a> | Certificates resolvers configuration. | false |
| <a id="certificatesresolvers-name-acme-cacertificates" href="#certificatesresolvers-name-acme-cacertificates" title="#certificatesresolvers-name-acme-cacertificates">certificatesresolvers._name_.acme.cacertificates</a> | Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
| <a id="certificatesresolvers-name-acme-caserver" href="#certificatesresolvers-name-acme-caserver" title="#certificatesresolvers-name-acme-caserver">certificatesresolvers._name_.acme.caserver</a> | CA server to use. | https://acme-v02.api.letsencrypt.org/directory |
| <a id="certificatesresolvers-name-acme-caservername" href="#certificatesresolvers-name-acme-caservername" title="#certificatesresolvers-name-acme-caservername">certificatesresolvers._name_.acme.caservername</a> | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
| <a id="certificatesresolvers-name-acme-casystemcertpool" href="#certificatesresolvers-name-acme-casystemcertpool" title="#certificatesresolvers-name-acme-casystemcertpool">certificatesresolvers._name_.acme.casystemcertpool</a> | Define if the certificates pool must use a copy of the system cert pool. | false |
| <a id="certificatesresolvers-name-acme-certificatesduration" href="#certificatesresolvers-name-acme-certificatesduration" title="#certificatesresolvers-name-acme-certificatesduration">certificatesresolvers._name_.acme.certificatesduration</a> | Certificates' duration in hours. | 2160 |
| <a id="certificatesresolvers-name-acme-clientresponseheadertimeout" href="#certificatesresolvers-name-acme-clientresponseheadertimeout" title="#certificatesresolvers-name-acme-clientresponseheadertimeout">certificatesresolvers._name_.acme.clientresponseheadertimeout</a> | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
| <a id="certificatesresolvers-name-acme-clienttimeout" href="#certificatesresolvers-name-acme-clienttimeout" title="#certificatesresolvers-name-acme-clienttimeout">certificatesresolvers._name_.acme.clienttimeout</a> | Timeout for a complete HTTP transaction with the ACME server. | 120 |
| <a id="certificatesresolvers-name-acme-disablecommonname" href="#certificatesresolvers-name-acme-disablecommonname" title="#certificatesresolvers-name-acme-disablecommonname">certificatesresolvers._name_.acme.disablecommonname</a> | Disable the common name in the CSR. | false |
| <a id="certificatesresolvers-name-acme-dnschallenge" href="#certificatesresolvers-name-acme-dnschallenge" title="#certificatesresolvers-name-acme-dnschallenge">certificatesresolvers._name_.acme.dnschallenge</a> | Activate DNS-01 Challenge. | false |
| <a id="certificatesresolvers-name-acme-dnschallenge-delaybeforecheck" href="#certificatesresolvers-name-acme-dnschallenge-delaybeforecheck" title="#certificatesresolvers-name-acme-dnschallenge-delaybeforecheck">certificatesresolvers._name_.acme.dnschallenge.delaybeforecheck</a> | (Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. | 0 |
| <a id="certificatesresolvers-name-acme-dnschallenge-disablepropagationcheck" href="#certificatesresolvers-name-acme-dnschallenge-disablepropagationcheck" title="#certificatesresolvers-name-acme-dnschallenge-disablepropagationcheck">certificatesresolvers._name_.acme.dnschallenge.disablepropagationcheck</a> | (Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] | false |
| <a id="certificatesresolvers-name-acme-dnschallenge-propagation" href="#certificatesresolvers-name-acme-dnschallenge-propagation" title="#certificatesresolvers-name-acme-dnschallenge-propagation">certificatesresolvers._name_.acme.dnschallenge.propagation</a> | DNS propagation checks configuration | false |
| <a id="certificatesresolvers-name-acme-dnschallenge-propagation-delaybeforechecks" href="#certificatesresolvers-name-acme-dnschallenge-propagation-delaybeforechecks" title="#certificatesresolvers-name-acme-dnschallenge-propagation-delaybeforechecks">certificatesresolvers._name_.acme.dnschallenge.propagation.delaybeforechecks</a> | Defines the delay before checking the challenge TXT record propagation. | 0 |
| <a id="certificatesresolvers-name-acme-dnschallenge-propagation-disableanschecks" href="#certificatesresolvers-name-acme-dnschallenge-propagation-disableanschecks" title="#certificatesresolvers-name-acme-dnschallenge-propagation-disableanschecks">certificatesresolvers._name_.acme.dnschallenge.propagation.disableanschecks</a> | Disables the challenge TXT record propagation checks against authoritative nameservers. | false |
| <a id="certificatesresolvers-name-acme-dnschallenge-propagation-disablechecks" href="#certificatesresolvers-name-acme-dnschallenge-propagation-disablechecks" title="#certificatesresolvers-name-acme-dnschallenge-propagation-disablechecks">certificatesresolvers._name_.acme.dnschallenge.propagation.disablechecks</a> | Disables the challenge TXT record propagation checks (not recommended). | false |
| <a id="certificatesresolvers-name-acme-dnschallenge-propagation-requireallrns" href="#certificatesresolvers-name-acme-dnschallenge-propagation-requireallrns" title="#certificatesresolvers-name-acme-dnschallenge-propagation-requireallrns">certificatesresolvers._name_.acme.dnschallenge.propagation.requireallrns</a> | Requires the challenge TXT record to be propagated to all recursive nameservers. | false |
| <a id="certificatesresolvers-name-acme-dnschallenge-provider" href="#certificatesresolvers-name-acme-dnschallenge-provider" title="#certificatesresolvers-name-acme-dnschallenge-provider">certificatesresolvers._name_.acme.dnschallenge.provider</a> | Use a DNS-01 based challenge provider rather than HTTPS. | |
| <a id="certificatesresolvers-name-acme-dnschallenge-resolvers" href="#certificatesresolvers-name-acme-dnschallenge-resolvers" title="#certificatesresolvers-name-acme-dnschallenge-resolvers">certificatesresolvers._name_.acme.dnschallenge.resolvers</a> | Use following DNS servers to resolve the FQDN authority. | |
| <a id="certificatesresolvers-name-acme-eab-hmacencoded" href="#certificatesresolvers-name-acme-eab-hmacencoded" title="#certificatesresolvers-name-acme-eab-hmacencoded">certificatesresolvers._name_.acme.eab.hmacencoded</a> | Base64 encoded HMAC key from External CA. | |
| <a id="certificatesresolvers-name-acme-eab-kid" href="#certificatesresolvers-name-acme-eab-kid" title="#certificatesresolvers-name-acme-eab-kid">certificatesresolvers._name_.acme.eab.kid</a> | Key identifier from External CA. | |
| <a id="certificatesresolvers-name-acme-email" href="#certificatesresolvers-name-acme-email" title="#certificatesresolvers-name-acme-email">certificatesresolvers._name_.acme.email</a> | Email address used for registration. | |
| <a id="certificatesresolvers-name-acme-emailaddresses" href="#certificatesresolvers-name-acme-emailaddresses" title="#certificatesresolvers-name-acme-emailaddresses">certificatesresolvers._name_.acme.emailaddresses</a> | CSR email addresses to use. | |
| <a id="certificatesresolvers-name-acme-httpchallenge" href="#certificatesresolvers-name-acme-httpchallenge" title="#certificatesresolvers-name-acme-httpchallenge">certificatesresolvers._name_.acme.httpchallenge</a> | Activate HTTP-01 Challenge. | false |
| <a id="certificatesresolvers-name-acme-httpchallenge-delay" href="#certificatesresolvers-name-acme-httpchallenge-delay" title="#certificatesresolvers-name-acme-httpchallenge-delay">certificatesresolvers._name_.acme.httpchallenge.delay</a> | Delay between the creation of the challenge and the validation. | 0 |
| <a id="certificatesresolvers-name-acme-httpchallenge-entrypoint" href="#certificatesresolvers-name-acme-httpchallenge-entrypoint" title="#certificatesresolvers-name-acme-httpchallenge-entrypoint">certificatesresolvers._name_.acme.httpchallenge.entrypoint</a> | HTTP challenge EntryPoint | |
| <a id="certificatesresolvers-name-acme-keytype" href="#certificatesresolvers-name-acme-keytype" title="#certificatesresolvers-name-acme-keytype">certificatesresolvers._name_.acme.keytype</a> | KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. | RSA4096 |
| <a id="certificatesresolvers-name-acme-preferredchain" href="#certificatesresolvers-name-acme-preferredchain" title="#certificatesresolvers-name-acme-preferredchain">certificatesresolvers._name_.acme.preferredchain</a> | Preferred chain to use. | |
| <a id="certificatesresolvers-name-acme-profile" href="#certificatesresolvers-name-acme-profile" title="#certificatesresolvers-name-acme-profile">certificatesresolvers._name_.acme.profile</a> | Certificate profile to use. | |
| <a id="certificatesresolvers-name-acme-storage" href="#certificatesresolvers-name-acme-storage" title="#certificatesresolvers-name-acme-storage">certificatesresolvers._name_.acme.storage</a> | Storage to use. | acme.json |
| <a id="certificatesresolvers-name-acme-tlschallenge" href="#certificatesresolvers-name-acme-tlschallenge" title="#certificatesresolvers-name-acme-tlschallenge">certificatesresolvers._name_.acme.tlschallenge</a> | Activate TLS-ALPN-01 Challenge. | false |
| <a id="certificatesresolvers-name-acme-tlschallenge-delay" href="#certificatesresolvers-name-acme-tlschallenge-delay" title="#certificatesresolvers-name-acme-tlschallenge-delay">certificatesresolvers._name_.acme.tlschallenge.delay</a> | Delay between the creation of the challenge and the validation. | 0 |
| <a id="certificatesresolvers-name-tailscale" href="#certificatesresolvers-name-tailscale" title="#certificatesresolvers-name-tailscale">certificatesresolvers._name_.tailscale</a> | Enables Tailscale certificate resolution. | true |
| <a id="core-defaultrulesyntax" href="#core-defaultrulesyntax" title="#core-defaultrulesyntax">core.defaultrulesyntax</a> | Defines the rule parser default syntax (v2 or v3) | v3 |
| <a id="entrypoints-name" href="#entrypoints-name" title="#entrypoints-name">entrypoints._name_</a> | Entry points definition. | false |
| <a id="entrypoints-name-address" href="#entrypoints-name-address" title="#entrypoints-name-address">entrypoints._name_.address</a> | Entry point address. | |
| <a id="entrypoints-name-allowacmebypass" href="#entrypoints-name-allowacmebypass" title="#entrypoints-name-allowacmebypass">entrypoints._name_.allowacmebypass</a> | Enables handling of ACME TLS and HTTP challenges with custom routers. | false |
| <a id="entrypoints-name-asdefault" href="#entrypoints-name-asdefault" title="#entrypoints-name-asdefault">entrypoints._name_.asdefault</a> | Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. | false |
| <a id="entrypoints-name-forwardedheaders-connection" href="#entrypoints-name-forwardedheaders-connection" title="#entrypoints-name-forwardedheaders-connection">entrypoints._name_.forwardedheaders.connection</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed. | |
| <a id="entrypoints-name-forwardedheaders-insecure" href="#entrypoints-name-forwardedheaders-insecure" title="#entrypoints-name-forwardedheaders-insecure">entrypoints._name_.forwardedheaders.insecure</a> | Trust all forwarded headers. | false |
| <a id="entrypoints-name-forwardedheaders-trustedips" href="#entrypoints-name-forwardedheaders-trustedips" title="#entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
| <a id="entrypoints-name-http" href="#entrypoints-name-http" title="#entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
| <a id="entrypoints-name-http-encodequerysemicolons" href="#entrypoints-name-http-encodequerysemicolons" title="#entrypoints-name-http-encodequerysemicolons">entrypoints._name_.http.encodequerysemicolons</a> | Defines whether request query semicolons should be URLEncoded. | false |
| <a id="entrypoints-name-http-maxheaderbytes" href="#entrypoints-name-http-maxheaderbytes" title="#entrypoints-name-http-maxheaderbytes">entrypoints._name_.http.maxheaderbytes</a> | Maximum size of request headers in bytes. | 1048576 |
| <a id="entrypoints-name-http-middlewares" href="#entrypoints-name-http-middlewares" title="#entrypoints-name-http-middlewares">entrypoints._name_.http.middlewares</a> | Default middlewares for the routers linked to the entry point. | |
| <a id="entrypoints-name-http-redirections-entrypoint-permanent" href="#entrypoints-name-http-redirections-entrypoint-permanent" title="#entrypoints-name-http-redirections-entrypoint-permanent">entrypoints._name_.http.redirections.entrypoint.permanent</a> | Applies a permanent redirection. | true |
| <a id="entrypoints-name-http-redirections-entrypoint-priority" href="#entrypoints-name-http-redirections-entrypoint-priority" title="#entrypoints-name-http-redirections-entrypoint-priority">entrypoints._name_.http.redirections.entrypoint.priority</a> | Priority of the generated router. | 9223372036854775806 |
| <a id="entrypoints-name-http-redirections-entrypoint-scheme" href="#entrypoints-name-http-redirections-entrypoint-scheme" title="#entrypoints-name-http-redirections-entrypoint-scheme">entrypoints._name_.http.redirections.entrypoint.scheme</a> | Scheme used for the redirection. | https |
| <a id="entrypoints-name-http-redirections-entrypoint-to" href="#entrypoints-name-http-redirections-entrypoint-to" title="#entrypoints-name-http-redirections-entrypoint-to">entrypoints._name_.http.redirections.entrypoint.to</a> | Targeted entry point of the redirection. | |
| <a id="entrypoints-name-http-sanitizepath" href="#entrypoints-name-http-sanitizepath" title="#entrypoints-name-http-sanitizepath">entrypoints._name_.http.sanitizepath</a> | Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences). | true |
| <a id="entrypoints-name-http-tls" href="#entrypoints-name-http-tls" title="#entrypoints-name-http-tls">entrypoints._name_.http.tls</a> | Default TLS configuration for the routers linked to the entry point. | false |
| <a id="entrypoints-name-http-tls-certresolver" href="#entrypoints-name-http-tls-certresolver" title="#entrypoints-name-http-tls-certresolver">entrypoints._name_.http.tls.certresolver</a> | Default certificate resolver for the routers linked to the entry point. | |
| <a id="entrypoints-name-http-tls-domains" href="#entrypoints-name-http-tls-domains" title="#entrypoints-name-http-tls-domains">entrypoints._name_.http.tls.domains</a> | Default TLS domains for the routers linked to the entry point. | |
| <a id="entrypoints-name-http-tls-domains0-main" href="#entrypoints-name-http-tls-domains0-main" title="#entrypoints-name-http-tls-domains0-main">entrypoints._name_.http.tls.domains[0].main</a> | Default subject name. | |
| <a id="entrypoints-name-http-tls-domains0-sans" href="#entrypoints-name-http-tls-domains0-sans" title="#entrypoints-name-http-tls-domains0-sans">entrypoints._name_.http.tls.domains[0].sans</a> | Subject alternative names. | |
| <a id="entrypoints-name-http-tls-options" href="#entrypoints-name-http-tls-options" title="#entrypoints-name-http-tls-options">entrypoints._name_.http.tls.options</a> | Default TLS options for the routers linked to the entry point. | |
| <a id="entrypoints-name-http2-maxconcurrentstreams" href="#entrypoints-name-http2-maxconcurrentstreams" title="#entrypoints-name-http2-maxconcurrentstreams">entrypoints._name_.http2.maxconcurrentstreams</a> | Specifies the number of concurrent streams per connection that each client is allowed to initiate. | 250 |
| <a id="entrypoints-name-http3" href="#entrypoints-name-http3" title="#entrypoints-name-http3">entrypoints._name_.http3</a> | HTTP/3 configuration. | false |
| <a id="entrypoints-name-http3-advertisedport" href="#entrypoints-name-http3-advertisedport" title="#entrypoints-name-http3-advertisedport">entrypoints._name_.http3.advertisedport</a> | UDP port to advertise, on which HTTP/3 is available. | 0 |
| <a id="entrypoints-name-observability-accesslogs" href="#entrypoints-name-observability-accesslogs" title="#entrypoints-name-observability-accesslogs">entrypoints._name_.observability.accesslogs</a> | Enables access-logs for this entryPoint. | true |
| <a id="entrypoints-name-observability-metrics" href="#entrypoints-name-observability-metrics" title="#entrypoints-name-observability-metrics">entrypoints._name_.observability.metrics</a> | Enables metrics for this entryPoint. | true |
| <a id="entrypoints-name-observability-traceverbosity" href="#entrypoints-name-observability-traceverbosity" title="#entrypoints-name-observability-traceverbosity">entrypoints._name_.observability.traceverbosity</a> | Defines the tracing verbosity level for this entryPoint. | minimal |
| <a id="entrypoints-name-observability-tracing" href="#entrypoints-name-observability-tracing" title="#entrypoints-name-observability-tracing">entrypoints._name_.observability.tracing</a> | Enables tracing for this entryPoint. | true |
| <a id="entrypoints-name-proxyprotocol" href="#entrypoints-name-proxyprotocol" title="#entrypoints-name-proxyprotocol">entrypoints._name_.proxyprotocol</a> | Proxy-Protocol configuration. | false |
| <a id="entrypoints-name-proxyprotocol-insecure" href="#entrypoints-name-proxyprotocol-insecure" title="#entrypoints-name-proxyprotocol-insecure">entrypoints._name_.proxyprotocol.insecure</a> | Trust all. | false |
| <a id="entrypoints-name-proxyprotocol-trustedips" href="#entrypoints-name-proxyprotocol-trustedips" title="#entrypoints-name-proxyprotocol-trustedips">entrypoints._name_.proxyprotocol.trustedips</a> | Trust only selected IPs. | |
| <a id="entrypoints-name-reuseport" href="#entrypoints-name-reuseport" title="#entrypoints-name-reuseport">entrypoints._name_.reuseport</a> | Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. | false |
| <a id="entrypoints-name-transport-keepalivemaxrequests" href="#entrypoints-name-transport-keepalivemaxrequests" title="#entrypoints-name-transport-keepalivemaxrequests">entrypoints._name_.transport.keepalivemaxrequests</a> | Maximum number of requests before closing a keep-alive connection. | 0 |
| <a id="entrypoints-name-transport-keepalivemaxtime" href="#entrypoints-name-transport-keepalivemaxtime" title="#entrypoints-name-transport-keepalivemaxtime">entrypoints._name_.transport.keepalivemaxtime</a> | Maximum duration before closing a keep-alive connection. | 0 |
| <a id="entrypoints-name-transport-lifecycle-gracetimeout" href="#entrypoints-name-transport-lifecycle-gracetimeout" title="#entrypoints-name-transport-lifecycle-gracetimeout">entrypoints._name_.transport.lifecycle.gracetimeout</a> | Duration to give active requests a chance to finish before Traefik stops. | 10 |
| <a id="entrypoints-name-transport-lifecycle-requestacceptgracetimeout" href="#entrypoints-name-transport-lifecycle-requestacceptgracetimeout" title="#entrypoints-name-transport-lifecycle-requestacceptgracetimeout">entrypoints._name_.transport.lifecycle.requestacceptgracetimeout</a> | Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. | 0 |
| <a id="entrypoints-name-transport-respondingtimeouts-idletimeout" href="#entrypoints-name-transport-respondingtimeouts-idletimeout" title="#entrypoints-name-transport-respondingtimeouts-idletimeout">entrypoints._name_.transport.respondingtimeouts.idletimeout</a> | IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. | 180 |
| <a id="entrypoints-name-transport-respondingtimeouts-readtimeout" href="#entrypoints-name-transport-respondingtimeouts-readtimeout" title="#entrypoints-name-transport-respondingtimeouts-readtimeout">entrypoints._name_.transport.respondingtimeouts.readtimeout</a> | ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. | 60 |
| <a id="entrypoints-name-transport-respondingtimeouts-writetimeout" href="#entrypoints-name-transport-respondingtimeouts-writetimeout" title="#entrypoints-name-transport-respondingtimeouts-writetimeout">entrypoints._name_.transport.respondingtimeouts.writetimeout</a> | WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. | 0 |
| <a id="entrypoints-name-udp-timeout" href="#entrypoints-name-udp-timeout" title="#entrypoints-name-udp-timeout">entrypoints._name_.udp.timeout</a> | Timeout defines how long to wait on an idle session before releasing the related resources. | 3 |
| <a id="experimental-abortonpluginfailure" href="#experimental-abortonpluginfailure" title="#experimental-abortonpluginfailure">experimental.abortonpluginfailure</a> | Defines whether all plugins must be loaded successfully for Traefik to start. | false |
| <a id="experimental-fastproxy" href="#experimental-fastproxy" title="#experimental-fastproxy">experimental.fastproxy</a> | Enables the FastProxy implementation. | false |
| <a id="experimental-fastproxy-debug" href="#experimental-fastproxy-debug" title="#experimental-fastproxy-debug">experimental.fastproxy.debug</a> | Enable debug mode for the FastProxy implementation. | false |
| <a id="experimental-kubernetesgateway" href="#experimental-kubernetesgateway" title="#experimental-kubernetesgateway">experimental.kubernetesgateway</a> | (Deprecated) Allow the Kubernetes gateway api provider usage. | false |
| <a id="experimental-kubernetesingressnginx" href="#experimental-kubernetesingressnginx" title="#experimental-kubernetesingressnginx">experimental.kubernetesingressnginx</a> | Allow the Kubernetes Ingress NGINX provider usage. | false |
| <a id="experimental-localplugins-name" href="#experimental-localplugins-name" title="#experimental-localplugins-name">experimental.localplugins._name_</a> | Local plugins configuration. | false |
| <a id="experimental-localplugins-name-modulename" href="#experimental-localplugins-name-modulename" title="#experimental-localplugins-name-modulename">experimental.localplugins._name_.modulename</a> | Plugin's module name. | |
| <a id="experimental-localplugins-name-settings" href="#experimental-localplugins-name-settings" title="#experimental-localplugins-name-settings">experimental.localplugins._name_.settings</a> | Plugin's settings (works only for wasm plugins). | |
| <a id="experimental-localplugins-name-settings-envs" href="#experimental-localplugins-name-settings-envs" title="#experimental-localplugins-name-settings-envs">experimental.localplugins._name_.settings.envs</a> | Environment variables to forward to the wasm guest. | |
| <a id="experimental-localplugins-name-settings-mounts" href="#experimental-localplugins-name-settings-mounts" title="#experimental-localplugins-name-settings-mounts">experimental.localplugins._name_.settings.mounts</a> | Directory to mount to the wasm guest. | |
| <a id="experimental-localplugins-name-settings-useunsafe" href="#experimental-localplugins-name-settings-useunsafe" title="#experimental-localplugins-name-settings-useunsafe">experimental.localplugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe package. | false |
| <a id="experimental-otlplogs" href="#experimental-otlplogs" title="#experimental-otlplogs">experimental.otlplogs</a> | Enables the OpenTelemetry logs integration. | false |
| <a id="experimental-plugins-name-modulename" href="#experimental-plugins-name-modulename" title="#experimental-plugins-name-modulename">experimental.plugins._name_.modulename</a> | plugin's module name. | |
| <a id="experimental-plugins-name-settings" href="#experimental-plugins-name-settings" title="#experimental-plugins-name-settings">experimental.plugins._name_.settings</a> | Plugin's settings (works only for wasm plugins). | |
| <a id="experimental-plugins-name-settings-envs" href="#experimental-plugins-name-settings-envs" title="#experimental-plugins-name-settings-envs">experimental.plugins._name_.settings.envs</a> | Environment variables to forward to the wasm guest. | |
| <a id="experimental-plugins-name-settings-mounts" href="#experimental-plugins-name-settings-mounts" title="#experimental-plugins-name-settings-mounts">experimental.plugins._name_.settings.mounts</a> | Directory to mount to the wasm guest. | |
| <a id="experimental-plugins-name-settings-useunsafe" href="#experimental-plugins-name-settings-useunsafe" title="#experimental-plugins-name-settings-useunsafe">experimental.plugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe package. | false |
| <a id="experimental-plugins-name-version" href="#experimental-plugins-name-version" title="#experimental-plugins-name-version">experimental.plugins._name_.version</a> | plugin's version. | |
| <a id="global-checknewversion" href="#global-checknewversion" title="#global-checknewversion">global.checknewversion</a> | Periodically check if a new version has been released. | true |
| <a id="global-sendanonymoususage" href="#global-sendanonymoususage" title="#global-sendanonymoususage">global.sendanonymoususage</a> | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
| <a id="hostresolver" href="#hostresolver" title="#hostresolver">hostresolver</a> | Enable CNAME Flattening. | false |
| <a id="hostresolver-cnameflattening" href="#hostresolver-cnameflattening" title="#hostresolver-cnameflattening">hostresolver.cnameflattening</a> | A flag to enable/disable CNAME flattening | false |
| <a id="hostresolver-resolvconfig" href="#hostresolver-resolvconfig" title="#hostresolver-resolvconfig">hostresolver.resolvconfig</a> | resolv.conf used for DNS resolving | /etc/resolv.conf |
| <a id="hostresolver-resolvdepth" href="#hostresolver-resolvdepth" title="#hostresolver-resolvdepth">hostresolver.resolvdepth</a> | The maximal depth of DNS recursive resolving | 5 |
| <a id="log" href="#log" title="#log">log</a> | Traefik log settings. | false |
| <a id="log-compress" href="#log-compress" title="#log-compress">log.compress</a> | Determines if the rotated log files should be compressed using gzip. | false |
| <a id="log-filepath" href="#log-filepath" title="#log-filepath">log.filepath</a> | Traefik log file path. Stdout is used when omitted or empty. | |
| <a id="log-format" href="#log-format" title="#log-format">log.format</a> | Traefik log format: json | common | common |
| <a id="log-level" href="#log-level" title="#log-level">log.level</a> | Log level set to traefik logs. | ERROR |
| <a id="log-maxage" href="#log-maxage" title="#log-maxage">log.maxage</a> | Maximum number of days to retain old log files based on the timestamp encoded in their filename. | 0 |
| <a id="log-maxbackups" href="#log-maxbackups" title="#log-maxbackups">log.maxbackups</a> | Maximum number of old log files to retain. | 0 |
| <a id="log-maxsize" href="#log-maxsize" title="#log-maxsize">log.maxsize</a> | Maximum size in megabytes of the log file before it gets rotated. | 0 |
| <a id="log-nocolor" href="#log-nocolor" title="#log-nocolor">log.nocolor</a> | When using the 'common' format, disables the colorized output. | false |
| <a id="log-otlp" href="#log-otlp" title="#log-otlp">log.otlp</a> | Settings for OpenTelemetry. | false |
| <a id="log-otlp-grpc" href="#log-otlp-grpc" title="#log-otlp-grpc">log.otlp.grpc</a> | gRPC configuration for the OpenTelemetry collector. | false |
| <a id="log-otlp-grpc-endpoint" href="#log-otlp-grpc-endpoint" title="#log-otlp-grpc-endpoint">log.otlp.grpc.endpoint</a> | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| <a id="log-otlp-grpc-headers-name" href="#log-otlp-grpc-headers-name" title="#log-otlp-grpc-headers-name">log.otlp.grpc.headers._name_</a> | Headers sent with payload. | |
| <a id="log-otlp-grpc-insecure" href="#log-otlp-grpc-insecure" title="#log-otlp-grpc-insecure">log.otlp.grpc.insecure</a> | Disables client transport security for the exporter. | false |
| <a id="log-otlp-grpc-tls-ca" href="#log-otlp-grpc-tls-ca" title="#log-otlp-grpc-tls-ca">log.otlp.grpc.tls.ca</a> | TLS CA | |
| <a id="log-otlp-grpc-tls-cert" href="#log-otlp-grpc-tls-cert" title="#log-otlp-grpc-tls-cert">log.otlp.grpc.tls.cert</a> | TLS cert | |
| <a id="log-otlp-grpc-tls-insecureskipverify" href="#log-otlp-grpc-tls-insecureskipverify" title="#log-otlp-grpc-tls-insecureskipverify">log.otlp.grpc.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="log-otlp-grpc-tls-key" href="#log-otlp-grpc-tls-key" title="#log-otlp-grpc-tls-key">log.otlp.grpc.tls.key</a> | TLS key | |
| <a id="log-otlp-http" href="#log-otlp-http" title="#log-otlp-http">log.otlp.http</a> | HTTP configuration for the OpenTelemetry collector. | false |
| <a id="log-otlp-http-endpoint" href="#log-otlp-http-endpoint" title="#log-otlp-http-endpoint">log.otlp.http.endpoint</a> | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| <a id="log-otlp-http-headers-name" href="#log-otlp-http-headers-name" title="#log-otlp-http-headers-name">log.otlp.http.headers._name_</a> | Headers sent with payload. | |
| <a id="log-otlp-http-tls-ca" href="#log-otlp-http-tls-ca" title="#log-otlp-http-tls-ca">log.otlp.http.tls.ca</a> | TLS CA | |
| <a id="log-otlp-http-tls-cert" href="#log-otlp-http-tls-cert" title="#log-otlp-http-tls-cert">log.otlp.http.tls.cert</a> | TLS cert | |
| <a id="log-otlp-http-tls-insecureskipverify" href="#log-otlp-http-tls-insecureskipverify" title="#log-otlp-http-tls-insecureskipverify">log.otlp.http.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="log-otlp-http-tls-key" href="#log-otlp-http-tls-key" title="#log-otlp-http-tls-key">log.otlp.http.tls.key</a> | TLS key | |
| <a id="log-otlp-resourceattributes-name" href="#log-otlp-resourceattributes-name" title="#log-otlp-resourceattributes-name">log.otlp.resourceattributes._name_</a> | Defines additional resource attributes (key:value). | |
| <a id="log-otlp-servicename" href="#log-otlp-servicename" title="#log-otlp-servicename">log.otlp.servicename</a> | Defines the service name resource attribute. | traefik |
| <a id="metrics-addinternals" href="#metrics-addinternals" title="#metrics-addinternals">metrics.addinternals</a> | Enables metrics for internal services (ping, dashboard, etc...). | false |
| <a id="metrics-datadog" href="#metrics-datadog" title="#metrics-datadog">metrics.datadog</a> | Datadog metrics exporter type. | false |
| <a id="metrics-datadog-addentrypointslabels" href="#metrics-datadog-addentrypointslabels" title="#metrics-datadog-addentrypointslabels">metrics.datadog.addentrypointslabels</a> | Enable metrics on entry points. | true |
| <a id="metrics-datadog-address" href="#metrics-datadog-address" title="#metrics-datadog-address">metrics.datadog.address</a> | Datadog's address. | localhost:8125 |
| <a id="metrics-datadog-addrouterslabels" href="#metrics-datadog-addrouterslabels" title="#metrics-datadog-addrouterslabels">metrics.datadog.addrouterslabels</a> | Enable metrics on routers. | false |
| <a id="metrics-datadog-addserviceslabels" href="#metrics-datadog-addserviceslabels" title="#metrics-datadog-addserviceslabels">metrics.datadog.addserviceslabels</a> | Enable metrics on services. | true |
| <a id="metrics-datadog-prefix" href="#metrics-datadog-prefix" title="#metrics-datadog-prefix">metrics.datadog.prefix</a> | Prefix to use for metrics collection. | traefik |
| <a id="metrics-datadog-pushinterval" href="#metrics-datadog-pushinterval" title="#metrics-datadog-pushinterval">metrics.datadog.pushinterval</a> | Datadog push interval. | 10 |
| <a id="metrics-influxdb2" href="#metrics-influxdb2" title="#metrics-influxdb2">metrics.influxdb2</a> | InfluxDB v2 metrics exporter type. | false |
| <a id="metrics-influxdb2-addentrypointslabels" href="#metrics-influxdb2-addentrypointslabels" title="#metrics-influxdb2-addentrypointslabels">metrics.influxdb2.addentrypointslabels</a> | Enable metrics on entry points. | true |
| <a id="metrics-influxdb2-additionallabels-name" href="#metrics-influxdb2-additionallabels-name" title="#metrics-influxdb2-additionallabels-name">metrics.influxdb2.additionallabels._name_</a> | Additional labels (influxdb tags) on all metrics | |
| <a id="metrics-influxdb2-address" href="#metrics-influxdb2-address" title="#metrics-influxdb2-address">metrics.influxdb2.address</a> | InfluxDB v2 address. | http://localhost:8086 |
| <a id="metrics-influxdb2-addrouterslabels" href="#metrics-influxdb2-addrouterslabels" title="#metrics-influxdb2-addrouterslabels">metrics.influxdb2.addrouterslabels</a> | Enable metrics on routers. | false |
| <a id="metrics-influxdb2-addserviceslabels" href="#metrics-influxdb2-addserviceslabels" title="#metrics-influxdb2-addserviceslabels">metrics.influxdb2.addserviceslabels</a> | Enable metrics on services. | true |
| <a id="metrics-influxdb2-bucket" href="#metrics-influxdb2-bucket" title="#metrics-influxdb2-bucket">metrics.influxdb2.bucket</a> | InfluxDB v2 bucket ID. | |
| <a id="metrics-influxdb2-org" href="#metrics-influxdb2-org" title="#metrics-influxdb2-org">metrics.influxdb2.org</a> | InfluxDB v2 org ID. | |
| <a id="metrics-influxdb2-pushinterval" href="#metrics-influxdb2-pushinterval" title="#metrics-influxdb2-pushinterval">metrics.influxdb2.pushinterval</a> | InfluxDB v2 push interval. | 10 |
| <a id="metrics-influxdb2-token" href="#metrics-influxdb2-token" title="#metrics-influxdb2-token">metrics.influxdb2.token</a> | InfluxDB v2 access token. | |
| <a id="metrics-otlp" href="#metrics-otlp" title="#metrics-otlp">metrics.otlp</a> | OpenTelemetry metrics exporter type. | false |
| <a id="metrics-otlp-addentrypointslabels" href="#metrics-otlp-addentrypointslabels" title="#metrics-otlp-addentrypointslabels">metrics.otlp.addentrypointslabels</a> | Enable metrics on entry points. | true |
| <a id="metrics-otlp-addrouterslabels" href="#metrics-otlp-addrouterslabels" title="#metrics-otlp-addrouterslabels">metrics.otlp.addrouterslabels</a> | Enable metrics on routers. | false |
| <a id="metrics-otlp-addserviceslabels" href="#metrics-otlp-addserviceslabels" title="#metrics-otlp-addserviceslabels">metrics.otlp.addserviceslabels</a> | Enable metrics on services. | true |
| <a id="metrics-otlp-explicitboundaries" href="#metrics-otlp-explicitboundaries" title="#metrics-otlp-explicitboundaries">metrics.otlp.explicitboundaries</a> | Boundaries for latency metrics. | 0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000 |
| <a id="metrics-otlp-grpc" href="#metrics-otlp-grpc" title="#metrics-otlp-grpc">metrics.otlp.grpc</a> | gRPC configuration for the OpenTelemetry collector. | false |
| <a id="metrics-otlp-grpc-endpoint" href="#metrics-otlp-grpc-endpoint" title="#metrics-otlp-grpc-endpoint">metrics.otlp.grpc.endpoint</a> | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| <a id="metrics-otlp-grpc-headers-name" href="#metrics-otlp-grpc-headers-name" title="#metrics-otlp-grpc-headers-name">metrics.otlp.grpc.headers._name_</a> | Headers sent with payload. | |
| <a id="metrics-otlp-grpc-insecure" href="#metrics-otlp-grpc-insecure" title="#metrics-otlp-grpc-insecure">metrics.otlp.grpc.insecure</a> | Disables client transport security for the exporter. | false |
| <a id="metrics-otlp-grpc-tls-ca" href="#metrics-otlp-grpc-tls-ca" title="#metrics-otlp-grpc-tls-ca">metrics.otlp.grpc.tls.ca</a> | TLS CA | |
| <a id="metrics-otlp-grpc-tls-cert" href="#metrics-otlp-grpc-tls-cert" title="#metrics-otlp-grpc-tls-cert">metrics.otlp.grpc.tls.cert</a> | TLS cert | |
| <a id="metrics-otlp-grpc-tls-insecureskipverify" href="#metrics-otlp-grpc-tls-insecureskipverify" title="#metrics-otlp-grpc-tls-insecureskipverify">metrics.otlp.grpc.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="metrics-otlp-grpc-tls-key" href="#metrics-otlp-grpc-tls-key" title="#metrics-otlp-grpc-tls-key">metrics.otlp.grpc.tls.key</a> | TLS key | |
| <a id="metrics-otlp-http" href="#metrics-otlp-http" title="#metrics-otlp-http">metrics.otlp.http</a> | HTTP configuration for the OpenTelemetry collector. | false |
| <a id="metrics-otlp-http-endpoint" href="#metrics-otlp-http-endpoint" title="#metrics-otlp-http-endpoint">metrics.otlp.http.endpoint</a> | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| <a id="metrics-otlp-http-headers-name" href="#metrics-otlp-http-headers-name" title="#metrics-otlp-http-headers-name">metrics.otlp.http.headers._name_</a> | Headers sent with payload. | |
| <a id="metrics-otlp-http-tls-ca" href="#metrics-otlp-http-tls-ca" title="#metrics-otlp-http-tls-ca">metrics.otlp.http.tls.ca</a> | TLS CA | |
| <a id="metrics-otlp-http-tls-cert" href="#metrics-otlp-http-tls-cert" title="#metrics-otlp-http-tls-cert">metrics.otlp.http.tls.cert</a> | TLS cert | |
| <a id="metrics-otlp-http-tls-insecureskipverify" href="#metrics-otlp-http-tls-insecureskipverify" title="#metrics-otlp-http-tls-insecureskipverify">metrics.otlp.http.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="metrics-otlp-http-tls-key" href="#metrics-otlp-http-tls-key" title="#metrics-otlp-http-tls-key">metrics.otlp.http.tls.key</a> | TLS key | |
| <a id="metrics-otlp-pushinterval" href="#metrics-otlp-pushinterval" title="#metrics-otlp-pushinterval">metrics.otlp.pushinterval</a> | Period between calls to collect a checkpoint. | 10 |
| <a id="metrics-otlp-resourceattributes-name" href="#metrics-otlp-resourceattributes-name" title="#metrics-otlp-resourceattributes-name">metrics.otlp.resourceattributes._name_</a> | Defines additional resource attributes (key:value). | |
| <a id="metrics-otlp-servicename" href="#metrics-otlp-servicename" title="#metrics-otlp-servicename">metrics.otlp.servicename</a> | Defines the service name resource attribute. | traefik |
| <a id="metrics-prometheus" href="#metrics-prometheus" title="#metrics-prometheus">metrics.prometheus</a> | Prometheus metrics exporter type. | false |
| <a id="metrics-prometheus-addentrypointslabels" href="#metrics-prometheus-addentrypointslabels" title="#metrics-prometheus-addentrypointslabels">metrics.prometheus.addentrypointslabels</a> | Enable metrics on entry points. | true |
| <a id="metrics-prometheus-addrouterslabels" href="#metrics-prometheus-addrouterslabels" title="#metrics-prometheus-addrouterslabels">metrics.prometheus.addrouterslabels</a> | Enable metrics on routers. | false |
| <a id="metrics-prometheus-addserviceslabels" href="#metrics-prometheus-addserviceslabels" title="#metrics-prometheus-addserviceslabels">metrics.prometheus.addserviceslabels</a> | Enable metrics on services. | true |
| <a id="metrics-prometheus-buckets" href="#metrics-prometheus-buckets" title="#metrics-prometheus-buckets">metrics.prometheus.buckets</a> | Buckets for latency metrics. | 0.100000, 0.300000, 1.200000, 5.000000 |
| <a id="metrics-prometheus-entrypoint" href="#metrics-prometheus-entrypoint" title="#metrics-prometheus-entrypoint">metrics.prometheus.entrypoint</a> | EntryPoint | traefik |
| <a id="metrics-prometheus-headerlabels-name" href="#metrics-prometheus-headerlabels-name" title="#metrics-prometheus-headerlabels-name">metrics.prometheus.headerlabels._name_</a> | Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label. | |
| <a id="metrics-prometheus-manualrouting" href="#metrics-prometheus-manualrouting" title="#metrics-prometheus-manualrouting">metrics.prometheus.manualrouting</a> | Manual routing | false |
| <a id="metrics-statsd" href="#metrics-statsd" title="#metrics-statsd">metrics.statsd</a> | StatsD metrics exporter type. | false |
| <a id="metrics-statsd-addentrypointslabels" href="#metrics-statsd-addentrypointslabels" title="#metrics-statsd-addentrypointslabels">metrics.statsd.addentrypointslabels</a> | Enable metrics on entry points. | true |
| <a id="metrics-statsd-address" href="#metrics-statsd-address" title="#metrics-statsd-address">metrics.statsd.address</a> | StatsD address. | localhost:8125 |
| <a id="metrics-statsd-addrouterslabels" href="#metrics-statsd-addrouterslabels" title="#metrics-statsd-addrouterslabels">metrics.statsd.addrouterslabels</a> | Enable metrics on routers. | false |
| <a id="metrics-statsd-addserviceslabels" href="#metrics-statsd-addserviceslabels" title="#metrics-statsd-addserviceslabels">metrics.statsd.addserviceslabels</a> | Enable metrics on services. | true |
| <a id="metrics-statsd-prefix" href="#metrics-statsd-prefix" title="#metrics-statsd-prefix">metrics.statsd.prefix</a> | Prefix to use for metrics collection. | traefik |
| <a id="metrics-statsd-pushinterval" href="#metrics-statsd-pushinterval" title="#metrics-statsd-pushinterval">metrics.statsd.pushinterval</a> | StatsD push interval. | 10 |
| <a id="ocsp" href="#ocsp" title="#ocsp">ocsp</a> | OCSP configuration. | false |
| <a id="ocsp-responderoverrides-name" href="#ocsp-responderoverrides-name" title="#ocsp-responderoverrides-name">ocsp.responderoverrides._name_</a> | Defines a map of OCSP responders to replace for querying OCSP servers. | |
| <a id="ping" href="#ping" title="#ping">ping</a> | Enable ping. | false |
| <a id="ping-entrypoint" href="#ping-entrypoint" title="#ping-entrypoint">ping.entrypoint</a> | EntryPoint | traefik |
| <a id="ping-manualrouting" href="#ping-manualrouting" title="#ping-manualrouting">ping.manualrouting</a> | Manual routing | false |
| <a id="ping-terminatingstatuscode" href="#ping-terminatingstatuscode" title="#ping-terminatingstatuscode">ping.terminatingstatuscode</a> | Terminating status code | 503 |
| <a id="providers-consul" href="#providers-consul" title="#providers-consul">providers.consul</a> | Enable Consul backend with default settings. | false |
| <a id="providers-consul-endpoints" href="#providers-consul-endpoints" title="#providers-consul-endpoints">providers.consul.endpoints</a> | KV store endpoints. | 127.0.0.1:8500 |
| <a id="providers-consul-namespaces" href="#providers-consul-namespaces" title="#providers-consul-namespaces">providers.consul.namespaces</a> | Sets the namespaces used to discover the configuration (Consul Enterprise only). | |
| <a id="providers-consul-rootkey" href="#providers-consul-rootkey" title="#providers-consul-rootkey">providers.consul.rootkey</a> | Root key used for KV store. | traefik |
| <a id="providers-consul-tls-ca" href="#providers-consul-tls-ca" title="#providers-consul-tls-ca">providers.consul.tls.ca</a> | TLS CA | |
| <a id="providers-consul-tls-cert" href="#providers-consul-tls-cert" title="#providers-consul-tls-cert">providers.consul.tls.cert</a> | TLS cert | |
| <a id="providers-consul-tls-insecureskipverify" href="#providers-consul-tls-insecureskipverify" title="#providers-consul-tls-insecureskipverify">providers.consul.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-consul-tls-key" href="#providers-consul-tls-key" title="#providers-consul-tls-key">providers.consul.tls.key</a> | TLS key | |
| <a id="providers-consul-token" href="#providers-consul-token" title="#providers-consul-token">providers.consul.token</a> | Per-request ACL token. | |
| <a id="providers-consulcatalog" href="#providers-consulcatalog" title="#providers-consulcatalog">providers.consulcatalog</a> | Enable ConsulCatalog backend with default settings. | false |
| <a id="providers-consulcatalog-cache" href="#providers-consulcatalog-cache" title="#providers-consulcatalog-cache">providers.consulcatalog.cache</a> | Use local agent caching for catalog reads. | false |
| <a id="providers-consulcatalog-connectaware" href="#providers-consulcatalog-connectaware" title="#providers-consulcatalog-connectaware">providers.consulcatalog.connectaware</a> | Enable Consul Connect support. | false |
| <a id="providers-consulcatalog-connectbydefault" href="#providers-consulcatalog-connectbydefault" title="#providers-consulcatalog-connectbydefault">providers.consulcatalog.connectbydefault</a> | Consider every service as Connect capable by default. | false |
| <a id="providers-consulcatalog-constraints" href="#providers-consulcatalog-constraints" title="#providers-consulcatalog-constraints">providers.consulcatalog.constraints</a> | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| <a id="providers-consulcatalog-defaultrule" href="#providers-consulcatalog-defaultrule" title="#providers-consulcatalog-defaultrule">providers.consulcatalog.defaultrule</a> | Default rule. | Host(`{{ normalize .Name }}`) |
| <a id="providers-consulcatalog-endpoint-address" href="#providers-consulcatalog-endpoint-address" title="#providers-consulcatalog-endpoint-address">providers.consulcatalog.endpoint.address</a> | The address of the Consul server | |
| <a id="providers-consulcatalog-endpoint-datacenter" href="#providers-consulcatalog-endpoint-datacenter" title="#providers-consulcatalog-endpoint-datacenter">providers.consulcatalog.endpoint.datacenter</a> | Data center to use. If not provided, the default agent data center is used | |
| <a id="providers-consulcatalog-endpoint-endpointwaittime" href="#providers-consulcatalog-endpoint-endpointwaittime" title="#providers-consulcatalog-endpoint-endpointwaittime">providers.consulcatalog.endpoint.endpointwaittime</a> | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
| <a id="providers-consulcatalog-endpoint-httpauth-password" href="#providers-consulcatalog-endpoint-httpauth-password" title="#providers-consulcatalog-endpoint-httpauth-password">providers.consulcatalog.endpoint.httpauth.password</a> | Basic Auth password | |
| <a id="providers-consulcatalog-endpoint-httpauth-username" href="#providers-consulcatalog-endpoint-httpauth-username" title="#providers-consulcatalog-endpoint-httpauth-username">providers.consulcatalog.endpoint.httpauth.username</a> | Basic Auth username | |
| <a id="providers-consulcatalog-endpoint-scheme" href="#providers-consulcatalog-endpoint-scheme" title="#providers-consulcatalog-endpoint-scheme">providers.consulcatalog.endpoint.scheme</a> | The URI scheme for the Consul server | |
| <a id="providers-consulcatalog-endpoint-tls-ca" href="#providers-consulcatalog-endpoint-tls-ca" title="#providers-consulcatalog-endpoint-tls-ca">providers.consulcatalog.endpoint.tls.ca</a> | TLS CA | |
| <a id="providers-consulcatalog-endpoint-tls-cert" href="#providers-consulcatalog-endpoint-tls-cert" title="#providers-consulcatalog-endpoint-tls-cert">providers.consulcatalog.endpoint.tls.cert</a> | TLS cert | |
| <a id="providers-consulcatalog-endpoint-tls-insecureskipverify" href="#providers-consulcatalog-endpoint-tls-insecureskipverify" title="#providers-consulcatalog-endpoint-tls-insecureskipverify">providers.consulcatalog.endpoint.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-consulcatalog-endpoint-tls-key" href="#providers-consulcatalog-endpoint-tls-key" title="#providers-consulcatalog-endpoint-tls-key">providers.consulcatalog.endpoint.tls.key</a> | TLS key | |
| <a id="providers-consulcatalog-endpoint-token" href="#providers-consulcatalog-endpoint-token" title="#providers-consulcatalog-endpoint-token">providers.consulcatalog.endpoint.token</a> | Token is used to provide a per-request ACL token which overrides the agent's default token | |
| <a id="providers-consulcatalog-exposedbydefault" href="#providers-consulcatalog-exposedbydefault" title="#providers-consulcatalog-exposedbydefault">providers.consulcatalog.exposedbydefault</a> | Expose containers by default. | true |
| <a id="providers-consulcatalog-namespaces" href="#providers-consulcatalog-namespaces" title="#providers-consulcatalog-namespaces">providers.consulcatalog.namespaces</a> | Sets the namespaces used to discover services (Consul Enterprise only). | |
| <a id="providers-consulcatalog-prefix" href="#providers-consulcatalog-prefix" title="#providers-consulcatalog-prefix">providers.consulcatalog.prefix</a> | Prefix for consul service tags. | traefik |
| <a id="providers-consulcatalog-refreshinterval" href="#providers-consulcatalog-refreshinterval" title="#providers-consulcatalog-refreshinterval">providers.consulcatalog.refreshinterval</a> | Interval for check Consul API. | 15 |
| <a id="providers-consulcatalog-requireconsistent" href="#providers-consulcatalog-requireconsistent" title="#providers-consulcatalog-requireconsistent">providers.consulcatalog.requireconsistent</a> | Forces the read to be fully consistent. | false |
| <a id="providers-consulcatalog-servicename" href="#providers-consulcatalog-servicename" title="#providers-consulcatalog-servicename">providers.consulcatalog.servicename</a> | Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). | traefik |
| <a id="providers-consulcatalog-stale" href="#providers-consulcatalog-stale" title="#providers-consulcatalog-stale">providers.consulcatalog.stale</a> | Use stale consistency for catalog reads. | false |
| <a id="providers-consulcatalog-strictchecks" href="#providers-consulcatalog-strictchecks" title="#providers-consulcatalog-strictchecks">providers.consulcatalog.strictchecks</a> | A list of service health statuses to allow taking traffic. | passing, warning |
| <a id="providers-consulcatalog-watch" href="#providers-consulcatalog-watch" title="#providers-consulcatalog-watch">providers.consulcatalog.watch</a> | Watch Consul API events. | false |
| <a id="providers-docker" href="#providers-docker" title="#providers-docker">providers.docker</a> | Enable Docker backend with default settings. | false |
| <a id="providers-docker-allowemptyservices" href="#providers-docker-allowemptyservices" title="#providers-docker-allowemptyservices">providers.docker.allowemptyservices</a> | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
| <a id="providers-docker-constraints" href="#providers-docker-constraints" title="#providers-docker-constraints">providers.docker.constraints</a> | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| <a id="providers-docker-defaultrule" href="#providers-docker-defaultrule" title="#providers-docker-defaultrule">providers.docker.defaultrule</a> | Default rule. | Host(`{{ normalize .Name }}`) |
| <a id="providers-docker-endpoint" href="#providers-docker-endpoint" title="#providers-docker-endpoint">providers.docker.endpoint</a> | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
| <a id="providers-docker-exposedbydefault" href="#providers-docker-exposedbydefault" title="#providers-docker-exposedbydefault">providers.docker.exposedbydefault</a> | Expose containers by default. | true |
| <a id="providers-docker-httpclienttimeout" href="#providers-docker-httpclienttimeout" title="#providers-docker-httpclienttimeout">providers.docker.httpclienttimeout</a> | Client timeout for HTTP connections. | 0 |
| <a id="providers-docker-network" href="#providers-docker-network" title="#providers-docker-network">providers.docker.network</a> | Default Docker network used. | |
| <a id="providers-docker-password" href="#providers-docker-password" title="#providers-docker-password">providers.docker.password</a> | Password for Basic HTTP authentication. | |
| <a id="providers-docker-tls-ca" href="#providers-docker-tls-ca" title="#providers-docker-tls-ca">providers.docker.tls.ca</a> | TLS CA | |
| <a id="providers-docker-tls-cert" href="#providers-docker-tls-cert" title="#providers-docker-tls-cert">providers.docker.tls.cert</a> | TLS cert | |
| <a id="providers-docker-tls-insecureskipverify" href="#providers-docker-tls-insecureskipverify" title="#providers-docker-tls-insecureskipverify">providers.docker.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-docker-tls-key" href="#providers-docker-tls-key" title="#providers-docker-tls-key">providers.docker.tls.key</a> | TLS key | |
| <a id="providers-docker-usebindportip" href="#providers-docker-usebindportip" title="#providers-docker-usebindportip">providers.docker.usebindportip</a> | Use the ip address from the bound port, rather than from the inner network. | false |
| <a id="providers-docker-username" href="#providers-docker-username" title="#providers-docker-username">providers.docker.username</a> | Username for Basic HTTP authentication. | |
| <a id="providers-docker-watch" href="#providers-docker-watch" title="#providers-docker-watch">providers.docker.watch</a> | Watch Docker events. | true |
| <a id="providers-ecs" href="#providers-ecs" title="#providers-ecs">providers.ecs</a> | Enable AWS ECS backend with default settings. | false |
| <a id="providers-ecs-accesskeyid" href="#providers-ecs-accesskeyid" title="#providers-ecs-accesskeyid">providers.ecs.accesskeyid</a> | AWS credentials access key ID to use for making requests. | |
| <a id="providers-ecs-autodiscoverclusters" href="#providers-ecs-autodiscoverclusters" title="#providers-ecs-autodiscoverclusters">providers.ecs.autodiscoverclusters</a> | Auto discover cluster. | false |
| <a id="providers-ecs-clusters" href="#providers-ecs-clusters" title="#providers-ecs-clusters">providers.ecs.clusters</a> | ECS Cluster names. | default |
| <a id="providers-ecs-constraints" href="#providers-ecs-constraints" title="#providers-ecs-constraints">providers.ecs.constraints</a> | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| <a id="providers-ecs-defaultrule" href="#providers-ecs-defaultrule" title="#providers-ecs-defaultrule">providers.ecs.defaultrule</a> | Default rule. | Host(`{{ normalize .Name }}`) |
| <a id="providers-ecs-ecsanywhere" href="#providers-ecs-ecsanywhere" title="#providers-ecs-ecsanywhere">providers.ecs.ecsanywhere</a> | Enable ECS Anywhere support. | false |
| <a id="providers-ecs-exposedbydefault" href="#providers-ecs-exposedbydefault" title="#providers-ecs-exposedbydefault">providers.ecs.exposedbydefault</a> | Expose services by default. | true |
| <a id="providers-ecs-healthytasksonly" href="#providers-ecs-healthytasksonly" title="#providers-ecs-healthytasksonly">providers.ecs.healthytasksonly</a> | Determines whether to discover only healthy tasks. | false |
| <a id="providers-ecs-refreshseconds" href="#providers-ecs-refreshseconds" title="#providers-ecs-refreshseconds">providers.ecs.refreshseconds</a> | Polling interval (in seconds). | 15 |
| <a id="providers-ecs-region" href="#providers-ecs-region" title="#providers-ecs-region">providers.ecs.region</a> | AWS region to use for requests. | |
| <a id="providers-ecs-secretaccesskey" href="#providers-ecs-secretaccesskey" title="#providers-ecs-secretaccesskey">providers.ecs.secretaccesskey</a> | AWS credentials access key to use for making requests. | |
| <a id="providers-etcd" href="#providers-etcd" title="#providers-etcd">providers.etcd</a> | Enable Etcd backend with default settings. | false |
| <a id="providers-etcd-endpoints" href="#providers-etcd-endpoints" title="#providers-etcd-endpoints">providers.etcd.endpoints</a> | KV store endpoints. | 127.0.0.1:2379 |
| <a id="providers-etcd-password" href="#providers-etcd-password" title="#providers-etcd-password">providers.etcd.password</a> | Password for authentication. | |
| <a id="providers-etcd-rootkey" href="#providers-etcd-rootkey" title="#providers-etcd-rootkey">providers.etcd.rootkey</a> | Root key used for KV store. | traefik |
| <a id="providers-etcd-tls-ca" href="#providers-etcd-tls-ca" title="#providers-etcd-tls-ca">providers.etcd.tls.ca</a> | TLS CA | |
| <a id="providers-etcd-tls-cert" href="#providers-etcd-tls-cert" title="#providers-etcd-tls-cert">providers.etcd.tls.cert</a> | TLS cert | |
| <a id="providers-etcd-tls-insecureskipverify" href="#providers-etcd-tls-insecureskipverify" title="#providers-etcd-tls-insecureskipverify">providers.etcd.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-etcd-tls-key" href="#providers-etcd-tls-key" title="#providers-etcd-tls-key">providers.etcd.tls.key</a> | TLS key | |
| <a id="providers-etcd-username" href="#providers-etcd-username" title="#providers-etcd-username">providers.etcd.username</a> | Username for authentication. | |
| <a id="providers-file-debugloggeneratedtemplate" href="#providers-file-debugloggeneratedtemplate" title="#providers-file-debugloggeneratedtemplate">providers.file.debugloggeneratedtemplate</a> | Enable debug logging of generated configuration template. | false |
| <a id="providers-file-directory" href="#providers-file-directory" title="#providers-file-directory">providers.file.directory</a> | Load dynamic configuration from one or more .yml or .toml files in a directory. | |
| <a id="providers-file-filename" href="#providers-file-filename" title="#providers-file-filename">providers.file.filename</a> | Load dynamic configuration from a file. | |
| <a id="providers-file-watch" href="#providers-file-watch" title="#providers-file-watch">providers.file.watch</a> | Watch provider. | true |
| <a id="providers-http" href="#providers-http" title="#providers-http">providers.http</a> | Enable HTTP backend with default settings. | false |
| <a id="providers-http-endpoint" href="#providers-http-endpoint" title="#providers-http-endpoint">providers.http.endpoint</a> | Load configuration from this endpoint. | |
| <a id="providers-http-headers-name" href="#providers-http-headers-name" title="#providers-http-headers-name">providers.http.headers._name_</a> | Define custom headers to be sent to the endpoint. | |
| <a id="providers-http-pollinterval" href="#providers-http-pollinterval" title="#providers-http-pollinterval">providers.http.pollinterval</a> | Polling interval for endpoint. | 5 |
| <a id="providers-http-polltimeout" href="#providers-http-polltimeout" title="#providers-http-polltimeout">providers.http.polltimeout</a> | Polling timeout for endpoint. | 5 |
| <a id="providers-http-tls-ca" href="#providers-http-tls-ca" title="#providers-http-tls-ca">providers.http.tls.ca</a> | TLS CA | |
| <a id="providers-http-tls-cert" href="#providers-http-tls-cert" title="#providers-http-tls-cert">providers.http.tls.cert</a> | TLS cert | |
| <a id="providers-http-tls-insecureskipverify" href="#providers-http-tls-insecureskipverify" title="#providers-http-tls-insecureskipverify">providers.http.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-http-tls-key" href="#providers-http-tls-key" title="#providers-http-tls-key">providers.http.tls.key</a> | TLS key | |
| <a id="providers-kubernetescrd" href="#providers-kubernetescrd" title="#providers-kubernetescrd">providers.kubernetescrd</a> | Enable Kubernetes backend with default settings. | false |
| <a id="providers-kubernetescrd-allowcrossnamespace" href="#providers-kubernetescrd-allowcrossnamespace" title="#providers-kubernetescrd-allowcrossnamespace">providers.kubernetescrd.allowcrossnamespace</a> | Allow cross namespace resource reference. | false |
| <a id="providers-kubernetescrd-allowemptyservices" href="#providers-kubernetescrd-allowemptyservices" title="#providers-kubernetescrd-allowemptyservices">providers.kubernetescrd.allowemptyservices</a> | Allow the creation of services without endpoints. | false |
| <a id="providers-kubernetescrd-allowexternalnameservices" href="#providers-kubernetescrd-allowexternalnameservices" title="#providers-kubernetescrd-allowexternalnameservices">providers.kubernetescrd.allowexternalnameservices</a> | Allow ExternalName services. | false |
| <a id="providers-kubernetescrd-certauthfilepath" href="#providers-kubernetescrd-certauthfilepath" title="#providers-kubernetescrd-certauthfilepath">providers.kubernetescrd.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| <a id="providers-kubernetescrd-disableclusterscoperesources" href="#providers-kubernetescrd-disableclusterscoperesources" title="#providers-kubernetescrd-disableclusterscoperesources">providers.kubernetescrd.disableclusterscoperesources</a> | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
| <a id="providers-kubernetescrd-endpoint" href="#providers-kubernetescrd-endpoint" title="#providers-kubernetescrd-endpoint">providers.kubernetescrd.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
| <a id="providers-kubernetescrd-ingressclass" href="#providers-kubernetescrd-ingressclass" title="#providers-kubernetescrd-ingressclass">providers.kubernetescrd.ingressclass</a> | Value of kubernetes.io/ingress.class annotation to watch for. | |
| <a id="providers-kubernetescrd-labelselector" href="#providers-kubernetescrd-labelselector" title="#providers-kubernetescrd-labelselector">providers.kubernetescrd.labelselector</a> | Kubernetes label selector to use. | |
| <a id="providers-kubernetescrd-namespaces" href="#providers-kubernetescrd-namespaces" title="#providers-kubernetescrd-namespaces">providers.kubernetescrd.namespaces</a> | Kubernetes namespaces. | |
| <a id="providers-kubernetescrd-nativelbbydefault" href="#providers-kubernetescrd-nativelbbydefault" title="#providers-kubernetescrd-nativelbbydefault">providers.kubernetescrd.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
| <a id="providers-kubernetescrd-throttleduration" href="#providers-kubernetescrd-throttleduration" title="#providers-kubernetescrd-throttleduration">providers.kubernetescrd.throttleduration</a> | Ingress refresh throttle duration | 0 |
| <a id="providers-kubernetescrd-token" href="#providers-kubernetescrd-token" title="#providers-kubernetescrd-token">providers.kubernetescrd.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| <a id="providers-kubernetesgateway" href="#providers-kubernetesgateway" title="#providers-kubernetesgateway">providers.kubernetesgateway</a> | Enable Kubernetes gateway api provider with default settings. | false |
| <a id="providers-kubernetesgateway-certauthfilepath" href="#providers-kubernetesgateway-certauthfilepath" title="#providers-kubernetesgateway-certauthfilepath">providers.kubernetesgateway.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| <a id="providers-kubernetesgateway-endpoint" href="#providers-kubernetesgateway-endpoint" title="#providers-kubernetesgateway-endpoint">providers.kubernetesgateway.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
| <a id="providers-kubernetesgateway-experimentalchannel" href="#providers-kubernetesgateway-experimentalchannel" title="#providers-kubernetesgateway-experimentalchannel">providers.kubernetesgateway.experimentalchannel</a> | Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). | false |
| <a id="providers-kubernetesgateway-labelselector" href="#providers-kubernetesgateway-labelselector" title="#providers-kubernetesgateway-labelselector">providers.kubernetesgateway.labelselector</a> | Kubernetes label selector to select specific GatewayClasses. | |
| <a id="providers-kubernetesgateway-namespaces" href="#providers-kubernetesgateway-namespaces" title="#providers-kubernetesgateway-namespaces">providers.kubernetesgateway.namespaces</a> | Kubernetes namespaces. | |
| <a id="providers-kubernetesgateway-nativelbbydefault" href="#providers-kubernetesgateway-nativelbbydefault" title="#providers-kubernetesgateway-nativelbbydefault">providers.kubernetesgateway.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing by default. | false |
| <a id="providers-kubernetesgateway-statusaddress-hostname" href="#providers-kubernetesgateway-statusaddress-hostname" title="#providers-kubernetesgateway-statusaddress-hostname">providers.kubernetesgateway.statusaddress.hostname</a> | Hostname used for Kubernetes Gateway status address. | |
| <a id="providers-kubernetesgateway-statusaddress-ip" href="#providers-kubernetesgateway-statusaddress-ip" title="#providers-kubernetesgateway-statusaddress-ip">providers.kubernetesgateway.statusaddress.ip</a> | IP used to set Kubernetes Gateway status address. | |
| <a id="providers-kubernetesgateway-statusaddress-service" href="#providers-kubernetesgateway-statusaddress-service" title="#providers-kubernetesgateway-statusaddress-service">providers.kubernetesgateway.statusaddress.service</a> | Published Kubernetes Service to copy status addresses from. | |
| <a id="providers-kubernetesgateway-statusaddress-service-name" href="#providers-kubernetesgateway-statusaddress-service-name" title="#providers-kubernetesgateway-statusaddress-service-name">providers.kubernetesgateway.statusaddress.service.name</a> | Name of the Kubernetes service. | |
| <a id="providers-kubernetesgateway-statusaddress-service-namespace" href="#providers-kubernetesgateway-statusaddress-service-namespace" title="#providers-kubernetesgateway-statusaddress-service-namespace">providers.kubernetesgateway.statusaddress.service.namespace</a> | Namespace of the Kubernetes service. | |
| <a id="providers-kubernetesgateway-throttleduration" href="#providers-kubernetesgateway-throttleduration" title="#providers-kubernetesgateway-throttleduration">providers.kubernetesgateway.throttleduration</a> | Kubernetes refresh throttle duration | 0 |
| <a id="providers-kubernetesgateway-token" href="#providers-kubernetesgateway-token" title="#providers-kubernetesgateway-token">providers.kubernetesgateway.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| <a id="providers-kubernetesingress" href="#providers-kubernetesingress" title="#providers-kubernetesingress">providers.kubernetesingress</a> | Enable Kubernetes backend with default settings. | false |
| <a id="providers-kubernetesingress-allowemptyservices" href="#providers-kubernetesingress-allowemptyservices" title="#providers-kubernetesingress-allowemptyservices">providers.kubernetesingress.allowemptyservices</a> | Allow creation of services without endpoints. | false |
| <a id="providers-kubernetesingress-allowexternalnameservices" href="#providers-kubernetesingress-allowexternalnameservices" title="#providers-kubernetesingress-allowexternalnameservices">providers.kubernetesingress.allowexternalnameservices</a> | Allow ExternalName services. | false |
| <a id="providers-kubernetesingress-certauthfilepath" href="#providers-kubernetesingress-certauthfilepath" title="#providers-kubernetesingress-certauthfilepath">providers.kubernetesingress.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| <a id="providers-kubernetesingress-disableclusterscoperesources" href="#providers-kubernetesingress-disableclusterscoperesources" title="#providers-kubernetesingress-disableclusterscoperesources">providers.kubernetesingress.disableclusterscoperesources</a> | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
| <a id="providers-kubernetesingress-disableingressclasslookup" href="#providers-kubernetesingress-disableingressclasslookup" title="#providers-kubernetesingress-disableingressclasslookup">providers.kubernetesingress.disableingressclasslookup</a> | Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). | false |
| <a id="providers-kubernetesingress-endpoint" href="#providers-kubernetesingress-endpoint" title="#providers-kubernetesingress-endpoint">providers.kubernetesingress.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
| <a id="providers-kubernetesingress-ingressclass" href="#providers-kubernetesingress-ingressclass" title="#providers-kubernetesingress-ingressclass">providers.kubernetesingress.ingressclass</a> | Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for. | |
| <a id="providers-kubernetesingress-ingressendpoint-hostname" href="#providers-kubernetesingress-ingressendpoint-hostname" title="#providers-kubernetesingress-ingressendpoint-hostname">providers.kubernetesingress.ingressendpoint.hostname</a> | Hostname used for Kubernetes Ingress endpoints. | |
| <a id="providers-kubernetesingress-ingressendpoint-ip" href="#providers-kubernetesingress-ingressendpoint-ip" title="#providers-kubernetesingress-ingressendpoint-ip">providers.kubernetesingress.ingressendpoint.ip</a> | IP used for Kubernetes Ingress endpoints. | |
| <a id="providers-kubernetesingress-ingressendpoint-publishedservice" href="#providers-kubernetesingress-ingressendpoint-publishedservice" title="#providers-kubernetesingress-ingressendpoint-publishedservice">providers.kubernetesingress.ingressendpoint.publishedservice</a> | Published Kubernetes Service to copy status from. | |
| <a id="providers-kubernetesingress-labelselector" href="#providers-kubernetesingress-labelselector" title="#providers-kubernetesingress-labelselector">providers.kubernetesingress.labelselector</a> | Kubernetes Ingress label selector to use. | |
| <a id="providers-kubernetesingress-namespaces" href="#providers-kubernetesingress-namespaces" title="#providers-kubernetesingress-namespaces">providers.kubernetesingress.namespaces</a> | Kubernetes namespaces. | |
| <a id="providers-kubernetesingress-nativelbbydefault" href="#providers-kubernetesingress-nativelbbydefault" title="#providers-kubernetesingress-nativelbbydefault">providers.kubernetesingress.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
| <a id="providers-kubernetesingress-strictprefixmatching" href="#providers-kubernetesingress-strictprefixmatching" title="#providers-kubernetesingress-strictprefixmatching">providers.kubernetesingress.strictprefixmatching</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). | false |
| <a id="providers-kubernetesingress-throttleduration" href="#providers-kubernetesingress-throttleduration" title="#providers-kubernetesingress-throttleduration">providers.kubernetesingress.throttleduration</a> | Ingress refresh throttle duration | 0 |
| <a id="providers-kubernetesingress-token" href="#providers-kubernetesingress-token" title="#providers-kubernetesingress-token">providers.kubernetesingress.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| <a id="providers-kubernetesingressnginx" href="#providers-kubernetesingressnginx" title="#providers-kubernetesingressnginx">providers.kubernetesingressnginx</a> | Enable Kubernetes Ingress NGINX provider. | false |
| <a id="providers-kubernetesingressnginx-certauthfilepath" href="#providers-kubernetesingressnginx-certauthfilepath" title="#providers-kubernetesingressnginx-certauthfilepath">providers.kubernetesingressnginx.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
| <a id="providers-kubernetesingressnginx-controllerclass" href="#providers-kubernetesingressnginx-controllerclass" title="#providers-kubernetesingressnginx-controllerclass">providers.kubernetesingressnginx.controllerclass</a> | Ingress Class Controller value this controller satisfies. | k8s.io/ingress-nginx |
| <a id="providers-kubernetesingressnginx-defaultbackendservice" href="#providers-kubernetesingressnginx-defaultbackendservice" title="#providers-kubernetesingressnginx-defaultbackendservice">providers.kubernetesingressnginx.defaultbackendservice</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | |
| <a id="providers-kubernetesingressnginx-disablesvcexternalname" href="#providers-kubernetesingressnginx-disablesvcexternalname" title="#providers-kubernetesingressnginx-disablesvcexternalname">providers.kubernetesingressnginx.disablesvcexternalname</a> | Disable support for Services of type ExternalName. | false |
| <a id="providers-kubernetesingressnginx-endpoint" href="#providers-kubernetesingressnginx-endpoint" title="#providers-kubernetesingressnginx-endpoint">providers.kubernetesingressnginx.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
| <a id="providers-kubernetesingressnginx-ingressclass" href="#providers-kubernetesingressnginx-ingressclass" title="#providers-kubernetesingressnginx-ingressclass">providers.kubernetesingressnginx.ingressclass</a> | Name of the ingress class this controller satisfies. | nginx |
| <a id="providers-kubernetesingressnginx-ingressclassbyname" href="#providers-kubernetesingressnginx-ingressclassbyname" title="#providers-kubernetesingressnginx-ingressclassbyname">providers.kubernetesingressnginx.ingressclassbyname</a> | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false |
| <a id="providers-kubernetesingressnginx-publishservice" href="#providers-kubernetesingressnginx-publishservice" title="#providers-kubernetesingressnginx-publishservice">providers.kubernetesingressnginx.publishservice</a> | Service fronting the Ingress controller. Takes the form 'namespace/name'. | |
| <a id="providers-kubernetesingressnginx-publishstatusaddress" href="#providers-kubernetesingressnginx-publishstatusaddress" title="#providers-kubernetesingressnginx-publishstatusaddress">providers.kubernetesingressnginx.publishstatusaddress</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | |
| <a id="providers-kubernetesingressnginx-throttleduration" href="#providers-kubernetesingressnginx-throttleduration" title="#providers-kubernetesingressnginx-throttleduration">providers.kubernetesingressnginx.throttleduration</a> | Ingress refresh throttle duration. | 0 |
| <a id="providers-kubernetesingressnginx-token" href="#providers-kubernetesingressnginx-token" title="#providers-kubernetesingressnginx-token">providers.kubernetesingressnginx.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| <a id="providers-kubernetesingressnginx-watchingresswithoutclass" href="#providers-kubernetesingressnginx-watchingresswithoutclass" title="#providers-kubernetesingressnginx-watchingresswithoutclass">providers.kubernetesingressnginx.watchingresswithoutclass</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false |
| <a id="providers-kubernetesingressnginx-watchnamespace" href="#providers-kubernetesingressnginx-watchnamespace" title="#providers-kubernetesingressnginx-watchnamespace">providers.kubernetesingressnginx.watchnamespace</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | |
| <a id="providers-kubernetesingressnginx-watchnamespaceselector" href="#providers-kubernetesingressnginx-watchnamespaceselector" title="#providers-kubernetesingressnginx-watchnamespaceselector">providers.kubernetesingressnginx.watchnamespaceselector</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects. | |
| <a id="providers-nomad" href="#providers-nomad" title="#providers-nomad">providers.nomad</a> | Enable Nomad backend with default settings. | false |
| <a id="providers-nomad-allowemptyservices" href="#providers-nomad-allowemptyservices" title="#providers-nomad-allowemptyservices">providers.nomad.allowemptyservices</a> | Allow the creation of services without endpoints. | false |
| <a id="providers-nomad-constraints" href="#providers-nomad-constraints" title="#providers-nomad-constraints">providers.nomad.constraints</a> | Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service. | |
| <a id="providers-nomad-defaultrule" href="#providers-nomad-defaultrule" title="#providers-nomad-defaultrule">providers.nomad.defaultrule</a> | Default rule. | Host(`{{ normalize .Name }}`) |
| <a id="providers-nomad-endpoint-address" href="#providers-nomad-endpoint-address" title="#providers-nomad-endpoint-address">providers.nomad.endpoint.address</a> | The address of the Nomad server, including scheme and port. | http://127.0.0.1:4646 |
| <a id="providers-nomad-endpoint-endpointwaittime" href="#providers-nomad-endpoint-endpointwaittime" title="#providers-nomad-endpoint-endpointwaittime">providers.nomad.endpoint.endpointwaittime</a> | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
| <a id="providers-nomad-endpoint-region" href="#providers-nomad-endpoint-region" title="#providers-nomad-endpoint-region">providers.nomad.endpoint.region</a> | Nomad region to use. If not provided, the local agent region is used. | |
| <a id="providers-nomad-endpoint-tls-ca" href="#providers-nomad-endpoint-tls-ca" title="#providers-nomad-endpoint-tls-ca">providers.nomad.endpoint.tls.ca</a> | TLS CA | |
| <a id="providers-nomad-endpoint-tls-cert" href="#providers-nomad-endpoint-tls-cert" title="#providers-nomad-endpoint-tls-cert">providers.nomad.endpoint.tls.cert</a> | TLS cert | |
| <a id="providers-nomad-endpoint-tls-insecureskipverify" href="#providers-nomad-endpoint-tls-insecureskipverify" title="#providers-nomad-endpoint-tls-insecureskipverify">providers.nomad.endpoint.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-nomad-endpoint-tls-key" href="#providers-nomad-endpoint-tls-key" title="#providers-nomad-endpoint-tls-key">providers.nomad.endpoint.tls.key</a> | TLS key | |
| <a id="providers-nomad-endpoint-token" href="#providers-nomad-endpoint-token" title="#providers-nomad-endpoint-token">providers.nomad.endpoint.token</a> | Token is used to provide a per-request ACL token. | |
| <a id="providers-nomad-exposedbydefault" href="#providers-nomad-exposedbydefault" title="#providers-nomad-exposedbydefault">providers.nomad.exposedbydefault</a> | Expose Nomad services by default. | true |
| <a id="providers-nomad-namespaces" href="#providers-nomad-namespaces" title="#providers-nomad-namespaces">providers.nomad.namespaces</a> | Sets the Nomad namespaces used to discover services. | |
| <a id="providers-nomad-prefix" href="#providers-nomad-prefix" title="#providers-nomad-prefix">providers.nomad.prefix</a> | Prefix for nomad service tags. | traefik |
| <a id="providers-nomad-refreshinterval" href="#providers-nomad-refreshinterval" title="#providers-nomad-refreshinterval">providers.nomad.refreshinterval</a> | Interval for polling Nomad API. | 15 |
| <a id="providers-nomad-stale" href="#providers-nomad-stale" title="#providers-nomad-stale">providers.nomad.stale</a> | Use stale consistency for catalog reads. | false |
| <a id="providers-nomad-throttleduration" href="#providers-nomad-throttleduration" title="#providers-nomad-throttleduration">providers.nomad.throttleduration</a> | Watch throttle duration. | 0 |
| <a id="providers-nomad-watch" href="#providers-nomad-watch" title="#providers-nomad-watch">providers.nomad.watch</a> | Watch Nomad Service events. | false |
| <a id="providers-plugin-name" href="#providers-plugin-name" title="#providers-plugin-name">providers.plugin._name_</a> | Plugins configuration. | |
| <a id="providers-providersthrottleduration" href="#providers-providersthrottleduration" title="#providers-providersthrottleduration">providers.providersthrottleduration</a> | Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. | 2 |
| <a id="providers-redis" href="#providers-redis" title="#providers-redis">providers.redis</a> | Enable Redis backend with default settings. | false |
| <a id="providers-redis-db" href="#providers-redis-db" title="#providers-redis-db">providers.redis.db</a> | Database to be selected after connecting to the server. | 0 |
| <a id="providers-redis-endpoints" href="#providers-redis-endpoints" title="#providers-redis-endpoints">providers.redis.endpoints</a> | KV store endpoints. | 127.0.0.1:6379 |
| <a id="providers-redis-password" href="#providers-redis-password" title="#providers-redis-password">providers.redis.password</a> | Password for authentication. | |
| <a id="providers-redis-rootkey" href="#providers-redis-rootkey" title="#providers-redis-rootkey">providers.redis.rootkey</a> | Root key used for KV store. | traefik |
| <a id="providers-redis-sentinel-latencystrategy" href="#providers-redis-sentinel-latencystrategy" title="#providers-redis-sentinel-latencystrategy">providers.redis.sentinel.latencystrategy</a> | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false |
| <a id="providers-redis-sentinel-mastername" href="#providers-redis-sentinel-mastername" title="#providers-redis-sentinel-mastername">providers.redis.sentinel.mastername</a> | Name of the master. | |
| <a id="providers-redis-sentinel-password" href="#providers-redis-sentinel-password" title="#providers-redis-sentinel-password">providers.redis.sentinel.password</a> | Password for Sentinel authentication. | |
| <a id="providers-redis-sentinel-randomstrategy" href="#providers-redis-sentinel-randomstrategy" title="#providers-redis-sentinel-randomstrategy">providers.redis.sentinel.randomstrategy</a> | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false |
| <a id="providers-redis-sentinel-replicastrategy" href="#providers-redis-sentinel-replicastrategy" title="#providers-redis-sentinel-replicastrategy">providers.redis.sentinel.replicastrategy</a> | Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). | false |
| <a id="providers-redis-sentinel-usedisconnectedreplicas" href="#providers-redis-sentinel-usedisconnectedreplicas" title="#providers-redis-sentinel-usedisconnectedreplicas">providers.redis.sentinel.usedisconnectedreplicas</a> | Use replicas disconnected with master when cannot get connected replicas. | false |
| <a id="providers-redis-sentinel-username" href="#providers-redis-sentinel-username" title="#providers-redis-sentinel-username">providers.redis.sentinel.username</a> | Username for Sentinel authentication. | |
| <a id="providers-redis-tls-ca" href="#providers-redis-tls-ca" title="#providers-redis-tls-ca">providers.redis.tls.ca</a> | TLS CA | |
| <a id="providers-redis-tls-cert" href="#providers-redis-tls-cert" title="#providers-redis-tls-cert">providers.redis.tls.cert</a> | TLS cert | |
| <a id="providers-redis-tls-insecureskipverify" href="#providers-redis-tls-insecureskipverify" title="#providers-redis-tls-insecureskipverify">providers.redis.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-redis-tls-key" href="#providers-redis-tls-key" title="#providers-redis-tls-key">providers.redis.tls.key</a> | TLS key | |
| <a id="providers-redis-username" href="#providers-redis-username" title="#providers-redis-username">providers.redis.username</a> | Username for authentication. | |
| <a id="providers-rest" href="#providers-rest" title="#providers-rest">providers.rest</a> | Enable Rest backend with default settings. | false |
| <a id="providers-rest-insecure" href="#providers-rest-insecure" title="#providers-rest-insecure">providers.rest.insecure</a> | Activate REST Provider directly on the entryPoint named traefik. | false |
| <a id="providers-swarm" href="#providers-swarm" title="#providers-swarm">providers.swarm</a> | Enable Docker Swarm backend with default settings. | false |
| <a id="providers-swarm-allowemptyservices" href="#providers-swarm-allowemptyservices" title="#providers-swarm-allowemptyservices">providers.swarm.allowemptyservices</a> | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
| <a id="providers-swarm-constraints" href="#providers-swarm-constraints" title="#providers-swarm-constraints">providers.swarm.constraints</a> | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
| <a id="providers-swarm-defaultrule" href="#providers-swarm-defaultrule" title="#providers-swarm-defaultrule">providers.swarm.defaultrule</a> | Default rule. | Host(`{{ normalize .Name }}`) |
| <a id="providers-swarm-endpoint" href="#providers-swarm-endpoint" title="#providers-swarm-endpoint">providers.swarm.endpoint</a> | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
| <a id="providers-swarm-exposedbydefault" href="#providers-swarm-exposedbydefault" title="#providers-swarm-exposedbydefault">providers.swarm.exposedbydefault</a> | Expose containers by default. | true |
| <a id="providers-swarm-httpclienttimeout" href="#providers-swarm-httpclienttimeout" title="#providers-swarm-httpclienttimeout">providers.swarm.httpclienttimeout</a> | Client timeout for HTTP connections. | 0 |
| <a id="providers-swarm-network" href="#providers-swarm-network" title="#providers-swarm-network">providers.swarm.network</a> | Default Docker network used. | |
| <a id="providers-swarm-password" href="#providers-swarm-password" title="#providers-swarm-password">providers.swarm.password</a> | Password for Basic HTTP authentication. | |
| <a id="providers-swarm-refreshseconds" href="#providers-swarm-refreshseconds" title="#providers-swarm-refreshseconds">providers.swarm.refreshseconds</a> | Polling interval for swarm mode. | 15 |
| <a id="providers-swarm-tls-ca" href="#providers-swarm-tls-ca" title="#providers-swarm-tls-ca">providers.swarm.tls.ca</a> | TLS CA | |
| <a id="providers-swarm-tls-cert" href="#providers-swarm-tls-cert" title="#providers-swarm-tls-cert">providers.swarm.tls.cert</a> | TLS cert | |
| <a id="providers-swarm-tls-insecureskipverify" href="#providers-swarm-tls-insecureskipverify" title="#providers-swarm-tls-insecureskipverify">providers.swarm.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="providers-swarm-tls-key" href="#providers-swarm-tls-key" title="#providers-swarm-tls-key">providers.swarm.tls.key</a> | TLS key | |
| <a id="providers-swarm-usebindportip" href="#providers-swarm-usebindportip" title="#providers-swarm-usebindportip">providers.swarm.usebindportip</a> | Use the ip address from the bound port, rather than from the inner network. | false |
| <a id="providers-swarm-username" href="#providers-swarm-username" title="#providers-swarm-username">providers.swarm.username</a> | Username for Basic HTTP authentication. | |
| <a id="providers-swarm-watch" href="#providers-swarm-watch" title="#providers-swarm-watch">providers.swarm.watch</a> | Watch Docker events. | true |
| <a id="providers-zookeeper" href="#providers-zookeeper" title="#providers-zookeeper">providers.zookeeper</a> | Enable ZooKeeper backend with default settings. | false |
| <a id="providers-zookeeper-endpoints" href="#providers-zookeeper-endpoints" title="#providers-zookeeper-endpoints">providers.zookeeper.endpoints</a> | KV store endpoints. | 127.0.0.1:2181 |
| <a id="providers-zookeeper-password" href="#providers-zookeeper-password" title="#providers-zookeeper-password">providers.zookeeper.password</a> | Password for authentication. | |
| <a id="providers-zookeeper-rootkey" href="#providers-zookeeper-rootkey" title="#providers-zookeeper-rootkey">providers.zookeeper.rootkey</a> | Root key used for KV store. | traefik |
| <a id="providers-zookeeper-username" href="#providers-zookeeper-username" title="#providers-zookeeper-username">providers.zookeeper.username</a> | Username for authentication. | |
| <a id="serverstransport-forwardingtimeouts-dialtimeout" href="#serverstransport-forwardingtimeouts-dialtimeout" title="#serverstransport-forwardingtimeouts-dialtimeout">serverstransport.forwardingtimeouts.dialtimeout</a> | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
| <a id="serverstransport-forwardingtimeouts-idleconntimeout" href="#serverstransport-forwardingtimeouts-idleconntimeout" title="#serverstransport-forwardingtimeouts-idleconntimeout">serverstransport.forwardingtimeouts.idleconntimeout</a> | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself | 90 |
| <a id="serverstransport-forwardingtimeouts-responseheadertimeout" href="#serverstransport-forwardingtimeouts-responseheadertimeout" title="#serverstransport-forwardingtimeouts-responseheadertimeout">serverstransport.forwardingtimeouts.responseheadertimeout</a> | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. | 0 |
| <a id="serverstransport-insecureskipverify" href="#serverstransport-insecureskipverify" title="#serverstransport-insecureskipverify">serverstransport.insecureskipverify</a> | Disable SSL certificate verification. | false |
| <a id="serverstransport-maxidleconnsperhost" href="#serverstransport-maxidleconnsperhost" title="#serverstransport-maxidleconnsperhost">serverstransport.maxidleconnsperhost</a> | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used | 200 |
| <a id="serverstransport-rootcas" href="#serverstransport-rootcas" title="#serverstransport-rootcas">serverstransport.rootcas</a> | Add cert file for self-signed certificate. | |
| <a id="serverstransport-spiffe" href="#serverstransport-spiffe" title="#serverstransport-spiffe">serverstransport.spiffe</a> | Defines the SPIFFE configuration. | false |
| <a id="serverstransport-spiffe-ids" href="#serverstransport-spiffe-ids" title="#serverstransport-spiffe-ids">serverstransport.spiffe.ids</a> | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
| <a id="serverstransport-spiffe-trustdomain" href="#serverstransport-spiffe-trustdomain" title="#serverstransport-spiffe-trustdomain">serverstransport.spiffe.trustdomain</a> | Defines the allowed SPIFFE trust domain. | |
| <a id="spiffe-workloadapiaddr" href="#spiffe-workloadapiaddr" title="#spiffe-workloadapiaddr">spiffe.workloadapiaddr</a> | Defines the workload API address. | |
| <a id="tcpserverstransport-dialkeepalive" href="#tcpserverstransport-dialkeepalive" title="#tcpserverstransport-dialkeepalive">tcpserverstransport.dialkeepalive</a> | Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled | 15 |
| <a id="tcpserverstransport-dialtimeout" href="#tcpserverstransport-dialtimeout" title="#tcpserverstransport-dialtimeout">tcpserverstransport.dialtimeout</a> | Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
| <a id="tcpserverstransport-terminationdelay" href="#tcpserverstransport-terminationdelay" title="#tcpserverstransport-terminationdelay">tcpserverstransport.terminationdelay</a> | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 0 |
| <a id="tcpserverstransport-tls" href="#tcpserverstransport-tls" title="#tcpserverstransport-tls">tcpserverstransport.tls</a> | Defines the TLS configuration. | false |
| <a id="tcpserverstransport-tls-insecureskipverify" href="#tcpserverstransport-tls-insecureskipverify" title="#tcpserverstransport-tls-insecureskipverify">tcpserverstransport.tls.insecureskipverify</a> | Disables SSL certificate verification. | false |
| <a id="tcpserverstransport-tls-rootcas" href="#tcpserverstransport-tls-rootcas" title="#tcpserverstransport-tls-rootcas">tcpserverstransport.tls.rootcas</a> | Defines a list of CA secret used to validate self-signed certificate | |
| <a id="tcpserverstransport-tls-spiffe" href="#tcpserverstransport-tls-spiffe" title="#tcpserverstransport-tls-spiffe">tcpserverstransport.tls.spiffe</a> | Defines the SPIFFE TLS configuration. | false |
| <a id="tcpserverstransport-tls-spiffe-ids" href="#tcpserverstransport-tls-spiffe-ids" title="#tcpserverstransport-tls-spiffe-ids">tcpserverstransport.tls.spiffe.ids</a> | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
| <a id="tcpserverstransport-tls-spiffe-trustdomain" href="#tcpserverstransport-tls-spiffe-trustdomain" title="#tcpserverstransport-tls-spiffe-trustdomain">tcpserverstransport.tls.spiffe.trustdomain</a> | Defines the allowed SPIFFE trust domain. | |
| <a id="tracing" href="#tracing" title="#tracing">tracing</a> | Tracing configuration. | false |
| <a id="tracing-addinternals" href="#tracing-addinternals" title="#tracing-addinternals">tracing.addinternals</a> | Enables tracing for internal services (ping, dashboard, etc...). | false |
| <a id="tracing-capturedrequestheaders" href="#tracing-capturedrequestheaders" title="#tracing-capturedrequestheaders">tracing.capturedrequestheaders</a> | Request headers to add as attributes for server and client spans. | |
| <a id="tracing-capturedresponseheaders" href="#tracing-capturedresponseheaders" title="#tracing-capturedresponseheaders">tracing.capturedresponseheaders</a> | Response headers to add as attributes for server and client spans. | |
| <a id="tracing-globalattributes-name" href="#tracing-globalattributes-name" title="#tracing-globalattributes-name">tracing.globalattributes._name_</a> | (Deprecated) Defines additional resource attributes (key:value). | |
| <a id="tracing-otlp" href="#tracing-otlp" title="#tracing-otlp">tracing.otlp</a> | Settings for OpenTelemetry. | false |
| <a id="tracing-otlp-grpc" href="#tracing-otlp-grpc" title="#tracing-otlp-grpc">tracing.otlp.grpc</a> | gRPC configuration for the OpenTelemetry collector. | false |
| <a id="tracing-otlp-grpc-endpoint" href="#tracing-otlp-grpc-endpoint" title="#tracing-otlp-grpc-endpoint">tracing.otlp.grpc.endpoint</a> | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
| <a id="tracing-otlp-grpc-headers-name" href="#tracing-otlp-grpc-headers-name" title="#tracing-otlp-grpc-headers-name">tracing.otlp.grpc.headers._name_</a> | Headers sent with payload. | |
| <a id="tracing-otlp-grpc-insecure" href="#tracing-otlp-grpc-insecure" title="#tracing-otlp-grpc-insecure">tracing.otlp.grpc.insecure</a> | Disables client transport security for the exporter. | false |
| <a id="tracing-otlp-grpc-tls-ca" href="#tracing-otlp-grpc-tls-ca" title="#tracing-otlp-grpc-tls-ca">tracing.otlp.grpc.tls.ca</a> | TLS CA | |
| <a id="tracing-otlp-grpc-tls-cert" href="#tracing-otlp-grpc-tls-cert" title="#tracing-otlp-grpc-tls-cert">tracing.otlp.grpc.tls.cert</a> | TLS cert | |
| <a id="tracing-otlp-grpc-tls-insecureskipverify" href="#tracing-otlp-grpc-tls-insecureskipverify" title="#tracing-otlp-grpc-tls-insecureskipverify">tracing.otlp.grpc.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="tracing-otlp-grpc-tls-key" href="#tracing-otlp-grpc-tls-key" title="#tracing-otlp-grpc-tls-key">tracing.otlp.grpc.tls.key</a> | TLS key | |
| <a id="tracing-otlp-http" href="#tracing-otlp-http" title="#tracing-otlp-http">tracing.otlp.http</a> | HTTP configuration for the OpenTelemetry collector. | false |
| <a id="tracing-otlp-http-endpoint" href="#tracing-otlp-http-endpoint" title="#tracing-otlp-http-endpoint">tracing.otlp.http.endpoint</a> | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
| <a id="tracing-otlp-http-headers-name" href="#tracing-otlp-http-headers-name" title="#tracing-otlp-http-headers-name">tracing.otlp.http.headers._name_</a> | Headers sent with payload. | |
| <a id="tracing-otlp-http-tls-ca" href="#tracing-otlp-http-tls-ca" title="#tracing-otlp-http-tls-ca">tracing.otlp.http.tls.ca</a> | TLS CA | |
| <a id="tracing-otlp-http-tls-cert" href="#tracing-otlp-http-tls-cert" title="#tracing-otlp-http-tls-cert">tracing.otlp.http.tls.cert</a> | TLS cert | |
| <a id="tracing-otlp-http-tls-insecureskipverify" href="#tracing-otlp-http-tls-insecureskipverify" title="#tracing-otlp-http-tls-insecureskipverify">tracing.otlp.http.tls.insecureskipverify</a> | TLS insecure skip verify | false |
| <a id="tracing-otlp-http-tls-key" href="#tracing-otlp-http-tls-key" title="#tracing-otlp-http-tls-key">tracing.otlp.http.tls.key</a> | TLS key | |
| <a id="tracing-resourceattributes-name" href="#tracing-resourceattributes-name" title="#tracing-resourceattributes-name">tracing.resourceattributes._name_</a> | Defines additional resource attributes (key:value). | |
| <a id="tracing-safequeryparams" href="#tracing-safequeryparams" title="#tracing-safequeryparams">tracing.safequeryparams</a> | Query params to not redact. | |
| <a id="tracing-samplerate" href="#tracing-samplerate" title="#tracing-samplerate">tracing.samplerate</a> | Sets the rate between 0.0 and 1.0 of requests to trace. | 1.000000 |
| <a id="tracing-servicename" href="#tracing-servicename" title="#tracing-servicename">tracing.servicename</a> | Defines the service name resource attribute. | traefik |

88
docs/content/reference/install-configuration/entrypoints.md
View File

@@ -85,38 +85,38 @@ additionalArguments:
| Field | Description | Default | Required |
|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
| `address` | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
| `asDefault` | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault). | false | No |
| `forwardedHeaders.trustedIPs` | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
| `forwardedHeaders.insecure` | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production. | false | No |
| `http.redirections.`<br />`entryPoint.to` | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
| `http.redirections.`<br />`entryPoint.scheme` | The target scheme to use for (permanent) redirection of all incoming requests. | https | No |
| `http.redirections.`<br />`entryPoint.permanent` | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
| `http.redirections.`<br />`entryPoint.priority` | Default priority applied to the routers attached to the `entryPoint`. | MaxInt32-1 (2147483646) | No |
| `http.encodeQuerySemicolons` | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
| `http.sanitizePath` | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath). | false | No |
| `http.middlewares` | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
| `http.tls` | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production. | - | No |
| `http.tls.options` | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
| `http.tls.certResolver` | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md). | - | No |
| `http2.maxConcurrentStreams` | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero. | 250 | No |
| `http3` | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3. | - | No |
| `http3.advertisedPort` | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
| `observability.accessLogs` | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| `observability.metrics` | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| `observability.tracing` | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| `observability.traceVerbosity` | Defines the tracing verbosity level for routers attached to this EntryPoint. Possible values: `minimal` (default), `detailed`. Routers can override this value in their own observability configuration. <br /> More information [here](#traceverbosity). | minimal | No |
| `proxyProtocol.trustedIPs` | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| `proxyProtocol.insecure` | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| `reusePort` | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points.<br /> More information [here](#reuseport). | false | No |
| `transport.`<br />`respondingTimeouts.`<br />`readTimeout` | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout` | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout` | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 180s (seconds) | No |
| `transport.`<br />`lifeCycle.`<br />`graceTimeOut` | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted. | 10s (seconds) | No |
| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 0s (seconds) | No |
| `transport.`<br />`keepAliveMaxRequests` | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit. | 0 | No |
| `transport.`<br />`keepAliveMaxTime` | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit. | 0s (seconds) | No |
| `udp.timeout` | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero. | 3s (seconds) | No |
| <a id="address" href="#address" title="#address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
| <a id="asDefault" href="#asDefault" title="#asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault). | false | No |
| <a id="forwardedHeaders-trustedIPs" href="#forwardedHeaders-trustedIPs" title="#forwardedHeaders-trustedIPs">`forwardedHeaders.trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
| <a id="forwardedHeaders-insecure" href="#forwardedHeaders-insecure" title="#forwardedHeaders-insecure">`forwardedHeaders.insecure`</a> | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production. | false | No |
| <a id="http-redirections-entryPoint-to" href="#http-redirections-entryPoint-to" title="#http-redirections-entryPoint-to">`http.redirections.`<br />`entryPoint.to`</a> | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
| <a id="http-redirections-entryPoint-scheme" href="#http-redirections-entryPoint-scheme" title="#http-redirections-entryPoint-scheme">`http.redirections.`<br />`entryPoint.scheme`</a> | The target scheme to use for (permanent) redirection of all incoming requests. | https | No |
| <a id="http-redirections-entryPoint-permanent" href="#http-redirections-entryPoint-permanent" title="#http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
| <a id="http-redirections-entryPoint-priority" href="#http-redirections-entryPoint-priority" title="#http-redirections-entryPoint-priority">`http.redirections.`<br />`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`. | MaxInt32-1 (2147483646) | No |
| <a id="http-encodeQuerySemicolons" href="#http-encodeQuerySemicolons" title="#http-encodeQuerySemicolons">`http.encodeQuerySemicolons`</a> | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
| <a id="http-sanitizePath" href="#http-sanitizePath" title="#http-sanitizePath">`http.sanitizePath`</a> | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath). | false | No |
| <a id="http-middlewares" href="#http-middlewares" title="#http-middlewares">`http.middlewares`</a> | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
| <a id="http-tls" href="#http-tls" title="#http-tls">`http.tls`</a> | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production. | - | No |
| <a id="http-tls-options" href="#http-tls-options" title="#http-tls-options">`http.tls.options`</a> | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
| <a id="http-tls-certResolver" href="#http-tls-certResolver" title="#http-tls-certResolver">`http.tls.certResolver`</a> | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md). | - | No |
| <a id="http2-maxConcurrentStreams" href="#http2-maxConcurrentStreams" title="#http2-maxConcurrentStreams">`http2.maxConcurrentStreams`</a> | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero. | 250 | No |
| <a id="http3" href="#http3" title="#http3">`http3`</a> | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3). | - | No |
| <a id="http3-advertisedPort" href="#http3-advertisedPort" title="#http3-advertisedPort">`http3.advertisedPort`</a> | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
| <a id="observability-accessLogs" href="#observability-accessLogs" title="#observability-accessLogs">`observability.accessLogs`</a> | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| <a id="observability-metrics" href="#observability-metrics" title="#observability-metrics">`observability.metrics`</a> | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| <a id="observability-tracing" href="#observability-tracing" title="#observability-tracing">`observability.tracing`</a> | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| <a id="observability-traceVerbosity" href="#observability-traceVerbosity" title="#observability-traceVerbosity">`observability.traceVerbosity`</a> | Defines the tracing verbosity level for routers attached to this EntryPoint. Possible values: `minimal` (default), `detailed`. Routers can override this value in their own observability configuration. <br /> More information [here](#traceverbosity). | minimal | No |
| <a id="proxyProtocol-trustedIPs" href="#proxyProtocol-trustedIPs" title="#proxyProtocol-trustedIPs">`proxyProtocol.trustedIPs`</a> | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| <a id="proxyProtocol-insecure" href="#proxyProtocol-insecure" title="#proxyProtocol-insecure">`proxyProtocol.insecure`</a> | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| <a id="reusePort" href="#reusePort" title="#reusePort">`reusePort`</a> | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points.<br /> More information [here](#reuseport). | false | No |
| <a id="transport-respondingTimeouts-readTimeout" href="#transport-respondingTimeouts-readTimeout" title="#transport-respondingTimeouts-readTimeout">`transport.`<br />`respondingTimeouts.`<br />`readTimeout`</a> | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
| <a id="transport-respondingTimeouts-writeTimeout" href="#transport-respondingTimeouts-writeTimeout" title="#transport-respondingTimeouts-writeTimeout">`transport.`<br />`respondingTimeouts.`<br />`writeTimeout`</a> | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
| <a id="transport-respondingTimeouts-idleTimeout" href="#transport-respondingTimeouts-idleTimeout" title="#transport-respondingTimeouts-idleTimeout">`transport.`<br />`respondingTimeouts.`<br />`idleTimeout`</a> | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 180s (seconds) | No |
| <a id="transport-lifeCycle-graceTimeOut" href="#transport-lifeCycle-graceTimeOut" title="#transport-lifeCycle-graceTimeOut">`transport.`<br />`lifeCycle.`<br />`graceTimeOut`</a> | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted. | 10s (seconds) | No |
| <a id="transport-lifeCycle-requestAcceptGraceTimeout" href="#transport-lifeCycle-requestAcceptGraceTimeout" title="#transport-lifeCycle-requestAcceptGraceTimeout">`transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout`</a> | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 0s (seconds) | No |
| <a id="transport-keepAliveMaxRequests" href="#transport-keepAliveMaxRequests" title="#transport-keepAliveMaxRequests">`transport.`<br />`keepAliveMaxRequests`</a> | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit. | 0 | No |
| <a id="transport-keepAliveMaxTime" href="#transport-keepAliveMaxTime" title="#transport-keepAliveMaxTime">`transport.`<br />`keepAliveMaxTime`</a> | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit. | 0s (seconds) | No |
| <a id="udp-timeout" href="#udp-timeout" title="#udp-timeout">`udp.timeout`</a> | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero. | 3s (seconds) | No |
### asDefault
@@ -171,10 +171,10 @@ Behavior examples:
| EncodeQuerySemicolons | Request Query | Resulting Request Query |
|-----------------------|---------------------|-------------------------|
| false | foo=bar;baz=bar | foo=bar&baz=bar |
| true | foo=bar;baz=bar | foo=bar%3Bbaz=bar |
| false | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo |
| true | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo |
| <a id="false" href="#false" title="#false">false</a> | foo=bar;baz=bar | foo=bar&baz=bar |
| <a id="true" href="#true" title="#true">true</a> | foo=bar;baz=bar | foo=bar%3Bbaz=bar |
| <a id="false-2" href="#false-2" title="#false-2">false</a> | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo |
| <a id="true-2" href="#true-2" title="#true-2">true</a> | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo |
### SanitizePath
@@ -194,14 +194,14 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
| SanitizePath | Request Path | Resulting Request Path |
|--------------|-----------------|------------------------|
| false | /./foo/bar | /./foo/bar |
| true | /./foo/bar | /foo/bar |
| false | /foo/../bar | /foo/../bar |
| true | /foo/../bar | /bar |
| false | /foo/bar// | /foo/bar// |
| true | /foo/bar// | /foo/bar/ |
| false | /./foo/../bar// | /./foo/../bar// |
| true | /./foo/../bar// | /bar/ |
| <a id="false-3" href="#false-3" title="#false-3">false</a> | /./foo/bar | /./foo/bar |
| <a id="true-3" href="#true-3" title="#true-3">true</a> | /./foo/bar | /foo/bar |
| <a id="false-4" href="#false-4" title="#false-4">false</a> | /foo/../bar | /foo/../bar |
| <a id="true-4" href="#true-4" title="#true-4">true</a> | /foo/../bar | /bar |
| <a id="false-5" href="#false-5" title="#false-5">false</a> | /foo/bar// | /foo/bar// |
| <a id="true-5" href="#true-5" title="#true-5">true</a> | /foo/bar// | /foo/bar/ |
| <a id="false-6" href="#false-6" title="#false-6">false</a> | /./foo/../bar// | /./foo/../bar// |
| <a id="true-6" href="#true-6" title="#true-6">true</a> | /./foo/../bar// | /bar/ |
### HTTP3

8
docs/content/reference/install-configuration/observability/healthcheck.md
View File

@@ -36,7 +36,7 @@ whose default value is `traefik` (port `8080`).
| Path | Method | Description |
|---------|---------------|-----------------------------------------------------------------------------------------------------|
| `/ping` | `GET`, `HEAD` | An endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
| <a id="ping" href="#ping" title="#ping">`/ping`</a> | `GET`, `HEAD` | An endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
### Configuration Example
@@ -58,9 +58,9 @@ ping: {}
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `ping.entryPoint` | Enables `/ping` on a dedicated EntryPoint. | traefik | No |
| `ping.manualRouting` | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No |
| `ping.terminatingStatusCode` | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No |
| <a id="ping-entryPoint" href="#ping-entryPoint" title="#ping-entryPoint">`ping.entryPoint`</a> | Enables `/ping` on a dedicated EntryPoint. | traefik | No |
| <a id="ping-manualRouting" href="#ping-manualRouting" title="#ping-manualRouting">`ping.manualRouting`</a> | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No |
| <a id="ping-terminatingStatusCode" href="#ping-terminatingStatusCode" title="#ping-terminatingStatusCode">`ping.terminatingStatusCode`</a> | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No |
#### `terminatingStatusCode`

6
docs/content/reference/install-configuration/observability/healthcheck/ping.md
View File

@@ -37,9 +37,9 @@ You can define it using the same [configuration methods](../../boot-environment.
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `ping.entryPoint` | Enables `/ping` on a dedicated EntryPoint. | traefik | No |
| `ping.manualRouting` | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No |
| `ping.terminatingStatusCode` | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No |
| <a id="ping-entryPoint" href="#ping-entryPoint" title="#ping-entryPoint">`ping.entryPoint`</a> | Enables `/ping` on a dedicated EntryPoint. | traefik | No |
| <a id="ping-manualRouting" href="#ping-manualRouting" title="#ping-manualRouting">`ping.manualRouting`</a> | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No |
| <a id="ping-terminatingStatusCode" href="#ping-terminatingStatusCode" title="#ping-terminatingStatusCode">`ping.terminatingStatusCode`</a> | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No |
### `terminatingStatusCode`

200
docs/content/reference/install-configuration/observability/logs-and-accesslogs.md
View File

@@ -35,14 +35,14 @@ The section below describe how to configure Traefik logs using the static config
| Field | Description | Default | Required |
|:-----------|:----------------------------|:--------|:---------|
| `log.filePath` | By default, the logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.| - | No |
| `log.format` | Log format (`common`or `json`).<br /> The fields displayed with the format `common` cannot be customized. | "common" | No |
| `log.level` | Log level (`TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`)| ERROR | No |
| `log.noColor` | When using the format `common`, disables the colorized output. | false | No |
| `log.maxSize` | Maximum size in megabytes of the log file before it gets rotated. | 100MB | No |
| `log.maxAge` | Maximum number of days to retain old log files based on the timestamp encoded in their filename.<br /> A day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.<br />By default files are not removed based on their age. | 0 | No |
| `log.maxBackups` | Maximum number of old log files to retain.<br />The default is to retain all old log files. | 0 | No |
| `log.compress` | Compress log files in gzip after rotation. | false | No |
| <a id="log-filePath" href="#log-filePath" title="#log-filePath">`log.filePath`</a> | By default, the logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.| - | No |
| <a id="log-format" href="#log-format" title="#log-format">`log.format`</a> | Log format (`common`or `json`).<br /> The fields displayed with the format `common` cannot be customized. | "common" | No |
| <a id="log-level" href="#log-level" title="#log-level">`log.level`</a> | Log level (`TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`)| ERROR | No |
| <a id="log-noColor" href="#log-noColor" title="#log-noColor">`log.noColor`</a> | When using the format `common`, disables the colorized output. | false | No |
| <a id="log-maxSize" href="#log-maxSize" title="#log-maxSize">`log.maxSize`</a> | Maximum size in megabytes of the log file before it gets rotated. | 100MB | No |
| <a id="log-maxAge" href="#log-maxAge" title="#log-maxAge">`log.maxAge`</a> | Maximum number of days to retain old log files based on the timestamp encoded in their filename.<br /> A day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.<br />By default files are not removed based on their age. | 0 | No |
| <a id="log-maxBackups" href="#log-maxBackups" title="#log-maxBackups">`log.maxBackups`</a> | Maximum number of old log files to retain.<br />The default is to retain all old log files. | 0 | No |
| <a id="log-compress" href="#log-compress" title="#log-compress">`log.compress`</a> | Compress log files in gzip after rotation. | false | No |
### OpenTelemetry
@@ -98,25 +98,25 @@ log:
| Field | Description | Default | Required |
|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------|:---------|
| `log.otlp.serviceName` | Service name used in selected backend. | "traefik" | No |
| `log.otlp.resourceAttributes` | Defines additional resource attributes to be sent to the collector. | [] | No |
| `log.otlp.http` | This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP. | | No |
| `log.otlp.http.endpoint` | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`) | `https://localhost:4318/v1/logs` | No |
| `log.otlp.http.headers` | Additional headers sent with logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| `log.otlp.http.tls` | Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector. | | No |
| `log.otlp.http.tls.ca` | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| `log.otlp.http.tls.cert` | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| `log.otlp.http.tls.key` | The path to the key to use for the OpenTelemetry Collector. | | No |
| `log.otlp.http.tls.insecureSkipVerify` | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
| `log.otlp.grpc` | This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC. | | No |
| `log.otlp.grpc.endpoint` | The endpoint of the OpenTelemetry Collector. (format=`<host>:<port>`) | `localhost:4317` | No |
| `log.otlp.grpc.headers` | Additional headers sent with logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| `log.otlp.grpc.insecure` | Instructs the exporter to send logs to the OpenTelemetry Collector using an insecure protocol. | false | No |
| `log.otlp.grpc.tls` | Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector. | | No |
| `log.otlp.grpc.tls.ca` | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| `log.otlp.grpc.tls.cert` | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| `log.otlp.grpc.tls.key` | The path to the key to use for the OpenTelemetry Collector. | | No |
| `log.otlp.grpc.tls.insecureSkipVerify` | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
| <a id="log-otlp-serviceName" href="#log-otlp-serviceName" title="#log-otlp-serviceName">`log.otlp.serviceName`</a> | Service name used in selected backend. | "traefik" | No |
| <a id="log-otlp-resourceAttributes" href="#log-otlp-resourceAttributes" title="#log-otlp-resourceAttributes">`log.otlp.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. | [] | No |
| <a id="log-otlp-http" href="#log-otlp-http" title="#log-otlp-http">`log.otlp.http`</a> | This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP. | | No |
| <a id="log-otlp-http-endpoint" href="#log-otlp-http-endpoint" title="#log-otlp-http-endpoint">`log.otlp.http.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`) | `https://localhost:4318/v1/logs` | No |
| <a id="log-otlp-http-headers" href="#log-otlp-http-headers" title="#log-otlp-http-headers">`log.otlp.http.headers`</a> | Additional headers sent with logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| <a id="log-otlp-http-tls" href="#log-otlp-http-tls" title="#log-otlp-http-tls">`log.otlp.http.tls`</a> | Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector. | | No |
| <a id="log-otlp-http-tls-ca" href="#log-otlp-http-tls-ca" title="#log-otlp-http-tls-ca">`log.otlp.http.tls.ca`</a> | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| <a id="log-otlp-http-tls-cert" href="#log-otlp-http-tls-cert" title="#log-otlp-http-tls-cert">`log.otlp.http.tls.cert`</a> | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| <a id="log-otlp-http-tls-key" href="#log-otlp-http-tls-key" title="#log-otlp-http-tls-key">`log.otlp.http.tls.key`</a> | The path to the key to use for the OpenTelemetry Collector. | | No |
| <a id="log-otlp-http-tls-insecureSkipVerify" href="#log-otlp-http-tls-insecureSkipVerify" title="#log-otlp-http-tls-insecureSkipVerify">`log.otlp.http.tls.insecureSkipVerify`</a> | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
| <a id="log-otlp-grpc" href="#log-otlp-grpc" title="#log-otlp-grpc">`log.otlp.grpc`</a> | This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC. | | No |
| <a id="log-otlp-grpc-endpoint" href="#log-otlp-grpc-endpoint" title="#log-otlp-grpc-endpoint">`log.otlp.grpc.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<host>:<port>`) | `localhost:4317` | No |
| <a id="log-otlp-grpc-headers" href="#log-otlp-grpc-headers" title="#log-otlp-grpc-headers">`log.otlp.grpc.headers`</a> | Additional headers sent with logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| <a id="log-otlp-grpc-insecure" href="#log-otlp-grpc-insecure" title="#log-otlp-grpc-insecure">`log.otlp.grpc.insecure`</a> | Instructs the exporter to send logs to the OpenTelemetry Collector using an insecure protocol. | false | No |
| <a id="log-otlp-grpc-tls" href="#log-otlp-grpc-tls" title="#log-otlp-grpc-tls">`log.otlp.grpc.tls`</a> | Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector. | | No |
| <a id="log-otlp-grpc-tls-ca" href="#log-otlp-grpc-tls-ca" title="#log-otlp-grpc-tls-ca">`log.otlp.grpc.tls.ca`</a> | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| <a id="log-otlp-grpc-tls-cert" href="#log-otlp-grpc-tls-cert" title="#log-otlp-grpc-tls-cert">`log.otlp.grpc.tls.cert`</a> | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| <a id="log-otlp-grpc-tls-key" href="#log-otlp-grpc-tls-key" title="#log-otlp-grpc-tls-key">`log.otlp.grpc.tls.key`</a> | The path to the key to use for the OpenTelemetry Collector. | | No |
| <a id="log-otlp-grpc-tls-insecureSkipVerify" href="#log-otlp-grpc-tls-insecureSkipVerify" title="#log-otlp-grpc-tls-insecureSkipVerify">`log.otlp.grpc.tls.insecureSkipVerify`</a> | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
## AccessLogs
@@ -187,24 +187,23 @@ accessLog:
--accesslog.fields.headers.names.Authorization=drop
```
### Configuration Options
The section below describes how to configure Traefik access logs using the static configuration.
| Field | Description | Default | Required |
|:-----------|:--------------------------|:--------|:---------|
| `accesslog.filePath` | By default, the access logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.| | No |
| `accesslog.format` | By default, logs are written using the Common Log Format (CLF).<br />To write logs in JSON, use `json` in the `format` option.<br />If the given format is unsupported, the default (CLF) is used instead.<br />More information about CLF fields [here](#clf-format-fields). | "common" | No |
| `accesslog.bufferingSize` | To write the logs in an asynchronous fashion, specify a `bufferingSize` option.<br />This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.<br />In some cases, this option can greatly help performances.| 0 | No |
| `accesslog.addInternals` | Enables access logs for internal resources (e.g.: `ping@internal`). | false | No |
| `accesslog.filters.statusCodes` | Limit the access logs to requests with a status codes in the specified range. | [ ] | No |
| `accesslog.filters.retryAttempts` | Keep the access logs when at least one retry has happened. | false | No |
| `accesslog.filters.minDuration` | Keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)). | 0 | No |
| `accesslog.fields.defaultMode` | Mode to apply by default to the access logs fields (`keep`, `redact` or `drop`). | keep | No |
| `accesslog.fields.names` | Set the fields list to display in the access logs (format `name:mode`).<br /> Available fields list [here](#available-fields). | [ ] | No |
| `accesslog.headers.defaultMode` | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`). | drop | No |
| `accesslog.headers.names` | Set the headers list to display in the access logs (format `name:mode`). | [ ] | No |
| <a id="accesslog-filePath" href="#accesslog-filePath" title="#accesslog-filePath">`accesslog.filePath`</a> | By default, the access logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.| | No |
| <a id="accesslog-format" href="#accesslog-format" title="#accesslog-format">`accesslog.format`</a> | By default, logs are written using the Traefik Common Log Format (CLF).<br />Available formats: [`common`](#traefik-clf-format-fields) (Traefik extended CLF), [`genericCLF`](#generic-clf-format-fields) (standard CLF compatible with analyzers), or [`json`](#json-format-fields).<br />If the given format is unsupported, the default (`common`) is used instead. | "common" | No |
| <a id="accesslog-bufferingSize" href="#accesslog-bufferingSize" title="#accesslog-bufferingSize">`accesslog.bufferingSize`</a> | To write the logs in an asynchronous fashion, specify a `bufferingSize` option.<br />This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.<br />In some cases, this option can greatly help performances.| 0 | No |
| <a id="accesslog-addInternals" href="#accesslog-addInternals" title="#accesslog-addInternals">`accesslog.addInternals`</a> | Enables access logs for internal resources (e.g.: `ping@internal`). | false | No |
| <a id="accesslog-filters-statusCodes" href="#accesslog-filters-statusCodes" title="#accesslog-filters-statusCodes">`accesslog.filters.statusCodes`</a> | Limit the access logs to requests with a status codes in the specified range. | [ ] | No |
| <a id="accesslog-filters-retryAttempts" href="#accesslog-filters-retryAttempts" title="#accesslog-filters-retryAttempts">`accesslog.filters.retryAttempts`</a> | Keep the access logs when at least one retry has happened. | false | No |
| <a id="accesslog-filters-minDuration" href="#accesslog-filters-minDuration" title="#accesslog-filters-minDuration">`accesslog.filters.minDuration`</a> | Keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)). | 0 | No |
| <a id="accesslog-fields-defaultMode" href="#accesslog-fields-defaultMode" title="#accesslog-fields-defaultMode">`accesslog.fields.defaultMode`</a> | Mode to apply by default to the access logs fields (`keep`, `redact` or `drop`). | keep | No |
| <a id="accesslog-fields-names" href="#accesslog-fields-names" title="#accesslog-fields-names">`accesslog.fields.names`</a> | Set the fields list to display in the access logs (format `name:mode`).<br /> Available fields list [here](#available-fields). | [ ] | No |
| <a id="accesslog-fields-headers-defaultMode" href="#accesslog-fields-headers-defaultMode" title="#accesslog-fields-headers-defaultMode">`accesslog.fields.headers.defaultMode`</a> | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`). | drop | No |
| <a id="accesslog-fields-headers-names" href="#accesslog-fields-headers-names" title="#accesslog-fields-headers-names">`accesslog.fields.headers.names`</a> | Set the headers list to display in the access logs (format `name:mode`). | [ ] | No |
### OpenTelemetry
@@ -260,29 +259,30 @@ accesslog:
| Field | Description | Default | Required |
|:---------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------|:---------|
| `accesslog.otlp.serviceName` | Defines the service name resource attribute. | "traefik" | No |
| `accesslog.otlp.resourceAttributes` | Defines additional resource attributes to be sent to the collector. | [] | No |
| `accesslog.otlp.http` | This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP. | | No |
| `accesslog.otlp.http.endpoint` | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`) | `https://localhost:4318/v1/logs` | No |
| `accesslog.otlp.http.headers` | Additional headers sent with access logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| `accesslog.otlp.http.tls` | Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector. | | No |
| `accesslog.otlp.http.tls.ca` | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| `accesslog.otlp.http.tls.cert` | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| `accesslog.otlp.http.tls.key` | The path to the key to use for the OpenTelemetry Collector. | | No |
| `accesslog.otlp.http.tls.insecureSkipVerify` | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
| `accesslog.otlp.grpc` | This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC. | | No |
| `accesslog.otlp.grpc.endpoint` | The endpoint of the OpenTelemetry Collector. (format=`<host>:<port>`) | `localhost:4317` | No |
| `accesslog.otlp.grpc.headers` | Additional headers sent with access logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| `accesslog.otlp.grpc.insecure` | Instructs the exporter to send access logs to the OpenTelemetry Collector using an insecure protocol. | false | No |
| `accesslog.otlp.grpc.tls` | Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector. | | No |
| `accesslog.otlp.grpc.tls.ca` | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| `accesslog.otlp.grpc.tls.cert` | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| `accesslog.otlp.grpc.tls.key` | The path to the key to use for the OpenTelemetry Collector. | | No |
| `accesslog.otlp.grpc.tls.insecureSkipVerify` | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
| <a id="accesslog-otlp-serviceName" href="#accesslog-otlp-serviceName" title="#accesslog-otlp-serviceName">`accesslog.otlp.serviceName`</a> | Defines the service name resource attribute. | "traefik" | No |
| <a id="accesslog-otlp-resourceAttributes" href="#accesslog-otlp-resourceAttributes" title="#accesslog-otlp-resourceAttributes">`accesslog.otlp.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. | [] | No |
| <a id="accesslog-otlp-http" href="#accesslog-otlp-http" title="#accesslog-otlp-http">`accesslog.otlp.http`</a> | This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP. | | No |
| <a id="accesslog-otlp-http-endpoint" href="#accesslog-otlp-http-endpoint" title="#accesslog-otlp-http-endpoint">`accesslog.otlp.http.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`) | `https://localhost:4318/v1/logs` | No |
| <a id="accesslog-otlp-http-headers" href="#accesslog-otlp-http-headers" title="#accesslog-otlp-http-headers">`accesslog.otlp.http.headers`</a> | Additional headers sent with access logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| <a id="accesslog-otlp-http-tls" href="#accesslog-otlp-http-tls" title="#accesslog-otlp-http-tls">`accesslog.otlp.http.tls`</a> | Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector. | | No |
| <a id="accesslog-otlp-http-tls-ca" href="#accesslog-otlp-http-tls-ca" title="#accesslog-otlp-http-tls-ca">`accesslog.otlp.http.tls.ca`</a> | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| <a id="accesslog-otlp-http-tls-cert" href="#accesslog-otlp-http-tls-cert" title="#accesslog-otlp-http-tls-cert">`accesslog.otlp.http.tls.cert`</a> | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| <a id="accesslog-otlp-http-tls-key" href="#accesslog-otlp-http-tls-key" title="#accesslog-otlp-http-tls-key">`accesslog.otlp.http.tls.key`</a> | The path to the key to use for the OpenTelemetry Collector. | | No |
| <a id="accesslog-otlp-http-tls-insecureSkipVerify" href="#accesslog-otlp-http-tls-insecureSkipVerify" title="#accesslog-otlp-http-tls-insecureSkipVerify">`accesslog.otlp.http.tls.insecureSkipVerify`</a> | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
| <a id="accesslog-otlp-grpc" href="#accesslog-otlp-grpc" title="#accesslog-otlp-grpc">`accesslog.otlp.grpc`</a> | This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC. | | No |
| <a id="accesslog-otlp-grpc-endpoint" href="#accesslog-otlp-grpc-endpoint" title="#accesslog-otlp-grpc-endpoint">`accesslog.otlp.grpc.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<host>:<port>`) | `localhost:4317` | No |
| <a id="accesslog-otlp-grpc-headers" href="#accesslog-otlp-grpc-headers" title="#accesslog-otlp-grpc-headers">`accesslog.otlp.grpc.headers`</a> | Additional headers sent with access logs by the exporter to the OpenTelemetry Collector. | [ ] | No |
| <a id="accesslog-otlp-grpc-insecure" href="#accesslog-otlp-grpc-insecure" title="#accesslog-otlp-grpc-insecure">`accesslog.otlp.grpc.insecure`</a> | Instructs the exporter to send access logs to the OpenTelemetry Collector using an insecure protocol. | false | No |
| <a id="accesslog-otlp-grpc-tls" href="#accesslog-otlp-grpc-tls" title="#accesslog-otlp-grpc-tls">`accesslog.otlp.grpc.tls`</a> | Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector. | | No |
| <a id="accesslog-otlp-grpc-tls-ca" href="#accesslog-otlp-grpc-tls-ca" title="#accesslog-otlp-grpc-tls-ca">`accesslog.otlp.grpc.tls.ca`</a> | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | | No |
| <a id="accesslog-otlp-grpc-tls-cert" href="#accesslog-otlp-grpc-tls-cert" title="#accesslog-otlp-grpc-tls-cert">`accesslog.otlp.grpc.tls.cert`</a> | The path to the certificate to use for the OpenTelemetry Collector. | | No |
| <a id="accesslog-otlp-grpc-tls-key" href="#accesslog-otlp-grpc-tls-key" title="#accesslog-otlp-grpc-tls-key">`accesslog.otlp.grpc.tls.key`</a> | The path to the key to use for the OpenTelemetry Collector. | | No |
| <a id="accesslog-otlp-grpc-tls-insecureSkipVerify" href="#accesslog-otlp-grpc-tls-insecureSkipVerify" title="#accesslog-otlp-grpc-tls-insecureSkipVerify">`accesslog.otlp.grpc.tls.insecureSkipVerify`</a> | Instructs the OpenTelemetry Collector to accept any certificate presented by the server regardless of the hostname in the certificate. | false | No |
### CLF format fields
### Traefik CLF format fields
Below the fields displayed with the CLF format:
It's the default format provided by Traefik.
Below the fields displayed with the Traefik CLF format:
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>]
@@ -291,44 +291,54 @@ Below the fields displayed with the CLF format:
"<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
```
### Available Fields
### Generic CLF format fields
Below the fields displayed with the generic CLF format:
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>]
"<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length>
"<request_referrer>" "<request_user_agent>"
```
### JSON format fields
| Field | Description |
|-------------------------|------------------|
| `StartUTC` | The time at which request processing started. |
| `StartLocal` | The local time at which request processing started. |
| `Duration` | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time. |
| `RouterName` | The name of the Traefik router. |
| `ServiceName` | The name of the Traefik backend. |
| `ServiceURL` | The URL of the Traefik backend. |
| `ServiceAddr` | The IP:port of the Traefik backend (extracted from `ServiceURL`). |
| `ClientAddr` | The remote address in its original form (usually IP:port). |
| `ClientHost` | The remote IP address from which the client request was received. |
| `ClientPort` | The remote TCP port from which the client request was received. |
| `ClientUsername` | The username provided in the URL, if present. |
| `RequestAddr` | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API. |
| `RequestHost` | The HTTP Host server name (not including port). |
| `RequestPort` | The TCP port from the HTTP Host. |
| `RequestMethod` | The HTTP method. |
| `RequestPath` | The HTTP request URI, not including the scheme, host or port. |
| `RequestProtocol` | The version of HTTP requested. |
| `RequestScheme` | The HTTP scheme requested `http` or `https`. |
| `RequestLine` | The `RequestMethod`, + `RequestPath` and `RequestProtocol`. |
| `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
| `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
| `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
| `OriginStatusLine` | `OriginStatus` + Status code explanation |
| `DownstreamStatus` | The HTTP status code returned to the client. |
| `DownstreamStatusLine` | The `DownstreamStatus` and status code explanation. |
| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
| `RequestCount` | The number of requests received since the Traefik instance started. |
| `GzipRatio` | The response body compression ratio achieved. |
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
| `RetryAttempts` | The amount of attempts the request was retried. |
| `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
| `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS). |
| `TLSClientSubject` | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`). |
| <a id="StartUTC" href="#StartUTC" title="#StartUTC">`StartUTC`</a> | The time at which request processing started. |
| <a id="StartLocal" href="#StartLocal" title="#StartLocal">`StartLocal`</a> | The local time at which request processing started. |
| <a id="Duration" href="#Duration" title="#Duration">`Duration`</a> | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time. |
| <a id="RouterName" href="#RouterName" title="#RouterName">`RouterName`</a> | The name of the Traefik router. |
| <a id="ServiceName" href="#ServiceName" title="#ServiceName">`ServiceName`</a> | The name of the Traefik backend. |
| <a id="ServiceURL" href="#ServiceURL" title="#ServiceURL">`ServiceURL`</a> | The URL of the Traefik backend. |
| <a id="ServiceAddr" href="#ServiceAddr" title="#ServiceAddr">`ServiceAddr`</a> | The IP:port of the Traefik backend (extracted from `ServiceURL`). |
| <a id="ClientAddr" href="#ClientAddr" title="#ClientAddr">`ClientAddr`</a> | The remote address in its original form (usually IP:port). |
| <a id="ClientHost" href="#ClientHost" title="#ClientHost">`ClientHost`</a> | The remote IP address from which the client request was received. |
| <a id="ClientPort" href="#ClientPort" title="#ClientPort">`ClientPort`</a> | The remote TCP port from which the client request was received. |
| <a id="ClientUsername" href="#ClientUsername" title="#ClientUsername">`ClientUsername`</a> | The username provided in the URL, if present. |
| <a id="RequestAddr" href="#RequestAddr" title="#RequestAddr">`RequestAddr`</a> | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API. |
| <a id="RequestHost" href="#RequestHost" title="#RequestHost">`RequestHost`</a> | The HTTP Host server name (not including port). |
| <a id="RequestPort" href="#RequestPort" title="#RequestPort">`RequestPort`</a> | The TCP port from the HTTP Host. |
| <a id="RequestMethod" href="#RequestMethod" title="#RequestMethod">`RequestMethod`</a> | The HTTP method. |
| <a id="RequestPath" href="#RequestPath" title="#RequestPath">`RequestPath`</a> | The HTTP request URI, not including the scheme, host or port. |
| <a id="RequestProtocol" href="#RequestProtocol" title="#RequestProtocol">`RequestProtocol`</a> | The version of HTTP requested. |
| <a id="RequestScheme" href="#RequestScheme" title="#RequestScheme">`RequestScheme`</a> | The HTTP scheme requested `http` or `https`. |
| <a id="RequestLine" href="#RequestLine" title="#RequestLine">`RequestLine`</a> | The `RequestMethod`, + `RequestPath` and `RequestProtocol`. |
| <a id="RequestContentSize" href="#RequestContentSize" title="#RequestContentSize">`RequestContentSize`</a> | The number of bytes in the request entity (a.k.a. body) sent by the client. |
| <a id="OriginDuration" href="#OriginDuration" title="#OriginDuration">`OriginDuration`</a> | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
| <a id="OriginContentSize" href="#OriginContentSize" title="#OriginContentSize">`OriginContentSize`</a> | The content length specified by the origin server, or 0 if unspecified. |
| <a id="OriginStatus" href="#OriginStatus" title="#OriginStatus">`OriginStatus`</a> | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
| <a id="OriginStatusLine" href="#OriginStatusLine" title="#OriginStatusLine">`OriginStatusLine`</a> | `OriginStatus` + Status code explanation |
| <a id="DownstreamStatus" href="#DownstreamStatus" title="#DownstreamStatus">`DownstreamStatus`</a> | The HTTP status code returned to the client. |
| <a id="DownstreamStatusLine" href="#DownstreamStatusLine" title="#DownstreamStatusLine">`DownstreamStatusLine`</a> | The `DownstreamStatus` and status code explanation. |
| <a id="DownstreamContentSize" href="#DownstreamContentSize" title="#DownstreamContentSize">`DownstreamContentSize`</a> | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
| <a id="RequestCount" href="#RequestCount" title="#RequestCount">`RequestCount`</a> | The number of requests received since the Traefik instance started. |
| <a id="GzipRatio" href="#GzipRatio" title="#GzipRatio">`GzipRatio`</a> | The response body compression ratio achieved. |
| <a id="Overhead" href="#Overhead" title="#Overhead">`Overhead`</a> | The processing time overhead (in nanoseconds) caused by Traefik. |
| <a id="RetryAttempts" href="#RetryAttempts" title="#RetryAttempts">`RetryAttempts`</a> | The amount of attempts the request was retried. |
| <a id="TLSVersion" href="#TLSVersion" title="#TLSVersion">`TLSVersion`</a> | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
| <a id="TLSCipher" href="#TLSCipher" title="#TLSCipher">`TLSCipher`</a> | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS). |
| <a id="TLSClientSubject" href="#TLSClientSubject" title="#TLSClientSubject">`TLSClientSubject`</a> | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`). |
### Log Rotation

388
docs/content/reference/install-configuration/observability/metrics.md
View File

@@ -62,29 +62,29 @@ metrics:
| Field | Description | Default | Required |
|:-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------|:---------|
| `metrics.addInternals` | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| `metrics.otlp.serviceName` | Defines the service name resource attribute. | "traefik" | No |
| `metrics.otlp.resourceAttributes` | Defines additional resource attributes to be sent to the collector. | [] | No |
| `metrics.otlp.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.otlp.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.otlp.addServicesLabels` | Enable metrics on services. | true | No |
| `metrics.otlp.explicitBoundaries` | Explicit boundaries for Histogram data points. | ".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10" | No |
| `metrics.otlp.pushInterval` | Interval at which metrics are sent to the OpenTelemetry Collector. | 10s | No |
| `metrics.otlp.http` | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `metrics.otlp.http.endpoint` | URL of the OpenTelemetry Collector to send metrics to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/metrics" | Yes |
| `metrics.otlp.http.headers` | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector. | - | No |
| `metrics.otlp.http.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle. | "" | No |
| `metrics.otlp.http.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | "" | No |
| `metrics.otlp.http.tls.key` | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `metrics.otlp.http.tls.insecureskipverify` | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| `metrics.otlp.grpc` | This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC. | null/false | No |
| `metrics.otlp.grpc.endpoint` | Address of the OpenTelemetry Collector to send metrics to.<br /> Format="`<host>:<port>`" | "localhost:4317" | Yes |
| `metrics.otlp.grpc.headers` | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector. | - | No |
| `metrics.otlp.http.grpc.insecure` | Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | false | Yes |
| `metrics.otlp.grpc.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle. | - | No |
| `metrics.otlp.grpc.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | - | No |
| `metrics.otlp.grpc.tls.key` | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `metrics.otlp.grpc.tls.insecureskipverify` | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| <a id="metrics-addInternals" href="#metrics-addInternals" title="#metrics-addInternals">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| <a id="metrics-otlp-serviceName" href="#metrics-otlp-serviceName" title="#metrics-otlp-serviceName">`metrics.otlp.serviceName`</a> | Defines the service name resource attribute. | "traefik" | No |
| <a id="metrics-otlp-resourceAttributes" href="#metrics-otlp-resourceAttributes" title="#metrics-otlp-resourceAttributes">`metrics.otlp.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. | [] | No |
| <a id="metrics-otlp-addEntryPointsLabels" href="#metrics-otlp-addEntryPointsLabels" title="#metrics-otlp-addEntryPointsLabels">`metrics.otlp.addEntryPointsLabels`</a> | Enable metrics on entry points. | true | No |
| <a id="metrics-otlp-addRoutersLabels" href="#metrics-otlp-addRoutersLabels" title="#metrics-otlp-addRoutersLabels">`metrics.otlp.addRoutersLabels`</a> | Enable metrics on routers. | false | No |
| <a id="metrics-otlp-addServicesLabels" href="#metrics-otlp-addServicesLabels" title="#metrics-otlp-addServicesLabels">`metrics.otlp.addServicesLabels`</a> | Enable metrics on services. | true | No |
| <a id="metrics-otlp-explicitBoundaries" href="#metrics-otlp-explicitBoundaries" title="#metrics-otlp-explicitBoundaries">`metrics.otlp.explicitBoundaries`</a> | Explicit boundaries for Histogram data points. | ".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10" | No |
| <a id="metrics-otlp-pushInterval" href="#metrics-otlp-pushInterval" title="#metrics-otlp-pushInterval">`metrics.otlp.pushInterval`</a> | Interval at which metrics are sent to the OpenTelemetry Collector. | 10s | No |
| <a id="metrics-otlp-http" href="#metrics-otlp-http" title="#metrics-otlp-http">`metrics.otlp.http`</a> | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| <a id="metrics-otlp-http-endpoint" href="#metrics-otlp-http-endpoint" title="#metrics-otlp-http-endpoint">`metrics.otlp.http.endpoint`</a> | URL of the OpenTelemetry Collector to send metrics to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/metrics" | Yes |
| <a id="metrics-otlp-http-headers" href="#metrics-otlp-http-headers" title="#metrics-otlp-http-headers">`metrics.otlp.http.headers`</a> | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector. | - | No |
| <a id="metrics-otlp-http-tls-ca" href="#metrics-otlp-http-tls-ca" title="#metrics-otlp-http-tls-ca">`metrics.otlp.http.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle. | "" | No |
| <a id="metrics-otlp-http-tls-cert" href="#metrics-otlp-http-tls-cert" title="#metrics-otlp-http-tls-cert">`metrics.otlp.http.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | "" | No |
| <a id="metrics-otlp-http-tls-key" href="#metrics-otlp-http-tls-key" title="#metrics-otlp-http-tls-key">`metrics.otlp.http.tls.key`</a> | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| <a id="metrics-otlp-http-tls-insecureskipverify" href="#metrics-otlp-http-tls-insecureskipverify" title="#metrics-otlp-http-tls-insecureskipverify">`metrics.otlp.http.tls.insecureskipverify`</a> | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| <a id="metrics-otlp-grpc" href="#metrics-otlp-grpc" title="#metrics-otlp-grpc">`metrics.otlp.grpc`</a> | This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC. | null/false | No |
| <a id="metrics-otlp-grpc-endpoint" href="#metrics-otlp-grpc-endpoint" title="#metrics-otlp-grpc-endpoint">`metrics.otlp.grpc.endpoint`</a> | Address of the OpenTelemetry Collector to send metrics to.<br /> Format="`<host>:<port>`" | "localhost:4317" | Yes |
| <a id="metrics-otlp-grpc-headers" href="#metrics-otlp-grpc-headers" title="#metrics-otlp-grpc-headers">`metrics.otlp.grpc.headers`</a> | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector. | - | No |
| <a id="metrics-otlp-http-grpc-insecure" href="#metrics-otlp-http-grpc-insecure" title="#metrics-otlp-http-grpc-insecure">`metrics.otlp.http.grpc.insecure`</a> | Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | false | Yes |
| <a id="metrics-otlp-grpc-tls-ca" href="#metrics-otlp-grpc-tls-ca" title="#metrics-otlp-grpc-tls-ca">`metrics.otlp.grpc.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle. | - | No |
| <a id="metrics-otlp-grpc-tls-cert" href="#metrics-otlp-grpc-tls-cert" title="#metrics-otlp-grpc-tls-cert">`metrics.otlp.grpc.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | - | No |
| <a id="metrics-otlp-grpc-tls-key" href="#metrics-otlp-grpc-tls-key" title="#metrics-otlp-grpc-tls-key">`metrics.otlp.grpc.tls.key`</a> | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| <a id="metrics-otlp-grpc-tls-insecureskipverify" href="#metrics-otlp-grpc-tls-insecureskipverify" title="#metrics-otlp-grpc-tls-insecureskipverify">`metrics.otlp.grpc.tls.insecureskipverify`</a> | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
## Vendors
@@ -112,13 +112,13 @@ metrics:
| Field | Description | Default | Required |
|:------|:-------------------------------|:---------------------|:---------|
| `metrics.addInternals` | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| `datadog.address` | Defines the address for the exporter to send metrics to datadog-agent. More information [here](#address)| `127.0.0.1:8125` | Yes |
| `datadog.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `datadog.addRoutersLabels` | Enable metrics on routers. | false | No |
| `datadog.addServicesLabels` | Enable metrics on services. | true | No |
| `datadog.pushInterval` | Defines the interval used by the exporter to push metrics to datadog-agent. | 10s | No |
| `datadog.prefix` | Defines the prefix to use for metrics collection. | "traefik" | No |
| <a id="metrics-addInternals-2" href="#metrics-addInternals-2" title="#metrics-addInternals-2">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| <a id="datadog-address" href="#datadog-address" title="#datadog-address">`datadog.address`</a> | Defines the address for the exporter to send metrics to datadog-agent. More information [here](#address)| `127.0.0.1:8125` | Yes |
| <a id="datadog-addEntryPointsLabels" href="#datadog-addEntryPointsLabels" title="#datadog-addEntryPointsLabels">`datadog.addEntryPointsLabels`</a> | Enable metrics on entry points. | true | No |
| <a id="datadog-addRoutersLabels" href="#datadog-addRoutersLabels" title="#datadog-addRoutersLabels">`datadog.addRoutersLabels`</a> | Enable metrics on routers. | false | No |
| <a id="datadog-addServicesLabels" href="#datadog-addServicesLabels" title="#datadog-addServicesLabels">`datadog.addServicesLabels`</a> | Enable metrics on services. | true | No |
| <a id="datadog-pushInterval" href="#datadog-pushInterval" title="#datadog-pushInterval">`datadog.pushInterval`</a> | Defines the interval used by the exporter to push metrics to datadog-agent. | 10s | No |
| <a id="datadog-prefix" href="#datadog-prefix" title="#datadog-prefix">`datadog.prefix`</a> | Defines the prefix to use for metrics collection. | "traefik" | No |
##### `address`
@@ -170,16 +170,16 @@ metrics:
| Field | Description | Default | Required |
|:-----------|-------------------------|:--------|:---------|
| `metrics.addInternal` | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| `metrics.influxDB2.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.influxDB2.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.influxDB2.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.influxDB2.additionalLabels` | Additional labels (InfluxDB tags) on all metrics. | - | No |
| `metrics.influxDB2.pushInterval` | The interval used by the exporter to push metrics to InfluxDB server. | 10s | No |
| `metrics.influxDB2.address` | Address of the InfluxDB v2 instance. | "http://localhost:8086" | Yes |
| `metrics.influxDB2.token` | Token with which to connect to InfluxDB v2. | - | Yes |
| `metrics.influxDB2.org` | Organisation where metrics will be stored. | - | Yes |
| `metrics.influxDB2.bucket` | Bucket where metrics will be stored. | - | Yes |
| <a id="metrics-addInternal" href="#metrics-addInternal" title="#metrics-addInternal">`metrics.addInternal`</a> | Enables metrics for internal resources (e.g.: `ping@internal`). | false | No |
| <a id="metrics-influxDB2-addEntryPointsLabels" href="#metrics-influxDB2-addEntryPointsLabels" title="#metrics-influxDB2-addEntryPointsLabels">`metrics.influxDB2.addEntryPointsLabels`</a> | Enable metrics on entry points. | true | No |
| <a id="metrics-influxDB2-addRoutersLabels" href="#metrics-influxDB2-addRoutersLabels" title="#metrics-influxDB2-addRoutersLabels">`metrics.influxDB2.addRoutersLabels`</a> | Enable metrics on routers. | false | No |
| <a id="metrics-influxDB2-addServicesLabels" href="#metrics-influxDB2-addServicesLabels" title="#metrics-influxDB2-addServicesLabels">`metrics.influxDB2.addServicesLabels`</a> | Enable metrics on services.| true | No |
| <a id="metrics-influxDB2-additionalLabels" href="#metrics-influxDB2-additionalLabels" title="#metrics-influxDB2-additionalLabels">`metrics.influxDB2.additionalLabels`</a> | Additional labels (InfluxDB tags) on all metrics. | - | No |
| <a id="metrics-influxDB2-pushInterval" href="#metrics-influxDB2-pushInterval" title="#metrics-influxDB2-pushInterval">`metrics.influxDB2.pushInterval`</a> | The interval used by the exporter to push metrics to InfluxDB server. | 10s | No |
| <a id="metrics-influxDB2-address" href="#metrics-influxDB2-address" title="#metrics-influxDB2-address">`metrics.influxDB2.address`</a> | Address of the InfluxDB v2 instance. | "http://localhost:8086" | Yes |
| <a id="metrics-influxDB2-token" href="#metrics-influxDB2-token" title="#metrics-influxDB2-token">`metrics.influxDB2.token`</a> | Token with which to connect to InfluxDB v2. | - | Yes |
| <a id="metrics-influxDB2-org" href="#metrics-influxDB2-org" title="#metrics-influxDB2-org">`metrics.influxDB2.org`</a> | Organisation where metrics will be stored. | - | Yes |
| <a id="metrics-influxDB2-bucket" href="#metrics-influxDB2-bucket" title="#metrics-influxDB2-bucket">`metrics.influxDB2.bucket`</a> | Bucket where metrics will be stored. | - | Yes |
### Prometheus
@@ -215,14 +215,14 @@ metrics:
| Field | Description | Default | Required |
|:-----------|---------------------|:--------|:---------|
| `metrics.prometheus.addInternals` | Enables metrics for internal resources (e.g.: `ping@internals`). | false | No |
| `metrics.prometheus.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.prometheus.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.prometheus.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.prometheus.buckets` | Buckets for latency metrics. |"0.100000, 0.300000, 1.200000, 5.000000" | No |
| `metrics.prometheus.manualRouting` | Set to _true_, it disables the default internal router in order to allow creating a custom router for the `prometheus@internal` service. | false | No |
| `metrics.prometheus.entryPoint` | Traefik Entrypoint name used to expose metrics. | "traefik" | No |
| `metrics.prometheus.headerLabels` | Defines extra labels extracted from request headers for the `requests_total` metrics.<br />More information [here](#headerlabels). | | Yes |
| <a id="metrics-prometheus-addInternals" href="#metrics-prometheus-addInternals" title="#metrics-prometheus-addInternals">`metrics.prometheus.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internals`). | false | No |
| <a id="metrics-prometheus-addEntryPointsLabels" href="#metrics-prometheus-addEntryPointsLabels" title="#metrics-prometheus-addEntryPointsLabels">`metrics.prometheus.addEntryPointsLabels`</a> | Enable metrics on entry points. | true | No |
| <a id="metrics-prometheus-addRoutersLabels" href="#metrics-prometheus-addRoutersLabels" title="#metrics-prometheus-addRoutersLabels">`metrics.prometheus.addRoutersLabels`</a> | Enable metrics on routers. | false | No |
| <a id="metrics-prometheus-addServicesLabels" href="#metrics-prometheus-addServicesLabels" title="#metrics-prometheus-addServicesLabels">`metrics.prometheus.addServicesLabels`</a> | Enable metrics on services.| true | No |
| <a id="metrics-prometheus-buckets" href="#metrics-prometheus-buckets" title="#metrics-prometheus-buckets">`metrics.prometheus.buckets`</a> | Buckets for latency metrics. |"0.100000, 0.300000, 1.200000, 5.000000" | No |
| <a id="metrics-prometheus-manualRouting" href="#metrics-prometheus-manualRouting" title="#metrics-prometheus-manualRouting">`metrics.prometheus.manualRouting`</a> | Set to _true_, it disables the default internal router in order to allow creating a custom router for the `prometheus@internal` service. | false | No |
| <a id="metrics-prometheus-entryPoint" href="#metrics-prometheus-entryPoint" title="#metrics-prometheus-entryPoint">`metrics.prometheus.entryPoint`</a> | Traefik Entrypoint name used to expose metrics. | "traefik" | No |
| <a id="metrics-prometheus-headerLabels" href="#metrics-prometheus-headerLabels" title="#metrics-prometheus-headerLabels">`metrics.prometheus.headerLabels`</a> | Defines extra labels extracted from request headers for the `requests_total` metrics.<br />More information [here](#headerlabels). | | Yes |
##### headerLabels
@@ -288,13 +288,13 @@ metrics:
| Field | Description | Default | Required |
|:-----------|:-------------------------|:--------|:---------|
| `metrics.addInternals` | Enables metrics for internal resources (e.g.: `ping@internals`). | false | No |
| `metrics.statsD.addEntryPointsLabels` | Enable metrics on entry points. | true | No |
| `metrics.statsD.addRoutersLabels` | Enable metrics on routers. | false | No |
| `metrics.statsD.addServicesLabels` | Enable metrics on services.| true | No |
| `metrics.statsD.pushInterval` | The interval used by the exporter to push metrics to DataDog server. | 10s | No |
| `metrics.statsD.address` | Address instructs exporter to send metrics to statsd at this address. | "127.0.0.1:8125" | Yes |
| `metrics.statsD.prefix` | The prefix to use for metrics collection. | "traefik" | No |
| <a id="metrics-addInternals-3" href="#metrics-addInternals-3" title="#metrics-addInternals-3">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internals`). | false | No |
| <a id="metrics-statsD-addEntryPointsLabels" href="#metrics-statsD-addEntryPointsLabels" title="#metrics-statsD-addEntryPointsLabels">`metrics.statsD.addEntryPointsLabels`</a> | Enable metrics on entry points. | true | No |
| <a id="metrics-statsD-addRoutersLabels" href="#metrics-statsD-addRoutersLabels" title="#metrics-statsD-addRoutersLabels">`metrics.statsD.addRoutersLabels`</a> | Enable metrics on routers. | false | No |
| <a id="metrics-statsD-addServicesLabels" href="#metrics-statsD-addServicesLabels" title="#metrics-statsD-addServicesLabels">`metrics.statsD.addServicesLabels`</a> | Enable metrics on services.| true | No |
| <a id="metrics-statsD-pushInterval" href="#metrics-statsD-pushInterval" title="#metrics-statsD-pushInterval">`metrics.statsD.pushInterval`</a> | The interval used by the exporter to push metrics to DataDog server. | 10s | No |
| <a id="metrics-statsD-address" href="#metrics-statsD-address" title="#metrics-statsD-address">`metrics.statsD.address`</a> | Address instructs exporter to send metrics to statsd at this address. | "127.0.0.1:8125" | Yes |
| <a id="metrics-statsD-prefix" href="#metrics-statsD-prefix" title="#metrics-statsD-prefix">`metrics.statsD.prefix`</a> | The prefix to use for metrics collection. | "traefik" | No |
## Metrics Provided
@@ -303,42 +303,42 @@ metrics:
=== "OpenTelemetry"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `traefik_config_reloads_total` | Count | | The total count of configuration reloads. |
| `traefik_config_last_reload_success` | Gauge | | The timestamp of the last configuration reload success. |
| `traefik_open_connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `traefik_tls_certs_not_after` | Gauge | | The expiration date of certificates. |
| <a id="traefik-config-reloads-total" href="#traefik-config-reloads-total" title="#traefik-config-reloads-total">`traefik_config_reloads_total`</a> | Count | | The total count of configuration reloads. |
| <a id="traefik-config-last-reload-success" href="#traefik-config-last-reload-success" title="#traefik-config-last-reload-success">`traefik_config_last_reload_success`</a> | Gauge | | The timestamp of the last configuration reload success. |
| <a id="traefik-open-connections" href="#traefik-open-connections" title="#traefik-open-connections">`traefik_open_connections`</a> | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| <a id="traefik-tls-certs-not-after" href="#traefik-tls-certs-not-after" title="#traefik-tls-certs-not-after">`traefik_tls_certs_not_after`</a> | Gauge | | The expiration date of certificates. |
=== "Prometheus"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `traefik_config_reloads_total` | Count | | The total count of configuration reloads. |
| `traefik_config_last_reload_success` | Gauge | | The timestamp of the last configuration reload success. |
| `traefik_open_connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `traefik_tls_certs_not_after` | Gauge | | The expiration date of certificates. |
| <a id="traefik-config-reloads-total-2" href="#traefik-config-reloads-total-2" title="#traefik-config-reloads-total-2">`traefik_config_reloads_total`</a> | Count | | The total count of configuration reloads. |
| <a id="traefik-config-last-reload-success-2" href="#traefik-config-last-reload-success-2" title="#traefik-config-last-reload-success-2">`traefik_config_last_reload_success`</a> | Gauge | | The timestamp of the last configuration reload success. |
| <a id="traefik-open-connections-2" href="#traefik-open-connections-2" title="#traefik-open-connections-2">`traefik_open_connections`</a> | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| <a id="traefik-tls-certs-not-after-2" href="#traefik-tls-certs-not-after-2" title="#traefik-tls-certs-not-after-2">`traefik_tls_certs_not_after`</a> | Gauge | | The expiration date of certificates. |
=== "Datadog"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `config.reload.total` | Count | | The total count of configuration reloads. |
| `config.reload.lastSuccessTimestamp` | Gauge | | The timestamp of the last configuration reload success. |
| `open.connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `tls.certs.notAfterTimestamp` | Gauge | | The expiration date of certificates. |
| <a id="config-reload-total" href="#config-reload-total" title="#config-reload-total">`config.reload.total`</a> | Count | | The total count of configuration reloads. |
| <a id="config-reload-lastSuccessTimestamp" href="#config-reload-lastSuccessTimestamp" title="#config-reload-lastSuccessTimestamp">`config.reload.lastSuccessTimestamp`</a> | Gauge | | The timestamp of the last configuration reload success. |
| <a id="open-connections" href="#open-connections" title="#open-connections">`open.connections`</a> | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| <a id="tls-certs-notAfterTimestamp" href="#tls-certs-notAfterTimestamp" title="#tls-certs-notAfterTimestamp">`tls.certs.notAfterTimestamp`</a> | Gauge | | The expiration date of certificates. |
=== "InfluxDB2"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `traefik.config.reload.total` | Count | | The total count of configuration reloads. |
| `traefik.config.reload.lastSuccessTimestamp` | Gauge | | The timestamp of the last configuration reload success. |
| `traefik.open.connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `traefik.tls.certs.notAfterTimestamp` | Gauge | | The expiration date of certificates. |
| <a id="traefik-config-reload-total" href="#traefik-config-reload-total" title="#traefik-config-reload-total">`traefik.config.reload.total`</a> | Count | | The total count of configuration reloads. |
| <a id="traefik-config-reload-lastSuccessTimestamp" href="#traefik-config-reload-lastSuccessTimestamp" title="#traefik-config-reload-lastSuccessTimestamp">`traefik.config.reload.lastSuccessTimestamp`</a> | Gauge | | The timestamp of the last configuration reload success. |
| <a id="traefik-open-connections-3" href="#traefik-open-connections-3" title="#traefik-open-connections-3">`traefik.open.connections`</a> | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| <a id="traefik-tls-certs-notAfterTimestamp" href="#traefik-tls-certs-notAfterTimestamp" title="#traefik-tls-certs-notAfterTimestamp">`traefik.tls.certs.notAfterTimestamp`</a> | Gauge | | The expiration date of certificates. |
=== "StatsD"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `{prefix}.config.reload.total` | Count | | The total count of configuration reloads. |
| `{prefix}.config.reload.lastSuccessTimestamp` | Gauge | | The timestamp of the last configuration reload success. |
| `{prefix}.open.connections` | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| `{prefix}.tls.certs.notAfterTimestamp` | Gauge | | The expiration date of certificates. |
| <a id="prefix-config-reload-total" href="#prefix-config-reload-total" title="#prefix-config-reload-total">`{prefix}.config.reload.total`</a> | Count | | The total count of configuration reloads. |
| <a id="prefix-config-reload-lastSuccessTimestamp" href="#prefix-config-reload-lastSuccessTimestamp" title="#prefix-config-reload-lastSuccessTimestamp">`{prefix}.config.reload.lastSuccessTimestamp`</a> | Gauge | | The timestamp of the last configuration reload success. |
| <a id="prefix-open-connections" href="#prefix-open-connections" title="#prefix-open-connections">`{prefix}.open.connections`</a> | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
| <a id="prefix-tls-certs-notAfterTimestamp" href="#prefix-tls-certs-notAfterTimestamp" title="#prefix-tls-certs-notAfterTimestamp">`{prefix}.tls.certs.notAfterTimestamp`</a> | Gauge | | The expiration date of certificates. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
@@ -349,8 +349,8 @@ Here is a comprehensive list of labels that are provided by the global metrics:
| Label | Description | example |
|--------------|----------------------------------------|----------------------|
| `entrypoint` | Entrypoint that handled the connection | "example_entrypoint" |
| `protocol` | Connection protocol | "TCP" |
| <a id="entrypoint" href="#entrypoint" title="#entrypoint">`entrypoint`</a> | Entrypoint that handled the connection | "example_entrypoint" |
| <a id="protocol" href="#protocol" title="#protocol">`protocol`</a> | Connection protocol | "TCP" |
### OpenTelemetry Semantic Conventions
@@ -360,7 +360,7 @@ Traefik Proxy follows [official OpenTelemetry semantic conventions v1.23.1](http
| Metric | Type | [Labels](#labels) | Description |
|----------|-----------|-------------------------|------------------|
| `http.server.request.duration` | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP server requests |
| <a id="http-server-request-duration" href="#http-server-request-duration" title="#http-server-request-duration">`http.server.request.duration`</a> | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP server requests |
##### Labels
@@ -368,35 +368,35 @@ Here is a comprehensive list of labels that are provided by the metrics:
| Label | Description | example |
|-----------------------------|--------|---------------|
| `error.type` | Describes a class of error the operation ended with | "500" |
| `http.request.method` | HTTP request method | "GET" |
| `http.response.status_code` | HTTP response status code | "200" |
| `network.protocol.name` | OSI application layer or non-OSI equivalent | "http/1.1" |
| `network.protocol.version` | Version of the protocol specified in `network.protocol.name` | "1.1" |
| `server.address` | Name of the local HTTP server that received the request | "example.com" |
| `server.port` | Port of the local HTTP server that received the request | "80" |
| `url.scheme` | The URI scheme component identifying the used protocol | "http" |
| <a id="error-type" href="#error-type" title="#error-type">`error.type`</a> | Describes a class of error the operation ended with | "500" |
| <a id="http-request-method" href="#http-request-method" title="#http-request-method">`http.request.method`</a> | HTTP request method | "GET" |
| <a id="http-response-status-code" href="#http-response-status-code" title="#http-response-status-code">`http.response.status_code`</a> | HTTP response status code | "200" |
| <a id="network-protocol-name" href="#network-protocol-name" title="#network-protocol-name">`network.protocol.name`</a> | OSI application layer or non-OSI equivalent | "http/1.1" |
| <a id="network-protocol-version" href="#network-protocol-version" title="#network-protocol-version">`network.protocol.version`</a> | Version of the protocol specified in `network.protocol.name` | "1.1" |
| <a id="server-address" href="#server-address" title="#server-address">`server.address`</a> | Name of the local HTTP server that received the request | "example.com" |
| <a id="server-port" href="#server-port" title="#server-port">`server.port`</a> | Port of the local HTTP server that received the request | "80" |
| <a id="url-scheme" href="#url-scheme" title="#url-scheme">`url.scheme`</a> | The URI scheme component identifying the used protocol | "http" |
#### HTTP Client
| Metric | Type | [Labels](#labels) | Description |
|-------------------------------|-----------|-----------------|--------|
| `http.client.request.duration` | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP client requests |
| <a id="http-client-request-duration" href="#http-client-request-duration" title="#http-client-request-duration">`http.client.request.duration`</a> | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP client requests |
##### Labels
Here is a comprehensive list of labels that are provided by the metrics:
| Label | Description | example |
|------ -----|------------|---------------|
| `error.type` | Describes a class of error the operation ended with | "500" |
| `http.request.method` | HTTP request method | "GET" |
| `http.response.status_code` | HTTP response status code | "200" |
| `network.protocol.name` | OSI application layer or non-OSI equivalent | "http/1.1" |
| `network.protocol.version` | Version of the protocol specified in `network.protocol.name` | "1.1" |
| `server.address` | Name of the local HTTP server that received the request | "example.com" |
| `server.port` | Port of the local HTTP server that received the request | "80" |
| `url.scheme` | The URI scheme component identifying the used protocol | "http" |
| <a id="Label" href="#Label" title="#Label">Label</a> | Description | example |
| <a id="row" href="#row" title="#row">------ -----</a> |------------|---------------|
| <a id="error-type-2" href="#error-type-2" title="#error-type-2">`error.type`</a> | Describes a class of error the operation ended with | "500" |
| <a id="http-request-method-2" href="#http-request-method-2" title="#http-request-method-2">`http.request.method`</a> | HTTP request method | "GET" |
| <a id="http-response-status-code-2" href="#http-response-status-code-2" title="#http-response-status-code-2">`http.response.status_code`</a> | HTTP response status code | "200" |
| <a id="network-protocol-name-2" href="#network-protocol-name-2" title="#network-protocol-name-2">`network.protocol.name`</a> | OSI application layer or non-OSI equivalent | "http/1.1" |
| <a id="network-protocol-version-2" href="#network-protocol-version-2" title="#network-protocol-version-2">`network.protocol.version`</a> | Version of the protocol specified in `network.protocol.name` | "1.1" |
| <a id="server-address-2" href="#server-address-2" title="#server-address-2">`server.address`</a> | Name of the local HTTP server that received the request | "example.com" |
| <a id="server-port-2" href="#server-port-2" title="#server-port-2">`server.port`</a> | Port of the local HTTP server that received the request | "80" |
| <a id="url-scheme-2" href="#url-scheme-2" title="#url-scheme-2">`url.scheme`</a> | The URI scheme component identifying the used protocol | "http" |
### HTTP Metrics
@@ -408,51 +408,51 @@ On top of the official OpenTelemetry semantic conventions, Traefik provides its
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|--------------------|--------------------------|
| `traefik_entrypoint_requests_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `traefik_entrypoint_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `traefik_entrypoint_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `traefik_entrypoint_requests_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `traefik_entrypoint_responses_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
| <a id="traefik-entrypoint-requests-total" href="#traefik-entrypoint-requests-total" title="#traefik-entrypoint-requests-total">`traefik_entrypoint_requests_total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| <a id="traefik-entrypoint-requests-tls-total" href="#traefik-entrypoint-requests-tls-total" title="#traefik-entrypoint-requests-tls-total">`traefik_entrypoint_requests_tls_total`</a> | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| <a id="traefik-entrypoint-request-duration-seconds" href="#traefik-entrypoint-request-duration-seconds" title="#traefik-entrypoint-request-duration-seconds">`traefik_entrypoint_request_duration_seconds`</a> | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| <a id="traefik-entrypoint-requests-bytes-total" href="#traefik-entrypoint-requests-bytes-total" title="#traefik-entrypoint-requests-bytes-total">`traefik_entrypoint_requests_bytes_total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| <a id="traefik-entrypoint-responses-bytes-total" href="#traefik-entrypoint-responses-bytes-total" title="#traefik-entrypoint-responses-bytes-total">`traefik_entrypoint_responses_bytes_total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "Prometheus"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|------------------------|-------------------------|
| `traefik_entrypoint_requests_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `traefik_entrypoint_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `traefik_entrypoint_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `traefik_entrypoint_requests_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `traefik_entrypoint_responses_bytes_total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
| <a id="traefik-entrypoint-requests-total-2" href="#traefik-entrypoint-requests-total-2" title="#traefik-entrypoint-requests-total-2">`traefik_entrypoint_requests_total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| <a id="traefik-entrypoint-requests-tls-total-2" href="#traefik-entrypoint-requests-tls-total-2" title="#traefik-entrypoint-requests-tls-total-2">`traefik_entrypoint_requests_tls_total`</a> | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| <a id="traefik-entrypoint-request-duration-seconds-2" href="#traefik-entrypoint-request-duration-seconds-2" title="#traefik-entrypoint-request-duration-seconds-2">`traefik_entrypoint_request_duration_seconds`</a> | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| <a id="traefik-entrypoint-requests-bytes-total-2" href="#traefik-entrypoint-requests-bytes-total-2" title="#traefik-entrypoint-requests-bytes-total-2">`traefik_entrypoint_requests_bytes_total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| <a id="traefik-entrypoint-responses-bytes-total-2" href="#traefik-entrypoint-responses-bytes-total-2" title="#traefik-entrypoint-responses-bytes-total-2">`traefik_entrypoint_responses_bytes_total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "Datadog"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|------------------|---------------------------|
| `entrypoint.requests.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `entrypoint.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `entrypoint.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `entrypoint.requests.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `entrypoint.responses.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
| <a id="entrypoint-requests-total" href="#entrypoint-requests-total" title="#entrypoint-requests-total">`entrypoint.requests.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| <a id="entrypoint-requests-tls-total" href="#entrypoint-requests-tls-total" title="#entrypoint-requests-tls-total">`entrypoint.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| <a id="entrypoint-request-duration-seconds" href="#entrypoint-request-duration-seconds" title="#entrypoint-request-duration-seconds">`entrypoint.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| <a id="entrypoint-requests-bytes-total" href="#entrypoint-requests-bytes-total" title="#entrypoint-requests-bytes-total">`entrypoint.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| <a id="entrypoint-responses-bytes-total" href="#entrypoint-responses-bytes-total" title="#entrypoint-responses-bytes-total">`entrypoint.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "InfluxDB2"
| Metric | Type | [Labels](#labels) | Description |
|------------|-----------|-------------------|-----------------|
| `traefik.entrypoint.requests.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `traefik.entrypoint.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `traefik.entrypoint.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `traefik.entrypoint.requests.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `traefik.entrypoint.responses.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
| <a id="traefik-entrypoint-requests-total-3" href="#traefik-entrypoint-requests-total-3" title="#traefik-entrypoint-requests-total-3">`traefik.entrypoint.requests.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| <a id="traefik-entrypoint-requests-tls-total-3" href="#traefik-entrypoint-requests-tls-total-3" title="#traefik-entrypoint-requests-tls-total-3">`traefik.entrypoint.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| <a id="traefik-entrypoint-request-duration-seconds-3" href="#traefik-entrypoint-request-duration-seconds-3" title="#traefik-entrypoint-request-duration-seconds-3">`traefik.entrypoint.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| <a id="traefik-entrypoint-requests-bytes-total-3" href="#traefik-entrypoint-requests-bytes-total-3" title="#traefik-entrypoint-requests-bytes-total-3">`traefik.entrypoint.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| <a id="traefik-entrypoint-responses-bytes-total-3" href="#traefik-entrypoint-responses-bytes-total-3" title="#traefik-entrypoint-responses-bytes-total-3">`traefik.entrypoint.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
=== "StatsD"
| Metric | Type | [Labels](#labels) | Description |
|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
| `{prefix}.entrypoint.requests.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| `{prefix}.entrypoint.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| `{prefix}.entrypoint.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| `{prefix}.entrypoint.requests.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| `{prefix}.entrypoint.responses.bytes.total` | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
| <a id="prefix-entrypoint-requests-total" href="#prefix-entrypoint-requests-total" title="#prefix-entrypoint-requests-total">`{prefix}.entrypoint.requests.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
| <a id="prefix-entrypoint-requests-tls-total" href="#prefix-entrypoint-requests-tls-total" title="#prefix-entrypoint-requests-tls-total">`{prefix}.entrypoint.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
| <a id="prefix-entrypoint-request-duration-seconds" href="#prefix-entrypoint-request-duration-seconds" title="#prefix-entrypoint-request-duration-seconds">`{prefix}.entrypoint.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
| <a id="prefix-entrypoint-requests-bytes-total" href="#prefix-entrypoint-requests-bytes-total" title="#prefix-entrypoint-requests-bytes-total">`{prefix}.entrypoint.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
| <a id="prefix-entrypoint-responses-bytes-total" href="#prefix-entrypoint-responses-bytes-total" title="#prefix-entrypoint-responses-bytes-total">`{prefix}.entrypoint.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
@@ -463,51 +463,51 @@ On top of the official OpenTelemetry semantic conventions, Traefik provides its
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|----------------------|--------------------------------|
| `traefik_router_requests_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `traefik_router_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `traefik_router_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `traefik_router_requests_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `traefik_router_responses_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
| <a id="traefik-router-requests-total" href="#traefik-router-requests-total" title="#traefik-router-requests-total">`traefik_router_requests_total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| <a id="traefik-router-requests-tls-total" href="#traefik-router-requests-tls-total" title="#traefik-router-requests-tls-total">`traefik_router_requests_tls_total`</a> | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| <a id="traefik-router-request-duration-seconds" href="#traefik-router-request-duration-seconds" title="#traefik-router-request-duration-seconds">`traefik_router_request_duration_seconds`</a> | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| <a id="traefik-router-requests-bytes-total" href="#traefik-router-requests-bytes-total" title="#traefik-router-requests-bytes-total">`traefik_router_requests_bytes_total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| <a id="traefik-router-responses-bytes-total" href="#traefik-router-responses-bytes-total" title="#traefik-router-responses-bytes-total">`traefik_router_responses_bytes_total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "Prometheus"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
| `traefik_router_requests_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `traefik_router_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `traefik_router_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `traefik_router_requests_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `traefik_router_responses_bytes_total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
| <a id="traefik-router-requests-total-2" href="#traefik-router-requests-total-2" title="#traefik-router-requests-total-2">`traefik_router_requests_total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| <a id="traefik-router-requests-tls-total-2" href="#traefik-router-requests-tls-total-2" title="#traefik-router-requests-tls-total-2">`traefik_router_requests_tls_total`</a> | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| <a id="traefik-router-request-duration-seconds-2" href="#traefik-router-request-duration-seconds-2" title="#traefik-router-request-duration-seconds-2">`traefik_router_request_duration_seconds`</a> | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| <a id="traefik-router-requests-bytes-total-2" href="#traefik-router-requests-bytes-total-2" title="#traefik-router-requests-bytes-total-2">`traefik_router_requests_bytes_total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| <a id="traefik-router-responses-bytes-total-2" href="#traefik-router-responses-bytes-total-2" title="#traefik-router-responses-bytes-total-2">`traefik_router_responses_bytes_total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "Datadog"
| Metric | Type | [Labels](#labels) | Description |
|-------------|-----------|---------------|---------------------|
| `router.requests.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `router.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `router.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `router.requests.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `router.responses.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
| <a id="router-requests-total" href="#router-requests-total" title="#router-requests-total">`router.requests.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| <a id="router-requests-tls-total" href="#router-requests-tls-total" title="#router-requests-tls-total">`router.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| <a id="router-request-duration-seconds" href="#router-request-duration-seconds" title="#router-request-duration-seconds">`router.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| <a id="router-requests-bytes-total" href="#router-requests-bytes-total" title="#router-requests-bytes-total">`router.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| <a id="router-responses-bytes-total" href="#router-responses-bytes-total" title="#router-responses-bytes-total">`router.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "InfluxDB2"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
| `traefik.router.requests.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `traefik.router.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `traefik.router.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `traefik.router.requests.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `traefik.router.responses.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
| <a id="traefik-router-requests-total-3" href="#traefik-router-requests-total-3" title="#traefik-router-requests-total-3">`traefik.router.requests.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| <a id="traefik-router-requests-tls-total-3" href="#traefik-router-requests-tls-total-3" title="#traefik-router-requests-tls-total-3">`traefik.router.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| <a id="traefik-router-request-duration-seconds-3" href="#traefik-router-request-duration-seconds-3" title="#traefik-router-request-duration-seconds-3">`traefik.router.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| <a id="traefik-router-requests-bytes-total-3" href="#traefik-router-requests-bytes-total-3" title="#traefik-router-requests-bytes-total-3">`traefik.router.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| <a id="traefik-router-responses-bytes-total-3" href="#traefik-router-responses-bytes-total-3" title="#traefik-router-responses-bytes-total-3">`traefik.router.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
=== "StatsD"
| Metric | Type | [Labels](#labels) | Description |
|-----------------------|-----------|---------------|-------------|
| `{prefix}.router.requests.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| `{prefix}.router.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| `{prefix}.router.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| `{prefix}.router.requests.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| `{prefix}.router.responses.bytes.total` | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
| <a id="prefix-router-requests-total" href="#prefix-router-requests-total" title="#prefix-router-requests-total">`{prefix}.router.requests.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
| <a id="prefix-router-requests-tls-total" href="#prefix-router-requests-tls-total" title="#prefix-router-requests-tls-total">`{prefix}.router.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
| <a id="prefix-router-request-duration-seconds" href="#prefix-router-request-duration-seconds" title="#prefix-router-request-duration-seconds">`{prefix}.router.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
| <a id="prefix-router-requests-bytes-total" href="#prefix-router-requests-bytes-total" title="#prefix-router-requests-bytes-total">`{prefix}.router.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
| <a id="prefix-router-responses-bytes-total" href="#prefix-router-responses-bytes-total" title="#prefix-router-responses-bytes-total">`{prefix}.router.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
@@ -518,61 +518,61 @@ On top of the official OpenTelemetry semantic conventions, Traefik provides its
| Metric | Type | Labels | Description |
|-----------------------|-----------|------------|------------|
| `traefik_service_requests_total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `traefik_service_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `traefik_service_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `traefik_service_retries_total` | Count | `service` | The count of requests retries on a service. |
| `traefik_service_server_up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `traefik_service_requests_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `traefik_service_responses_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
| <a id="traefik-service-requests-total" href="#traefik-service-requests-total" title="#traefik-service-requests-total">`traefik_service_requests_total`</a> | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| <a id="traefik-service-requests-tls-total" href="#traefik-service-requests-tls-total" title="#traefik-service-requests-tls-total">`traefik_service_requests_tls_total`</a> | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| <a id="traefik-service-request-duration-seconds" href="#traefik-service-request-duration-seconds" title="#traefik-service-request-duration-seconds">`traefik_service_request_duration_seconds`</a> | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| <a id="traefik-service-retries-total" href="#traefik-service-retries-total" title="#traefik-service-retries-total">`traefik_service_retries_total`</a> | Count | `service` | The count of requests retries on a service. |
| <a id="traefik-service-server-up" href="#traefik-service-server-up" title="#traefik-service-server-up">`traefik_service_server_up`</a> | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| <a id="traefik-service-requests-bytes-total" href="#traefik-service-requests-bytes-total" title="#traefik-service-requests-bytes-total">`traefik_service_requests_bytes_total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| <a id="traefik-service-responses-bytes-total" href="#traefik-service-responses-bytes-total" title="#traefik-service-responses-bytes-total">`traefik_service_responses_bytes_total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "Prometheus"
| Metric | Type | Labels | Description |
|-----------------------|-----------|-------|------------|
| `traefik_service_requests_total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `traefik_service_requests_tls_total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `traefik_service_request_duration_seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `traefik_service_retries_total` | Count | `service` | The count of requests retries on a service. |
| `traefik_service_server_up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `traefik_service_requests_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `traefik_service_responses_bytes_total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
| <a id="traefik-service-requests-total-2" href="#traefik-service-requests-total-2" title="#traefik-service-requests-total-2">`traefik_service_requests_total`</a> | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| <a id="traefik-service-requests-tls-total-2" href="#traefik-service-requests-tls-total-2" title="#traefik-service-requests-tls-total-2">`traefik_service_requests_tls_total`</a> | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| <a id="traefik-service-request-duration-seconds-2" href="#traefik-service-request-duration-seconds-2" title="#traefik-service-request-duration-seconds-2">`traefik_service_request_duration_seconds`</a> | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| <a id="traefik-service-retries-total-2" href="#traefik-service-retries-total-2" title="#traefik-service-retries-total-2">`traefik_service_retries_total`</a> | Count | `service` | The count of requests retries on a service. |
| <a id="traefik-service-server-up-2" href="#traefik-service-server-up-2" title="#traefik-service-server-up-2">`traefik_service_server_up`</a> | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| <a id="traefik-service-requests-bytes-total-2" href="#traefik-service-requests-bytes-total-2" title="#traefik-service-requests-bytes-total-2">`traefik_service_requests_bytes_total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| <a id="traefik-service-responses-bytes-total-2" href="#traefik-service-responses-bytes-total-2" title="#traefik-service-responses-bytes-total-2">`traefik_service_responses_bytes_total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "Datadog"
| Metric | Type | Labels | Description |
|-----------------------|-----------|--------|------------------|
| `service.requests.total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `router.service.tls.total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `service.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `service.retries.total` | Count | `service` | The count of requests retries on a service. |
| `service.server.up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `service.requests.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `service.responses.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
| <a id="service-requests-total" href="#service-requests-total" title="#service-requests-total">`service.requests.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| <a id="router-service-tls-total" href="#router-service-tls-total" title="#router-service-tls-total">`router.service.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| <a id="service-request-duration-seconds" href="#service-request-duration-seconds" title="#service-request-duration-seconds">`service.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| <a id="service-retries-total" href="#service-retries-total" title="#service-retries-total">`service.retries.total`</a> | Count | `service` | The count of requests retries on a service. |
| <a id="service-server-up" href="#service-server-up" title="#service-server-up">`service.server.up`</a> | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| <a id="service-requests-bytes-total" href="#service-requests-bytes-total" title="#service-requests-bytes-total">`service.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| <a id="service-responses-bytes-total" href="#service-responses-bytes-total" title="#service-responses-bytes-total">`service.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "InfluxDB2"
| Metric | Type | Labels | Description |
|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
| `traefik.service.requests.total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `traefik.service.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `traefik.service.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `traefik.service.retries.total` | Count | `service` | The count of requests retries on a service. |
| `traefik.service.server.up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `traefik.service.requests.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `traefik.service.responses.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
| <a id="traefik-service-requests-total-3" href="#traefik-service-requests-total-3" title="#traefik-service-requests-total-3">`traefik.service.requests.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| <a id="traefik-service-requests-tls-total-3" href="#traefik-service-requests-tls-total-3" title="#traefik-service-requests-tls-total-3">`traefik.service.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| <a id="traefik-service-request-duration-seconds-3" href="#traefik-service-request-duration-seconds-3" title="#traefik-service-request-duration-seconds-3">`traefik.service.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| <a id="traefik-service-retries-total-3" href="#traefik-service-retries-total-3" title="#traefik-service-retries-total-3">`traefik.service.retries.total`</a> | Count | `service` | The count of requests retries on a service. |
| <a id="traefik-service-server-up-3" href="#traefik-service-server-up-3" title="#traefik-service-server-up-3">`traefik.service.server.up`</a> | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| <a id="traefik-service-requests-bytes-total-3" href="#traefik-service-requests-bytes-total-3" title="#traefik-service-requests-bytes-total-3">`traefik.service.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| <a id="traefik-service-responses-bytes-total-3" href="#traefik-service-responses-bytes-total-3" title="#traefik-service-responses-bytes-total-3">`traefik.service.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
=== "StatsD"
| Metric | Type | Labels | Description |
|-----------------------|-----------|-----|---------|
| `{prefix}.service.requests.total` | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| `{prefix}.service.requests.tls.total` | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| `{prefix}.service.request.duration.seconds` | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| `{prefix}.service.retries.total` | Count | `service` | The count of requests retries on a service. |
| `{prefix}.service.server.up` | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| `{prefix}.service.requests.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| `{prefix}.service.responses.bytes.total` | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
| <a id="prefix-service-requests-total" href="#prefix-service-requests-total" title="#prefix-service-requests-total">`{prefix}.service.requests.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
| <a id="prefix-service-requests-tls-total" href="#prefix-service-requests-tls-total" title="#prefix-service-requests-tls-total">`{prefix}.service.requests.tls.total`</a> | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
| <a id="prefix-service-request-duration-seconds" href="#prefix-service-request-duration-seconds" title="#prefix-service-request-duration-seconds">`{prefix}.service.request.duration.seconds`</a> | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
| <a id="prefix-service-retries-total" href="#prefix-service-retries-total" title="#prefix-service-retries-total">`{prefix}.service.retries.total`</a> | Count | `service` | The count of requests retries on a service. |
| <a id="prefix-service-server-up" href="#prefix-service-server-up" title="#prefix-service-server-up">`{prefix}.service.server.up`</a> | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
| <a id="prefix-service-requests-bytes-total" href="#prefix-service-requests-bytes-total" title="#prefix-service-requests-bytes-total">`{prefix}.service.requests.bytes.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
| <a id="prefix-service-responses-bytes-total" href="#prefix-service-responses-bytes-total" title="#prefix-service-responses-bytes-total">`{prefix}.service.responses.bytes.total`</a> | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
!!! note "\{prefix\} Default Value"
By default, \{prefix\} value is `traefik`.
@@ -583,18 +583,18 @@ Here is a comprehensive list of labels that are provided by the metrics:
| Label | Description | example |
|---------------|-------------------|----------------------------|
| `cn` | Certificate Common Name | "example.com" |
| `code` | Request code | "200" |
| `entrypoint` | Entrypoint that handled the request | "example_entrypoint" |
| `method` | Request Method | "GET" |
| `protocol` | Request protocol | "http" |
| `router` | Router that handled the request | "example_router" |
| `sans` | Certificate Subject Alternative NameS | "example.com" |
| `serial` | Certificate Serial Number | "123..." |
| `service` | Service that handled the request | "example_service@provider" |
| `tls_cipher` | TLS cipher used for the request | "TLS_FALLBACK_SCSV" |
| `tls_version` | TLS version used for the request | "1.0" |
| `url` | Service server url | "http://example.com" |
| <a id="cn" href="#cn" title="#cn">`cn`</a> | Certificate Common Name | "example.com" |
| <a id="code" href="#code" title="#code">`code`</a> | Request code | "200" |
| <a id="entrypoint-2" href="#entrypoint-2" title="#entrypoint-2">`entrypoint`</a> | Entrypoint that handled the request | "example_entrypoint" |
| <a id="method" href="#method" title="#method">`method`</a> | Request Method | "GET" |
| <a id="protocol-2" href="#protocol-2" title="#protocol-2">`protocol`</a> | Request protocol | "http" |
| <a id="router" href="#router" title="#router">`router`</a> | Router that handled the request | "example_router" |
| <a id="sans" href="#sans" title="#sans">`sans`</a> | Certificate Subject Alternative NameS | "example.com" |
| <a id="serial" href="#serial" title="#serial">`serial`</a> | Certificate Serial Number | "123..." |
| <a id="service" href="#service" title="#service">`service`</a> | Service that handled the request | "example_service@provider" |
| <a id="tls-cipher" href="#tls-cipher" title="#tls-cipher">`tls_cipher`</a> | TLS cipher used for the request | "TLS_FALLBACK_SCSV" |
| <a id="tls-version" href="#tls-version" title="#tls-version">`tls_version`</a> | TLS version used for the request | "1.0" |
| <a id="url" href="#url" title="#url">`url`</a> | Service server url | "http://example.com" |
!!! info "`method` label value"

44
docs/content/reference/install-configuration/observability/tracing.md
View File

@@ -38,25 +38,25 @@ tracing: {}
| Field | Description | Default | Required |
|:-------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|:---------|
| `tracing.addInternals` | Enables tracing for internal resources (e.g.: `ping@internal`). | false | No |
| `tracing.serviceName` | Defines the service name resource attribute. | "traefik" | No |
| `tracing.resourceAttributes` | Defines additional resource attributes to be sent to the collector. | [] | No |
| `tracing.sampleRate` | The proportion of requests to trace, specified between 0.0 and 1.0. | 1.0 | No |
| `tracing.capturedRequestHeaders` | Defines the list of request headers to add as attributes.<br />It applies to client and server kind spans. | [] | No |
| `tracing.capturedResponseHeaders` | Defines the list of response headers to add as attributes.<br />It applies to client and server kind spans. | [] | False |
| `tracing.safeQueryParams` | By default, all query parameters are redacted.<br />Defines the list of query parameters to not redact. | [] | No |
| `tracing.otlp.http` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| `tracing.otlp.http.endpoint` | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/tracing" | Yes |
| `tracing.otlp.http.headers` | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | | No |
| `tracing.otlp.http.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | "" | No |
| `tracing.otlp.http.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | "" | No |
| `tracing.otlp.http.tls.key` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false "" | No |
| `tracing.otlp.http.tls.insecureskipverify` | If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| `tracing.otlp.grpc` | This instructs the exporter to send tracing to the OpenTelemetry Collector using gRPC. | false | No |
| `tracing.otlp.grpc.endpoint` | Address of the OpenTelemetry Collector to send tracing to.<br /> Format="`<host>:<port>`" | "localhost:4317" | Yes |
| `tracing.otlp.grpc.headers` | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | [] | No |
| `tracing.otlp.grpc.insecure` | Allows exporter to send tracing to the OpenTelemetry Collector without using a secured protocol. | false | Yes |
| `tracing.otlp.grpc.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | "" | No |
| `tracing.otlp.grpc.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | "" | No |
| `tracing.otlp.grpc.tls.key` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false "" | No |
| `tracing.otlp.grpc.tls.insecureskipverify` | If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| <a id="tracing-addInternals" href="#tracing-addInternals" title="#tracing-addInternals">`tracing.addInternals`</a> | Enables tracing for internal resources (e.g.: `ping@internal`). | false | No |
| <a id="tracing-serviceName" href="#tracing-serviceName" title="#tracing-serviceName">`tracing.serviceName`</a> | Defines the service name resource attribute. | "traefik" | No |
| <a id="tracing-resourceAttributes" href="#tracing-resourceAttributes" title="#tracing-resourceAttributes">`tracing.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. | [] | No |
| <a id="tracing-sampleRate" href="#tracing-sampleRate" title="#tracing-sampleRate">`tracing.sampleRate`</a> | The proportion of requests to trace, specified between 0.0 and 1.0. | 1.0 | No |
| <a id="tracing-capturedRequestHeaders" href="#tracing-capturedRequestHeaders" title="#tracing-capturedRequestHeaders">`tracing.capturedRequestHeaders`</a> | Defines the list of request headers to add as attributes.<br />It applies to client and server kind spans. | [] | No |
| <a id="tracing-capturedResponseHeaders" href="#tracing-capturedResponseHeaders" title="#tracing-capturedResponseHeaders">`tracing.capturedResponseHeaders`</a> | Defines the list of response headers to add as attributes.<br />It applies to client and server kind spans. | [] | False |
| <a id="tracing-safeQueryParams" href="#tracing-safeQueryParams" title="#tracing-safeQueryParams">`tracing.safeQueryParams`</a> | By default, all query parameters are redacted.<br />Defines the list of query parameters to not redact. | [] | No |
| <a id="tracing-otlp-http" href="#tracing-otlp-http" title="#tracing-otlp-http">`tracing.otlp.http`</a> | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false | No |
| <a id="tracing-otlp-http-endpoint" href="#tracing-otlp-http-endpoint" title="#tracing-otlp-http-endpoint">`tracing.otlp.http.endpoint`</a> | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/tracing" | Yes |
| <a id="tracing-otlp-http-headers" href="#tracing-otlp-http-headers" title="#tracing-otlp-http-headers">`tracing.otlp.http.headers`</a> | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | | No |
| <a id="tracing-otlp-http-tls-ca" href="#tracing-otlp-http-tls-ca" title="#tracing-otlp-http-tls-ca">`tracing.otlp.http.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | "" | No |
| <a id="tracing-otlp-http-tls-cert" href="#tracing-otlp-http-tls-cert" title="#tracing-otlp-http-tls-cert">`tracing.otlp.http.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | "" | No |
| <a id="tracing-otlp-http-tls-key" href="#tracing-otlp-http-tls-key" title="#tracing-otlp-http-tls-key">`tracing.otlp.http.tls.key`</a> | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false "" | No |
| <a id="tracing-otlp-http-tls-insecureskipverify" href="#tracing-otlp-http-tls-insecureskipverify" title="#tracing-otlp-http-tls-insecureskipverify">`tracing.otlp.http.tls.insecureskipverify`</a> | If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |
| <a id="tracing-otlp-grpc" href="#tracing-otlp-grpc" title="#tracing-otlp-grpc">`tracing.otlp.grpc`</a> | This instructs the exporter to send tracing to the OpenTelemetry Collector using gRPC. | false | No |
| <a id="tracing-otlp-grpc-endpoint" href="#tracing-otlp-grpc-endpoint" title="#tracing-otlp-grpc-endpoint">`tracing.otlp.grpc.endpoint`</a> | Address of the OpenTelemetry Collector to send tracing to.<br /> Format="`<host>:<port>`" | "localhost:4317" | Yes |
| <a id="tracing-otlp-grpc-headers" href="#tracing-otlp-grpc-headers" title="#tracing-otlp-grpc-headers">`tracing.otlp.grpc.headers`</a> | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | [] | No |
| <a id="tracing-otlp-grpc-insecure" href="#tracing-otlp-grpc-insecure" title="#tracing-otlp-grpc-insecure">`tracing.otlp.grpc.insecure`</a> | Allows exporter to send tracing to the OpenTelemetry Collector without using a secured protocol. | false | Yes |
| <a id="tracing-otlp-grpc-tls-ca" href="#tracing-otlp-grpc-tls-ca" title="#tracing-otlp-grpc-tls-ca">`tracing.otlp.grpc.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | "" | No |
| <a id="tracing-otlp-grpc-tls-cert" href="#tracing-otlp-grpc-tls-cert" title="#tracing-otlp-grpc-tls-cert">`tracing.otlp.grpc.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | "" | No |
| <a id="tracing-otlp-grpc-tls-key" href="#tracing-otlp-grpc-tls-key" title="#tracing-otlp-grpc-tls-key">`tracing.otlp.grpc.tls.key`</a> | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false "" | No |
| <a id="tracing-otlp-grpc-tls-insecureskipverify" href="#tracing-otlp-grpc-tls-insecureskipverify" title="#tracing-otlp-grpc-tls-insecureskipverify">`tracing.otlp.grpc.tls.insecureskipverify`</a> | If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false | Yes |

46
docs/content/reference/install-configuration/providers/docker.md
View File

@@ -40,22 +40,22 @@ services:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.docker.endpoint` | Specifies the Docker API endpoint. See [here](#endpoint) for more information| "unix:///var/run/docker.sock" | Yes |
| `providers.docker.username` | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| `providers.docker.password` | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| `providers.docker.useBindPortIP` | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| `providers.docker.exposedByDefault` | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| `providers.docker.network` | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.docker.network` label.| "" | No |
| `providers.docker.defaultRule` | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.docker.httpClientTimeout` | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| `providers.docker.watch` | Instructs Traefik to watch Docker events or not. | True | No |
| `providers.docker.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.docker.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.docker.tls.ca` | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| `providers.docker.tls.cert` | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.docker.tls.key` | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.docker.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by the Docker server when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-docker-endpoint" href="#providers-docker-endpoint" title="#providers-docker-endpoint">`providers.docker.endpoint`</a> | Specifies the Docker API endpoint. See [here](#endpoint) for more information| "unix:///var/run/docker.sock" | Yes |
| <a id="providers-docker-username" href="#providers-docker-username" title="#providers-docker-username">`providers.docker.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| <a id="providers-docker-password" href="#providers-docker-password" title="#providers-docker-password">`providers.docker.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| <a id="providers-docker-useBindPortIP" href="#providers-docker-useBindPortIP" title="#providers-docker-useBindPortIP">`providers.docker.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| <a id="providers-docker-exposedByDefault" href="#providers-docker-exposedByDefault" title="#providers-docker-exposedByDefault">`providers.docker.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| <a id="providers-docker-network" href="#providers-docker-network" title="#providers-docker-network">`providers.docker.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.docker.network` label.| "" | No |
| <a id="providers-docker-defaultRule" href="#providers-docker-defaultRule" title="#providers-docker-defaultRule">`providers.docker.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="providers-docker-httpClientTimeout" href="#providers-docker-httpClientTimeout" title="#providers-docker-httpClientTimeout">`providers.docker.httpClientTimeout`</a> | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| <a id="providers-docker-watch" href="#providers-docker-watch" title="#providers-docker-watch">`providers.docker.watch`</a> | Instructs Traefik to watch Docker events or not. | True | No |
| <a id="providers-docker-constraints" href="#providers-docker-constraints" title="#providers-docker-constraints">`providers.docker.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| <a id="providers-docker-allowEmptyServices" href="#providers-docker-allowEmptyServices" title="#providers-docker-allowEmptyServices">`providers.docker.allowEmptyServices`</a> | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| <a id="providers-docker-tls-ca" href="#providers-docker-tls-ca" title="#providers-docker-tls-ca">`providers.docker.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| <a id="providers-docker-tls-cert" href="#providers-docker-tls-cert" title="#providers-docker-tls-cert">`providers.docker.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-docker-tls-key" href="#providers-docker-tls-key" title="#providers-docker-tls-key">`providers.docker.tls.key`</a> | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-docker-tls-insecureSkipVerify" href="#providers-docker-tls-insecureSkipVerify" title="#providers-docker-tls-insecureSkipVerify">`providers.docker.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by the Docker server when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
### `endpoint`
@@ -192,13 +192,13 @@ but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that
| port label | Container's binding | Routes to |
|--------------------|----------------------------------------------------|----------------|
| - | - | IntIP:IntPort |
| - | ExtPort:IntPort | IntIP:IntPort |
| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
| LblPort | - | IntIp:LblPort |
| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
| <a id="row" href="#row" title="#row">-</a> | - | IntIP:IntPort |
| <a id="row-2" href="#row-2" title="#row-2">-</a> | ExtPort:IntPort | IntIP:IntPort |
| <a id="row-3" href="#row-3" title="#row-3">-</a> | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
| <a id="LblPort" href="#LblPort" title="#LblPort">LblPort</a> | - | IntIp:LblPort |
| <a id="LblPort-2" href="#LblPort-2" title="#LblPort-2">LblPort</a> | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
| <a id="LblPort-3" href="#LblPort-3" title="#LblPort-3">LblPort</a> | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
| <a id="LblPort-4" href="#LblPort-4" title="#LblPort-4">LblPort</a> | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
!!! info ""
In the above table:

56
docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
View File

@@ -32,34 +32,34 @@ Attaching tags to services:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.consulCatalog.refreshInterval` | Defines the polling interval.| 15s | No |
| `providers.consulCatalog.prefix` | Defines the prefix for Consul Catalog tags defining Traefik labels.| traefik | yes |
| `providers.consulCatalog.requireConsistent` | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.| false | yes |
| `providers.consulCatalog.exposedByDefault` | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery). | true | no |
| `providers.consulCatalog.defaultRule` | The Default Host rule for all services. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.consulCatalog.connectAware` | Enable Consul Connect support. If set to `true`, Traefik will be enabled to communicate with Connect services. | false | No |
| `providers.consulCatalog.connectByDefault` | Consider every service as Connect capable by default. If set to true, Traefik will consider every Consul Catalog service to be Connect capable by default. The option can be overridden on an instance basis with the traefik.consulcatalog.connect tag. | false | No |
| `providers.consulCatalog.serviceName` | Defines the name of the Traefik service in Consul Catalog. | "traefik" | No |
| `providers.consulCatalog.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.consulCatalog.namespaces` | Defines the namespaces to query. See [here](#namespaces) for more information. | "" | no |
| `providers.consulCatalog.stale` | Instruct Traefik to use stale consistency for catalog reads. | false | no |
| `providers.consulCatalog.cache` | Instruct Traefik to use local agent caching for catalog reads. | false | no |
| `providers.consulCatalog.endpoint` | Defines the Consul server endpoint. | - | yes |
| `providers.consulCatalog.endpoint.address` | Defines the address of the Consul server. | 127.0.0.1:8500 | no |
| `providers.consulCatalog.endpoint.scheme` | Defines the URI scheme for the Consul server. | "" | no |
| `providers.consulCatalog.endpoint.datacenter` | Defines the datacenter to use. If not provided in Traefik, Consul uses the default agent datacenter. | "" | no |
| `providers.consulCatalog.endpoint.token` | Defines a per-request ACL token which overwrites the agent's default token. | "" | no |
| `providers.consulCatalog.endpoint.endpointWaitTime` | Defines a duration for which a `watch` can block. If not provided, the agent default values will be used. | "" | no |
| `providers.consulCatalog.endpoint.httpAuth` | Defines authentication settings for the HTTP client using HTTP Basic Authentication. | N/A | no |
| `providers.consulCatalog.endpoint.httpAuth.username` | Defines the username to use for HTTP Basic Authentication. | "" | no |
| `providers.consulCatalog.endpoint.httpAuth.password` | Defines the password to use for HTTP Basic Authentication. | "" | no |
| `providers.consulCatalog.strictChecks` | Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic. | "passing,warning" | no |
| `providers.consulCatalog.tls.ca` | Defines the path to the certificate authority used for the secure connection to Consul Calatog, it defaults to the system bundle. | "" | No |
| `providers.consulCatalog.tls.cert` | Defines the path to the public certificate used for the secure connection to Consul Calatog. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.consulCatalog.tls.key` | Defines the path to the private key used for the secure connection to Consul Catalog. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.consulCatalog.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by Consul Catalog when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| `providers.consulCatalog.watch` | When set to `true`, watches for Consul changes ([Consul watches checks](https://www.consul.io/docs/dynamic-app-config/watches#checks)). | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-consulCatalog-refreshInterval" href="#providers-consulCatalog-refreshInterval" title="#providers-consulCatalog-refreshInterval">`providers.consulCatalog.refreshInterval`</a> | Defines the polling interval.| 15s | No |
| <a id="providers-consulCatalog-prefix" href="#providers-consulCatalog-prefix" title="#providers-consulCatalog-prefix">`providers.consulCatalog.prefix`</a> | Defines the prefix for Consul Catalog tags defining Traefik labels.| traefik | yes |
| <a id="providers-consulCatalog-requireConsistent" href="#providers-consulCatalog-requireConsistent" title="#providers-consulCatalog-requireConsistent">`providers.consulCatalog.requireConsistent`</a> | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.| false | yes |
| <a id="providers-consulCatalog-exposedByDefault" href="#providers-consulCatalog-exposedByDefault" title="#providers-consulCatalog-exposedByDefault">`providers.consulCatalog.exposedByDefault`</a> | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery). | true | no |
| <a id="providers-consulCatalog-defaultRule" href="#providers-consulCatalog-defaultRule" title="#providers-consulCatalog-defaultRule">`providers.consulCatalog.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="providers-consulCatalog-connectAware" href="#providers-consulCatalog-connectAware" title="#providers-consulCatalog-connectAware">`providers.consulCatalog.connectAware`</a> | Enable Consul Connect support. If set to `true`, Traefik will be enabled to communicate with Connect services. | false | No |
| <a id="providers-consulCatalog-connectByDefault" href="#providers-consulCatalog-connectByDefault" title="#providers-consulCatalog-connectByDefault">`providers.consulCatalog.connectByDefault`</a> | Consider every service as Connect capable by default. If set to true, Traefik will consider every Consul Catalog service to be Connect capable by default. The option can be overridden on an instance basis with the traefik.consulcatalog.connect tag. | false | No |
| <a id="providers-consulCatalog-serviceName" href="#providers-consulCatalog-serviceName" title="#providers-consulCatalog-serviceName">`providers.consulCatalog.serviceName`</a> | Defines the name of the Traefik service in Consul Catalog. | "traefik" | No |
| <a id="providers-consulCatalog-constraints" href="#providers-consulCatalog-constraints" title="#providers-consulCatalog-constraints">`providers.consulCatalog.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| <a id="providers-consulCatalog-namespaces" href="#providers-consulCatalog-namespaces" title="#providers-consulCatalog-namespaces">`providers.consulCatalog.namespaces`</a> | Defines the namespaces to query. See [here](#namespaces) for more information. | "" | no |
| <a id="providers-consulCatalog-stale" href="#providers-consulCatalog-stale" title="#providers-consulCatalog-stale">`providers.consulCatalog.stale`</a> | Instruct Traefik to use stale consistency for catalog reads. | false | no |
| <a id="providers-consulCatalog-cache" href="#providers-consulCatalog-cache" title="#providers-consulCatalog-cache">`providers.consulCatalog.cache`</a> | Instruct Traefik to use local agent caching for catalog reads. | false | no |
| <a id="providers-consulCatalog-endpoint" href="#providers-consulCatalog-endpoint" title="#providers-consulCatalog-endpoint">`providers.consulCatalog.endpoint`</a> | Defines the Consul server endpoint. | - | yes |
| <a id="providers-consulCatalog-endpoint-address" href="#providers-consulCatalog-endpoint-address" title="#providers-consulCatalog-endpoint-address">`providers.consulCatalog.endpoint.address`</a> | Defines the address of the Consul server. | 127.0.0.1:8500 | no |
| <a id="providers-consulCatalog-endpoint-scheme" href="#providers-consulCatalog-endpoint-scheme" title="#providers-consulCatalog-endpoint-scheme">`providers.consulCatalog.endpoint.scheme`</a> | Defines the URI scheme for the Consul server. | "" | no |
| <a id="providers-consulCatalog-endpoint-datacenter" href="#providers-consulCatalog-endpoint-datacenter" title="#providers-consulCatalog-endpoint-datacenter">`providers.consulCatalog.endpoint.datacenter`</a> | Defines the datacenter to use. If not provided in Traefik, Consul uses the default agent datacenter. | "" | no |
| <a id="providers-consulCatalog-endpoint-token" href="#providers-consulCatalog-endpoint-token" title="#providers-consulCatalog-endpoint-token">`providers.consulCatalog.endpoint.token`</a> | Defines a per-request ACL token which overwrites the agent's default token. | "" | no |
| <a id="providers-consulCatalog-endpoint-endpointWaitTime" href="#providers-consulCatalog-endpoint-endpointWaitTime" title="#providers-consulCatalog-endpoint-endpointWaitTime">`providers.consulCatalog.endpoint.endpointWaitTime`</a> | Defines a duration for which a `watch` can block. If not provided, the agent default values will be used. | "" | no |
| <a id="providers-consulCatalog-endpoint-httpAuth" href="#providers-consulCatalog-endpoint-httpAuth" title="#providers-consulCatalog-endpoint-httpAuth">`providers.consulCatalog.endpoint.httpAuth`</a> | Defines authentication settings for the HTTP client using HTTP Basic Authentication. | N/A | no |
| <a id="providers-consulCatalog-endpoint-httpAuth-username" href="#providers-consulCatalog-endpoint-httpAuth-username" title="#providers-consulCatalog-endpoint-httpAuth-username">`providers.consulCatalog.endpoint.httpAuth.username`</a> | Defines the username to use for HTTP Basic Authentication. | "" | no |
| <a id="providers-consulCatalog-endpoint-httpAuth-password" href="#providers-consulCatalog-endpoint-httpAuth-password" title="#providers-consulCatalog-endpoint-httpAuth-password">`providers.consulCatalog.endpoint.httpAuth.password`</a> | Defines the password to use for HTTP Basic Authentication. | "" | no |
| <a id="providers-consulCatalog-strictChecks" href="#providers-consulCatalog-strictChecks" title="#providers-consulCatalog-strictChecks">`providers.consulCatalog.strictChecks`</a> | Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic. | "passing,warning" | no |
| <a id="providers-consulCatalog-tls-ca" href="#providers-consulCatalog-tls-ca" title="#providers-consulCatalog-tls-ca">`providers.consulCatalog.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Consul Calatog, it defaults to the system bundle. | "" | No |
| <a id="providers-consulCatalog-tls-cert" href="#providers-consulCatalog-tls-cert" title="#providers-consulCatalog-tls-cert">`providers.consulCatalog.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Consul Calatog. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-consulCatalog-tls-key" href="#providers-consulCatalog-tls-key" title="#providers-consulCatalog-tls-key">`providers.consulCatalog.tls.key`</a> | Defines the path to the private key used for the secure connection to Consul Catalog. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-consulCatalog-tls-insecureSkipVerify" href="#providers-consulCatalog-tls-insecureSkipVerify" title="#providers-consulCatalog-tls-insecureSkipVerify">`providers.consulCatalog.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by Consul Catalog when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-consulCatalog-watch" href="#providers-consulCatalog-watch" title="#providers-consulCatalog-watch">`providers.consulCatalog.watch`</a> | When set to `true`, watches for Consul changes ([Consul watches checks](https://www.consul.io/docs/dynamic-app-config/watches#checks)). | false | No |
### `requireConsistent`

24
docs/content/reference/install-configuration/providers/hashicorp/consul.md
View File

@@ -26,18 +26,18 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.consul.endpoints` | Defines the endpoint to access Consul. | "127.0.0.1:8500" | yes |
| `providers.consul.rootKey` | Defines the root key of the configuration. | "traefik" | yes |
| `providers.consul.namespaces` | Defines the namespaces to query. See [here](#namespaces) for more information | "" | no |
| `providers.consul.username` | Defines a username to connect to Consul with. | "" | no |
| `providers.consul.password` | Defines a password with which to connect to Consul. | "" | no |
| `providers.consul.token` | Defines a token with which to connect to Consul. | "" | no |
| `providers.consul.tls` | Defines the TLS configuration used for the secure connection to Consul | - | No |
| `providers.consul.tls.ca` | Defines the path to the certificate authority used for the secure connection to Consul, it defaults to the system bundle. | - | Yes |
| `providers.consul.tls.cert` | Defines the path to the public certificate used for the secure connection to Consul. When using this option, setting the `key` option is required. | - | Yes |
| `providers.consul.tls.key` | Defines the path to the private key used for the secure connection to Consul. When using this option, setting the `cert` option is required. | - | Yes |
| `providers.consul.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by Consul when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-consul-endpoints" href="#providers-consul-endpoints" title="#providers-consul-endpoints">`providers.consul.endpoints`</a> | Defines the endpoint to access Consul. | "127.0.0.1:8500" | yes |
| <a id="providers-consul-rootKey" href="#providers-consul-rootKey" title="#providers-consul-rootKey">`providers.consul.rootKey`</a> | Defines the root key of the configuration. | "traefik" | yes |
| <a id="providers-consul-namespaces" href="#providers-consul-namespaces" title="#providers-consul-namespaces">`providers.consul.namespaces`</a> | Defines the namespaces to query. See [here](#namespaces) for more information | "" | no |
| <a id="providers-consul-username" href="#providers-consul-username" title="#providers-consul-username">`providers.consul.username`</a> | Defines a username to connect to Consul with. | "" | no |
| <a id="providers-consul-password" href="#providers-consul-password" title="#providers-consul-password">`providers.consul.password`</a> | Defines a password with which to connect to Consul. | "" | no |
| <a id="providers-consul-token" href="#providers-consul-token" title="#providers-consul-token">`providers.consul.token`</a> | Defines a token with which to connect to Consul. | "" | no |
| <a id="providers-consul-tls" href="#providers-consul-tls" title="#providers-consul-tls">`providers.consul.tls`</a> | Defines the TLS configuration used for the secure connection to Consul | - | No |
| <a id="providers-consul-tls-ca" href="#providers-consul-tls-ca" title="#providers-consul-tls-ca">`providers.consul.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Consul, it defaults to the system bundle. | - | Yes |
| <a id="providers-consul-tls-cert" href="#providers-consul-tls-cert" title="#providers-consul-tls-cert">`providers.consul.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Consul. When using this option, setting the `key` option is required. | - | Yes |
| <a id="providers-consul-tls-key" href="#providers-consul-tls-key" title="#providers-consul-tls-key">`providers.consul.tls.key`</a> | Defines the path to the private key used for the secure connection to Consul. When using this option, setting the `cert` option is required. | - | Yes |
| <a id="providers-consul-tls-insecureSkipVerify" href="#providers-consul-tls-insecureSkipVerify" title="#providers-consul-tls-insecureSkipVerify">`providers.consul.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by Consul when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
### `namespaces`

38
docs/content/reference/install-configuration/providers/hashicorp/nomad.md
View File

@@ -39,25 +39,25 @@ service {
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.nomad.namespaces` | Defines the namespaces in which the nomad services will be discovered.| "" | No |
| `providers.nomad.refreshInterval` | Defines the polling interval. This option is ignored when the `watch` option is enabled | 15s | No |
| `providers.nomad.watch` | Enables the watch mode to refresh the configuration on a per-event basis. | false | No |
| `providers.nomad.throttleDuration` | Defines how often the provider is allowed to handle service events from Nomad. This option is only compatible when the `watch` option is enabled | 0s | No |
| `providers.nomad.defaultRule` | The Default Host rule for all services. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.nomad.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.nomad.exposedByDefault` | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| `providers.nomad.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.nomad.prefix` | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik` | yes |
| `providers.nomad.stale` | Instructs Traefik to use stale consistency for Nomad service API reads. See [here](#stale) for more information | false | No |
| `providers.nomad.endpoint.address` | Defines the Address of the Nomad server. | `http://127.0.0.1:4646` | No |
| `providers.nomad.endpoint.token` | Defines a per-request ACL token if Nomad ACLs are enabled. See [here](#token) for more information | "" | No |
| `providers.nomad.endpoint.endpointWaitTime` | Defines a duration for which a `watch` can block. If not provided, the agent default values will be used. | "" | No |
| `providers.nomad.endpoint.tls` | Defines the TLS configuration used for the secure connection to the Nomad APi. | - | No |
| `providers.nomad.endpoint.tls.ca` | Defines the path to the certificate authority used for the secure connection to the Nomad API, it defaults to the system bundle. | "" | No |
| `providers.nomad.endpoint.tls.cert` | Defines the path to the public certificate used for the secure connection to the Nomad API. When using this option, setting the `key` option is required. | '" | Yes |
| `providers.nomad.endpoint.tls.key` | Defines the path to the private key used for the secure connection to the Nomad API. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.nomad.endpoint.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by Nomad when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-nomad-namespaces" href="#providers-nomad-namespaces" title="#providers-nomad-namespaces">`providers.nomad.namespaces`</a> | Defines the namespaces in which the nomad services will be discovered.| "" | No |
| <a id="providers-nomad-refreshInterval" href="#providers-nomad-refreshInterval" title="#providers-nomad-refreshInterval">`providers.nomad.refreshInterval`</a> | Defines the polling interval. This option is ignored when the `watch` option is enabled | 15s | No |
| <a id="providers-nomad-watch" href="#providers-nomad-watch" title="#providers-nomad-watch">`providers.nomad.watch`</a> | Enables the watch mode to refresh the configuration on a per-event basis. | false | No |
| <a id="providers-nomad-throttleDuration" href="#providers-nomad-throttleDuration" title="#providers-nomad-throttleDuration">`providers.nomad.throttleDuration`</a> | Defines how often the provider is allowed to handle service events from Nomad. This option is only compatible when the `watch` option is enabled | 0s | No |
| <a id="providers-nomad-defaultRule" href="#providers-nomad-defaultRule" title="#providers-nomad-defaultRule">`providers.nomad.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="providers-nomad-constraints" href="#providers-nomad-constraints" title="#providers-nomad-constraints">`providers.nomad.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| <a id="providers-nomad-exposedByDefault" href="#providers-nomad-exposedByDefault" title="#providers-nomad-exposedByDefault">`providers.nomad.exposedByDefault`</a> | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| <a id="providers-nomad-allowEmptyServices" href="#providers-nomad-allowEmptyServices" title="#providers-nomad-allowEmptyServices">`providers.nomad.allowEmptyServices`</a> | Instructs the provider to create any [servers load balancer](../../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| <a id="providers-nomad-prefix" href="#providers-nomad-prefix" title="#providers-nomad-prefix">`providers.nomad.prefix`</a> | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik` | yes |
| <a id="providers-nomad-stale" href="#providers-nomad-stale" title="#providers-nomad-stale">`providers.nomad.stale`</a> | Instructs Traefik to use stale consistency for Nomad service API reads. See [here](#stale) for more information | false | No |
| <a id="providers-nomad-endpoint-address" href="#providers-nomad-endpoint-address" title="#providers-nomad-endpoint-address">`providers.nomad.endpoint.address`</a> | Defines the Address of the Nomad server. | `http://127.0.0.1:4646` | No |
| <a id="providers-nomad-endpoint-token" href="#providers-nomad-endpoint-token" title="#providers-nomad-endpoint-token">`providers.nomad.endpoint.token`</a> | Defines a per-request ACL token if Nomad ACLs are enabled. See [here](#token) for more information | "" | No |
| <a id="providers-nomad-endpoint-endpointWaitTime" href="#providers-nomad-endpoint-endpointWaitTime" title="#providers-nomad-endpoint-endpointWaitTime">`providers.nomad.endpoint.endpointWaitTime`</a> | Defines a duration for which a `watch` can block. If not provided, the agent default values will be used. | "" | No |
| <a id="providers-nomad-endpoint-tls" href="#providers-nomad-endpoint-tls" title="#providers-nomad-endpoint-tls">`providers.nomad.endpoint.tls`</a> | Defines the TLS configuration used for the secure connection to the Nomad APi. | - | No |
| <a id="providers-nomad-endpoint-tls-ca" href="#providers-nomad-endpoint-tls-ca" title="#providers-nomad-endpoint-tls-ca">`providers.nomad.endpoint.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to the Nomad API, it defaults to the system bundle. | "" | No |
| <a id="providers-nomad-endpoint-tls-cert" href="#providers-nomad-endpoint-tls-cert" title="#providers-nomad-endpoint-tls-cert">`providers.nomad.endpoint.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to the Nomad API. When using this option, setting the `key` option is required. | '" | Yes |
| <a id="providers-nomad-endpoint-tls-key" href="#providers-nomad-endpoint-tls-key" title="#providers-nomad-endpoint-tls-key">`providers.nomad.endpoint.tls.key`</a> | Defines the path to the private key used for the secure connection to the Nomad API. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-nomad-endpoint-tls-insecureSkipVerify" href="#providers-nomad-endpoint-tls-insecureSkipVerify" title="#providers-nomad-endpoint-tls-insecureSkipVerify">`providers.nomad.endpoint.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by Nomad when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
### `namespaces`

46
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
View File

@@ -54,19 +54,19 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:--------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.kubernetesCRD.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| `providers.kubernetesCRD.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesCRD.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesCRD.namespaces` | Array of namespaces to watch.<br />If left empty, watch all namespaces. | [] | No |
| `providers.kubernetesCRD.labelselector` | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| `providers.kubernetesCRD.ingressClass` | Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | "" | No |
| `providers.kubernetesCRD.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| `providers.kubernetesCRD.allowEmptyServices` | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status. | false | No |
| `providers.kubernetesCRD.allowCrossNamespace` | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false | No |
| `providers.kubernetesCRD.allowExternalNameServices` | Allows the `IngressRoutes` to reference ExternalName services. | false | No |
| `providers.kubernetesCRD.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
| `providers.kubernetesCRD.disableClusterScopeResources` | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle IngressRoutes with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-kubernetesCRD-endpoint" href="#providers-kubernetesCRD-endpoint" title="#providers-kubernetesCRD-endpoint">`providers.kubernetesCRD.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| <a id="providers-kubernetesCRD-token" href="#providers-kubernetesCRD-token" title="#providers-kubernetesCRD-token">`providers.kubernetesCRD.token`</a> | Bearer token used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesCRD-certAuthFilePath" href="#providers-kubernetesCRD-certAuthFilePath" title="#providers-kubernetesCRD-certAuthFilePath">`providers.kubernetesCRD.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesCRD-namespaces" href="#providers-kubernetesCRD-namespaces" title="#providers-kubernetesCRD-namespaces">`providers.kubernetesCRD.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces. | [] | No |
| <a id="providers-kubernetesCRD-labelselector" href="#providers-kubernetesCRD-labelselector" title="#providers-kubernetesCRD-labelselector">`providers.kubernetesCRD.labelselector`</a> | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| <a id="providers-kubernetesCRD-ingressClass" href="#providers-kubernetesCRD-ingressClass" title="#providers-kubernetesCRD-ingressClass">`providers.kubernetesCRD.ingressClass`</a> | Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | "" | No |
| <a id="providers-kubernetesCRD-throttleDuration" href="#providers-kubernetesCRD-throttleDuration" title="#providers-kubernetesCRD-throttleDuration">`providers.kubernetesCRD.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| <a id="providers-kubernetesCRD-allowEmptyServices" href="#providers-kubernetesCRD-allowEmptyServices" title="#providers-kubernetesCRD-allowEmptyServices">`providers.kubernetesCRD.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status. | false | No |
| <a id="providers-kubernetesCRD-allowCrossNamespace" href="#providers-kubernetesCRD-allowCrossNamespace" title="#providers-kubernetesCRD-allowCrossNamespace">`providers.kubernetesCRD.allowCrossNamespace`</a> | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false | No |
| <a id="providers-kubernetesCRD-allowExternalNameServices" href="#providers-kubernetesCRD-allowExternalNameServices" title="#providers-kubernetesCRD-allowExternalNameServices">`providers.kubernetesCRD.allowExternalNameServices`</a> | Allows the `IngressRoutes` to reference ExternalName services. | false | No |
| <a id="providers-kubernetesCRD-nativeLBByDefault" href="#providers-kubernetesCRD-nativeLBByDefault" title="#providers-kubernetesCRD-nativeLBByDefault">`providers.kubernetesCRD.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
| <a id="providers-kubernetesCRD-disableClusterScopeResources" href="#providers-kubernetesCRD-disableClusterScopeResources" title="#providers-kubernetesCRD-disableClusterScopeResources">`providers.kubernetesCRD.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle IngressRoutes with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false | No |
### endpoint
@@ -110,16 +110,16 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
| Resource | Purpose |
|--------------------------------------------------|--------------------------------------------------------------------|
| [IngressRoute](../../../../routing/providers/kubernetes-crd.md#kind-ingressroute) | HTTP Routing |
| [Middleware](../../../../middlewares/http/overview.md) | Tweaks the HTTP requests before they are sent to your service |
| [TraefikService](../../../../routing/providers/kubernetes-crd.md#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring |
| [TLSOptions](../../../../routing/providers/kubernetes-crd.md#kind-tlsoption) | Allows configuring some parameters of the TLS connection |
| [TLSStores](../../../../routing/providers/kubernetes-crd.md#kind-tlsstore) | Allows configuring the default TLS store |
| [ServersTransport](../../../../routing/providers/kubernetes-crd.md#kind-serverstransport) | Allows configuring the transport between Traefik and the backends |
| [IngressRouteTCP](../../../../routing/providers/kubernetes-crd.md#kind-ingressroutetcp) | TCP Routing |
| [MiddlewareTCP](../../../../routing/providers/kubernetes-crd.md#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service |
| [ServersTransportTCP](../../../../routing/providers/kubernetes-crd.md#kind-serverstransporttc) | Allows configuring the transport between Traefik and the backends |
| [IngressRouteUDP](../../../../routing/providers/kubernetes-crd.md#kind-ingressrouteudp) | UDP Routing |
| <a id="IngressRoute" href="#IngressRoute" title="#IngressRoute">[IngressRoute](../../../../routing/providers/kubernetes-crd.md#kind-ingressroute)</a> | HTTP Routing |
| <a id="Middleware" href="#Middleware" title="#Middleware">[Middleware](../../../../middlewares/http/overview.md)</a> | Tweaks the HTTP requests before they are sent to your service |
| <a id="TraefikService" href="#TraefikService" title="#TraefikService">[TraefikService](../../../../routing/providers/kubernetes-crd.md#kind-traefikservice)</a> | Abstraction for HTTP loadbalancing/mirroring |
| <a id="TLSOptions" href="#TLSOptions" title="#TLSOptions">[TLSOptions](../../../../routing/providers/kubernetes-crd.md#kind-tlsoption)</a> | Allows configuring some parameters of the TLS connection |
| <a id="TLSStores" href="#TLSStores" title="#TLSStores">[TLSStores](../../../../routing/providers/kubernetes-crd.md#kind-tlsstore)</a> | Allows configuring the default TLS store |
| <a id="ServersTransport" href="#ServersTransport" title="#ServersTransport">[ServersTransport](../../../../routing/providers/kubernetes-crd.md#kind-serverstransport)</a> | Allows configuring the transport between Traefik and the backends |
| <a id="IngressRouteTCP" href="#IngressRouteTCP" title="#IngressRouteTCP">[IngressRouteTCP](../../../../routing/providers/kubernetes-crd.md#kind-ingressroutetcp)</a> | TCP Routing |
| <a id="MiddlewareTCP" href="#MiddlewareTCP" title="#MiddlewareTCP">[MiddlewareTCP](../../../../routing/providers/kubernetes-crd.md#kind-middlewaretcp)</a> | Tweaks the TCP requests before they are sent to your service |
| <a id="ServersTransportTCP" href="#ServersTransportTCP" title="#ServersTransportTCP">[ServersTransportTCP](../../../../routing/providers/kubernetes-crd.md#kind-serverstransporttc)</a> | Allows configuring the transport between Traefik and the backends |
| <a id="IngressRouteUDP" href="#IngressRouteUDP" title="#IngressRouteUDP">[IngressRouteUDP](../../../../routing/providers/kubernetes-crd.md#kind-ingressrouteudp)</a> | UDP Routing |
## Particularities

26
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
View File

@@ -69,19 +69,19 @@ providers:
| Field | Description | Default | Required |
|:----------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.kubernetesGateway.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| `providers.kubernetesGateway.experimentalChannel` | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`) | false | No |
| `providers.kubernetesGateway.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesGateway.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesGateway.namespaces` | Array of namespaces to watch.<br />If left empty, watch all namespaces. | [] | No |
| `providers.kubernetesGateway.labelselector` | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](./kubernetes-crd.md#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| `providers.kubernetesGateway.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| `providers.kubernetesGateway.nativeLBByDefault` | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation. | false | No |
| `providers.kubernetesGateway.`<br />`statusAddress.hostname` | Hostname copied to the Gateway `status.addresses`. | "" | No |
| `providers.kubernetesGateway.`<br />`statusAddress.ip` | IP address copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6). | "" | No |
| `providers.kubernetesGateway.`<br />`statusAddress.service.namespace` | The namespace of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`. | "" | No |
| `providers.kubernetesGateway.`<br />`statusAddress.service.name` | The name of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`. | "" | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-kubernetesGateway-endpoint" href="#providers-kubernetesGateway-endpoint" title="#providers-kubernetesGateway-endpoint">`providers.kubernetesGateway.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| <a id="providers-kubernetesGateway-experimentalChannel" href="#providers-kubernetesGateway-experimentalChannel" title="#providers-kubernetesGateway-experimentalChannel">`providers.kubernetesGateway.experimentalChannel`</a> | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`) | false | No |
| <a id="providers-kubernetesGateway-token" href="#providers-kubernetesGateway-token" title="#providers-kubernetesGateway-token">`providers.kubernetesGateway.token`</a> | Bearer token used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesGateway-certAuthFilePath" href="#providers-kubernetesGateway-certAuthFilePath" title="#providers-kubernetesGateway-certAuthFilePath">`providers.kubernetesGateway.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesGateway-namespaces" href="#providers-kubernetesGateway-namespaces" title="#providers-kubernetesGateway-namespaces">`providers.kubernetesGateway.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces. | [] | No |
| <a id="providers-kubernetesGateway-labelselector" href="#providers-kubernetesGateway-labelselector" title="#providers-kubernetesGateway-labelselector">`providers.kubernetesGateway.labelselector`</a> | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](./kubernetes-crd.md#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| <a id="providers-kubernetesGateway-throttleDuration" href="#providers-kubernetesGateway-throttleDuration" title="#providers-kubernetesGateway-throttleDuration">`providers.kubernetesGateway.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| <a id="providers-kubernetesGateway-nativeLBByDefault" href="#providers-kubernetesGateway-nativeLBByDefault" title="#providers-kubernetesGateway-nativeLBByDefault">`providers.kubernetesGateway.nativeLBByDefault`</a> | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation. | false | No |
| <a id="providers-kubernetesGateway-statusAddress-hostname" href="#providers-kubernetesGateway-statusAddress-hostname" title="#providers-kubernetesGateway-statusAddress-hostname">`providers.kubernetesGateway.`<br />`statusAddress.hostname`</a> | Hostname copied to the Gateway `status.addresses`. | "" | No |
| <a id="providers-kubernetesGateway-statusAddress-ip" href="#providers-kubernetesGateway-statusAddress-ip" title="#providers-kubernetesGateway-statusAddress-ip">`providers.kubernetesGateway.`<br />`statusAddress.ip`</a> | IP address copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6). | "" | No |
| <a id="providers-kubernetesGateway-statusAddress-service-namespace" href="#providers-kubernetesGateway-statusAddress-service-namespace" title="#providers-kubernetesGateway-statusAddress-service-namespace">`providers.kubernetesGateway.`<br />`statusAddress.service.namespace`</a> | The namespace of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`. | "" | No |
| <a id="providers-kubernetesGateway-statusAddress-service-name" href="#providers-kubernetesGateway-statusAddress-service-name" title="#providers-kubernetesGateway-statusAddress-service-name">`providers.kubernetesGateway.`<br />`statusAddress.service.name`</a> | The name of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`. | "" | No |
<!-- markdownlint-enable MD013 -->

30
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
View File

@@ -49,21 +49,21 @@ which in turn creates the resulting routers, services, handlers, etc.
| Field | Description | Default | Required |
|:------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.kubernetesIngressNGINX.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| `providers.kubernetesIngressNGINX.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesIngressNGINX.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesIngressNGINX.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| `providers.kubernetesIngressNGINX.watchNamespace` | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | "" | No |
| `providers.kubernetesIngressNGINX.watchNamespaceSelector` | Selector selects namespaces the controller watches for updates to Kubernetes objects. | "" | No |
| `providers.kubernetesIngressNGINX.ingressClass` | Name of the ingress class this controller satisfies. | "" | No |
| `providers.kubernetesIngressNGINX.controllerClass` | Ingress Class Controller value this controller satisfies. | "" | No |
| `providers.kubernetesIngressNGINX.watchIngressWithoutClass` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false | No |
| `providers.kubernetesIngressNGINX.ingressClassByName` | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false | No |
| `providers.kubernetesIngressNGINX.publishService` | Service fronting the Ingress controller. Takes the form namespace/name. | "" | No |
| `providers.kubernetesIngressNGINX.publishStatusAddress` | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | "" | No |
| `providers.kubernetesIngressNGINX.defaultBackendService` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | "" | No |
| `providers.kubernetesIngressNGINX.disableSvcExternalName` | Disable support for Services of type ExternalName. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-kubernetesIngressNGINX-endpoint" href="#providers-kubernetesIngressNGINX-endpoint" title="#providers-kubernetesIngressNGINX-endpoint">`providers.kubernetesIngressNGINX.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| <a id="providers-kubernetesIngressNGINX-token" href="#providers-kubernetesIngressNGINX-token" title="#providers-kubernetesIngressNGINX-token">`providers.kubernetesIngressNGINX.token`</a> | Bearer token used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesIngressNGINX-certAuthFilePath" href="#providers-kubernetesIngressNGINX-certAuthFilePath" title="#providers-kubernetesIngressNGINX-certAuthFilePath">`providers.kubernetesIngressNGINX.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesIngressNGINX-throttleDuration" href="#providers-kubernetesIngressNGINX-throttleDuration" title="#providers-kubernetesIngressNGINX-throttleDuration">`providers.kubernetesIngressNGINX.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| <a id="providers-kubernetesIngressNGINX-watchNamespace" href="#providers-kubernetesIngressNGINX-watchNamespace" title="#providers-kubernetesIngressNGINX-watchNamespace">`providers.kubernetesIngressNGINX.watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | "" | No |
| <a id="providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.kubernetesIngressNGINX.watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects. | "" | No |
| <a id="providers-kubernetesIngressNGINX-ingressClass" href="#providers-kubernetesIngressNGINX-ingressClass" title="#providers-kubernetesIngressNGINX-ingressClass">`providers.kubernetesIngressNGINX.ingressClass`</a> | Name of the ingress class this controller satisfies. | "" | No |
| <a id="providers-kubernetesIngressNGINX-controllerClass" href="#providers-kubernetesIngressNGINX-controllerClass" title="#providers-kubernetesIngressNGINX-controllerClass">`providers.kubernetesIngressNGINX.controllerClass`</a> | Ingress Class Controller value this controller satisfies. | "" | No |
| <a id="providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.kubernetesIngressNGINX.watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false | No |
| <a id="providers-kubernetesIngressNGINX-ingressClassByName" href="#providers-kubernetesIngressNGINX-ingressClassByName" title="#providers-kubernetesIngressNGINX-ingressClassByName">`providers.kubernetesIngressNGINX.ingressClassByName`</a> | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false | No |
| <a id="providers-kubernetesIngressNGINX-publishService" href="#providers-kubernetesIngressNGINX-publishService" title="#providers-kubernetesIngressNGINX-publishService">`providers.kubernetesIngressNGINX.publishService`</a> | Service fronting the Ingress controller. Takes the form namespace/name. | "" | No |
| <a id="providers-kubernetesIngressNGINX-publishStatusAddress" href="#providers-kubernetesIngressNGINX-publishStatusAddress" title="#providers-kubernetesIngressNGINX-publishStatusAddress">`providers.kubernetesIngressNGINX.publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | "" | No |
| <a id="providers-kubernetesIngressNGINX-defaultBackendService" href="#providers-kubernetesIngressNGINX-defaultBackendService" title="#providers-kubernetesIngressNGINX-defaultBackendService">`providers.kubernetesIngressNGINX.defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | "" | No |
| <a id="providers-kubernetesIngressNGINX-disableSvcExternalName" href="#providers-kubernetesIngressNGINX-disableSvcExternalName" title="#providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.kubernetesIngressNGINX.disableSvcExternalName`</a> | Disable support for Services of type ExternalName. | false | No |
<!-- markdownlint-enable MD013 -->

36
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
View File

@@ -46,24 +46,24 @@ which in turn creates the resulting routers, services, handlers, etc.
| Field | Description | Default | Required |
|:-----------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.kubernetesIngress.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| `providers.kubernetesIngress.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesIngress.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesCRD.namespaces` | Array of namespaces to watch.<br />If left empty, watch all namespaces. | | No |
| `providers.kubernetesIngress.labelselector` | Allow filtering on Ingress objects using label selectors.<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| `providers.kubernetesIngress.ingressClass` | The `IngressClass` resource name or the `kubernetes.io/ingress.class` annotation value that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | "" | No |
| `providers.kubernetesIngress.disableIngressClassLookup` | Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option. | false | No |
| `providers.kubernetesIngress.`<br />`ingressEndpoint.hostname` | Hostname used for Kubernetes Ingress endpoints. | "" | No |
| `providers.kubernetesIngress.`<br />`ingressEndpoint.ip` | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6). | "" | No |
| `providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService` | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice). | "" | No |
| `providers.kubernetesIngress.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| `providers.kubernetesIngress.allowEmptyServices` | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status. | false | No |
| `providers.kubernetesIngress.allowCrossNamespace` | Allows the `Ingress` to reference resources in namespaces other than theirs. | false | No |
| `providers.kubernetesIngress.allowExternalNameServices` | Allows the `Ingress` to reference ExternalName services. | false | No |
| `providers.kubernetesIngress.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
| `providers.kubernetesIngress.disableClusterScopeResources` | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false | No |
| `providers.kubernetesIngress.strictPrefixMatching` | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-kubernetesIngress-endpoint" href="#providers-kubernetesIngress-endpoint" title="#providers-kubernetesIngress-endpoint">`providers.kubernetesIngress.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
| <a id="providers-kubernetesIngress-token" href="#providers-kubernetesIngress-token" title="#providers-kubernetesIngress-token">`providers.kubernetesIngress.token`</a> | Bearer token used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesIngress-certAuthFilePath" href="#providers-kubernetesIngress-certAuthFilePath" title="#providers-kubernetesIngress-certAuthFilePath">`providers.kubernetesIngress.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
| <a id="providers-kubernetesCRD-namespaces" href="#providers-kubernetesCRD-namespaces" title="#providers-kubernetesCRD-namespaces">`providers.kubernetesCRD.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces. | | No |
| <a id="providers-kubernetesIngress-labelselector" href="#providers-kubernetesIngress-labelselector" title="#providers-kubernetesIngress-labelselector">`providers.kubernetesIngress.labelselector`</a> | Allow filtering on Ingress objects using label selectors.<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| <a id="providers-kubernetesIngress-ingressClass" href="#providers-kubernetesIngress-ingressClass" title="#providers-kubernetesIngress-ingressClass">`providers.kubernetesIngress.ingressClass`</a> | The `IngressClass` resource name or the `kubernetes.io/ingress.class` annotation value that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | "" | No |
| <a id="providers-kubernetesIngress-disableIngressClassLookup" href="#providers-kubernetesIngress-disableIngressClassLookup" title="#providers-kubernetesIngress-disableIngressClassLookup">`providers.kubernetesIngress.disableIngressClassLookup`</a> | Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option. | false | No |
| <a id="providers-kubernetesIngress-ingressEndpoint-hostname" href="#providers-kubernetesIngress-ingressEndpoint-hostname" title="#providers-kubernetesIngress-ingressEndpoint-hostname">`providers.kubernetesIngress.`<br />`ingressEndpoint.hostname`</a> | Hostname used for Kubernetes Ingress endpoints. | "" | No |
| <a id="providers-kubernetesIngress-ingressEndpoint-ip" href="#providers-kubernetesIngress-ingressEndpoint-ip" title="#providers-kubernetesIngress-ingressEndpoint-ip">`providers.kubernetesIngress.`<br />`ingressEndpoint.ip`</a> | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6). | "" | No |
| <a id="providers-kubernetesIngress-ingressEndpoint-publishedService" href="#providers-kubernetesIngress-ingressEndpoint-publishedService" title="#providers-kubernetesIngress-ingressEndpoint-publishedService">`providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService`</a> | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice). | "" | No |
| <a id="providers-kubernetesIngress-throttleDuration" href="#providers-kubernetesIngress-throttleDuration" title="#providers-kubernetesIngress-throttleDuration">`providers.kubernetesIngress.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
| <a id="providers-kubernetesIngress-allowEmptyServices" href="#providers-kubernetesIngress-allowEmptyServices" title="#providers-kubernetesIngress-allowEmptyServices">`providers.kubernetesIngress.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status. | false | No |
| <a id="providers-kubernetesIngress-allowCrossNamespace" href="#providers-kubernetesIngress-allowCrossNamespace" title="#providers-kubernetesIngress-allowCrossNamespace">`providers.kubernetesIngress.allowCrossNamespace`</a> | Allows the `Ingress` to reference resources in namespaces other than theirs. | false | No |
| <a id="providers-kubernetesIngress-allowExternalNameServices" href="#providers-kubernetesIngress-allowExternalNameServices" title="#providers-kubernetesIngress-allowExternalNameServices">`providers.kubernetesIngress.allowExternalNameServices`</a> | Allows the `Ingress` to reference ExternalName services. | false | No |
| <a id="providers-kubernetesIngress-nativeLBByDefault" href="#providers-kubernetesIngress-nativeLBByDefault" title="#providers-kubernetesIngress-nativeLBByDefault">`providers.kubernetesIngress.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
| <a id="providers-kubernetesIngress-disableClusterScopeResources" href="#providers-kubernetesIngress-disableClusterScopeResources" title="#providers-kubernetesIngress-disableClusterScopeResources">`providers.kubernetesIngress.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false | No |
| <a id="providers-kubernetesIngress-strictPrefixMatching" href="#providers-kubernetesIngress-strictPrefixMatching" title="#providers-kubernetesIngress-strictPrefixMatching">`providers.kubernetesIngress.strictPrefixMatching`</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`. | false | No |
<!-- markdownlint-enable MD013 -->

20
docs/content/reference/install-configuration/providers/kv/etcd.md
View File

@@ -26,16 +26,16 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.etcd.endpoints` | Defines the endpoint to access etcd. | "127.0.0.1:2379" | Yes |
| `providers.etcd.rootKey` | Defines the root key for the configuration. | "traefik" | Yes |
| `providers.etcd.username` | Defines a username with which to connect to etcd. | "" | No |
| `providers.etcd.password` | Defines a password for connecting to etcd. | "" | No |
| `providers.etcd.tls` | Defines the TLS configuration used for the secure connection to etcd. | - | No |
| `providers.etcd.tls.ca` | Defines the path to the certificate authority used for the secure connection to etcd, it defaults to the system bundle. | "" | No |
| `providers.etcd.tls.cert` | Defines the path to the public certificate used for the secure connection to etcd. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.etcd.tls.key` | Defines the path to the private key used for the secure connection to etcd. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.etcd.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by etcd when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-etcd-endpoints" href="#providers-etcd-endpoints" title="#providers-etcd-endpoints">`providers.etcd.endpoints`</a> | Defines the endpoint to access etcd. | "127.0.0.1:2379" | Yes |
| <a id="providers-etcd-rootKey" href="#providers-etcd-rootKey" title="#providers-etcd-rootKey">`providers.etcd.rootKey`</a> | Defines the root key for the configuration. | "traefik" | Yes |
| <a id="providers-etcd-username" href="#providers-etcd-username" title="#providers-etcd-username">`providers.etcd.username`</a> | Defines a username with which to connect to etcd. | "" | No |
| <a id="providers-etcd-password" href="#providers-etcd-password" title="#providers-etcd-password">`providers.etcd.password`</a> | Defines a password for connecting to etcd. | "" | No |
| <a id="providers-etcd-tls" href="#providers-etcd-tls" title="#providers-etcd-tls">`providers.etcd.tls`</a> | Defines the TLS configuration used for the secure connection to etcd. | - | No |
| <a id="providers-etcd-tls-ca" href="#providers-etcd-tls-ca" title="#providers-etcd-tls-ca">`providers.etcd.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to etcd, it defaults to the system bundle. | "" | No |
| <a id="providers-etcd-tls-cert" href="#providers-etcd-tls-cert" title="#providers-etcd-tls-cert">`providers.etcd.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to etcd. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-etcd-tls-key" href="#providers-etcd-tls-key" title="#providers-etcd-tls-key">`providers.etcd.tls.key`</a> | Defines the path to the private key used for the secure connection to etcd. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-etcd-tls-insecureSkipVerify" href="#providers-etcd-tls-insecureSkipVerify" title="#providers-etcd-tls-insecureSkipVerify">`providers.etcd.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by etcd when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
## Routing Configuration

38
docs/content/reference/install-configuration/providers/kv/redis.md
View File

@@ -26,25 +26,25 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.redis.endpoints` | Defines the endpoint to access Redis. | "127.0.0.1:6379" | Yes |
| `providers.redis.rootKey` | Defines the root key for the configuration. | "traefik" | Yes |
| `providers.redis.username` | Defines a username for connecting to Redis. | "" | No |
| `providers.redis.password` | Defines a password for connecting to Redis. | "" | No |
| `providers.redis.db` | Defines the database to be selected after connecting to the Redis. | 0 | No |
| `providers.redis.tls` | Defines the TLS configuration used for the secure connection to Redis. | - | No |
| `providers.redis.tls.ca` | Defines the path to the certificate authority used for the secure connection to Redis, it defaults to the system bundle. | "" | No |
| `providers.redis.tls.cert` | Defines the path to the public certificate used for the secure connection to Redis. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.redis.tls.key` | Defines the path to the private key used for the secure connection to Redis. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.redis.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by Redis when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| `providers.redis.sentinel` | Defines the Sentinel configuration used to interact with Redis Sentinel. | - | No |
| `providers.redis.sentinel.masterName` | Defines the name of the Sentinel master. | "" | Yes |
| `providers.redis.sentinel.username` | Defines the username for Sentinel authentication. | "" | No |
| `providers.redis.sentinel.password` | Defines the password for Sentinel authentication. | "" | No |
| `providers.redis.sentinel.latencyStrategy` | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false | No |
| `providers.redis.sentinel.randomStrategy` | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false | No |
| `providers.redis.sentinel.replicaStrategy` | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false | No |
| `providers.redis.sentinel.useDisconnectedReplicas` | Defines whether to use replicas disconnected with master when cannot get connected replicas. | false | false |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-redis-endpoints" href="#providers-redis-endpoints" title="#providers-redis-endpoints">`providers.redis.endpoints`</a> | Defines the endpoint to access Redis. | "127.0.0.1:6379" | Yes |
| <a id="providers-redis-rootKey" href="#providers-redis-rootKey" title="#providers-redis-rootKey">`providers.redis.rootKey`</a> | Defines the root key for the configuration. | "traefik" | Yes |
| <a id="providers-redis-username" href="#providers-redis-username" title="#providers-redis-username">`providers.redis.username`</a> | Defines a username for connecting to Redis. | "" | No |
| <a id="providers-redis-password" href="#providers-redis-password" title="#providers-redis-password">`providers.redis.password`</a> | Defines a password for connecting to Redis. | "" | No |
| <a id="providers-redis-db" href="#providers-redis-db" title="#providers-redis-db">`providers.redis.db`</a> | Defines the database to be selected after connecting to the Redis. | 0 | No |
| <a id="providers-redis-tls" href="#providers-redis-tls" title="#providers-redis-tls">`providers.redis.tls`</a> | Defines the TLS configuration used for the secure connection to Redis. | - | No |
| <a id="providers-redis-tls-ca" href="#providers-redis-tls-ca" title="#providers-redis-tls-ca">`providers.redis.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Redis, it defaults to the system bundle. | "" | No |
| <a id="providers-redis-tls-cert" href="#providers-redis-tls-cert" title="#providers-redis-tls-cert">`providers.redis.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Redis. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-redis-tls-key" href="#providers-redis-tls-key" title="#providers-redis-tls-key">`providers.redis.tls.key`</a> | Defines the path to the private key used for the secure connection to Redis. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-redis-tls-insecureSkipVerify" href="#providers-redis-tls-insecureSkipVerify" title="#providers-redis-tls-insecureSkipVerify">`providers.redis.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by Redis when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-redis-sentinel" href="#providers-redis-sentinel" title="#providers-redis-sentinel">`providers.redis.sentinel`</a> | Defines the Sentinel configuration used to interact with Redis Sentinel. | - | No |
| <a id="providers-redis-sentinel-masterName" href="#providers-redis-sentinel-masterName" title="#providers-redis-sentinel-masterName">`providers.redis.sentinel.masterName`</a> | Defines the name of the Sentinel master. | "" | Yes |
| <a id="providers-redis-sentinel-username" href="#providers-redis-sentinel-username" title="#providers-redis-sentinel-username">`providers.redis.sentinel.username`</a> | Defines the username for Sentinel authentication. | "" | No |
| <a id="providers-redis-sentinel-password" href="#providers-redis-sentinel-password" title="#providers-redis-sentinel-password">`providers.redis.sentinel.password`</a> | Defines the password for Sentinel authentication. | "" | No |
| <a id="providers-redis-sentinel-latencyStrategy" href="#providers-redis-sentinel-latencyStrategy" title="#providers-redis-sentinel-latencyStrategy">`providers.redis.sentinel.latencyStrategy`</a> | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false | No |
| <a id="providers-redis-sentinel-randomStrategy" href="#providers-redis-sentinel-randomStrategy" title="#providers-redis-sentinel-randomStrategy">`providers.redis.sentinel.randomStrategy`</a> | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false | No |
| <a id="providers-redis-sentinel-replicaStrategy" href="#providers-redis-sentinel-replicaStrategy" title="#providers-redis-sentinel-replicaStrategy">`providers.redis.sentinel.replicaStrategy`</a> | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false | No |
| <a id="providers-redis-sentinel-useDisconnectedReplicas" href="#providers-redis-sentinel-useDisconnectedReplicas" title="#providers-redis-sentinel-useDisconnectedReplicas">`providers.redis.sentinel.useDisconnectedReplicas`</a> | Defines whether to use replicas disconnected with master when cannot get connected replicas. | false | false |
## Routing Configuration

20
docs/content/reference/install-configuration/providers/kv/zk.md
View File

@@ -26,16 +26,16 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.zooKeeper.endpoints` | Defines the endpoint to access ZooKeeper. | "127.0.0.1:2181" | Yes |
| `providers.zooKeeper.rootKey` | Defines the root key for the configuration. | "traefik" | Yes |
| `providers.zooKeeper.username` | Defines a username with which to connect to zooKeeper. | "" | No |
| `providers.zooKeeper.password` | Defines a password for connecting to zooKeeper. | "" | No |
| `providers.zooKeeper.tls` | Defines the TLS configuration used for the secure connection to zooKeeper. | - | No |
| `providers.zooKeeper.tls.ca` | Defines the path to the certificate authority used for the secure connection to zooKeeper, it defaults to the system bundle. | "" | No |
| `providers.zooKeeper.tls.cert` | Defines the path to the public certificate used for the secure connection to zooKeeper. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.zooKeeper.tls.key` | Defines the path to the private key used for the secure connection to zooKeeper. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.zooKeeper.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by etcd when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-zooKeeper-endpoints" href="#providers-zooKeeper-endpoints" title="#providers-zooKeeper-endpoints">`providers.zooKeeper.endpoints`</a> | Defines the endpoint to access ZooKeeper. | "127.0.0.1:2181" | Yes |
| <a id="providers-zooKeeper-rootKey" href="#providers-zooKeeper-rootKey" title="#providers-zooKeeper-rootKey">`providers.zooKeeper.rootKey`</a> | Defines the root key for the configuration. | "traefik" | Yes |
| <a id="providers-zooKeeper-username" href="#providers-zooKeeper-username" title="#providers-zooKeeper-username">`providers.zooKeeper.username`</a> | Defines a username with which to connect to zooKeeper. | "" | No |
| <a id="providers-zooKeeper-password" href="#providers-zooKeeper-password" title="#providers-zooKeeper-password">`providers.zooKeeper.password`</a> | Defines a password for connecting to zooKeeper. | "" | No |
| <a id="providers-zooKeeper-tls" href="#providers-zooKeeper-tls" title="#providers-zooKeeper-tls">`providers.zooKeeper.tls`</a> | Defines the TLS configuration used for the secure connection to zooKeeper. | - | No |
| <a id="providers-zooKeeper-tls-ca" href="#providers-zooKeeper-tls-ca" title="#providers-zooKeeper-tls-ca">`providers.zooKeeper.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to zooKeeper, it defaults to the system bundle. | "" | No |
| <a id="providers-zooKeeper-tls-cert" href="#providers-zooKeeper-tls-cert" title="#providers-zooKeeper-tls-cert">`providers.zooKeeper.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to zooKeeper. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-zooKeeper-tls-key" href="#providers-zooKeeper-tls-key" title="#providers-zooKeeper-tls-key">`providers.zooKeeper.tls.key`</a> | Defines the path to the private key used for the secure connection to zooKeeper. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-zooKeeper-tls-insecureSkipVerify" href="#providers-zooKeeper-tls-insecureSkipVerify" title="#providers-zooKeeper-tls-insecureSkipVerify">`providers.zooKeeper.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by etcd when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
## Routing Configuration

24
docs/content/reference/install-configuration/providers/others/ecs.md
View File

@@ -26,18 +26,18 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.ecs.autoDiscoverClusters` | Search for services in cluster list. If set to `true` service discovery is enabled for all clusters. | false | No |
| `providers.ecs.ecsAnywhere` | Enable ECS Anywhere support. | false | No |
| `providers.ecs.clusters` | Search for services in cluster list. This option is ignored if `autoDiscoverClusters` is set to `true`. | `["default"]` | No |
| `providers.ecs.exposedByDefault` | Expose ECS services by default in Traefik. | true | No |
| `providers.ecs.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | true | No |
| `providers.ecs.healthyTasksOnly` | Defines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus). | false | No |
| `providers.ecs.defaultRule` | The Default Host rule for all services. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.ecs.refreshSeconds` | Defines the polling interval (in seconds). | 15 | No |
| `providers.ecs.region` | Defines the region of the ECS instance. See [here](#credentials) for more information. | "" | No |
| `providers.ecs.accessKeyID` | Defines the Access Key ID for the ECS instance. See [here](#credentials) for more information. | "" | No |
| `providers.ecs.secretAccessKey` | Defines the Secret Access Key for the ECS instance. See [here](#credentials) for more information. | "" | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-ecs-autoDiscoverClusters" href="#providers-ecs-autoDiscoverClusters" title="#providers-ecs-autoDiscoverClusters">`providers.ecs.autoDiscoverClusters`</a> | Search for services in cluster list. If set to `true` service discovery is enabled for all clusters. | false | No |
| <a id="providers-ecs-ecsAnywhere" href="#providers-ecs-ecsAnywhere" title="#providers-ecs-ecsAnywhere">`providers.ecs.ecsAnywhere`</a> | Enable ECS Anywhere support. | false | No |
| <a id="providers-ecs-clusters" href="#providers-ecs-clusters" title="#providers-ecs-clusters">`providers.ecs.clusters`</a> | Search for services in cluster list. This option is ignored if `autoDiscoverClusters` is set to `true`. | `["default"]` | No |
| <a id="providers-ecs-exposedByDefault" href="#providers-ecs-exposedByDefault" title="#providers-ecs-exposedByDefault">`providers.ecs.exposedByDefault`</a> | Expose ECS services by default in Traefik. | true | No |
| <a id="providers-ecs-constraints" href="#providers-ecs-constraints" title="#providers-ecs-constraints">`providers.ecs.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | true | No |
| <a id="providers-ecs-healthyTasksOnly" href="#providers-ecs-healthyTasksOnly" title="#providers-ecs-healthyTasksOnly">`providers.ecs.healthyTasksOnly`</a> | Defines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus). | false | No |
| <a id="providers-ecs-defaultRule" href="#providers-ecs-defaultRule" title="#providers-ecs-defaultRule">`providers.ecs.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="providers-ecs-refreshSeconds" href="#providers-ecs-refreshSeconds" title="#providers-ecs-refreshSeconds">`providers.ecs.refreshSeconds`</a> | Defines the polling interval (in seconds). | 15 | No |
| <a id="providers-ecs-region" href="#providers-ecs-region" title="#providers-ecs-region">`providers.ecs.region`</a> | Defines the region of the ECS instance. See [here](#credentials) for more information. | "" | No |
| <a id="providers-ecs-accessKeyID" href="#providers-ecs-accessKeyID" title="#providers-ecs-accessKeyID">`providers.ecs.accessKeyID`</a> | Defines the Access Key ID for the ECS instance. See [here](#credentials) for more information. | "" | No |
| <a id="providers-ecs-secretAccessKey" href="#providers-ecs-secretAccessKey" title="#providers-ecs-secretAccessKey">`providers.ecs.secretAccessKey`</a> | Defines the Secret Access Key for the ECS instance. See [here](#credentials) for more information. | "" | No |
### `constraints`

8
docs/content/reference/install-configuration/providers/others/file.md
View File

@@ -100,10 +100,10 @@ http:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.file.filename` | Defines the path to the configuration file. | "" | Yes |
| `providers.file.directory` | Defines the path to the directory that contains the configuration files. The `filename` and `directory` options are mutually exclusive. It is recommended to use `directory`. | "" | Yes |
| `providers.file.watch` | Set the `watch` option to `true` to allow Traefik to automatically watch for file changes. It works with both the `filename` and the `directory` options. | true | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-file-filename" href="#providers-file-filename" title="#providers-file-filename">`providers.file.filename`</a> | Defines the path to the configuration file. | "" | Yes |
| <a id="providers-file-directory" href="#providers-file-directory" title="#providers-file-directory">`providers.file.directory`</a> | Defines the path to the directory that contains the configuration files. The `filename` and `directory` options are mutually exclusive. It is recommended to use `directory`. | "" | Yes |
| <a id="providers-file-watch" href="#providers-file-watch" title="#providers-file-watch">`providers.file.watch`</a> | Set the `watch` option to `true` to allow Traefik to automatically watch for file changes. It works with both the `filename` and the `directory` options. | true | No |
!!! warning "Limitations"

18
docs/content/reference/install-configuration/providers/others/http.md
View File

@@ -30,15 +30,15 @@ providers:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.http.endpoint` | Defines the HTTP(S) endpoint to poll. | "" | Yes |
| `providers.http.pollInterval` | Defines the polling interval. | 5s | No |
| `providers.http.pollTimeout` | Defines the polling timeout when connecting to the endpoint. | 5s | No |
| `providers.http.headers` | Defines custom headers to be sent to the endpoint. | "" | No |
| `providers.http.tls.ca` | Defines the path to the certificate authority used for the secure connection to the endpoint, it defaults to the system bundle. | "" | No |
| `providers.http.tls.cert` | Defines the path to the public certificate used for the secure connection to the endpoint. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.http.tls.key` | Defines the path to the private key used for the secure connection to the endpoint. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.http.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by endpoint when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-http-endpoint" href="#providers-http-endpoint" title="#providers-http-endpoint">`providers.http.endpoint`</a> | Defines the HTTP(S) endpoint to poll. | "" | Yes |
| <a id="providers-http-pollInterval" href="#providers-http-pollInterval" title="#providers-http-pollInterval">`providers.http.pollInterval`</a> | Defines the polling interval. | 5s | No |
| <a id="providers-http-pollTimeout" href="#providers-http-pollTimeout" title="#providers-http-pollTimeout">`providers.http.pollTimeout`</a> | Defines the polling timeout when connecting to the endpoint. | 5s | No |
| <a id="providers-http-headers" href="#providers-http-headers" title="#providers-http-headers">`providers.http.headers`</a> | Defines custom headers to be sent to the endpoint. | "" | No |
| <a id="providers-http-tls-ca" href="#providers-http-tls-ca" title="#providers-http-tls-ca">`providers.http.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to the endpoint, it defaults to the system bundle. | "" | No |
| <a id="providers-http-tls-cert" href="#providers-http-tls-cert" title="#providers-http-tls-cert">`providers.http.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to the endpoint. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-http-tls-key" href="#providers-http-tls-key" title="#providers-http-tls-key">`providers.http.tls.key`</a> | Defines the path to the private key used for the secure connection to the endpoint. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-http-tls-insecureSkipVerify" href="#providers-http-tls-insecureSkipVerify" title="#providers-http-tls-insecureSkipVerify">`providers.http.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by endpoint when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
### headers

28
docs/content/reference/install-configuration/providers/overview.md
View File

@@ -51,20 +51,20 @@ Below is the list of the currently supported providers in Traefik.
| Provider | Type | Configuration Type | Provider Name |
|--------------------------------------------------------------|--------------|----------------------|---------------------|
| [Docker](./docker.md) | Orchestrator | Label | `docker` |
| [Docker Swarm](./swarm.md) | Orchestrator | Label | `swarm` |
| [Kubernetes IngressRoute](./kubernetes/kubernetes-crd.md) | Orchestrator | Custom Resource | `kubernetescrd` |
| [Kubernetes Ingress](./kubernetes/kubernetes-ingress.md) | Orchestrator | Ingress | `kubernetes` |
| [Kubernetes Gateway API](./kubernetes/kubernetes-gateway.md) | Orchestrator | Gateway API Resource | `kubernetesgateway` |
| [Consul Catalog](./hashicorp/consul-catalog.md) | Orchestrator | Label | `consulcatalog` |
| [Nomad](./hashicorp/nomad.md) | Orchestrator | Label | `nomad` |
| [ECS](./others/ecs.md) | Orchestrator | Label | `ecs` |
| [File](./others/file.md) | Manual | YAML/TOML format | `file` |
| [Consul](./hashicorp/consul.md) | KV | KV | `consul` |
| [Etcd](./kv/etcd.md) | KV | KV | `etcd` |
| [ZooKeeper](./kv/zk.md) | KV | KV | `zookeeper` |
| [Redis](./kv/redis.md) | KV | KV | `redis` |
| [HTTP](./others/http.md) | Manual | JSON/YAML format | `http` |
| <a id="Docker" href="#Docker" title="#Docker">[Docker](./docker.md)</a> | Orchestrator | Label | `docker` |
| <a id="Docker-Swarm" href="#Docker-Swarm" title="#Docker-Swarm">[Docker Swarm](./swarm.md)</a> | Orchestrator | Label | `swarm` |
| <a id="Kubernetes-IngressRoute" href="#Kubernetes-IngressRoute" title="#Kubernetes-IngressRoute">[Kubernetes IngressRoute](./kubernetes/kubernetes-crd.md)</a> | Orchestrator | Custom Resource | `kubernetescrd` |
| <a id="Kubernetes-Ingress" href="#Kubernetes-Ingress" title="#Kubernetes-Ingress">[Kubernetes Ingress](./kubernetes/kubernetes-ingress.md)</a> | Orchestrator | Ingress | `kubernetes` |
| <a id="Kubernetes-Gateway-API" href="#Kubernetes-Gateway-API" title="#Kubernetes-Gateway-API">[Kubernetes Gateway API](./kubernetes/kubernetes-gateway.md)</a> | Orchestrator | Gateway API Resource | `kubernetesgateway` |
| <a id="Consul-Catalog" href="#Consul-Catalog" title="#Consul-Catalog">[Consul Catalog](./hashicorp/consul-catalog.md)</a> | Orchestrator | Label | `consulcatalog` |
| <a id="Nomad" href="#Nomad" title="#Nomad">[Nomad](./hashicorp/nomad.md)</a> | Orchestrator | Label | `nomad` |
| <a id="ECS" href="#ECS" title="#ECS">[ECS](./others/ecs.md)</a> | Orchestrator | Label | `ecs` |
| <a id="File" href="#File" title="#File">[File](./others/file.md)</a> | Manual | YAML/TOML format | `file` |
| <a id="Consul" href="#Consul" title="#Consul">[Consul](./hashicorp/consul.md)</a> | KV | KV | `consul` |
| <a id="Etcd" href="#Etcd" title="#Etcd">[Etcd](./kv/etcd.md)</a> | KV | KV | `etcd` |
| <a id="ZooKeeper" href="#ZooKeeper" title="#ZooKeeper">[ZooKeeper](./kv/zk.md)</a> | KV | KV | `zookeeper` |
| <a id="Redis" href="#Redis" title="#Redis">[Redis](./kv/redis.md)</a> | KV | KV | `redis` |
| <a id="HTTP" href="#HTTP" title="#HTTP">[HTTP](./others/http.md)</a> | Manual | JSON/YAML format | `http` |
!!! info "More Providers"

50
docs/content/reference/install-configuration/providers/swarm.md
View File

@@ -45,23 +45,23 @@ services:
| Field | Description | Default | Required |
|:-----------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------|:---------|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| `providers.swarm.endpoint` | Specifies the Docker API endpoint. See [here](#endpoint) for more information | `unix:///var/run/docker.sock` | Yes |
| `providers.swarm.username` | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication. | "" | No |
| `providers.swarm.password` | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication. | "" | No |
| `providers.swarm.useBindPortIP` | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| `providers.swarm.exposedByDefault` | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| `providers.swarm.network` | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.swarm.network` label. | "" | No |
| `providers.swarm.defaultRule` | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.swarm.refreshSeconds` | Defines the polling interval for Swarm Mode. | "15s" | No |
| `providers.swarm.httpClientTimeout` | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| `providers.swarm.watch` | Instructs Traefik to watch Docker events or not. | True | No |
| `providers.swarm.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.swarm.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.swarm.tls.ca` | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| `providers.swarm.tls.cert` | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.swarm.tls.key` | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
| `providers.swarm.tls.insecureSkipVerify` | Instructs the provider to accept any certificate presented by the Docker server when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
| <a id="providers-providersThrottleDuration" href="#providers-providersThrottleDuration" title="#providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
| <a id="providers-swarm-endpoint" href="#providers-swarm-endpoint" title="#providers-swarm-endpoint">`providers.swarm.endpoint`</a> | Specifies the Docker API endpoint. See [here](#endpoint) for more information | `unix:///var/run/docker.sock` | Yes |
| <a id="providers-swarm-username" href="#providers-swarm-username" title="#providers-swarm-username">`providers.swarm.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication. | "" | No |
| <a id="providers-swarm-password" href="#providers-swarm-password" title="#providers-swarm-password">`providers.swarm.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication. | "" | No |
| <a id="providers-swarm-useBindPortIP" href="#providers-swarm-useBindPortIP" title="#providers-swarm-useBindPortIP">`providers.swarm.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| <a id="providers-swarm-exposedByDefault" href="#providers-swarm-exposedByDefault" title="#providers-swarm-exposedByDefault">`providers.swarm.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| <a id="providers-swarm-network" href="#providers-swarm-network" title="#providers-swarm-network">`providers.swarm.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.swarm.network` label. | "" | No |
| <a id="providers-swarm-defaultRule" href="#providers-swarm-defaultRule" title="#providers-swarm-defaultRule">`providers.swarm.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="providers-swarm-refreshSeconds" href="#providers-swarm-refreshSeconds" title="#providers-swarm-refreshSeconds">`providers.swarm.refreshSeconds`</a> | Defines the polling interval for Swarm Mode. | "15s" | No |
| <a id="providers-swarm-httpClientTimeout" href="#providers-swarm-httpClientTimeout" title="#providers-swarm-httpClientTimeout">`providers.swarm.httpClientTimeout`</a> | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| <a id="providers-swarm-watch" href="#providers-swarm-watch" title="#providers-swarm-watch">`providers.swarm.watch`</a> | Instructs Traefik to watch Docker events or not. | True | No |
| <a id="providers-swarm-constraints" href="#providers-swarm-constraints" title="#providers-swarm-constraints">`providers.swarm.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| <a id="providers-swarm-allowEmptyServices" href="#providers-swarm-allowEmptyServices" title="#providers-swarm-allowEmptyServices">`providers.swarm.allowEmptyServices`</a> | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| <a id="providers-swarm-tls-ca" href="#providers-swarm-tls-ca" title="#providers-swarm-tls-ca">`providers.swarm.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| <a id="providers-swarm-tls-cert" href="#providers-swarm-tls-cert" title="#providers-swarm-tls-cert">`providers.swarm.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| <a id="providers-swarm-tls-key" href="#providers-swarm-tls-key" title="#providers-swarm-tls-key">`providers.swarm.tls.key`</a> | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
| <a id="providers-swarm-tls-insecureSkipVerify" href="#providers-swarm-tls-insecureSkipVerify" title="#providers-swarm-tls-insecureSkipVerify">`providers.swarm.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by the Docker server when establishing a TLS connection, regardless of the hostnames the certificate covers. | false | No |
### `endpoint`
@@ -97,7 +97,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
```
```bash tab="CLI"
--providers.docker.endpoint=unix:///var/run/docker.sock
--providers.swarm.endpoint=unix:///var/run/docker.sock
# ...
```
@@ -198,13 +198,13 @@ but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that
| port label | Container's binding | Routes to |
|--------------------|----------------------------------------------------|----------------|
| - | - | IntIP:IntPort |
| - | ExtPort:IntPort | IntIP:IntPort |
| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
| LblPort | - | IntIp:LblPort |
| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
| <a id="row" href="#row" title="#row">-</a> | - | IntIP:IntPort |
| <a id="row-2" href="#row-2" title="#row-2">-</a> | ExtPort:IntPort | IntIP:IntPort |
| <a id="row-3" href="#row-3" title="#row-3">-</a> | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
| <a id="LblPort" href="#LblPort" title="#LblPort">LblPort</a> | - | IntIp:LblPort |
| <a id="LblPort-2" href="#LblPort-2" title="#LblPort-2">LblPort</a> | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
| <a id="LblPort-3" href="#LblPort-3" title="#LblPort-3">LblPort</a> | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
| <a id="LblPort-4" href="#LblPort-4" title="#LblPort-4">LblPort</a> | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
!!! info ""
In the above table:

46
docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
View File

@@ -75,28 +75,30 @@ ACME certificate resolvers have the following configuration options:
| Field | Description | Default | Required |
|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
| `acme.email` | Email address used for registration. | "" | Yes |
| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| `acme.preferredChain` | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
| `acme.keyType` | KeyType to use. | "RSA4096" | No |
| `acme.eab` | Enable external account binding. | | No |
| `acme.eab.kid` | Key identifier from External CA. | "" | No |
| `acme.eab.hmacEncoded` | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
| `acme.certificatesDuration` | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
| `acme.clientTimeout` | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
| `acme.clientResponseHeaderTimeout` | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
| `acme.dnsChallenge` | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
| `acme.dnsChallenge.provider` | DNS provider to use. | "" | No |
| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority. | [] | No |
| `acme.dnsChallenge.propagation.delayBeforeChecks` | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s | No |
| `acme.dnsChallenge.propagation.disableChecks` | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No |
| `acme.dnsChallenge.propagation.requireAllRNS` | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false | No |
| `acme.dnsChallenge.propagation.disableANSChecks` | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| `acme.httpChallenge` | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| `acme.httpChallenge.entryPoint` | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| `acme.httpChallenge.delay` | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| `acme.storage` | File path used for certificates storage. | "acme.json" | Yes |
| <a id="acme-email" href="#acme-email" title="#acme-email">`acme.email`</a> | Email address used for registration. | "" | Yes |
| <a id="acme-caServer" href="#acme-caServer" title="#acme-caServer">`acme.caServer`</a> | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
| <a id="acme-preferredChain" href="#acme-preferredChain" title="#acme-preferredChain">`acme.preferredChain`</a> | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
| <a id="acme-keyType" href="#acme-keyType" title="#acme-keyType">`acme.keyType`</a> | KeyType to use. | "RSA4096" | No |
| <a id="acme-disableCommonName" href="#acme-disableCommonName" title="#acme-disableCommonName">`acme.disableCommonName`</a> | Disable common name inside CSR and certificates. | false | No |
| <a id="acme-eab" href="#acme-eab" title="#acme-eab">`acme.eab`</a> | Enable external account binding. | | No |
| <a id="acme-eab-kid" href="#acme-eab-kid" title="#acme-eab-kid">`acme.eab.kid`</a> | Key identifier from External CA. | "" | No |
| <a id="acme-eab-hmacEncoded" href="#acme-eab-hmacEncoded" title="#acme-eab-hmacEncoded">`acme.eab.hmacEncoded`</a> | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
| <a id="acme-certificatesDuration" href="#acme-certificatesDuration" title="#acme-certificatesDuration">`acme.certificatesDuration`</a> | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
| <a id="acme-clientTimeout" href="#acme-clientTimeout" title="#acme-clientTimeout">`acme.clientTimeout`</a> | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
| <a id="acme-clientResponseHeaderTimeout" href="#acme-clientResponseHeaderTimeout" title="#acme-clientResponseHeaderTimeout">`acme.clientResponseHeaderTimeout`</a> | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
| <a id="acme-dnsChallenge" href="#acme-dnsChallenge" title="#acme-dnsChallenge">`acme.dnsChallenge`</a> | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
| <a id="acme-dnsChallenge-provider" href="#acme-dnsChallenge-provider" title="#acme-dnsChallenge-provider">`acme.dnsChallenge.provider`</a> | DNS provider to use. | "" | No |
| <a id="acme-dnsChallenge-resolvers" href="#acme-dnsChallenge-resolvers" title="#acme-dnsChallenge-resolvers">`acme.dnsChallenge.resolvers`</a> | DNS servers to resolve the FQDN authority. | [] | No |
| <a id="acme-dnsChallenge-propagation-delayBeforeChecks" href="#acme-dnsChallenge-propagation-delayBeforeChecks" title="#acme-dnsChallenge-propagation-delayBeforeChecks">`acme.dnsChallenge.propagation.delayBeforeChecks`</a> | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s | No |
| <a id="acme-dnsChallenge-propagation-disableChecks" href="#acme-dnsChallenge-propagation-disableChecks" title="#acme-dnsChallenge-propagation-disableChecks">`acme.dnsChallenge.propagation.disableChecks`</a> | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No |
| <a id="acme-dnsChallenge-propagation-requireAllRNS" href="#acme-dnsChallenge-propagation-requireAllRNS" title="#acme-dnsChallenge-propagation-requireAllRNS">`acme.dnsChallenge.propagation.requireAllRNS`</a> | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false | No |
| <a id="acme-dnsChallenge-propagation-disableANSChecks" href="#acme-dnsChallenge-propagation-disableANSChecks" title="#acme-dnsChallenge-propagation-disableANSChecks">`acme.dnsChallenge.propagation.disableANSChecks`</a> | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. | false | No |
| <a id="acme-httpChallenge" href="#acme-httpChallenge" title="#acme-httpChallenge">`acme.httpChallenge`</a> | Enable HTTP-01 challenge. More information [here](#httpchallenge). | | No |
| <a id="acme-httpChallenge-entryPoint" href="#acme-httpChallenge-entryPoint" title="#acme-httpChallenge-entryPoint">`acme.httpChallenge.entryPoint`</a> | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
| <a id="acme-httpChallenge-delay" href="#acme-httpChallenge-delay" title="#acme-httpChallenge-delay">`acme.httpChallenge.delay`</a> | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| <a id="acme-tlsChallenge" href="#acme-tlsChallenge" title="#acme-tlsChallenge">`acme.tlsChallenge`</a> | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
| <a id="acme-tlschallenge-delay" href="#acme-tlschallenge-delay" title="#acme-tlschallenge-delay">`acme.tlschallenge.delay`</a> | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
| <a id="acme-storage" href="#acme-storage" title="#acme-storage">`acme.storage`</a> | File path used for certificates storage. | "acme.json" | Yes |
## Automatic Certificate Renewal

2
docs/content/reference/install-configuration/tls/ocsp.md
View File

@@ -67,5 +67,5 @@ ocsp:
```bash tab="CLI"
## Static configuration
-ocsp.responderoverrides.foo=bar
--ocsp.responderoverrides.foo=bar
```

28
docs/content/reference/routing-configuration/http/load-balancing/serverstransport.md
View File

@@ -96,17 +96,17 @@ labels:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `serverName` | Configures the server name that will be used as the SNI. | "" | No |
| `certificates` | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | [] | No |
| `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
| `rootcas` | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | [] | No |
| `maxIdleConnsPerHost` | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
| `disableHTTP2` | Disables HTTP/2 for connections with servers. | false | No |
| `peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| `forwardingTimeouts.dialTimeout` | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout | 30s | No |
| `forwardingTimeouts.responseHeaderTimeout` | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s | No |
| `forwardingTimeouts.idleConnTimeout` | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout | 90s | No |
| `forwardingTimeouts.readIdleTimeout` | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. | 0s | No |
| `forwardingTimeouts.pingTimeout` | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. | 15s | No |
| `spiffe.ids` | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | [] | No |
| `spiffe.trustDomain` | Defines the SPIFFE trust domain. | "" | No |
| <a id="serverName" href="#serverName" title="#serverName">`serverName`</a> | Configures the server name that will be used as the SNI. | "" | No |
| <a id="certificates" href="#certificates" title="#certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | [] | No |
| <a id="insecureSkipVerify" href="#insecureSkipVerify" title="#insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false | No |
| <a id="rootcas" href="#rootcas" title="#rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | [] | No |
| <a id="maxIdleConnsPerHost" href="#maxIdleConnsPerHost" title="#maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
| <a id="disableHTTP2" href="#disableHTTP2" title="#disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
| <a id="peerCertURI" href="#peerCertURI" title="#peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| <a id="forwardingTimeouts-dialTimeout" href="#forwardingTimeouts-dialTimeout" title="#forwardingTimeouts-dialTimeout">`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout | 30s | No |
| <a id="forwardingTimeouts-responseHeaderTimeout" href="#forwardingTimeouts-responseHeaderTimeout" title="#forwardingTimeouts-responseHeaderTimeout">`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s | No |
| <a id="forwardingTimeouts-idleConnTimeout" href="#forwardingTimeouts-idleConnTimeout" title="#forwardingTimeouts-idleConnTimeout">`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout | 90s | No |
| <a id="forwardingTimeouts-readIdleTimeout" href="#forwardingTimeouts-readIdleTimeout" title="#forwardingTimeouts-readIdleTimeout">`forwardingTimeouts.readIdleTimeout`</a> | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. | 0s | No |
| <a id="forwardingTimeouts-pingTimeout" href="#forwardingTimeouts-pingTimeout" title="#forwardingTimeouts-pingTimeout">`forwardingTimeouts.pingTimeout`</a> | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. | 15s | No |
| <a id="spiffe-ids" href="#spiffe-ids" title="#spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | [] | No |
| <a id="spiffe-trustDomain" href="#spiffe-trustDomain" title="#spiffe-trustDomain">`spiffe.trustDomain`</a> | Defines the SPIFFE trust domain. | "" | No |

80
docs/content/reference/routing-configuration/http/load-balancing/service.md
View File

@@ -27,6 +27,9 @@ http:
path: "/health"
interval: "10s"
timeout: "3s"
passiveHealthcheck:
failureWindow: "3s"
maxFailedAttempts: "3"
passHostHeader: true
serversTransport: "customTransport@file"
responseForwarding:
@@ -46,6 +49,10 @@ http:
path = "/health"
interval = "10s"
timeout = "3s"
[http.services.my-service.loadBalancer.passiveHealthcheck]
failureWindow = "3s"
maxFailedAttempts = "3"
passHostHeader = true
serversTransport = "customTransport@file"
@@ -63,6 +70,8 @@ labels:
- "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health"
- "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s"
- "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s"
- "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.failureWindow=3s"
- "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.maxFailedAttempts=3"
- "traefik.http.services.my-service.loadBalancer.passHostHeader=true"
- "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file"
- "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
@@ -78,6 +87,8 @@ labels:
"traefik.http.services.my-service.loadBalancer.healthcheck.path=/health",
"traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s",
"traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s",
"traefik.http.services.my-service.loadBalancer.passiveHealthcheck.failureWindow=3s",
"traefik.http.services.my-service.loadBalancer.passiveHealthcheck.maxFailedAttempts=3",
"traefik.http.services.my-service.loadBalancer.passHostHeader=true",
"traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file",
"traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
@@ -89,13 +100,14 @@ labels:
| Field | Description | Required |
|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| `servers` | Represents individual backend instances for your service | Yes |
| `sticky` | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response. | No |
| `healthcheck` | Configures health check to remove unhealthy servers from the load balancing rotation. | No |
| `passHostHeader` | Allows forwarding of the client Host header to server. By default, `passHostHeader` is true. | No |
| `serversTransport` | Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used. | No |
| `responseForwarding` | Configures how Traefik forwards the response from the backend server to the client. | No |
| `responseForwarding.FlushInterval` | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No |
| <a id="servers" href="#servers" title="#servers">`servers`</a> | Represents individual backend instances for your service | Yes |
| <a id="sticky" href="#sticky" title="#sticky">`sticky`</a> | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response. | No |
| <a id="healthcheck" href="#healthcheck" title="#healthcheck">`healthcheck`</a> | Configures health check to remove unhealthy servers from the load balancing rotation. | No |
| <a id="passiveHealthcheck" href="#passiveHealthcheck" title="#passiveHealthcheck">`passiveHealthcheck`</a> | Configures the passive health check to remove unhealthy servers from the load balancing rotation. | No |
| <a id="passHostHeader" href="#passHostHeader" title="#passHostHeader">`passHostHeader`</a> | Allows forwarding of the client Host header to server. By default, `passHostHeader` is true. | No |
| <a id="serversTransport" href="#serversTransport" title="#serversTransport">`serversTransport`</a> | Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used. | No |
| <a id="responseForwarding" href="#responseForwarding" title="#responseForwarding">`responseForwarding`</a> | Configures how Traefik forwards the response from the backend server to the client. | No |
| <a id="responseForwarding-FlushInterval" href="#responseForwarding-FlushInterval" title="#responseForwarding-FlushInterval">`responseForwarding.FlushInterval`</a> | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No |
#### Servers
@@ -105,13 +117,15 @@ Servers represent individual backend instances for your service. The [service lo
| Field | Description | Required |
|----------------|----------------------------------------------------|----------------------------------------------------------------------------------|
| `url` | Points to a specific instance. | Yes for File provider, No for [Docker provider](../../other-providers/docker.md) |
| `weight` | Allows for weighted load balancing on the servers. | No |
| `preservePath` | Allows to preserve the URL path. | No |
| <a id="url" href="#url" title="#url">`url`</a> | Points to a specific instance. | Yes for File provider, No for [Docker provider](../../other-providers/docker.md) |
| <a id="weight" href="#weight" title="#weight">`weight`</a> | Allows for weighted load balancing on the servers. | No |
| <a id="preservePath" href="#preservePath" title="#preservePath">`preservePath`</a> | Allows to preserve the URL path. | No |
#### Health Check
The `healthcheck` option configures health check to remove unhealthy servers from the load balancing rotation. Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every interval) between `2XX` and `3XX`, or matching the configured status. For gRPC servers, Traefik will consider them healthy as long as they return SERVING to [gRPC health check v1 requests](https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
The `healthcheck` option configures health check to remove unhealthy servers from the load balancing rotation.
Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every interval) between `2XX` and `3XX`, or matching the configured status.
For gRPC servers, Traefik will consider them healthy as long as they return SERVING to [gRPC health check v1 requests](https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
To propagate status changes (e.g. all servers of this service are down) upwards, HealthCheck must also be enabled on the parent(s) of this service.
@@ -119,19 +133,19 @@ Below are the available options for the health check mechanism:
| Field | Description | Default | Required |
|---------------------|-------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| `path` | Defines the server URL path for the health check endpoint. | "" | Yes |
| `scheme` | Replaces the server URL scheme for the health check endpoint. | | No |
| `mode` | If defined to `grpc`, will use the gRPC health check protocol to probe the server. | http | No |
| `hostname` | Defines the value of hostname in the Host header of the health check request. | "" | No |
| `port` | Replaces the server URL port for the health check endpoint. | | No |
| `interval` | Defines the frequency of the health check calls for healthy targets. | 30s | No |
| `unhealthyInterval` | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | 30s | No |
| `timeout` | Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. | 5s | No |
| `headers` | Defines custom headers to be sent to the health check endpoint. | | No |
| `followRedirects` | Defines whether redirects should be followed during the health check calls. | true | No |
| `hostname` | Defines the value of hostname in the Host header of the health check request. | "" | No |
| `method` | Defines the HTTP method that will be used while connecting to the endpoint. | GET | No |
| `status` | Defines the expected HTTP status code of the response to the health check request. | | No |
| <a id="path" href="#path" title="#path">`path`</a> | Defines the server URL path for the health check endpoint. | "" | Yes |
| <a id="scheme" href="#scheme" title="#scheme">`scheme`</a> | Replaces the server URL scheme for the health check endpoint. | | No |
| <a id="mode" href="#mode" title="#mode">`mode`</a> | If defined to `grpc`, will use the gRPC health check protocol to probe the server. | http | No |
| <a id="hostname" href="#hostname" title="#hostname">`hostname`</a> | Defines the value of hostname in the Host header of the health check request. | "" | No |
| <a id="port" href="#port" title="#port">`port`</a> | Replaces the server URL port for the health check endpoint. | | No |
| <a id="interval" href="#interval" title="#interval">`interval`</a> | Defines the frequency of the health check calls for healthy targets. | 30s | No |
| <a id="unhealthyInterval" href="#unhealthyInterval" title="#unhealthyInterval">`unhealthyInterval`</a> | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | 30s | No |
| <a id="timeout" href="#timeout" title="#timeout">`timeout`</a> | Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. | 5s | No |
| <a id="headers" href="#headers" title="#headers">`headers`</a> | Defines custom headers to be sent to the health check endpoint. | | No |
| <a id="followRedirects" href="#followRedirects" title="#followRedirects">`followRedirects`</a> | Defines whether redirects should be followed during the health check calls. | true | No |
| <a id="hostname-2" href="#hostname-2" title="#hostname-2">`hostname`</a> | Defines the value of hostname in the Host header of the health check request. | "" | No |
| <a id="method" href="#method" title="#method">`method`</a> | Defines the HTTP method that will be used while connecting to the endpoint. | GET | No |
| <a id="status" href="#status" title="#status">`status`</a> | Defines the expected HTTP status code of the response to the health check request. | | No |
#### Sticky sessions
@@ -291,6 +305,24 @@ On subsequent requests, to keep the session alive with the same server, the clie
curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000
```
#### Passive Health Check
The `passiveHealthcheck` option configures passive health check to remove unhealthy servers from the load balancing rotation.
Passive health checks rely on real traffic to assess server health.
Traefik forwards requests as usual and evaluates each response or timeout,
incrementing a failure counter whenever a request fails.
If the number of successive failures within a specified time window exceeds the configured threshold,
Traefik will automatically stop routing traffic to that server until it recovers.
A server will be considered healthy again after the configured failure window has passed.
Below are the available options for the passive health check mechanism:
| Field | Description | Default | Required |
|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| <a id="failureWindow" href="#failureWindow" title="#failureWindow">`failureWindow`</a> | Defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy. | 10s | No |
| <a id="maxFailedAttempts" href="#maxFailedAttempts" title="#maxFailedAttempts">`maxFailedAttempts`</a> | Defines the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy. | 1 | No |
## Weighted Round Robin (WRR)
The WRR is able to load balance the requests between multiple services based on weights.

2
docs/content/reference/routing-configuration/http/middlewares/addprefix.md
View File

@@ -54,4 +54,4 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `prefix` | String to add **before** the current path in the requested URL. It should include a leading slash (`/`). | "" | Yes |
| <a id="prefix" href="#prefix" title="#prefix">`prefix`</a> | String to add **before** the current path in the requested URL. It should include a leading slash (`/`). | "" | Yes |

12
docs/content/reference/routing-configuration/http/middlewares/apikey.md
View File

@@ -46,11 +46,11 @@ stringData:
| Field | Description | Default | Required |
|:-----------------------------|:------------------------------------------------|:--------|:---------|
| `keySource.header` | Defines the header name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set. | "" | No |
| `keySource.headerAuthScheme` | Defines the scheme when using `Authorization` as header name. <br /> Check out the `Authorization` header [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#syntax). | "" | No |
| `keySource.query` | Defines the query parameter name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set. | "" | No |
| `keySource.cookie` | Defines the cookie name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set. | "" | No |
| `secretNonBase64Encoded` | Defines whether the secret sent by the client is base64 encoded. | false | No |
| `secretValues` | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | [] | Yes |
| <a id="keySource-header" href="#keySource-header" title="#keySource-header">`keySource.header`</a> | Defines the header name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set. | "" | No |
| <a id="keySource-headerAuthScheme" href="#keySource-headerAuthScheme" title="#keySource-headerAuthScheme">`keySource.headerAuthScheme`</a> | Defines the scheme when using `Authorization` as header name. <br /> Check out the `Authorization` header [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#syntax). | "" | No |
| <a id="keySource-query" href="#keySource-query" title="#keySource-query">`keySource.query`</a> | Defines the query parameter name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set. | "" | No |
| <a id="keySource-cookie" href="#keySource-cookie" title="#keySource-cookie">`keySource.cookie`</a> | Defines the cookie name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set. | "" | No |
| <a id="secretNonBase64Encoded" href="#secretNonBase64Encoded" title="#secretNonBase64Encoded">`secretNonBase64Encoded`</a> | Defines whether the secret sent by the client is base64 encoded. | false | No |
| <a id="secretValues" href="#secretValues" title="#secretValues">`secretValues`</a> | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | [] | Yes |
{!traefik-for-business-applications.md!}

10
docs/content/reference/routing-configuration/http/middlewares/basicauth.md
View File

@@ -64,11 +64,11 @@ spec:
| Field | Description | Default | Required |
|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `users` | Array of authorized users. Each user must be declared using the `name:hashed-password` format. (More information [here](#users))| "" | No |
| `usersFile` | Path to an external file that contains the authorized users for the middleware. <br />The file content is a list of `name:hashed-password`. (More information [here](#usersfile)) | "" | No |
| `realm` | Allow customizing the realm for the authentication.| "traefik" | No |
| `headerField` | Allow defining a header field to store the authenticated user.| "" | No |
| `removeHeader` | Allow removing the authorization header before forwarding the request to your service. | false | No |
| <a id="users" href="#users" title="#users">`users`</a> | Array of authorized users. Each user must be declared using the `name:hashed-password` format. (More information [here](#users))| "" | No |
| <a id="usersFile" href="#usersFile" title="#usersFile">`usersFile`</a> | Path to an external file that contains the authorized users for the middleware. <br />The file content is a list of `name:hashed-password`. (More information [here](#usersfile)) | "" | No |
| <a id="realm" href="#realm" title="#realm">`realm`</a> | Allow customizing the realm for the authentication.| "traefik" | No |
| <a id="headerField" href="#headerField" title="#headerField">`headerField`</a> | Allow defining a header field to store the authenticated user.| "" | No |
| <a id="removeHeader" href="#removeHeader" title="#removeHeader">`removeHeader`</a> | Allow removing the authorization header before forwarding the request to your service. | false | No |
### Passwords format

10
docs/content/reference/routing-configuration/http/middlewares/buffering.md
View File

@@ -58,11 +58,11 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `maxRequestBodyBytes` | Maximum allowed body size for the request (in bytes). <br /> If the request exceeds the allowed size, it is not forwarded to the Service, and the client gets a `413` (Request Entity Too Large) response. | 0 | No |
| `memRequestBodyBytes` | Threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.| 1048576 | No |
| `maxResponseBodyBytes` | Maximum allowed response size from the Service (in bytes). <br /> If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead. | 0 | No |
| `memResponseBodyBytes` | Threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.| 1048576 | No |
| `retryExpression` | Replay the request using `retryExpression`.<br /> More information [here](#retryexpression). | "" | No |
| <a id="maxRequestBodyBytes" href="#maxRequestBodyBytes" title="#maxRequestBodyBytes">`maxRequestBodyBytes`</a> | Maximum allowed body size for the request (in bytes). <br /> If the request exceeds the allowed size, it is not forwarded to the Service, and the client gets a `413` (Request Entity Too Large) response. | 0 | No |
| <a id="memRequestBodyBytes" href="#memRequestBodyBytes" title="#memRequestBodyBytes">`memRequestBodyBytes`</a> | Threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.| 1048576 | No |
| <a id="maxResponseBodyBytes" href="#maxResponseBodyBytes" title="#maxResponseBodyBytes">`maxResponseBodyBytes`</a> | Maximum allowed response size from the Service (in bytes). <br /> If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead. | 0 | No |
| <a id="memResponseBodyBytes" href="#memResponseBodyBytes" title="#memResponseBodyBytes">`memResponseBodyBytes`</a> | Threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.| 1048576 | No |
| <a id="retryExpression" href="#retryExpression" title="#retryExpression">`retryExpression`</a> | Replay the request using `retryExpression`.<br /> More information [here](#retryexpression). | "" | No |
### retryExpression

2
docs/content/reference/routing-configuration/http/middlewares/chain.md
View File

@@ -168,4 +168,4 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `middlewares` | List of middlewares to chain.<br /> The middlewares have to be in the same namespace as the `chain` middleware. | [] | Yes |
| <a id="middlewares" href="#middlewares" title="#middlewares">`middlewares`</a> | List of middlewares to chain.<br /> The middlewares have to be in the same namespace as the `chain` middleware. | [] | Yes |

16
docs/content/reference/routing-configuration/http/middlewares/circuitbreaker.md
View File

@@ -65,11 +65,11 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `expression` | Condition to open the circuit breaker and applies the fallback mechanism instead of calling your services.<br />More information [here](#expression) | 100ms | No |
| `checkPeriod` | The interval between successive checks of the circuit breaker condition (when in standby state). | 100ms | No |
| `fallbackDuration` | The duration for which the circuit breaker will wait before trying to recover (from a tripped state). | 10s | No |
| `recoveryDuration` | The duration for which the circuit breaker will try to recover (as soon as it is in recovering state). | 10s | No |
| `responseCode` | The status code that the circuit breaker will return while it is in the open state. | 503 | No |
| <a id="expression" href="#expression" title="#expression">`expression`</a> | Condition to open the circuit breaker and applies the fallback mechanism instead of calling your services.<br />More information [here](#expression) | 100ms | No |
| <a id="checkPeriod" href="#checkPeriod" title="#checkPeriod">`checkPeriod`</a> | The interval between successive checks of the circuit breaker condition (when in standby state). | 100ms | No |
| <a id="fallbackDuration" href="#fallbackDuration" title="#fallbackDuration">`fallbackDuration`</a> | The duration for which the circuit breaker will wait before trying to recover (from a tripped state). | 10s | No |
| <a id="recoveryDuration" href="#recoveryDuration" title="#recoveryDuration">`recoveryDuration`</a> | The duration for which the circuit breaker will try to recover (as soon as it is in recovering state). | 10s | No |
| <a id="responseCode" href="#responseCode" title="#responseCode">`responseCode`</a> | The status code that the circuit breaker will return while it is in the open state. | 503 | No |
### expression
@@ -77,9 +77,9 @@ The `expression` option can check three different metrics:
| Metrics | Description | Example |
|:------|:------------|:--------|
| `NetworkErrorRatio` | The network error ratio to open the circuit breaker. | `NetworkErrorRatio() > 0.30` opens the circuit breaker at a 30% ratio of network errors |
| `ResponseCodeRatio` | The status code ratio to open the circuit breaker.<br />More information [below](#responsecoderatio) | `ResponseCodeRatio(500, 600, 0, 600) > 0.25` opens the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX) |
| `LatencyAtQuantileMS` | The latency at a quantile in milliseconds to open the circuit breaker when a given proportion of your requests become too slow.<br /> Only floating point number (with the trailing .0) for the quantile value. | `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms. |
| <a id="NetworkErrorRatio" href="#NetworkErrorRatio" title="#NetworkErrorRatio">`NetworkErrorRatio`</a> | The network error ratio to open the circuit breaker. | `NetworkErrorRatio() > 0.30` opens the circuit breaker at a 30% ratio of network errors |
| <a id="ResponseCodeRatio" href="#ResponseCodeRatio" title="#ResponseCodeRatio">`ResponseCodeRatio`</a> | The status code ratio to open the circuit breaker.<br />More information [below](#responsecoderatio) | `ResponseCodeRatio(500, 600, 0, 600) > 0.25` opens the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX) |
| <a id="LatencyAtQuantileMS" href="#LatencyAtQuantileMS" title="#LatencyAtQuantileMS">`LatencyAtQuantileMS`</a> | The latency at a quantile in milliseconds to open the circuit breaker when a given proportion of your requests become too slow.<br /> Only floating point number (with the trailing .0) for the quantile value. | `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms. |
#### ResponseCodeRatio

10
docs/content/reference/routing-configuration/http/middlewares/compress.md
View File

@@ -51,11 +51,11 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
|`excludedContentTypes` | List of content types to compare the `Content-Type` header of the incoming requests and responses before compressing. <br /> The responses with content types defined in `excludedContentTypes` are not compressed. <br /> Content types are compared in a case-insensitive, whitespace-ignored manner. <br /> **The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.** | "" | No |
|`defaultEncoding` | specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`). | "" | No |
|`encodings` | Specifies the list of supported compression encodings. At least one encoding value must be specified, and valid entries are `zstd` (Zstandard), `br` (Brotli), and `gzip` (Gzip). The order of the list also sets the priority, the top entry has the highest priority. | zstd, br, gzip | No |
| `includedContentTypes` | List of content types to compare the `Content-Type` header of the responses before compressing. <br /> The responses with content types defined in `includedContentTypes` are compressed. <br /> Content types are compared in a case-insensitive, whitespace-ignored manner.<br /> **The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.** | "" | No |
| `minResponseBodyBytes` | `Minimum amount of bytes a response body must have to be compressed. <br />Responses smaller than the specified values will **not** be compressed. | 1024 | No |
| <a id="excludedContentTypes" href="#excludedContentTypes" title="#excludedContentTypes">`excludedContentTypes`</a> | List of content types to compare the `Content-Type` header of the incoming requests and responses before compressing. <br /> The responses with content types defined in `excludedContentTypes` are not compressed. <br /> Content types are compared in a case-insensitive, whitespace-ignored manner. <br /> **The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.** | "" | No |
| <a id="defaultEncoding" href="#defaultEncoding" title="#defaultEncoding">`defaultEncoding`</a> | specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`). | "" | No |
| <a id="encodings" href="#encodings" title="#encodings">`encodings`</a> | Specifies the list of supported compression encodings. At least one encoding value must be specified, and valid entries are `zstd` (Zstandard), `br` (Brotli), and `gzip` (Gzip). The order of the list also sets the priority, the top entry has the highest priority. | zstd, br, gzip | No |
| <a id="includedContentTypes" href="#includedContentTypes" title="#includedContentTypes">`includedContentTypes`</a> | List of content types to compare the `Content-Type` header of the responses before compressing. <br /> The responses with content types defined in `includedContentTypes` are compressed. <br /> Content types are compared in a case-insensitive, whitespace-ignored manner.<br /> **The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.** | "" | No |
| <a id="minResponseBodyBytes" href="#minResponseBodyBytes" title="#minResponseBodyBytes">`minResponseBodyBytes`</a> | `Minimum amount of bytes a response body must have to be compressed. <br />Responses smaller than the specified values will **not** be compressed. | 1024 | No |
## Compression activation

10
docs/content/reference/routing-configuration/http/middlewares/digestauth.md
View File

@@ -59,11 +59,11 @@ spec:
| Field | Description | Default | Required |
|:-----------|:---------------------------------------------------------------------------------|:--------|:---------|
| `users` | Array of authorized users. Each user must be declared using the `name:realm:encoded-password` format.<br /> The option `users` supports Kubernetes secrets.<br />(More information [here](#users--usersfile))| [] | No |
| `usersFile` | Path to an external file that contains the authorized users for the middleware. <br />The file content is a list of `name:realm:encoded-password`. (More information [here](#users--usersfile)) | "" | No |
| `realm` | Allow customizing the realm for the authentication.| "traefik" | No |
| `headerField` | Allow defining a header field to store the authenticated user.| "" | No |
| `removeHeader` | Allow removing the authorization header before forwarding the request to your service. | false | No |
| <a id="users" href="#users" title="#users">`users`</a> | Array of authorized users. Each user must be declared using the `name:realm:encoded-password` format.<br /> The option `users` supports Kubernetes secrets.<br />(More information [here](#users--usersfile))| [] | No |
| <a id="usersFile" href="#usersFile" title="#usersFile">`usersFile`</a> | Path to an external file that contains the authorized users for the middleware. <br />The file content is a list of `name:realm:encoded-password`. (More information [here](#users--usersfile)) | "" | No |
| <a id="realm" href="#realm" title="#realm">`realm`</a> | Allow customizing the realm for the authentication.| "traefik" | No |
| <a id="headerField" href="#headerField" title="#headerField">`headerField`</a> | Allow defining a header field to store the authenticated user.| "" | No |
| <a id="removeHeader" href="#removeHeader" title="#removeHeader">`removeHeader`</a> | Allow removing the authorization header before forwarding the request to your service. | false | No |
### Passwords format

183
docs/content/reference/routing-configuration/http/middlewares/distributed-ratelimit.md Normal file
View File

@@ -0,0 +1,183 @@
---
title: "Distributed RateLimit"
description: "Traefik Hub API Gateway - The Distributed RateLimit middleware ensures Services receive fair amounts of requests throughout your cluster and not only on an individual proxy."
---
!!! info "Traefik Hub Feature"
This middleware is available exclusively in [Traefik Hub](https://traefik.io/traefik-hub/). Learn more about [Traefik Hub's advanced features](https://doc.traefik.io/traefik-hub/api-gateway/intro).
The Distributed RateLimit middleware ensures that requests are limited over time throughout your cluster and not only on an individual proxy.
It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation.
---
## Configuration Example
Below is an advanced configuration that enables the Distributed RateLimit middleware with Redis backend for cluster-wide rate limiting.
```yaml tab="Middleware Distributed Rate Limit"
# Here, a limit of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-distributedratelimit
namespace: traefik
spec:
plugin:
distributedRateLimit:
burst: 200
denyOnError: false
limit: 100
period: 1s
responseHeaders: true
sourceCriterion:
ipStrategy:
excludedIPs:
- 172.20.176.201
store:
redis:
endpoints:
- my-release-redis-master.default.svc.cluster.local:6379
# Use the field password of the Secret redis in the same namespace
password: urn:k8s:secret:redis:password
timeout: 500ms
```
```yaml tab="Kubernetes Secret"
apiVersion: v1
kind: Secret
metadata:
name: redis
namespace: traefik
stringData:
password: mysecret12345678
```
## Rate and Burst
The rate is defined by dividing `limit` by `period`.
For a rate below 1 req/s, define a `period` larger than a second
The middleware is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation.
In this analogy, the `limit` and `period` parameters define the **rate** at which the bucket refills, and the `burst` is the size (volume) of the bucket.
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
plugin:
distributedRateLimit:
burst: 100
period: 1m
limit: 6
```
In the example above, the middleware allows up to 100 connections in parallel (`burst`).
Each connection consume a token, once the 100 tokens are consumed, the other ones are blocked until at least one token is available in the bucket.
When the bucket is not full, on token is generated every 10 seconds (6 every 1 minutes (`period` / `limit`)).
## Configuration Options
| Field | Description | Default | Required |
|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| <a id="limit" href="#limit" title="#limit">`limit`</a> | Number of requests used to define the rate using the `period`.<br /> 0 means **no rate limiting**.<br />More information [here](#rate-and-burst).| 0 | No |
| <a id="period" href="#period" title="#period">`period`</a> | Period of time used to define the rate.<br />More information [here](#rate-and-burst).| 1s | No |
| <a id="burst" href="#burst" title="#burst">`burst`</a> | Maximum number of requests allowed to go through at the very same moment.<br />More information [here](#rate-and-burst). | 1 | No |
| <a id="denyOnError" href="#denyOnError" title="#denyOnError">`denyOnError`</a> | Forces to return a 429 error if the number of remaining requests accepted cannot be get.<br /> Set to `false`, this option allows the request to reach the backend. | true | No |
| <a id="responseHeaders" href="#responseHeaders" title="#responseHeaders">`responseHeaders`</a> | Injects the following rate limiting headers in the response:<br />- X-Rate-Limit-Remaining<br />- X-Rate-Limit-Limit<br />- X-Rate-Limit-Period<br />- X-Rate-Limit-Reset<br />The added headers indicate how many tokens are left in the bucket (in the token bucket analogy) after the reservation for the request was made. | false | No |
| <a id="store-redis-endpoints" href="#store-redis-endpoints" title="#store-redis-endpoints">`store.redis.endpoints`</a> | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes |
| <a id="store-redis-username" href="#store-redis-username" title="#store-redis-username">`store.redis.username`</a> | The username Traefik Hub will use to connect to Redis | "" | No |
| <a id="store-redis-password" href="#store-redis-password" title="#store-redis-password">`store.redis.password`</a> | The password Traefik Hub will use to connect to Redis | "" | No |
| <a id="store-redis-database" href="#store-redis-database" title="#store-redis-database">`store.redis.database`</a> | The database Traefik Hub will use to sore information (default: `0`) | "" | No |
| <a id="store-redis-cluster" href="#store-redis-cluster" title="#store-redis-cluster">`store.redis.cluster`</a> | Enable Redis Cluster | "" | No |
| <a id="store-redis-tls-caBundle" href="#store-redis-tls-caBundle" title="#store-redis-tls-caBundle">`store.redis.tls.caBundle`</a> | Custom CA bundle | "" | No |
| <a id="store-redis-tls-cert" href="#store-redis-tls-cert" title="#store-redis-tls-cert">`store.redis.tls.cert`</a> | TLS certificate | "" | No |
| <a id="store-redis-tls-key" href="#store-redis-tls-key" title="#store-redis-tls-key">`store.redis.tls.key`</a> | TLS key | "" | No |
| <a id="store-redis-tls-insecureSkipVerify" href="#store-redis-tls-insecureSkipVerify" title="#store-redis-tls-insecureSkipVerify">`store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification | "" | No |
| <a id="store-redis-sentinel-masterSet" href="#store-redis-sentinel-masterSet" title="#store-redis-sentinel-masterSet">`store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel. | "" | No |
| <a id="store-redis-sentinel-username" href="#store-redis-sentinel-username" title="#store-redis-sentinel-username">`store.redis.sentinel.username`</a> | Username to use for sentinel authentication (can be different from `username`) | "" | No |
| <a id="store-redis-sentinel-password" href="#store-redis-sentinel-password" title="#store-redis-sentinel-password">`store.redis.sentinel.password`</a> | Password to use for sentinel authentication (can be different from `password`) | "" | No |
| <a id="sourceCriterion-requestHost" href="#sourceCriterion-requestHost" title="#sourceCriterion-requestHost">`sourceCriterion.requestHost`</a> | Whether to consider the request host as the source.<br />More information about `sourceCriterion`[here](#sourcecriterion). | false | No |
| <a id="sourceCriterion-requestHeaderName" href="#sourceCriterion-requestHeaderName" title="#sourceCriterion-requestHeaderName">`sourceCriterion.requestHeaderName`</a> | Name of the header used to group incoming requests.<br />More information about `sourceCriterion`[here](#sourcecriterion). | "" | No |
| <a id="sourceCriterion-ipStrategy-depth" href="#sourceCriterion-ipStrategy-depth" title="#sourceCriterion-ipStrategy-depth">`sourceCriterion.ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`depth`](#sourcecriterionipstrategydepth) below. | 0 | No |
| <a id="sourceCriterion-ipStrategy-excludedIPs" href="#sourceCriterion-ipStrategy-excludedIPs" title="#sourceCriterion-ipStrategy-excludedIPs">`sourceCriterion.ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#sourcecriterionipstrategyexcludedips) below. | | No |
### sourceCriterion
The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
If several strategies are defined at the same time, an error will be raised.
If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
Check out the [OIDC + RateLimit & DistributedRateLimit guide](../../../../secure/middleware/drl-oidc.md) to see this option in action.
### ipStrategy
The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
As a middleware, rate-limiting happens before the actual proxying to the backend takes place.
In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, that is after it has already passed through rate-limiting.
Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon.
### sourceCriterion.ipStrategy.depth
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1" href="#10-0-0-111-0-0-112-0-0-113-0-0-1" title="#10-0-0-111-0-0-112-0-0-113-0-0-1">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `1` | `"13.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-2" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-2" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-2">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `3` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-3" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-3" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-3">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `5` | `""` |
### sourceCriterion.ipStrategy.excludedIPs
Contrary to what the name might suggest, this option is *not* about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs.
`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others, to its own rate-limit "bucket" (cf the [token bucket](https://en.wikipedia.org/wiki/Token_bucket)).
In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded, in order to find the actual clientIP.
Example to use each IP as a distinct source:
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|-----------------------|--------------|
| <a id="10-0-0-111-0-0-112-0-0-1" href="#10-0-0-111-0-0-112-0-0-1" title="#10-0-0-111-0-0-112-0-0-1">`"10.0.0.1,11.0.0.1,12.0.0.1"`</a> | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
| <a id="10-0-0-211-0-0-112-0-0-1" href="#10-0-0-211-0-0-112-0-0-1" title="#10-0-0-211-0-0-112-0-0-1">`"10.0.0.2,11.0.0.1,12.0.0.1"`</a> | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source, and all contribute to the same rate-limit bucket.
Example to group IPs together as same source:
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|--------------|--------------|
| <a id="10-0-0-111-0-0-112-0-0-1-2" href="#10-0-0-111-0-0-112-0-0-1-2" title="#10-0-0-111-0-0-112-0-0-1-2">`"10.0.0.1,11.0.0.1,12.0.0.1"`</a> | `"12.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-211-0-0-112-0-0-1-2" href="#10-0-0-211-0-0-112-0-0-1-2" title="#10-0-0-211-0-0-112-0-0-1-2">`"10.0.0.2,11.0.0.1,12.0.0.1"`</a> | `"12.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-311-0-0-112-0-0-1" href="#10-0-0-311-0-0-112-0-0-1" title="#10-0-0-311-0-0-112-0-0-1">`"10.0.0.3,11.0.0.1,12.0.0.1"`</a> | `"12.0.0.1"` | `"11.0.0.1"` |
### store
A Distributed Rate Limit middleware uses a persistent KV storage to store data.
Refer to the [redis options](#configuration-options) to configure the Redis connection.
Connection parameters to your [Redis](https://redis.io/ "Link to website of Redis") server are attached to your Middleware deployment.
The following Redis modes are supported:
- Single instance mode
- [Redis Cluster](https://redis.io/docs/management/scaling "Link to official Redis documentation about Redis Cluster mode")
- [Redis Sentinel](https://redis.io/docs/management/sentinel "Link to official Redis documentation about Redis Sentinel mode")
For more information about Redis, we recommend the [official Redis documentation](https://redis.io/docs/ "Link to official Redis documentation").
!!! info
If you use Redis in single instance mode or Redis Sentinel, you can configure the `database` field.
This value won't be taken into account if you use Redis Cluster (only database `0` is available).
In this case, a warning is displayed, and the value is ignored.

10
docs/content/reference/routing-configuration/http/middlewares/errorpages.md
View File

@@ -81,9 +81,9 @@ spec:
| Field | Description | Default | Required |
|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `status` | Defines which status or range of statuses should result in an error page.<br/> The status code ranges are inclusive (`505-599` will trigger with every code between `505` and `599`, `505` and `599` included).<br /> You can define either a status code as a number (`500`), as multiple comma-separated numbers (`500,502`), as ranges by separating two codes with a dash (`505-599`), or a combination of the two (`404,418,505-599`). | [] | No |
| `service` | The service that will serve the new requested error page.<br /> More information [here](#service-and-hostheader). | "" | No |
| `query` | The URL for the error page (hosted by `service`).<br /> More information [here](#query) | "" | No |
| <a id="status" href="#status" title="#status">`status`</a> | Defines which status or range of statuses should result in an error page.<br/> The status code ranges are inclusive (`505-599` will trigger with every code between `505` and `599`, `505` and `599` included).<br /> You can define either a status code as a number (`500`), as multiple comma-separated numbers (`500,502`), as ranges by separating two codes with a dash (`505-599`), or a combination of the two (`404,418,505-599`). | [] | No |
| <a id="service" href="#service" title="#service">`service`</a> | The service that will serve the new requested error page.<br /> More information [here](#service-and-hostheader). | "" | No |
| <a id="query" href="#query" title="#query">`query`</a> | The URL for the error page (hosted by `service`).<br /> More information [here](#query) | "" | No |
### service and HostHeader
@@ -102,5 +102,5 @@ The table below lists all the available variables and their associated values.
| Variable | Value |
|------------|------------------------------------------------------------------|
| `{status}` | The response status code. |
| `{url}` | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.|
| <a id="status-2" href="#status-2" title="#status-2">`{status}`</a> | The response status code. |
| <a id="url" href="#url" title="#url">`{url}`</a> | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.|

44
docs/content/reference/routing-configuration/http/middlewares/forwardauth.md
View File

@@ -55,23 +55,23 @@ spec:
| Field | Description | Default | Required |
|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `address` | Authentication server address. | "" | Yes |
| `trustForwardHeader` | Trust all `X-Forwarded-*` headers. | false | No |
| `authResponseHeaders` | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers. | [] | No |
| `authResponseHeadersRegex` | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex). | "" | No |
| `authRequestHeaders` | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed. | [] | No |
| `addAuthCookiesToResponse` | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response. | [] | No |
| `forwardBody` | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming. | false | No |
| `maxBodySize` | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). | -1 | No |
| `headerField` | Defines a header field to store the authenticated user. | "" | No |
| `preserveLocationHeader` | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server. | false | No |
| `PreserveRequestMethod` | Defines whether to preserve the original request method while forwarding the request to the authentication server. | false | No |
| `tls.ca` | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. | "" | No |
| `tls.cert` | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required. | "" | No |
| `tls.key` | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required. | "" | No |
| `tls.caSecret` | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**. | | No |
| `tls.certSecret` | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**. | | No |
| `tls.insecureSkipVerify` | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers. | false | No |
| <a id="address" href="#address" title="#address">`address`</a> | Authentication server address. | "" | Yes |
| <a id="trustForwardHeader" href="#trustForwardHeader" title="#trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers. | false | No |
| <a id="authResponseHeaders" href="#authResponseHeaders" title="#authResponseHeaders">`authResponseHeaders`</a> | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers. | [] | No |
| <a id="authResponseHeadersRegex" href="#authResponseHeadersRegex" title="#authResponseHeadersRegex">`authResponseHeadersRegex`</a> | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex). | "" | No |
| <a id="authRequestHeaders" href="#authRequestHeaders" title="#authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed. | [] | No |
| <a id="addAuthCookiesToResponse" href="#addAuthCookiesToResponse" title="#addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response. | [] | No |
| <a id="forwardBody" href="#forwardBody" title="#forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming. | false | No |
| <a id="maxBodySize" href="#maxBodySize" title="#maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). | -1 | No |
| <a id="headerField" href="#headerField" title="#headerField">`headerField`</a> | Defines a header field to store the authenticated user. | "" | No |
| <a id="preserveLocationHeader" href="#preserveLocationHeader" title="#preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server. | false | No |
| <a id="PreserveRequestMethod" href="#PreserveRequestMethod" title="#PreserveRequestMethod">`PreserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server. | false | No |
| <a id="tls-ca" href="#tls-ca" title="#tls-ca">`tls.ca`</a> | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. | "" | No |
| <a id="tls-cert" href="#tls-cert" title="#tls-cert">`tls.cert`</a> | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required. | "" | No |
| <a id="tls-key" href="#tls-key" title="#tls-key">`tls.key`</a> | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required. | "" | No |
| <a id="tls-caSecret" href="#tls-caSecret" title="#tls-caSecret">`tls.caSecret`</a> | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**. | | No |
| <a id="tls-certSecret" href="#tls-certSecret" title="#tls-certSecret">`tls.certSecret`</a> | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**. | | No |
| <a id="tls-insecureSkipVerify" href="#tls-insecureSkipVerify" title="#tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers. | false | No |
### authResponseHeadersRegex
@@ -87,10 +87,10 @@ The following request properties are provided to the forward-auth target endpoin
| Property | Forward-Request Header |
|-------------------|------------------------|
| HTTP Method | X-Forwarded-Method |
| Protocol | X-Forwarded-Proto |
| Host | X-Forwarded-Host |
| Request URI | X-Forwarded-Uri |
| Source IP-Address | X-Forwarded-For |
| <a id="HTTP-Method" href="#HTTP-Method" title="#HTTP-Method">HTTP Method</a> | X-Forwarded-Method |
| <a id="Protocol" href="#Protocol" title="#Protocol">Protocol</a> | X-Forwarded-Proto |
| <a id="Host" href="#Host" title="#Host">Host</a> | X-Forwarded-Host |
| <a id="Request-URI" href="#Request-URI" title="#Request-URI">Request URI</a> | X-Forwarded-Uri |
| <a id="Source-IP-Address" href="#Source-IP-Address" title="#Source-IP-Address">Source IP-Address</a> | X-Forwarded-For |
{!traefik-for-business-applications.md!}

2
docs/content/reference/routing-configuration/http/middlewares/grpcweb.md
View File

@@ -56,7 +56,7 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|:------------------------------------------|:--------|:---------|
| `allowOrigins` | List of allowed origins. <br /> A wildcard origin `*` can also be configured to match all requests.<br /> More information [here](#alloworigins). | [] | No |
| <a id="allowOrigins" href="#allowOrigins" title="#allowOrigins">`allowOrigins`</a> | List of allowed origins. <br /> A wildcard origin `*` can also be configured to match all requests.<br /> More information [here](#alloworigins). | [] | No |
### allowOrigins

66
docs/content/reference/routing-configuration/http/middlewares/headers.md
View File

@@ -9,11 +9,11 @@ By default, the following headers are automatically added when proxying requests
| Property | HTTP Header |
|---------------------------|----------------------------|
| Client's IP | X-Forwarded-For, X-Real-Ip |
| Host | X-Forwarded-Host |
| Port | X-Forwarded-Port |
| Protocol | X-Forwarded-Proto |
| Proxy Server's Hostname | X-Forwarded-Server |
| <a id="Clients-IP" href="#Clients-IP" title="#Clients-IP">Client's IP</a> | X-Forwarded-For, X-Real-Ip |
| <a id="Host" href="#Host" title="#Host">Host</a> | X-Forwarded-Host |
| <a id="Port" href="#Port" title="#Port">Port</a> | X-Forwarded-Port |
| <a id="Protocol" href="#Protocol" title="#Protocol">Protocol</a> | X-Forwarded-Proto |
| <a id="Proxy-Servers-Hostname" href="#Proxy-Servers-Hostname" title="#Proxy-Servers-Hostname">Proxy Server's Hostname</a> | X-Forwarded-Server |
## Configuration Examples
@@ -266,34 +266,34 @@ spec:
| Field | Description | Default | Required |
| ----------------------------- | ------------------------------------------------- | --------- | -------- |
| `customRequestHeaders` | Lists the header names and values for requests. | [] | No |
| `customResponseHeaders` | Lists the header names and values for responses. | [] | No |
| `accessControlAllowCredentials` | Indicates if the request can include user credentials.| false | No |
| `accessControlAllowHeaders` | Specifies allowed request header names. | [] | No |
| `accessControlAllowMethods` | Specifies allowed request methods. | [] | No |
| `accessControlAllowOriginList` | Specifies allowed origins. More information [here](#accesscontrolalloworiginlist) | [] | No |
| `accessControlAllowOriginListRegex` | Allows origins matching regex. More information [here](#accesscontrolalloworiginlistregex) | [] | No |
| `accessControlExposeHeaders` | Specifies which headers are safe to expose to the API of a CORS API specification. | [] | No |
| `accessControlMaxAge` | Time (in seconds) to cache preflight requests. | 0 | No |
| `addVaryHeader` | Used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header. | false | No |
| `allowedHosts` | Lists allowed domain names. | [] | No |
| `hostsProxyHeaders` | Specifies header keys for proxied hostname. | [] | No |
| `sslProxyHeaders` | Defines a set of header keys with associated values that would indicate a valid HTTPS request. It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`). | {} | No |
| `stsSeconds` | Max age for `Strict-Transport-Security` header. | 0 | No |
| `stsIncludeSubdomains` | If set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header. | false | No |
| `stsPreload` | Adds preload flag to STS header. | false | No |
| `forceSTSHeader` | Adds STS header for HTTP connections. | false | No |
| `frameDeny` | Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`. | false | No |
| `customFrameOptionsValue` | allows the `X-Frame-Options` header value to be set with a custom value. This overrides the `FrameDeny` option. | "" | No |
| `contentTypeNosniff` | Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`. | false | No |
| `browserXssFilter` | Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`. | false | No |
| `customBrowserXSSValue` | allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the `BrowserXssFilter` option. | false | No |
| `contentSecurityPolicy` | allows the `Content-Security-Policy` header value to be set with a custom value. | false | No |
| `contentSecurityPolicyReportOnly` | allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value. | "" | No |
| `publicKey` | Implements HPKP for certificate pinning. | "" | No |
| `referrerPolicy` | Controls forwarding of `Referer` header. | "" | No |
| `permissionsPolicy` | allows sites to control browser features. | "" | No |
| `isDevelopment` | Set `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options. Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain. | false | No |
| <a id="customRequestHeaders" href="#customRequestHeaders" title="#customRequestHeaders">`customRequestHeaders`</a> | Lists the header names and values for requests. | [] | No |
| <a id="customResponseHeaders" href="#customResponseHeaders" title="#customResponseHeaders">`customResponseHeaders`</a> | Lists the header names and values for responses. | [] | No |
| <a id="accessControlAllowCredentials" href="#accessControlAllowCredentials" title="#accessControlAllowCredentials">`accessControlAllowCredentials`</a> | Indicates if the request can include user credentials.| false | No |
| <a id="accessControlAllowHeaders" href="#accessControlAllowHeaders" title="#accessControlAllowHeaders">`accessControlAllowHeaders`</a> | Specifies allowed request header names. | [] | No |
| <a id="accessControlAllowMethods" href="#accessControlAllowMethods" title="#accessControlAllowMethods">`accessControlAllowMethods`</a> | Specifies allowed request methods. | [] | No |
| <a id="accessControlAllowOriginList" href="#accessControlAllowOriginList" title="#accessControlAllowOriginList">`accessControlAllowOriginList`</a> | Specifies allowed origins. More information [here](#accesscontrolalloworiginlist) | [] | No |
| <a id="accessControlAllowOriginListRegex" href="#accessControlAllowOriginListRegex" title="#accessControlAllowOriginListRegex">`accessControlAllowOriginListRegex`</a> | Allows origins matching regex. More information [here](#accesscontrolalloworiginlistregex) | [] | No |
| <a id="accessControlExposeHeaders" href="#accessControlExposeHeaders" title="#accessControlExposeHeaders">`accessControlExposeHeaders`</a> | Specifies which headers are safe to expose to the API of a CORS API specification. | [] | No |
| <a id="accessControlMaxAge" href="#accessControlMaxAge" title="#accessControlMaxAge">`accessControlMaxAge`</a> | Time (in seconds) to cache preflight requests. | 0 | No |
| <a id="addVaryHeader" href="#addVaryHeader" title="#addVaryHeader">`addVaryHeader`</a> | Used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header. | false | No |
| <a id="allowedHosts" href="#allowedHosts" title="#allowedHosts">`allowedHosts`</a> | Lists allowed domain names. | [] | No |
| <a id="hostsProxyHeaders" href="#hostsProxyHeaders" title="#hostsProxyHeaders">`hostsProxyHeaders`</a> | Specifies header keys for proxied hostname. | [] | No |
| <a id="sslProxyHeaders" href="#sslProxyHeaders" title="#sslProxyHeaders">`sslProxyHeaders`</a> | Defines a set of header keys with associated values that would indicate a valid HTTPS request. It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`). | {} | No |
| <a id="stsSeconds" href="#stsSeconds" title="#stsSeconds">`stsSeconds`</a> | Max age for `Strict-Transport-Security` header. | 0 | No |
| <a id="stsIncludeSubdomains" href="#stsIncludeSubdomains" title="#stsIncludeSubdomains">`stsIncludeSubdomains`</a> | If set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header. | false | No |
| <a id="stsPreload" href="#stsPreload" title="#stsPreload">`stsPreload`</a> | Adds preload flag to STS header. | false | No |
| <a id="forceSTSHeader" href="#forceSTSHeader" title="#forceSTSHeader">`forceSTSHeader`</a> | Adds STS header for HTTP connections. | false | No |
| <a id="frameDeny" href="#frameDeny" title="#frameDeny">`frameDeny`</a> | Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`. | false | No |
| <a id="customFrameOptionsValue" href="#customFrameOptionsValue" title="#customFrameOptionsValue">`customFrameOptionsValue`</a> | allows the `X-Frame-Options` header value to be set with a custom value. This overrides the `FrameDeny` option. | "" | No |
| <a id="contentTypeNosniff" href="#contentTypeNosniff" title="#contentTypeNosniff">`contentTypeNosniff`</a> | Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`. | false | No |
| <a id="browserXssFilter" href="#browserXssFilter" title="#browserXssFilter">`browserXssFilter`</a> | Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`. | false | No |
| <a id="customBrowserXSSValue" href="#customBrowserXSSValue" title="#customBrowserXSSValue">`customBrowserXSSValue`</a> | allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the `BrowserXssFilter` option. | false | No |
| <a id="contentSecurityPolicy" href="#contentSecurityPolicy" title="#contentSecurityPolicy">`contentSecurityPolicy`</a> | allows the `Content-Security-Policy` header value to be set with a custom value. | false | No |
| <a id="contentSecurityPolicyReportOnly" href="#contentSecurityPolicyReportOnly" title="#contentSecurityPolicyReportOnly">`contentSecurityPolicyReportOnly`</a> | allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value. | "" | No |
| <a id="publicKey" href="#publicKey" title="#publicKey">`publicKey`</a> | Implements HPKP for certificate pinning. | "" | No |
| <a id="referrerPolicy" href="#referrerPolicy" title="#referrerPolicy">`referrerPolicy`</a> | Controls forwarding of `Referer` header. | "" | No |
| <a id="permissionsPolicy" href="#permissionsPolicy" title="#permissionsPolicy">`permissionsPolicy`</a> | allows sites to control browser features. | "" | No |
| <a id="isDevelopment" href="#isDevelopment" title="#isDevelopment">`isDevelopment`</a> | Set `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options. Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain. | false | No |
### `accessControlAllowOriginList`

26
docs/content/reference/routing-configuration/http/middlewares/hmac.md
View File

@@ -52,9 +52,9 @@ spec:
| Field | Description | Default | Required |
|:------------------|:---------------------------------------------|:--------|:---------|
| `keys` | A static set of secret keys to be used by HMAC middleware. | | Yes |
| `validateDigest` | Determines whether the middleware should validate the digest sum of the request body. | true | No |
| `enforcedHeaders` | A set of headers that must be included in the computation of the signature of the request. | | No |
| <a id="keys" href="#keys" title="#keys">`keys`</a> | A static set of secret keys to be used by HMAC middleware. | | Yes |
| <a id="validateDigest" href="#validateDigest" title="#validateDigest">`validateDigest`</a> | Determines whether the middleware should validate the digest sum of the request body. | true | No |
| <a id="enforcedHeaders" href="#enforcedHeaders" title="#enforcedHeaders">`enforcedHeaders`</a> | A set of headers that must be included in the computation of the signature of the request. | | No |
## Authentication Mechanism
@@ -72,12 +72,12 @@ Authorization: Hmac keyId="secret-id-1",algorithm="hmac-sha256",headers="(reques
| Parameter | Description | Example |
|-------------|--------------------------------|------------------------------------|
| `keyId` | Identifier of the key being used by the sender to build the signature | `keyId="secret-key-1"` |
| `algorithm` | Algorithm used to generate the signature.<br /> Supported values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384` and `hmac-sha512`. | `algorithm="hmac-sha512"` |
| `headers` | List of headers to use in order to build the signature string.<br /> Each item **must** be lowercase. | `headers="host content-type"` |
| `signature` | Digital Signature of the request. See [computing the signature](#computing-the-signature). | `signature="c29tZXNpZ25hdHVyZQ=="` |
| `created` | Unix timestamp of the signature creation. | `created="1574453022"` |
| `expires` | Unix timestamp of the signature expiration. | `expires="1574453022"` |
| <a id="keyId" href="#keyId" title="#keyId">`keyId`</a> | Identifier of the key being used by the sender to build the signature | `keyId="secret-key-1"` |
| <a id="algorithm" href="#algorithm" title="#algorithm">`algorithm`</a> | Algorithm used to generate the signature.<br /> Supported values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384` and `hmac-sha512`. | `algorithm="hmac-sha512"` |
| <a id="headers" href="#headers" title="#headers">`headers`</a> | List of headers to use in order to build the signature string.<br /> Each item **must** be lowercase. | `headers="host content-type"` |
| <a id="signature" href="#signature" title="#signature">`signature`</a> | Digital Signature of the request. See [computing the signature](#computing-the-signature). | `signature="c29tZXNpZ25hdHVyZQ=="` |
| <a id="created" href="#created" title="#created">`created`</a> | Unix timestamp of the signature creation. | `created="1574453022"` |
| <a id="expires" href="#expires" title="#expires">`expires`</a> | Unix timestamp of the signature expiration. | `expires="1574453022"` |
!!! danger "Time sensitivity"
If the `created` timestamp is in the future or the `expires` timestamp is in the past, the middleware will refuse the request.
@@ -120,9 +120,9 @@ To allow this, the `headers` parameter accepts special header names that can be
| Value | Description | Signature String Example |
| --------------------- | ------------------------------------------------------------- |------------------------- |
| `(request-target)` | Obtained by concatenating the lowercase `:method`, an ASCII space, and the `:path` pseudo-headers ([as specified in HTTP/2](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)). | `(request-target): get /api/V1/resource?query=foo` |
| `(created)` | Value of the authorization header `created` parameter. | `(created): 1584453022` |
| `(expires)` | Value of the authorization header `expires` parameter. | `(expires): 1584453082` |
| <a id="request-target" href="#request-target" title="#request-target">`(request-target)`</a> | Obtained by concatenating the lowercase `:method`, an ASCII space, and the `:path` pseudo-headers ([as specified in HTTP/2](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)). | `(request-target): get /api/V1/resource?query=foo` |
| <a id="created-2" href="#created-2" title="#created-2">`(created)`</a> | Value of the authorization header `created` parameter. | `(created): 1584453022` |
| <a id="expires-2" href="#expires-2" title="#expires-2">`(expires)`</a> | Value of the authorization header `expires` parameter. | `(expires): 1584453082` |
Their evaluated value is obtained by appending the special header name with an ASCII colon `:` an ASCII space \` \` then the designated value.
@@ -204,4 +204,4 @@ Only SHA-256 and SHA-512 checksums are supported for checksum computation.
To disable this feature and only perform authentication, set the `validateDigest` option to `false` in the middleware configuration.
{!traefik-for-business-applications.md!}
{!traefik-for-business-applications.md!}

34
docs/content/reference/routing-configuration/http/middlewares/inflightreq.md
View File

@@ -54,12 +54,12 @@ spec:
| Field | Description | Default | Required |
|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `amount` | The `amount` option defines the maximum amount of allowed simultaneous in-flight request. <br /> The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy). | 0 | No |
| `sourceCriterion.requestHost` | Whether to consider the request host as the source.<br /> More information about `sourceCriterion`[here](#sourcecriterion). | false | No |
| `sourceCriterion.requestHeaderName` | Name of the header used to group incoming requests.<br /> More information about `sourceCriterion`[here](#sourcecriterion). | "" | No |
| `sourceCriterion.ipStrategy.depth` | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0 | No |
| `sourceCriterion.ipStrategy.excludedIPs` | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
| `sourceCriterion.ipStrategy.ipv6Subnet` | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
| <a id="amount" href="#amount" title="#amount">`amount`</a> | The `amount` option defines the maximum amount of allowed simultaneous in-flight request. <br /> The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy). | 0 | No |
| <a id="sourceCriterion-requestHost" href="#sourceCriterion-requestHost" title="#sourceCriterion-requestHost">`sourceCriterion.requestHost`</a> | Whether to consider the request host as the source.<br /> More information about `sourceCriterion`[here](#sourcecriterion). | false | No |
| <a id="sourceCriterion-requestHeaderName" href="#sourceCriterion-requestHeaderName" title="#sourceCriterion-requestHeaderName">`sourceCriterion.requestHeaderName`</a> | Name of the header used to group incoming requests.<br /> More information about `sourceCriterion`[here](#sourcecriterion). | "" | No |
| <a id="sourceCriterion-ipStrategy-depth" href="#sourceCriterion-ipStrategy-depth" title="#sourceCriterion-ipStrategy-depth">`sourceCriterion.ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0 | No |
| <a id="sourceCriterion-ipStrategy-excludedIPs" href="#sourceCriterion-ipStrategy-excludedIPs" title="#sourceCriterion-ipStrategy-excludedIPs">`sourceCriterion.ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
| <a id="sourceCriterion-ipStrategy-ipv6Subnet" href="#sourceCriterion-ipStrategy-ipv6Subnet" title="#sourceCriterion-ipStrategy-ipv6Subnet">`sourceCriterion.ipStrategy.ipv6Subnet`</a> | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
### sourceCriterion
@@ -90,9 +90,9 @@ If `ipv6Subnet` is provided, the IP is transformed in the following way.
| IP | ipv6Subnet | clientIP |
|---------------------------|--------------|-----------------------|
| `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
| `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
| `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
| <a id="abcd111122223333" href="#abcd111122223333" title="#abcd111122223333">`"::abcd:1111:2222:3333"`</a> | `64` | `"::0:0:0:0"` |
| <a id="abcd111122223333-2" href="#abcd111122223333-2" title="#abcd111122223333-2">`"::abcd:1111:2222:3333"`</a> | `80` | `"::abcd:0:0:0:0"` |
| <a id="abcd111122223333-3" href="#abcd111122223333-3" title="#abcd111122223333-3">`"::abcd:1111:2222:3333"`</a> | `96` | `"::abcd:1111:0:0:0"` |
### Example of Depth & X-Forwarded-For
@@ -100,16 +100,16 @@ If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,1
| X-Forwarded-For | depth | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1" href="#10-0-0-111-0-0-112-0-0-113-0-0-1" title="#10-0-0-111-0-0-112-0-0-113-0-0-1">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `1` | `"13.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-2" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-2" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-2">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `3` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-3" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-3" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-3">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `5` | `""` |
### Example of ExcludedIPs & X-Forwarded-For
| X-Forwarded-For | excludedIPs | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-4" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-4" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-4">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-5" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-5" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-5">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-6" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-6" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-6">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-7" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-7" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-7">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| <a id="10-0-0-111-0-0-1" href="#10-0-0-111-0-0-1" title="#10-0-0-111-0-0-1">`"10.0.0.1,11.0.0.1"`</a> | `"10.0.0.1,11.0.0.1"` | `""` |

30
docs/content/reference/routing-configuration/http/middlewares/ipallowlist.md
View File

@@ -56,10 +56,10 @@ spec:
| Field | Description | Default | Required |
|:-----------|:------------------------------|:--------|:---------|
| `sourceRange` | List of allowed IPs (or ranges of allowed IPs by using CIDR notation). | | Yes |
| `ipStrategy.depth` | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0 | No |
| `ipStrategy.excludedIPs` | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
| `ipStrategy.ipv6Subnet` | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
| <a id="sourceRange" href="#sourceRange" title="#sourceRange">`sourceRange`</a> | List of allowed IPs (or ranges of allowed IPs by using CIDR notation). | | Yes |
| <a id="ipStrategy-depth" href="#ipStrategy-depth" title="#ipStrategy-depth">`ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0 | No |
| <a id="ipStrategy-excludedIPs" href="#ipStrategy-excludedIPs" title="#ipStrategy-excludedIPs">`ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
| <a id="ipStrategy-ipv6Subnet" href="#ipStrategy-ipv6Subnet" title="#ipStrategy-ipv6Subnet">`ipStrategy.ipv6Subnet`</a> | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No |
### ipStrategy
@@ -95,9 +95,9 @@ If `ipv6Subnet` is provided, the IP is transformed in the following way.
| IP | ipv6Subnet | clientIP |
|---------------------------|--------------|-----------------------|
| `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
| `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
| `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
| <a id="abcd111122223333" href="#abcd111122223333" title="#abcd111122223333">`"::abcd:1111:2222:3333"`</a> | `64` | `"::0:0:0:0"` |
| <a id="abcd111122223333-2" href="#abcd111122223333-2" title="#abcd111122223333-2">`"::abcd:1111:2222:3333"`</a> | `80` | `"::abcd:0:0:0:0"` |
| <a id="abcd111122223333-3" href="#abcd111122223333-3" title="#abcd111122223333-3">`"::abcd:1111:2222:3333"`</a> | `96` | `"::abcd:1111:0:0:0"` |
### Example of Depth & X-Forwarded-For
@@ -105,16 +105,16 @@ If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,1
| X-Forwarded-For | depth | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1" href="#10-0-0-111-0-0-112-0-0-113-0-0-1" title="#10-0-0-111-0-0-112-0-0-113-0-0-1">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `1` | `"13.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-2" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-2" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-2">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `3` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-3" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-3" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-3">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `5` | `""` |
### Example of ExcludedIPs & X-Forwarded-For
| X-Forwarded-For | excludedIPs | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-4" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-4" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-4">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-5" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-5" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-5">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-6" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-6" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-6">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-7" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-7" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-7">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| <a id="10-0-0-111-0-0-1" href="#10-0-0-111-0-0-1" title="#10-0-0-111-0-0-1">`"10.0.0.1,11.0.0.1"`</a> | `"10.0.0.1,11.0.0.1"` | `""` |

52
docs/content/reference/routing-configuration/http/middlewares/jwt.md
View File

@@ -36,22 +36,22 @@ spec:
| Field | Description | Default | Required |
|:----------------|:------------------------------------------------|:--------|:---------|
| `signingSecret` | Defines the secret used for signing the JWT certificates. <br /> It is then used by the middleware to verify incoming requests. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set. (More information [here](#signingsecret)) | "" | No |
| `signingSecretBase64Encoded` | Defines whether the `signingSecret` is base64-encoded. <br /> If set to `true`, the `signingSecret` is base64-decoded before being used. | false | No |
| `publicKey` | Defines the public key used to verify secret signature in incoming requests. <br /> In that case, users should sign their token using a private key corresponding to the configured public key. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set. | "" | No |
| `jwksFile` | Defines a set of [JWK](https://tools.ietf.org/html/rfc7517) to be used to verify the signature of JWTs. <br /> The option can either be a path to a file mounted on the API Gateway or directly the content of a JWK set file. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set. (More information [here](#jwksfile)) | "" | No |
| `jwksUrl` | Defines the URL of the host serving a [JWK](https://tools.ietf.org/html/rfc7517) set. <br />The keys are cached if the HTTP Cache Control allows for caching. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set.<br />(More information [here](#jwksurl)) | "" | No |
| `forwardAuthorization` | Defines whether the authorization header will be forwarded or stripped from a request after it has been approved by the middleware. | false | No |
| `tokenKey` | Defines the name of the query and form data parameter used for passing the JWT, for applications that can't pass it in the `Authorization` header. <br /> The middleware always looks in the `Authorization` header first, even with this option enabled. <br /> This option should only be enabled if the JWT cannot be passed as an Authorization header, as it is not recommended by the [RFC](https://www.rfc-editor.org/rfc/rfc6750#section-2). | "" | No |
| `claims` | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| `usernameClaim` | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
| `forwardHeaders` | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| `clientConfig.tls.ca` | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.cert` | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.key` | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.insecureSkipVerify` | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.timeoutSeconds` | Defines the time before giving up requests to the authorization server. | 5 | No |
| `clientConfig.maxRetries` | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| <a id="signingSecret" href="#signingSecret" title="#signingSecret">`signingSecret`</a> | Defines the secret used for signing the JWT certificates. <br /> It is then used by the middleware to verify incoming requests. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set. (More information [here](#signingsecret)) | "" | No |
| <a id="signingSecretBase64Encoded" href="#signingSecretBase64Encoded" title="#signingSecretBase64Encoded">`signingSecretBase64Encoded`</a> | Defines whether the `signingSecret` is base64-encoded. <br /> If set to `true`, the `signingSecret` is base64-decoded before being used. | false | No |
| <a id="publicKey" href="#publicKey" title="#publicKey">`publicKey`</a> | Defines the public key used to verify secret signature in incoming requests. <br /> In that case, users should sign their token using a private key corresponding to the configured public key. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set. | "" | No |
| <a id="jwksFile" href="#jwksFile" title="#jwksFile">`jwksFile`</a> | Defines a set of [JWK](https://tools.ietf.org/html/rfc7517) to be used to verify the signature of JWTs. <br /> The option can either be a path to a file mounted on the API Gateway or directly the content of a JWK set file. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set. (More information [here](#jwksfile)) | "" | No |
| <a id="jwksUrl" href="#jwksUrl" title="#jwksUrl">`jwksUrl`</a> | Defines the URL of the host serving a [JWK](https://tools.ietf.org/html/rfc7517) set. <br />The keys are cached if the HTTP Cache Control allows for caching. <br /> At least one of `signingSecret`, `publicKey`, `jwksFile` or `jwksUrl` options must be set.<br />(More information [here](#jwksurl)) | "" | No |
| <a id="forwardAuthorization" href="#forwardAuthorization" title="#forwardAuthorization">`forwardAuthorization`</a> | Defines whether the authorization header will be forwarded or stripped from a request after it has been approved by the middleware. | false | No |
| <a id="tokenKey" href="#tokenKey" title="#tokenKey">`tokenKey`</a> | Defines the name of the query and form data parameter used for passing the JWT, for applications that can't pass it in the `Authorization` header. <br /> The middleware always looks in the `Authorization` header first, even with this option enabled. <br /> This option should only be enabled if the JWT cannot be passed as an Authorization header, as it is not recommended by the [RFC](https://www.rfc-editor.org/rfc/rfc6750#section-2). | "" | No |
| <a id="claims" href="#claims" title="#claims">`claims`</a> | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| <a id="usernameClaim" href="#usernameClaim" title="#usernameClaim">`usernameClaim`</a> | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
| <a id="forwardHeaders" href="#forwardHeaders" title="#forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| <a id="clientConfig-tls-ca" href="#clientConfig-tls-ca" title="#clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-cert" href="#clientConfig-tls-cert" title="#clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-key" href="#clientConfig-tls-key" title="#clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-insecureSkipVerify" href="#clientConfig-tls-insecureSkipVerify" title="#clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-timeoutSeconds" href="#clientConfig-timeoutSeconds" title="#clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server. | 5 | No |
| <a id="clientConfig-maxRetries" href="#clientConfig-maxRetries" title="#clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3 | No |
### claims
@@ -61,20 +61,20 @@ The following functions are supported in `claims`:
| Function | Description | Example |
|-------------------|--------------------|-----------------|
| Equals | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| Prefix | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| Contains (string) | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| Contains (array) | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| SplitContains | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| OneOf | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
| <a id="Equals" href="#Equals" title="#Equals">Equals</a> | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| <a id="Prefix" href="#Prefix" title="#Prefix">Prefix</a> | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| <a id="Contains-string" href="#Contains-string" title="#Contains-string">Contains (string)</a> | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| <a id="Contains-array" href="#Contains-array" title="#Contains-array">Contains (array)</a> | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| <a id="SplitContains" href="#SplitContains" title="#SplitContains">SplitContains</a> | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| <a id="OneOf" href="#OneOf" title="#OneOf">OneOf</a> | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
All functions can be joined by boolean operands. The supported operands are:
| Operand | Description | Example |
|---------|--------------------|-----------------|
| && | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| \|\| | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| ! | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
| <a id="row" href="#row" title="#row">&&</a> | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| <a id="row-2" href="#row-2" title="#row-2">\|\|</a> | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| <a id="row-3" href="#row-3" title="#row-3">!</a> | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
All examples will return true for the following data structure:
@@ -230,4 +230,4 @@ The reference to a Kubernetes secret takes the form of a URN:
urn:k8s:secret:[name]:[valueKey]
```
{!traefik-for-business-applications.md!}
{!traefik-for-business-applications.md!}

38
docs/content/reference/routing-configuration/http/middlewares/ldap.md
View File

@@ -64,24 +64,24 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `url` | LDAP server URL. Either the `ldaps` or `ldap` protocol and end with a port (ex: `ldaps://ldap.example.org:636`). | "" | Yes |
| `startTLS` | Enable [`StartTLS`](https://tools.ietf.org/html/rfc4511#section-4.14) request when initializing the connection with the LDAP server. | false | No |
| `certificateAuthority` | PEM-encoded certificate to use to establish a connection with the LDAP server if the connection uses TLS but that the certificate was signed by a custom Certificate Authority. | "" | No |
| `insecureSkipVerify` | Allow proceeding and operating even for server TLS connections otherwise considered insecure. | false | No |
| `bindDN` | Domain name to bind to in order to authenticate to the LDAP server when running on search mode.<br /> Leaving this empty with search mode means binds are anonymous, which is rarely expected behavior.<br /> Not used when running in [bind mode](#bind-mode-vs-search-mode). | "" | No |
| `bindPassword` | Password for the `bindDN` used in search mode to authenticate with the LDAP server. More information [here](#bindpassword) | "" | No |
| `connPool` | Pool of connections to the LDAP server (to minimize the impact on the performance). | None | No |
| `connPool.size` | Number of connections managed by the pool can be customized with the `size` property. | 10 | No |
| `connPool.burst` | Ephemeral connections that are opened when the pool is already full. Once the number of connection exceeds `size` + `burst`, a `Too Many Connections` error is returned. | 5 | No |
| `connPool.ttl` | Pooled connections are still meant to be short-lived, so they are closed after roughly one minute by default. This behavior can be modified with the `ttl` property. | 60s | No |
| `baseDN` | Base domain name that should be used for bind and search queries. | "" | Yes |
| `attribute` | The attribute used to bind a user. Bind queries use this pattern: `<attr>=<username>,<baseDN>`, where the username is extracted from the request header. | cn | Yes |
| `forwardUsername` | Forward the username in a specific header, defined using the `forwardUsernameHeader` option. | "" | No |
| `forwardUsernameHeader` | Name of the header to put the username in when forwarding it. This is not used if the `forwardUsername` option is set to `false`. | Username | Yes |
| `forwardAuthorization` | Enable to forward the authorization header from the request after it has been approved by the middleware. | false | Yes |
| `searchFilter` | If not empty, the middleware will run in [search mode](#bind-mode-vs-search-mode), filtering search results with the given query.<br />Filter queries can use the `%s` placeholder that is replaced by the username provided in the `Authorization` header of the request (for example: `(&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))`). | "" | No |
| `wwwAuthenticateHeader` | Allow setting a `WWW-Authenticate` header in the `401 Unauthorized` response. See [the WWW-Authenticate header documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) for more information.<br /> The `realm` directive of the `WWW-Authenticate` header can be customized with the `wwwAuthenticateHeaderRealm` option. | false | No |
| `wwwAuthenticateHeaderRealm` | Realm name to set in the `WWW-Authenticate` header. This option is ineffective unless the `wwwAuthenticateHeader` option is set to `true`. | "" | No |
| <a id="url" href="#url" title="#url">`url`</a> | LDAP server URL. Either the `ldaps` or `ldap` protocol and end with a port (ex: `ldaps://ldap.example.org:636`). | "" | Yes |
| <a id="startTLS" href="#startTLS" title="#startTLS">`startTLS`</a> | Enable [`StartTLS`](https://tools.ietf.org/html/rfc4511#section-4.14) request when initializing the connection with the LDAP server. | false | No |
| <a id="certificateAuthority" href="#certificateAuthority" title="#certificateAuthority">`certificateAuthority`</a> | PEM-encoded certificate to use to establish a connection with the LDAP server if the connection uses TLS but that the certificate was signed by a custom Certificate Authority. | "" | No |
| <a id="insecureSkipVerify" href="#insecureSkipVerify" title="#insecureSkipVerify">`insecureSkipVerify`</a> | Allow proceeding and operating even for server TLS connections otherwise considered insecure. | false | No |
| <a id="bindDN" href="#bindDN" title="#bindDN">`bindDN`</a> | Domain name to bind to in order to authenticate to the LDAP server when running on search mode.<br /> Leaving this empty with search mode means binds are anonymous, which is rarely expected behavior.<br /> Not used when running in [bind mode](#bind-mode-vs-search-mode). | "" | No |
| <a id="bindPassword" href="#bindPassword" title="#bindPassword">`bindPassword`</a> | Password for the `bindDN` used in search mode to authenticate with the LDAP server. More information [here](#bindpassword) | "" | No |
| <a id="connPool" href="#connPool" title="#connPool">`connPool`</a> | Pool of connections to the LDAP server (to minimize the impact on the performance). | None | No |
| <a id="connPool-size" href="#connPool-size" title="#connPool-size">`connPool.size`</a> | Number of connections managed by the pool can be customized with the `size` property. | 10 | No |
| <a id="connPool-burst" href="#connPool-burst" title="#connPool-burst">`connPool.burst`</a> | Ephemeral connections that are opened when the pool is already full. Once the number of connection exceeds `size` + `burst`, a `Too Many Connections` error is returned. | 5 | No |
| <a id="connPool-ttl" href="#connPool-ttl" title="#connPool-ttl">`connPool.ttl`</a> | Pooled connections are still meant to be short-lived, so they are closed after roughly one minute by default. This behavior can be modified with the `ttl` property. | 60s | No |
| <a id="baseDN" href="#baseDN" title="#baseDN">`baseDN`</a> | Base domain name that should be used for bind and search queries. | "" | Yes |
| <a id="attribute" href="#attribute" title="#attribute">`attribute`</a> | The attribute used to bind a user. Bind queries use this pattern: `<attr>=<username>,<baseDN>`, where the username is extracted from the request header. | cn | Yes |
| <a id="forwardUsername" href="#forwardUsername" title="#forwardUsername">`forwardUsername`</a> | Forward the username in a specific header, defined using the `forwardUsernameHeader` option. | "" | No |
| <a id="forwardUsernameHeader" href="#forwardUsernameHeader" title="#forwardUsernameHeader">`forwardUsernameHeader`</a> | Name of the header to put the username in when forwarding it. This is not used if the `forwardUsername` option is set to `false`. | Username | Yes |
| <a id="forwardAuthorization" href="#forwardAuthorization" title="#forwardAuthorization">`forwardAuthorization`</a> | Enable to forward the authorization header from the request after it has been approved by the middleware. | false | Yes |
| <a id="searchFilter" href="#searchFilter" title="#searchFilter">`searchFilter`</a> | If not empty, the middleware will run in [search mode](#bind-mode-vs-search-mode), filtering search results with the given query.<br />Filter queries can use the `%s` placeholder that is replaced by the username provided in the `Authorization` header of the request (for example: `(&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))`). | "" | No |
| <a id="wwwAuthenticateHeader" href="#wwwAuthenticateHeader" title="#wwwAuthenticateHeader">`wwwAuthenticateHeader`</a> | Allow setting a `WWW-Authenticate` header in the `401 Unauthorized` response. See [the WWW-Authenticate header documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) for more information.<br /> The `realm` directive of the `WWW-Authenticate` header can be customized with the `wwwAuthenticateHeaderRealm` option. | false | No |
| <a id="wwwAuthenticateHeaderRealm" href="#wwwAuthenticateHeaderRealm" title="#wwwAuthenticateHeaderRealm">`wwwAuthenticateHeaderRealm`</a> | Realm name to set in the `WWW-Authenticate` header. This option is ineffective unless the `wwwAuthenticateHeader` option is set to `true`. | "" | No |
### bindPassword
@@ -102,4 +102,4 @@ and a `bindPassword`, then the middleware runs in search mode. In this mode, a s
issued to the LDAP server before trying to bind. If result of this search returns only 1 record,
it tries to issue a bind request with this record, otherwise it aborts a `401 Unauthorized` status code.
{!traefik-for-business-applications.md!}
{!traefik-for-business-applications.md!}

70
docs/content/reference/routing-configuration/http/middlewares/oauth2-client-credentials.md
View File

@@ -49,32 +49,32 @@ stringData:
| Field | Description | Default | Required |
|:------|:--------------------------------------------------------------------------------------------|:--------|:---------|
| `audience` | Defines the audience configured in your authorization server. <br /> The audience value is the base address of the resource being accessed, for example: https://api.example.com. | "" | Yes |
| `claims` | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| `clientConfig.tls.ca` | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.cert` | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.key` | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.insecureSkipVerify` | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.timeoutSeconds` | Defines the time before giving up requests to the authorization server. | 5 | No |
| `clientConfig.maxRetries` | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| `clientID` | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set.<br />More information [here](#storing-secret-values-in-kubernetes-secrets). | "" | Yes |
| `clientSecret` | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientID` option is set.<br />More information [here](#storing-secret-values-in-kubernetes-secrets). | "" | Yes |
| `forwardHeaders` | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| `store.keyPrefix` | Defines the prefix of the key for the entries that store the sessions. | "" | No |
| `store.redis.endpoints` | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes |
| `store.redis.username` | The username Traefik Hub will use to connect to Redis | "" | No |
| `store.redis.password` | The password Traefik Hub will use to connect to Redis | "" | No |
| `store.redis.database` | The database Traefik Hub will use to sore information (default: `0`) | "" | No |
| `store.redis.cluster` | Enable Redis Cluster | "" | No |
| `store.redis.tls.caBundle` | Custom CA bundle | "" | No |
| `store.redis.tls.cert` | TLS certificate | "" | No |
| `store.redis.tls.key` | TLS | "" | No |
| `store.redis.tls.insecureSkipVerify` | Allow skipping the TLS verification | "" | No |
| `store.redis.sentinel.masterSet` | Name of the set of main nodes to use for main selection. Required when using Sentinel. | "" | No |
| `store.redis.sentinel.username` | Username to use for sentinel authentication (can be different from `username`) | "" | No |
| `store.redis.sentinel.password` | Password to use for sentinel authentication (can be different from `password`) | "" | No |
| `url` | Defines the authorization server URL (for example: `https://tenant.auth0.com/oauth/token`). | "" | Yes |
| `usernameClaim` | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
| <a id="audience" href="#audience" title="#audience">`audience`</a> | Defines the audience configured in your authorization server. <br /> The audience value is the base address of the resource being accessed, for example: https://api.example.com. | "" | Yes |
| <a id="claims" href="#claims" title="#claims">`claims`</a> | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| <a id="clientConfig-tls-ca" href="#clientConfig-tls-ca" title="#clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-cert" href="#clientConfig-tls-cert" title="#clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-key" href="#clientConfig-tls-key" title="#clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-insecureSkipVerify" href="#clientConfig-tls-insecureSkipVerify" title="#clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-timeoutSeconds" href="#clientConfig-timeoutSeconds" title="#clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server. | 5 | No |
| <a id="clientConfig-maxRetries" href="#clientConfig-maxRetries" title="#clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| <a id="clientID" href="#clientID" title="#clientID">`clientID`</a> | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set.<br />More information [here](#storing-secret-values-in-kubernetes-secrets). | "" | Yes |
| <a id="clientSecret" href="#clientSecret" title="#clientSecret">`clientSecret`</a> | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientID` option is set.<br />More information [here](#storing-secret-values-in-kubernetes-secrets). | "" | Yes |
| <a id="forwardHeaders" href="#forwardHeaders" title="#forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| <a id="store-keyPrefix" href="#store-keyPrefix" title="#store-keyPrefix">`store.keyPrefix`</a> | Defines the prefix of the key for the entries that store the sessions. | "" | No |
| <a id="store-redis-endpoints" href="#store-redis-endpoints" title="#store-redis-endpoints">`store.redis.endpoints`</a> | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes |
| <a id="store-redis-username" href="#store-redis-username" title="#store-redis-username">`store.redis.username`</a> | The username Traefik Hub will use to connect to Redis | "" | No |
| <a id="store-redis-password" href="#store-redis-password" title="#store-redis-password">`store.redis.password`</a> | The password Traefik Hub will use to connect to Redis | "" | No |
| <a id="store-redis-database" href="#store-redis-database" title="#store-redis-database">`store.redis.database`</a> | The database Traefik Hub will use to sore information (default: `0`) | "" | No |
| <a id="store-redis-cluster" href="#store-redis-cluster" title="#store-redis-cluster">`store.redis.cluster`</a> | Enable Redis Cluster | "" | No |
| <a id="store-redis-tls-caBundle" href="#store-redis-tls-caBundle" title="#store-redis-tls-caBundle">`store.redis.tls.caBundle`</a> | Custom CA bundle | "" | No |
| <a id="store-redis-tls-cert" href="#store-redis-tls-cert" title="#store-redis-tls-cert">`store.redis.tls.cert`</a> | TLS certificate | "" | No |
| <a id="store-redis-tls-key" href="#store-redis-tls-key" title="#store-redis-tls-key">`store.redis.tls.key`</a> | TLS | "" | No |
| <a id="store-redis-tls-insecureSkipVerify" href="#store-redis-tls-insecureSkipVerify" title="#store-redis-tls-insecureSkipVerify">`store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification | "" | No |
| <a id="store-redis-sentinel-masterSet" href="#store-redis-sentinel-masterSet" title="#store-redis-sentinel-masterSet">`store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel. | "" | No |
| <a id="store-redis-sentinel-username" href="#store-redis-sentinel-username" title="#store-redis-sentinel-username">`store.redis.sentinel.username`</a> | Username to use for sentinel authentication (can be different from `username`) | "" | No |
| <a id="store-redis-sentinel-password" href="#store-redis-sentinel-password" title="#store-redis-sentinel-password">`store.redis.sentinel.password`</a> | Password to use for sentinel authentication (can be different from `password`) | "" | No |
| <a id="url" href="#url" title="#url">`url`</a> | Defines the authorization server URL (for example: `https://tenant.auth0.com/oauth/token`). | "" | Yes |
| <a id="usernameClaim" href="#usernameClaim" title="#usernameClaim">`usernameClaim`</a> | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
### Storing secret values in Kubernetes secrets
@@ -93,20 +93,20 @@ The following functions are supported in `claims`:
| Function | Description | Example |
|-------------------|--------------------|-----------------|
| Equals | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| Prefix | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| Contains (string) | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| Contains (array) | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| SplitContains | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| OneOf | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
| <a id="Equals" href="#Equals" title="#Equals">Equals</a> | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| <a id="Prefix" href="#Prefix" title="#Prefix">Prefix</a> | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| <a id="Contains-string" href="#Contains-string" title="#Contains-string">Contains (string)</a> | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| <a id="Contains-array" href="#Contains-array" title="#Contains-array">Contains (array)</a> | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| <a id="SplitContains" href="#SplitContains" title="#SplitContains">SplitContains</a> | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| <a id="OneOf" href="#OneOf" title="#OneOf">OneOf</a> | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
All functions can be joined by boolean operands. The supported operands are:
| Operand | Description | Example |
|---------|--------------------|-----------------|
| && | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| \|\| | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| ! | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
| <a id="row" href="#row" title="#row">&&</a> | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| <a id="row-2" href="#row-2" title="#row-2">\|\|</a> | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| <a id="row-3" href="#row-3" title="#row-3">!</a> | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
All examples will return true for the following data structure:

52
docs/content/reference/routing-configuration/http/middlewares/oauth2-token-introspection.md
View File

@@ -40,23 +40,23 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `claims` | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| `clientConfig.url` | Defines the introspection endpoint URL. It must include the scheme and path. | "" | Yes |
| `clientConfig.headers` | Defines the headers to send in every introspection request. Values can be plain strings or a valid [Go template](https://pkg.go.dev/text/template). <br /> Currently, a variable of type [`Request`](https://pkg.go.dev/net/http#Request) corresponding to the request being introspected is accessible in templates. | "" | No |
| `clientConfig.tokenTypeHint` | Defines the type of token being introspected, sent as a hint to the introspection server. <br /> Please refer to the [official documentation](https://tools.ietf.org/html/rfc7662) for more details. | "" | No |
| `clientConfig.tls.ca` | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.cert` | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.key` | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.insecureSkipVerify` | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.timeoutSeconds` | Defines the time before giving up requests to the authorization server. | 5 | No |
| `clientConfig.maxRetries` | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| `forwardAuthorization` | Defines whether the authorization header will be forwarded or stripped from a request after it has been approved by the middleware. | false | No |
| `forwardHeaders` | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| `tokenSource.header` | Defines the header name containing the secret sent by the client.<br />At least one `tokenSource`option must be set.| "" | No |
| `tokenSource.headerAuthScheme` | Defines the scheme when using `Authorization` as header name. <br /> Check out the `Authorization` header [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#syntax).<br />At least one `tokenSource`option must be set. | "" | No |
| `tokenSource.query` | Defines the query parameter name containing the secret sent by the client.<br />At least one `tokenSource`option must be set.| "" | No |
| `tokenSource.cookie` | Defines the cookie name containing the secret sent by the client.<br />At least one `tokenSource`option must be set.| "" | No |
| `usernameClaim` | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
| <a id="claims" href="#claims" title="#claims">`claims`</a> | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| <a id="clientConfig-url" href="#clientConfig-url" title="#clientConfig-url">`clientConfig.url`</a> | Defines the introspection endpoint URL. It must include the scheme and path. | "" | Yes |
| <a id="clientConfig-headers" href="#clientConfig-headers" title="#clientConfig-headers">`clientConfig.headers`</a> | Defines the headers to send in every introspection request. Values can be plain strings or a valid [Go template](https://pkg.go.dev/text/template). <br /> Currently, a variable of type [`Request`](https://pkg.go.dev/net/http#Request) corresponding to the request being introspected is accessible in templates. | "" | No |
| <a id="clientConfig-tokenTypeHint" href="#clientConfig-tokenTypeHint" title="#clientConfig-tokenTypeHint">`clientConfig.tokenTypeHint`</a> | Defines the type of token being introspected, sent as a hint to the introspection server. <br /> Please refer to the [official documentation](https://tools.ietf.org/html/rfc7662) for more details. | "" | No |
| <a id="clientConfig-tls-ca" href="#clientConfig-tls-ca" title="#clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-cert" href="#clientConfig-tls-cert" title="#clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-key" href="#clientConfig-tls-key" title="#clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-insecureSkipVerify" href="#clientConfig-tls-insecureSkipVerify" title="#clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-timeoutSeconds" href="#clientConfig-timeoutSeconds" title="#clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server. | 5 | No |
| <a id="clientConfig-maxRetries" href="#clientConfig-maxRetries" title="#clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| <a id="forwardAuthorization" href="#forwardAuthorization" title="#forwardAuthorization">`forwardAuthorization`</a> | Defines whether the authorization header will be forwarded or stripped from a request after it has been approved by the middleware. | false | No |
| <a id="forwardHeaders" href="#forwardHeaders" title="#forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| <a id="tokenSource-header" href="#tokenSource-header" title="#tokenSource-header">`tokenSource.header`</a> | Defines the header name containing the secret sent by the client.<br />At least one `tokenSource`option must be set.| "" | No |
| <a id="tokenSource-headerAuthScheme" href="#tokenSource-headerAuthScheme" title="#tokenSource-headerAuthScheme">`tokenSource.headerAuthScheme`</a> | Defines the scheme when using `Authorization` as header name. <br /> Check out the `Authorization` header [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#syntax).<br />At least one `tokenSource`option must be set. | "" | No |
| <a id="tokenSource-query" href="#tokenSource-query" title="#tokenSource-query">`tokenSource.query`</a> | Defines the query parameter name containing the secret sent by the client.<br />At least one `tokenSource`option must be set.| "" | No |
| <a id="tokenSource-cookie" href="#tokenSource-cookie" title="#tokenSource-cookie">`tokenSource.cookie`</a> | Defines the cookie name containing the secret sent by the client.<br />At least one `tokenSource`option must be set.| "" | No |
| <a id="usernameClaim" href="#usernameClaim" title="#usernameClaim">`usernameClaim`</a> | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
### claims
@@ -66,20 +66,20 @@ The following functions are supported in `claims`:
| Function | Description | Example |
|-------------------|--------------------|-----------------|
| Equals | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| Prefix | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| Contains (string) | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| Contains (array) | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| SplitContains | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| OneOf | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
| <a id="Equals" href="#Equals" title="#Equals">Equals</a> | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| <a id="Prefix" href="#Prefix" title="#Prefix">Prefix</a> | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| <a id="Contains-string" href="#Contains-string" title="#Contains-string">Contains (string)</a> | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| <a id="Contains-array" href="#Contains-array" title="#Contains-array">Contains (array)</a> | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| <a id="SplitContains" href="#SplitContains" title="#SplitContains">SplitContains</a> | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| <a id="OneOf" href="#OneOf" title="#OneOf">OneOf</a> | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
All functions can be joined by boolean operands. The supported operands are:
| Operand | Description | Example |
|---------|--------------------|-----------------|
| && | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| \|\| | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| ! | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
| <a id="row" href="#row" title="#row">&&</a> | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| <a id="row-2" href="#row-2" title="#row-2">\|\|</a> | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| <a id="row-3" href="#row-3" title="#row-3">!</a> | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
All examples will return true for the following data structure:

140
docs/content/reference/routing-configuration/http/middlewares/oidc.md
View File

@@ -60,61 +60,61 @@ stringData:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `issuer` | Defines the URL to the OpenID Connect provider (for example, `https://accounts.google.com`). <br /> It should point to the server which provides the OpenID Connect configuration. | "" | Yes |
| `redirectUrl` | Defines the URL used by the OpenID Connect provider to redirect back to the middleware once the authorization is complete. (More information [here](#redirecturl)) | "" | Yes |
| `clientID` | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set. (More information [here](#clientid-clientsecret)) | "" | Yes |
| `clientSecret` | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientID` option is set. (More information [here](#clientid-clientsecret)) | "" | Yes |
| `claims` | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| `usernameClaim` | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
| `forwardHeaders` | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| `clientConfig.tls.ca` | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.cert` | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.key` | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.tls.insecureSkipVerify` | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| `clientConfig.timeoutSeconds` | Defines the time before giving up requests to the authorization server. | 5 | No |
| `clientConfig.maxRetries` | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| `pkce` | Defines the Proof Key for Code Exchange as described in [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636). | false | No |
| `discoveryParams` | A map of arbitrary query parameters to be added to the openid-configuration well-known URI during the discovery mechanism. | "" | No |
| `scopes` | The scopes to request. Must include `openid`. | openid | No |
| `authParams` | A map of the arbitrary query parameters to be passed to the Authentication Provider. <br />When a `prompt` key is set to an empty string in the AuthParams,the prompt parameter is not added to the OAuth2 authorization URL Which means the user won't be prompted for consent.| "" | No |
| `disableLogin` | Disables redirections to the authentication provider <br /> This can be useful for protecting APIs where redirecting to a login page is undesirable. | false | No |
| `loginUrl` | Defines the URL used to start authorization when needed. <br /> All other requests that are not already authorized will return a 401 Unauthorized. When left empty, all requests can start authorization. <br /> It can be a path (`/login` for example), a host and a path (`example.com/login`) or a complete URL (`https://example.com/login`). <br /> Only `http` and `https` schemes are supported.| "" | No |
| `logoutUrl` |Defines the URL on which the session should be deleted in order to log users out. <br /> It can be a path (`/logout` for example), a host and a path (`example.com/logout`) or a complete URL (`https://example.com/logout`). <br /> Only `http` and `https` schemes are supported.| "" | No |
| `postLoginRedirectUrl` |If set and used in conjunction with `loginUrl`, the middleware will redirect to this URL after successful login. <br /> It can be a path (`/after/login` for example), a host and a path (`example.com/after/login`) or a complete URL (`https://example.com/after/login`). <br /> Only `http` and `https` schemes are supported. | "" | No |
| `postLogoutRedirectUrl` | If set and used in conjunction with `logoutUrl`, the middleware will redirect to this URL after logout. <br /> It can be a path (`/after/logout` for example), a host and a path (`example.com/after/logout`) or a complete URL (`https://example.com/after/logout`). <br /> Only `http` and `https` schemes are supported. | "" | No |
| `backchannelLogoutUrl` | Defines the URL called by the OIDC provider when a user logs out (see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OpenID.BackChannel). <br /> It can be a path (`/backchannel-logout` for example), a host and a path (`example.com/backchannel-logout`) or a complete URL (`https://example.com/backchannel-logout`). <br /> Only `http` and `https` schemes are supported. <br /> This feature is currently in an experimental state and has been tested exclusively with the Keycloak OIDC provider. | "" | No |
| `backchannelLogoutSessionsRequired` | This specifies whether the OIDC provider includes the sid (session ID) Claim in the Logout Token to identify the user session (see https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRegistration). <br/> If omitted, the default value is false. <br /> This feature is currently in an experimental state and has been tested exclusively with the Keycloak OIDC provider. | false | No |
| `stateCookie.name` | Defines the name of the state cookie. |"`MIDDLEWARE_NAME`-state" | No |
| `stateCookie.path` | Defines the URL path that must exist in the requested URL in order to send the Cookie header. <br /> The `%x2F` ('/') character is considered a directory separator, and subdirectories will match as well. <br /> For example, if `stateCookie.path` is set to `/docs`, these paths will match: `/docs`,`/docs/web/`,`/docs/web/http`.| "/" | No |
| `stateCookie.domain` | Defines the hosts that are allowed to receive the cookie. <br />If specified, then subdomains are always included. <br /> For example, if it is set to `example.com`, then cookies are included on subdomains like `api.example.com`. | "" | No |
| `stateCookie.maxAge` |Defines the number of seconds after which the state cookie should expire. <br /> A zero or negative number will expire the cookie immediately. | 600 | No |
| `stateCookie.sameSite` | Informsbrowsers how they should handle the state cookie on cross-site requests. <br /> Setting it to `lax` or `strict` can provide some protection against cross-site request forgery attacks ([CSRF](https://developer.mozilla.org/en-US/docs/Glossary/CSRF)). <br /> More information [here](#samesite---accepted-values). | lax | No |
| `stateCookie.httpOnly` | Forbids JavaScript from accessing the cookie. <br /> For example, through the `Document.cookie` property, the `XMLHttpRequest` API, or the `Request` API. <br /> This mitigates attacks against cross-site scripting ([XSS](https://developer.mozilla.org/en-US/docs/Glossary/XSS)). | true | No |
| `stateCookie.secure` | Defines whether the state cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
| `session.name` | The name of the session cookie. |"`MIDDLEWARE_NAME`-session"| No |
| `session.path` | Defines the URL path that must exist in the requested URL in order to send the Cookie header. <br />The `%x2F` ('/'') character is considered a directory separator, and subdirectories will match as well. <br /> For example, if `stateCookie.path` is set to `/docs`, these paths will match: `/docs`,`/docs/web/`,`/docs/web/http`.| "/" | No |
| `session.domain` | Specifies the hosts that are allowed to receive the cookie. If specified, then subdomains are always included. If specified, then subdomains are always included. <br /> For example, if it is set to `example.com`, then cookies are included on subdomains like `api.example.com`.| "" | No |
| `session.expiry` | Number of seconds after which the session should expire. A zero or negative number is **prohibited**. | 86400 (24h) | No |
| `session.sliding` | Forces the middleware to renew the session cookie each time an authenticated request is received. | true | No |
| `session.refresh` | Enables the access token refresh when it expires. | true | No |
| `session.sameSite` | Inform browsers how they should handle the session cookie on cross-site requests. <br /> Setting it to `lax` or `strict` can provide some protection against cross-site request forgery attacks ([CSRF](https://developer.mozilla.org/en-US/docs/Glossary/CSRF)). <br /> More information [here](#samesite---accepted-values). | lax | No |
| `session.httpOnly` | Forbids JavaScript from accessing the cookie. <br /> For example, through the `Document.cookie` property, the `XMLHttpRequest` API, or the `Request` API. <br /> This mitigates attacks against cross-site scripting ([XSS](https://developer.mozilla.org/en-US/docs/Glossary/XSS)). | true | No |
| `session.secure` | Defines whether the session cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
| `session.store.redis.endpoints` | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes |
| `session.store.redis.username` | The username Traefik Hub will use to connect to Redis | "" | No |
| `session.store.redis.password` | The password Traefik Hub will use to connect to Redis | "" | No |
| `session.store.redis.database` | The database Traefik Hub will use to sore information (default: `0`) | "" | No |
| `session.store.redis.cluster` | Enable Redis Cluster | "" | No |
| `session.store.redis.tls.caBundle` | Custom CA bundle | "" | No |
| `session.store.redis.tls.cert` | TLS certificate | "" | No |
| `session.store.redis.tls.key` | TLS key | "" | No |
| `session.store.redis.tls.insecureSkipVerify` | Allow skipping the TLS verification | "" | No |
| `session.store.redis.sentinel.masterSet` | Name of the set of main nodes to use for main selection. Required when using Sentinel. | "" | No |
| `session.store.redis.sentinel.username` | Username to use for sentinel authentication (can be different from `username`) | "" | No |
| `session.store.redis.sentinel.password` | Password to use for sentinel authentication (can be different from `password`) | "" | No |
| `csrf` | When enabled, a CSRF cookie, named `traefikee-csrf-token`, is bound to the OIDC session to protect service from CSRF attacks. <br /> It is based on the [Signed Double Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#signed-double-submit-cookie) implementation as defined by the OWASP Foundation.<br />Moreinformation [here](#csrf). | "" | No |
| `csrf.secure` | Defines whether the CSRF cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
| `csrf.headerName` | Defines the name of the header used to send the CSRF token value received previously in the CSRF cookie. | TraefikHub-Csrf-Token | No |
| <a id="issuer" href="#issuer" title="#issuer">`issuer`</a> | Defines the URL to the OpenID Connect provider (for example, `https://accounts.google.com`). <br /> It should point to the server which provides the OpenID Connect configuration. | "" | Yes |
| <a id="redirectUrl" href="#redirectUrl" title="#redirectUrl">`redirectUrl`</a> | Defines the URL used by the OpenID Connect provider to redirect back to the middleware once the authorization is complete. (More information [here](#redirecturl)) | "" | Yes |
| <a id="clientID" href="#clientID" title="#clientID">`clientID`</a> | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set. (More information [here](#clientid-clientsecret)) | "" | Yes |
| <a id="clientSecret" href="#clientSecret" title="#clientSecret">`clientSecret`</a> | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientID` option is set. (More information [here](#clientid-clientsecret)) | "" | Yes |
| <a id="claims" href="#claims" title="#claims">`claims`</a> | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
| <a id="usernameClaim" href="#usernameClaim" title="#usernameClaim">`usernameClaim`</a> | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| "" | No |
| <a id="forwardHeaders" href="#forwardHeaders" title="#forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | [] | No |
| <a id="clientConfig-tls-ca" href="#clientConfig-tls-ca" title="#clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-cert" href="#clientConfig-tls-cert" title="#clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-key" href="#clientConfig-tls-key" title="#clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-tls-insecureSkipVerify" href="#clientConfig-tls-insecureSkipVerify" title="#clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | "" | No |
| <a id="clientConfig-timeoutSeconds" href="#clientConfig-timeoutSeconds" title="#clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server. | 5 | No |
| <a id="clientConfig-maxRetries" href="#clientConfig-maxRetries" title="#clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3 | No |
| <a id="pkce" href="#pkce" title="#pkce">`pkce`</a> | Defines the Proof Key for Code Exchange as described in [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636). | false | No |
| <a id="discoveryParams" href="#discoveryParams" title="#discoveryParams">`discoveryParams`</a> | A map of arbitrary query parameters to be added to the openid-configuration well-known URI during the discovery mechanism. | "" | No |
| <a id="scopes" href="#scopes" title="#scopes">`scopes`</a> | The scopes to request. Must include `openid`. | openid | No |
| <a id="authParams" href="#authParams" title="#authParams">`authParams`</a> | A map of the arbitrary query parameters to be passed to the Authentication Provider. <br />When a `prompt` key is set to an empty string in the AuthParams,the prompt parameter is not added to the OAuth2 authorization URL Which means the user won't be prompted for consent.| "" | No |
| <a id="disableLogin" href="#disableLogin" title="#disableLogin">`disableLogin`</a> | Disables redirections to the authentication provider <br /> This can be useful for protecting APIs where redirecting to a login page is undesirable. | false | No |
| <a id="loginUrl" href="#loginUrl" title="#loginUrl">`loginUrl`</a> | Defines the URL used to start authorization when needed. <br /> All other requests that are not already authorized will return a 401 Unauthorized. When left empty, all requests can start authorization. <br /> It can be a path (`/login` for example), a host and a path (`example.com/login`) or a complete URL (`https://example.com/login`). <br /> Only `http` and `https` schemes are supported.| "" | No |
| <a id="logoutUrl" href="#logoutUrl" title="#logoutUrl">`logoutUrl`</a> |Defines the URL on which the session should be deleted in order to log users out. <br /> It can be a path (`/logout` for example), a host and a path (`example.com/logout`) or a complete URL (`https://example.com/logout`). <br /> Only `http` and `https` schemes are supported.| "" | No |
| <a id="postLoginRedirectUrl" href="#postLoginRedirectUrl" title="#postLoginRedirectUrl">`postLoginRedirectUrl`</a> |If set and used in conjunction with `loginUrl`, the middleware will redirect to this URL after successful login. <br /> It can be a path (`/after/login` for example), a host and a path (`example.com/after/login`) or a complete URL (`https://example.com/after/login`). <br /> Only `http` and `https` schemes are supported. | "" | No |
| <a id="postLogoutRedirectUrl" href="#postLogoutRedirectUrl" title="#postLogoutRedirectUrl">`postLogoutRedirectUrl`</a> | If set and used in conjunction with `logoutUrl`, the middleware will redirect to this URL after logout. <br /> It can be a path (`/after/logout` for example), a host and a path (`example.com/after/logout`) or a complete URL (`https://example.com/after/logout`). <br /> Only `http` and `https` schemes are supported. | "" | No |
| <a id="backchannelLogoutUrl" href="#backchannelLogoutUrl" title="#backchannelLogoutUrl">`backchannelLogoutUrl`</a> | Defines the URL called by the OIDC provider when a user logs out (see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OpenID.BackChannel). <br /> It can be a path (`/backchannel-logout` for example), a host and a path (`example.com/backchannel-logout`) or a complete URL (`https://example.com/backchannel-logout`). <br /> Only `http` and `https` schemes are supported. <br /> This feature is currently in an experimental state and has been tested exclusively with the Keycloak OIDC provider. | "" | No |
| <a id="backchannelLogoutSessionsRequired" href="#backchannelLogoutSessionsRequired" title="#backchannelLogoutSessionsRequired">`backchannelLogoutSessionsRequired`</a> | This specifies whether the OIDC provider includes the sid (session ID) Claim in the Logout Token to identify the user session (see https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRegistration). <br/> If omitted, the default value is false. <br /> This feature is currently in an experimental state and has been tested exclusively with the Keycloak OIDC provider. | false | No |
| <a id="stateCookie-name" href="#stateCookie-name" title="#stateCookie-name">`stateCookie.name`</a> | Defines the name of the state cookie. |"`MIDDLEWARE_NAME`-state" | No |
| <a id="stateCookie-path" href="#stateCookie-path" title="#stateCookie-path">`stateCookie.path`</a> | Defines the URL path that must exist in the requested URL in order to send the Cookie header. <br /> The `%x2F` ('/') character is considered a directory separator, and subdirectories will match as well. <br /> For example, if `stateCookie.path` is set to `/docs`, these paths will match: `/docs`,`/docs/web/`,`/docs/web/http`.| "/" | No |
| <a id="stateCookie-domain" href="#stateCookie-domain" title="#stateCookie-domain">`stateCookie.domain`</a> | Defines the hosts that are allowed to receive the cookie. <br />If specified, then subdomains are always included. <br /> For example, if it is set to `example.com`, then cookies are included on subdomains like `api.example.com`. | "" | No |
| <a id="stateCookie-maxAge" href="#stateCookie-maxAge" title="#stateCookie-maxAge">`stateCookie.maxAge`</a> |Defines the number of seconds after which the state cookie should expire. <br /> A zero or negative number will expire the cookie immediately. | 600 | No |
| <a id="stateCookie-sameSite" href="#stateCookie-sameSite" title="#stateCookie-sameSite">`stateCookie.sameSite`</a> | Informsbrowsers how they should handle the state cookie on cross-site requests. <br /> Setting it to `lax` or `strict` can provide some protection against cross-site request forgery attacks ([CSRF](https://developer.mozilla.org/en-US/docs/Glossary/CSRF)). <br /> More information [here](#samesite---accepted-values). | lax | No |
| <a id="stateCookie-httpOnly" href="#stateCookie-httpOnly" title="#stateCookie-httpOnly">`stateCookie.httpOnly`</a> | Forbids JavaScript from accessing the cookie. <br /> For example, through the `Document.cookie` property, the `XMLHttpRequest` API, or the `Request` API. <br /> This mitigates attacks against cross-site scripting ([XSS](https://developer.mozilla.org/en-US/docs/Glossary/XSS)). | true | No |
| <a id="stateCookie-secure" href="#stateCookie-secure" title="#stateCookie-secure">`stateCookie.secure`</a> | Defines whether the state cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
| <a id="session-name" href="#session-name" title="#session-name">`session.name`</a> | The name of the session cookie. |"`MIDDLEWARE_NAME`-session"| No |
| <a id="session-path" href="#session-path" title="#session-path">`session.path`</a> | Defines the URL path that must exist in the requested URL in order to send the Cookie header. <br />The `%x2F` ('/'') character is considered a directory separator, and subdirectories will match as well. <br /> For example, if `stateCookie.path` is set to `/docs`, these paths will match: `/docs`,`/docs/web/`,`/docs/web/http`.| "/" | No |
| <a id="session-domain" href="#session-domain" title="#session-domain">`session.domain`</a> | Specifies the hosts that are allowed to receive the cookie. If specified, then subdomains are always included. If specified, then subdomains are always included. <br /> For example, if it is set to `example.com`, then cookies are included on subdomains like `api.example.com`.| "" | No |
| <a id="session-expiry" href="#session-expiry" title="#session-expiry">`session.expiry`</a> | Number of seconds after which the session should expire. A zero or negative number is **prohibited**. | 86400 (24h) | No |
| <a id="session-sliding" href="#session-sliding" title="#session-sliding">`session.sliding`</a> | Forces the middleware to renew the session cookie each time an authenticated request is received. | true | No |
| <a id="session-refresh" href="#session-refresh" title="#session-refresh">`session.refresh`</a> | Enables the access token refresh when it expires. | true | No |
| <a id="session-sameSite" href="#session-sameSite" title="#session-sameSite">`session.sameSite`</a> | Inform browsers how they should handle the session cookie on cross-site requests. <br /> Setting it to `lax` or `strict` can provide some protection against cross-site request forgery attacks ([CSRF](https://developer.mozilla.org/en-US/docs/Glossary/CSRF)). <br /> More information [here](#samesite---accepted-values). | lax | No |
| <a id="session-httpOnly" href="#session-httpOnly" title="#session-httpOnly">`session.httpOnly`</a> | Forbids JavaScript from accessing the cookie. <br /> For example, through the `Document.cookie` property, the `XMLHttpRequest` API, or the `Request` API. <br /> This mitigates attacks against cross-site scripting ([XSS](https://developer.mozilla.org/en-US/docs/Glossary/XSS)). | true | No |
| <a id="session-secure" href="#session-secure" title="#session-secure">`session.secure`</a> | Defines whether the session cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
| <a id="session-store-redis-endpoints" href="#session-store-redis-endpoints" title="#session-store-redis-endpoints">`session.store.redis.endpoints`</a> | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes |
| <a id="session-store-redis-username" href="#session-store-redis-username" title="#session-store-redis-username">`session.store.redis.username`</a> | The username Traefik Hub will use to connect to Redis | "" | No |
| <a id="session-store-redis-password" href="#session-store-redis-password" title="#session-store-redis-password">`session.store.redis.password`</a> | The password Traefik Hub will use to connect to Redis | "" | No |
| <a id="session-store-redis-database" href="#session-store-redis-database" title="#session-store-redis-database">`session.store.redis.database`</a> | The database Traefik Hub will use to sore information (default: `0`) | "" | No |
| <a id="session-store-redis-cluster" href="#session-store-redis-cluster" title="#session-store-redis-cluster">`session.store.redis.cluster`</a> | Enable Redis Cluster | "" | No |
| <a id="session-store-redis-tls-caBundle" href="#session-store-redis-tls-caBundle" title="#session-store-redis-tls-caBundle">`session.store.redis.tls.caBundle`</a> | Custom CA bundle | "" | No |
| <a id="session-store-redis-tls-cert" href="#session-store-redis-tls-cert" title="#session-store-redis-tls-cert">`session.store.redis.tls.cert`</a> | TLS certificate | "" | No |
| <a id="session-store-redis-tls-key" href="#session-store-redis-tls-key" title="#session-store-redis-tls-key">`session.store.redis.tls.key`</a> | TLS key | "" | No |
| <a id="session-store-redis-tls-insecureSkipVerify" href="#session-store-redis-tls-insecureSkipVerify" title="#session-store-redis-tls-insecureSkipVerify">`session.store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification | "" | No |
| <a id="session-store-redis-sentinel-masterSet" href="#session-store-redis-sentinel-masterSet" title="#session-store-redis-sentinel-masterSet">`session.store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel. | "" | No |
| <a id="session-store-redis-sentinel-username" href="#session-store-redis-sentinel-username" title="#session-store-redis-sentinel-username">`session.store.redis.sentinel.username`</a> | Username to use for sentinel authentication (can be different from `username`) | "" | No |
| <a id="session-store-redis-sentinel-password" href="#session-store-redis-sentinel-password" title="#session-store-redis-sentinel-password">`session.store.redis.sentinel.password`</a> | Password to use for sentinel authentication (can be different from `password`) | "" | No |
| <a id="csrf" href="#csrf" title="#csrf">`csrf`</a> | When enabled, a CSRF cookie, named `traefikee-csrf-token`, is bound to the OIDC session to protect service from CSRF attacks. <br /> It is based on the [Signed Double Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#signed-double-submit-cookie) implementation as defined by the OWASP Foundation.<br />Moreinformation [here](#csrf). | "" | No |
| <a id="csrf-secure" href="#csrf-secure" title="#csrf-secure">`csrf.secure`</a> | Defines whether the CSRF cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
| <a id="csrf-headerName" href="#csrf-headerName" title="#csrf-headerName">`csrf.headerName`</a> | Defines the name of the header used to send the CSRF token value received previously in the CSRF cookie. | TraefikHub-Csrf-Token | No |
### redirectUrl
@@ -154,19 +154,19 @@ See the following examples.
| Request URL | RedirectURL| Result |
|:------------|:-----------|:-------|
| `http://expl.co` | `/cback` | `http://expl.co/cback` |
| <a id="httpexpl-co" href="#httpexpl-co" title="#httpexpl-co">`http://expl.co`</a> | `/cback` | `http://expl.co/cback` |
#### Inherit the Protocol from the Request and Uses the Redirecturls Domain and Path
| Request URL | RedirectURL| Result |
|:------------|:-----------|:-------|
| `https://scur.co` | `expl.co/cback`| `https://expl.co/cback` |
| <a id="httpsscur-co" href="#httpsscur-co" title="#httpsscur-co">`https://scur.co`</a> | `expl.co/cback`| `https://expl.co/cback` |
#### Replace the Request URL with the Redirect URL since It Is an Absolute URL
| Request URL | RedirectURL| Result |
|:------------|:-----------|:-------|
| `https://scur.co` | `http://expl.co/cback` | `http://expl.co/cback` |
| <a id="httpsscur-co-2" href="#httpsscur-co-2" title="#httpsscur-co-2">`https://scur.co`</a> | `http://expl.co/cback` | `http://expl.co/cback` |
!!! note "Supported Schemes"
@@ -205,20 +205,20 @@ The following functions are supported in `claims`:
| Function | Description | Example |
|-------------------|--------------------|-----------------|
| Equals | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| Prefix | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| Contains (string) | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| Contains (array) | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| SplitContains | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| OneOf | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
| <a id="Equals" href="#Equals" title="#Equals">Equals</a> | Validates the equality of the value in `key` with `value`. | Equals(\`grp\`, \`admin\`) |
| <a id="Prefix" href="#Prefix" title="#Prefix">Prefix</a> | Validates the value in `key` has the prefix of `value`. | Prefix(\`referrer\`, \`http://example.com\`) |
| <a id="Contains-string" href="#Contains-string" title="#Contains-string">Contains (string)</a> | Validates the value in `key` contains `value`. | Contains(\`referrer\`, \`/foo/\`) |
| <a id="Contains-array" href="#Contains-array" title="#Contains-array">Contains (array)</a> | Validates the `key` array contains the `value`. | Contains(\`areas\`, \`home\`) |
| <a id="SplitContains" href="#SplitContains" title="#SplitContains">SplitContains</a> | Validates the value in `key` contains the `value` once split by the separator. | SplitContains(\`scope\`, \` \`, \`writer\`) |
| <a id="OneOf" href="#OneOf" title="#OneOf">OneOf</a> | Validates the `key` array contains one of the `values`. | OneOf(\`areas\`, \`office\`, \`lab\`) |
All functions can be joined by boolean operands. The supported operands are:
| Operand | Description | Example |
|---------|--------------------|-----------------|
| && | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| \|\| | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| ! | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
| <a id="row" href="#row" title="#row">&&</a> | Compares two functions and returns true only if both evaluate to true. | Equals(\`grp\`, \`admin\`) && Equals(\`active\`, \`true\`) |
| <a id="row-2" href="#row-2" title="#row-2">\|\|</a> | Compares two functions and returns true if either evaluate to true. | Equals(\`grp\`, \`admin\`) \|\| Equals(\`active\`, \`true\`) |
| <a id="row-3" href="#row-3" title="#row-3">!</a> | Returns false if the function is true, otherwise returns true. | !Equals(\`grp\`, \`testers\`) |
All examples will return true for the following data structure:
@@ -279,9 +279,9 @@ If the `key` contains a `\`, it needs to be doubled `\\`.
| Example | Description |
| ----------------------------------------- | ------------------------------------------------------------------------------ |
| Equals(\`id_token.grp\`, \`admin\`) | Checks if the value of claim `grp` in the ID token is `admin`. |
| Prefix(\`access_token.referrer\`, \`http://example.com\`) | Checks if the value of claim `referrer` in the access token is prefixed by `http://example.com\`.|
| OneOf(\`areas\`, \`office\`, \`lab\`) | Checks if the value of claim `areas` in the ID token is `office` or `labs`. |
| <a id="Equalsid-token-grp-admin" href="#Equalsid-token-grp-admin" title="#Equalsid-token-grp-admin">Equals(\`id_token.grp\`, \`admin\`)</a> | Checks if the value of claim `grp` in the ID token is `admin`. |
| <a id="Prefixaccess-token-referrer-httpexample-com" href="#Prefixaccess-token-referrer-httpexample-com" title="#Prefixaccess-token-referrer-httpexample-com">Prefix(\`access_token.referrer\`, \`http://example.com\`)</a> | Checks if the value of claim `referrer` in the access token is prefixed by `http://example.com\`.|
| <a id="OneOfareas-office-lab" href="#OneOfareas-office-lab" title="#OneOfareas-office-lab">OneOf(\`areas\`, \`office\`, \`lab\`)</a> | Checks if the value of claim `areas` in the ID token is `office` or `labs`. |
### clientConfig

8
docs/content/reference/routing-configuration/http/middlewares/opa.md
View File

@@ -64,9 +64,9 @@ spec:
| Field | Description | Default | Required |
|:---------|-----------------------|:--------|:----------------------------|
| `policy` | Path or the content of a [policy file](https://www.openpolicyagent.org/docs/v0.66.0/kubernetes-primer/#writing-policies). | "" | No (one of `policy` or `bundlePath` must be set) |
| `bundlePath` | The `bundlePath` option should contain the path to an OPA [bundle](https://www.openpolicyagent.org/docs/v0.66.0/management-bundles/). | "" | No (one of `policy` or `bundlePath` must be set) |
| `allow` | The `allow` option sets the expression to evaluate that determines if the request should be authorized. | "" | No (one of `allow` or `forwardHeaders` must be set) |
| `forwardHeaders` | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | "" | No (one of `allow` or `forwardHeaders` must be set) |
| <a id="policy" href="#policy" title="#policy">`policy`</a> | Path or the content of a [policy file](https://www.openpolicyagent.org/docs/v0.66.0/kubernetes-primer/#writing-policies). | "" | No (one of `policy` or `bundlePath` must be set) |
| <a id="bundlePath" href="#bundlePath" title="#bundlePath">`bundlePath`</a> | The `bundlePath` option should contain the path to an OPA [bundle](https://www.openpolicyagent.org/docs/v0.66.0/management-bundles/). | "" | No (one of `policy` or `bundlePath` must be set) |
| <a id="allow" href="#allow" title="#allow">`allow`</a> | The `allow` option sets the expression to evaluate that determines if the request should be authorized. | "" | No (one of `allow` or `forwardHeaders` must be set) |
| <a id="forwardHeaders" href="#forwardHeaders" title="#forwardHeaders">`forwardHeaders`</a> | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | "" | No (one of `allow` or `forwardHeaders` must be set) |
{!traefik-for-business-applications.md!}

46
docs/content/reference/routing-configuration/http/middlewares/overview.md
View File

@@ -20,29 +20,29 @@ Middlewares that use the same protocol can be combined into chains to fit every
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Adds a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Adds Basic Authentication | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combines multiple pieces of middleware | Misc |
| [CircuitBreaker](circuitbreaker.md) | Prevents calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compresses the response | Content Modifier |
| [ContentType](contenttype.md) | Handles Content-Type auto-detection | Misc |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Defines custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Delegates Authentication | Security, Authentication |
| [GrpcWeb](grpcweb.md) | Converts gRPC Web requests to HTTP/2 gRPC requests. | Request |
| [Headers](headers.md) | Adds / Updates headers | Security |
| [IPAllowList](ipallowlist.md) | Limits the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limits the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limits the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirects based on scheme | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirects based on regex | Request lifecycle |
| [ReplacePath](replacepath.md) | Changes the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Changes the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retries in case of error | Request lifecycle |
| [StripPrefix](stripprefix.md) | Changes the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Changes the path of the request | Path Modifier |
| <a id="AddPrefix" href="#AddPrefix" title="#AddPrefix">[AddPrefix](addprefix.md)</a> | Adds a Path Prefix | Path Modifier |
| <a id="BasicAuth" href="#BasicAuth" title="#BasicAuth">[BasicAuth](basicauth.md)</a> | Adds Basic Authentication | Security, Authentication |
| <a id="Buffering" href="#Buffering" title="#Buffering">[Buffering](buffering.md)</a> | Buffers the request/response | Request Lifecycle |
| <a id="Chain" href="#Chain" title="#Chain">[Chain](chain.md)</a> | Combines multiple pieces of middleware | Misc |
| <a id="CircuitBreaker" href="#CircuitBreaker" title="#CircuitBreaker">[CircuitBreaker](circuitbreaker.md)</a> | Prevents calling unhealthy services | Request Lifecycle |
| <a id="Compress" href="#Compress" title="#Compress">[Compress](compress.md)</a> | Compresses the response | Content Modifier |
| <a id="ContentType" href="#ContentType" title="#ContentType">[ContentType](contenttype.md)</a> | Handles Content-Type auto-detection | Misc |
| <a id="DigestAuth" href="#DigestAuth" title="#DigestAuth">[DigestAuth](digestauth.md)</a> | Adds Digest Authentication | Security, Authentication |
| <a id="Errors" href="#Errors" title="#Errors">[Errors](errorpages.md)</a> | Defines custom error pages | Request Lifecycle |
| <a id="ForwardAuth" href="#ForwardAuth" title="#ForwardAuth">[ForwardAuth](forwardauth.md)</a> | Delegates Authentication | Security, Authentication |
| <a id="GrpcWeb" href="#GrpcWeb" title="#GrpcWeb">[GrpcWeb](grpcweb.md)</a> | Converts gRPC Web requests to HTTP/2 gRPC requests. | Request |
| <a id="Headers" href="#Headers" title="#Headers">[Headers](headers.md)</a> | Adds / Updates headers | Security |
| <a id="IPAllowList" href="#IPAllowList" title="#IPAllowList">[IPAllowList](ipallowlist.md)</a> | Limits the allowed client IPs | Security, Request lifecycle |
| <a id="InFlightReq" href="#InFlightReq" title="#InFlightReq">[InFlightReq](inflightreq.md)</a> | Limits the number of simultaneous connections | Security, Request lifecycle |
| <a id="PassTLSClientCert" href="#PassTLSClientCert" title="#PassTLSClientCert">[PassTLSClientCert](passtlsclientcert.md)</a> | Adds Client Certificates in a Header | Security |
| <a id="RateLimit" href="#RateLimit" title="#RateLimit">[RateLimit](ratelimit.md)</a> | Limits the call frequency | Security, Request lifecycle |
| <a id="RedirectScheme" href="#RedirectScheme" title="#RedirectScheme">[RedirectScheme](redirectscheme.md)</a> | Redirects based on scheme | Request lifecycle |
| <a id="RedirectRegex" href="#RedirectRegex" title="#RedirectRegex">[RedirectRegex](redirectregex.md)</a> | Redirects based on regex | Request lifecycle |
| <a id="ReplacePath" href="#ReplacePath" title="#ReplacePath">[ReplacePath](replacepath.md)</a> | Changes the path of the request | Path Modifier |
| <a id="ReplacePathRegex" href="#ReplacePathRegex" title="#ReplacePathRegex">[ReplacePathRegex](replacepathregex.md)</a> | Changes the path of the request | Path Modifier |
| <a id="Retry" href="#Retry" title="#Retry">[Retry](retry.md)</a> | Automatically retries in case of error | Request lifecycle |
| <a id="StripPrefix" href="#StripPrefix" title="#StripPrefix">[StripPrefix](stripprefix.md)</a> | Changes the path of the request | Path Modifier |
| <a id="StripPrefixRegex" href="#StripPrefixRegex" title="#StripPrefixRegex">[StripPrefixRegex](stripprefixregex.md)</a> | Changes the path of the request | Path Modifier |
## Community Middlewares

44
docs/content/reference/routing-configuration/http/middlewares/passtlsclientcert.md
View File

@@ -206,28 +206,28 @@ spec:
| Field | Description | Default | Required |
|:-----------|:------------------------------------------------------------|:--------|:---------|
| `pem` | Fills the `X-Forwarded-Tls-Client-Cert` header with the certificate information.<br /> More information [here](#pem). | false | No |
| `info.serialNumber` | Add the `Serial Number` of the certificate.<br /> More information about `info` [here](#info). | false | No |
| `info.notAfter` | Add the `Not After` information from the `Validity` part. <br /> More information about `info` [here](#info). | false | No |
| `info.notBefore` | Add the `Not Before` information from the `Validity` part. <br />More information about `info` [here](#info). | false | No |
| `info.sans` | Add the `Subject Alternative Name` information from the `Subject Alternative Name` part. <br /> More information about `info` [here](#info). | false | No |
| `info.subject` | The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. <br />More information about `info` [here](#info). | false | No |
| `info.subject.country` | Add the `country` information into the subject.<br /> The data is taken from the subject part with the `C` key. <br />More information about `info` [here](#info). | false | No |
| `info.subject.province` | Add the `province` information into the subject.<br /> The data is taken from the subject part with the `ST` key. <br />More information about `info` [here](#info). | false | No |
| `info.subject.locality` | Add the `locality` information into the subject.<br /> The data is taken from the subject part with the `L` key. <br />More information about `info` [here](#info). | false | No |
| `info.subject.organization` | Add the `organization` information into the subject.<br /> The data is taken from the subject part with the `O` key. <br />More information about `info` [here](#info). | false | No |
| `info.subject.organizationalUnit` | Add the `organizationalUnit` information into the subject.<br /> The data is taken from the subject part with the `OU` key. <br />More information about `info` [here](#info). | false | No |
| `info.subject.commonName` | Add the `commonName` information into the subject.<br /> The data is taken from the subject part with the `CN` key.| false | No |
| `info.subject.serialNumber` | Add the `serialNumber` information into the subject.<br /> The data is taken from the subject part with the `SN` key.| false | No |
| `info.subject.domainComponent` | Add the `domainComponent` information into the subject.<br />The data is taken from the subject part with the `DC` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer` | The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.country` | Add the `country` information into the issuer.<br /> The data is taken from the issuer part with the `C` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.province` | Add the `province` information into the issuer.<br />The data is taken from the issuer part with the `ST` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.locality` | Add the `locality` information into the issuer.<br /> The data is taken from the issuer part with the `L` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.organization` | Add the `organization` information into the issuer.<br /> The data is taken from the issuer part with the `O` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.commonName` |Add the `commonName` information into the issuer.<br /> The data is taken from the issuer part with the `CN` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.serialNumber` |Add the `serialNumber` information into the issuer.<br /> The data is taken from the issuer part with the `SN` key. <br />More information about `info` [here](#info). | false | No |
| `info.issuer.domainComponent` | Add the `domainComponent` information into the issuer.<br /> The data is taken from the issuer part with the `DC` key. <br />More information about `info` [here](#info). | false | No |
| <a id="pem" href="#pem" title="#pem">`pem`</a> | Fills the `X-Forwarded-Tls-Client-Cert` header with the certificate information.<br /> More information [here](#pem). | false | No |
| <a id="info-serialNumber" href="#info-serialNumber" title="#info-serialNumber">`info.serialNumber`</a> | Add the `Serial Number` of the certificate.<br /> More information about `info` [here](#info). | false | No |
| <a id="info-notAfter" href="#info-notAfter" title="#info-notAfter">`info.notAfter`</a> | Add the `Not After` information from the `Validity` part. <br /> More information about `info` [here](#info). | false | No |
| <a id="info-notBefore" href="#info-notBefore" title="#info-notBefore">`info.notBefore`</a> | Add the `Not Before` information from the `Validity` part. <br />More information about `info` [here](#info). | false | No |
| <a id="info-sans" href="#info-sans" title="#info-sans">`info.sans`</a> | Add the `Subject Alternative Name` information from the `Subject Alternative Name` part. <br /> More information about `info` [here](#info). | false | No |
| <a id="info-subject" href="#info-subject" title="#info-subject">`info.subject`</a> | The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. <br />More information about `info` [here](#info). | false | No |
| <a id="info-subject-country" href="#info-subject-country" title="#info-subject-country">`info.subject.country`</a> | Add the `country` information into the subject.<br /> The data is taken from the subject part with the `C` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-subject-province" href="#info-subject-province" title="#info-subject-province">`info.subject.province`</a> | Add the `province` information into the subject.<br /> The data is taken from the subject part with the `ST` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-subject-locality" href="#info-subject-locality" title="#info-subject-locality">`info.subject.locality`</a> | Add the `locality` information into the subject.<br /> The data is taken from the subject part with the `L` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-subject-organization" href="#info-subject-organization" title="#info-subject-organization">`info.subject.organization`</a> | Add the `organization` information into the subject.<br /> The data is taken from the subject part with the `O` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-subject-organizationalUnit" href="#info-subject-organizationalUnit" title="#info-subject-organizationalUnit">`info.subject.organizationalUnit`</a> | Add the `organizationalUnit` information into the subject.<br /> The data is taken from the subject part with the `OU` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-subject-commonName" href="#info-subject-commonName" title="#info-subject-commonName">`info.subject.commonName`</a> | Add the `commonName` information into the subject.<br /> The data is taken from the subject part with the `CN` key.| false | No |
| <a id="info-subject-serialNumber" href="#info-subject-serialNumber" title="#info-subject-serialNumber">`info.subject.serialNumber`</a> | Add the `serialNumber` information into the subject.<br /> The data is taken from the subject part with the `SN` key.| false | No |
| <a id="info-subject-domainComponent" href="#info-subject-domainComponent" title="#info-subject-domainComponent">`info.subject.domainComponent`</a> | Add the `domainComponent` information into the subject.<br />The data is taken from the subject part with the `DC` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer" href="#info-issuer" title="#info-issuer">`info.issuer`</a> | The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-country" href="#info-issuer-country" title="#info-issuer-country">`info.issuer.country`</a> | Add the `country` information into the issuer.<br /> The data is taken from the issuer part with the `C` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-province" href="#info-issuer-province" title="#info-issuer-province">`info.issuer.province`</a> | Add the `province` information into the issuer.<br />The data is taken from the issuer part with the `ST` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-locality" href="#info-issuer-locality" title="#info-issuer-locality">`info.issuer.locality`</a> | Add the `locality` information into the issuer.<br /> The data is taken from the issuer part with the `L` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-organization" href="#info-issuer-organization" title="#info-issuer-organization">`info.issuer.organization`</a> | Add the `organization` information into the issuer.<br /> The data is taken from the issuer part with the `O` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-commonName" href="#info-issuer-commonName" title="#info-issuer-commonName">`info.issuer.commonName`</a> |Add the `commonName` information into the issuer.<br /> The data is taken from the issuer part with the `CN` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-serialNumber" href="#info-issuer-serialNumber" title="#info-issuer-serialNumber">`info.issuer.serialNumber`</a> |Add the `serialNumber` information into the issuer.<br /> The data is taken from the issuer part with the `SN` key. <br />More information about `info` [here](#info). | false | No |
| <a id="info-issuer-domainComponent" href="#info-issuer-domainComponent" title="#info-issuer-domainComponent">`info.issuer.domainComponent`</a> | Add the `domainComponent` information into the issuer.<br /> The data is taken from the issuer part with the `DC` key. <br />More information about `info` [here](#info). | false | No |
### pem

172
docs/content/reference/routing-configuration/http/middlewares/ratelimit.md
View File

@@ -18,38 +18,108 @@ For a rate below 1 req/s, define a `period` larger than a second
```yaml tab="Structured (YAML)"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
# Redis distributed rate limiting is configured with all available options.
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
period: 1s
burst: 200
redis:
endpoints:
- "redis-primary.example.com:6379"
- "redis-replica.example.com:6379"
username: "ratelimit-user"
password: "secure-password"
db: 2
poolSize: 50
minIdleConns: 10
maxActiveConns: 200
readTimeout: 3s
writeTimeout: 3s
dialTimeout: 5s
tls:
ca: "/etc/ssl/redis-ca.crt"
cert: "/etc/ssl/redis-client.crt"
key: "/etc/ssl/redis-client.key"
insecureSkipVerify: false
```
```toml tab="Structured (TOML)"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
# Redis distributed rate limiting is configured with all available options.
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
period = "1s"
burst = 200
[http.middlewares.test-ratelimit.rateLimit.redis]
endpoints = ["redis-primary.example.com:6379", "redis-replica.example.com:6379"]
username = "ratelimit-user"
password = "secure-password"
db = 2
poolSize = 50
minIdleConns = 10
maxActiveConns = 200
readTimeout = "3s"
writeTimeout = "3s"
dialTimeout = "5s"
[http.middlewares.test-ratelimit.rateLimit.redis.tls]
ca = "/etc/ssl/redis-ca.crt"
cert = "/etc/ssl/redis-client.crt"
key = "/etc/ssl/redis-client.key"
insecureSkipVerify = false
```
```yaml tab="Labels"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
# Redis distributed rate limiting is configured with all available options.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=redis-primary.example.com:6379,redis-replica.example.com:6379"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=ratelimit-user"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=secure-password"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=2"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=50"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=10"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=200"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=3s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=3s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=5s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=/etc/ssl/redis-ca.crt"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=/etc/ssl/redis-client.crt"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=/etc/ssl/redis-client.key"
- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=false"
```
```json tab="Tags"
// Here, an average of 100 requests per second is allowed.
// In addition, a burst of 200 requests is allowed.
// Redis distributed rate limiting is configured with all available options.
{
"Tags": [
"traefik.http.middlewares.test-ratelimit.ratelimit.average=100",
"traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
"traefik.http.middlewares.test-ratelimit.ratelimit.period=1s",
"traefik.http.middlewares.test-ratelimit.ratelimit.burst=200",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=redis-primary.example.com:6379,redis-replica.example.com:6379",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=ratelimit-user",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=secure-password",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=2",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=50",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=10",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=200",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=3s",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=3s",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=5s",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=/etc/ssl/redis-ca.crt",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=/etc/ssl/redis-client.crt",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=/etc/ssl/redis-client.key",
"traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=false"
]
}
```
@@ -57,6 +127,7 @@ labels:
```yaml tab="Kubernetes"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
# Redis distributed rate limiting is configured with all available options.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
@@ -64,21 +135,82 @@ metadata:
spec:
rateLimit:
average: 100
period: 1s
burst: 200
redis:
endpoints:
- "redis-primary.example.com:6379"
- "redis-replica.example.com:6379"
secret: redis-credentials
db: 2
poolSize: 50
minIdleConns: 10
maxActiveConns: 200
readTimeout: 3s
writeTimeout: 3s
dialTimeout: 5s
tls:
caSecret: redis-ca
certSecret: redis-client-cert
insecureSkipVerify: false
---
apiVersion: v1
kind: Secret
metadata:
name: redis-credentials
namespace: default
data:
username: cmF0ZWxpbWl0LXVzZXI= # base64 encoded "ratelimit-user"
password: c2VjdXJlLXBhc3N3b3Jk # base64 encoded "secure-password"
---
apiVersion: v1
kind: Secret
metadata:
name: redis-ca
namespace: default
data:
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...
---
apiVersion: v1
kind: Secret
metadata:
name: redis-client-cert
namespace: default
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t...
```
## Configuration Options
| Field | Description | Default | Required |
|:-----------|:-------------------------------------------------------|:--------|:---------|
| `average` | Number of requests used to define the rate using the `period`.<br /> 0 means **no rate limiting**.<br />More information [here](#rate-and-burst). | 0 | No |
| `period` | Period of time used to define the rate.<br />More information [here](#rate-and-burst). | 1s | No |
| `burst` | Maximum number of requests allowed to go through at the very same moment.<br />More information [here](#rate-and-burst).| 1 | No |
| `sourceCriterion.requestHost` | Whether to consider the request host as the source.<br />More information about `sourceCriterion`[here](#sourcecriterion). | false | No |
| `sourceCriterion.requestHeaderName` | Name of the header used to group incoming requests.<br />More information about `sourceCriterion`[here](#sourcecriterion). | "" | No |
| `sourceCriterion.ipStrategy.depth` | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`depth`](#sourcecriterionipstrategydepth) below. | 0 | No |
| `sourceCriterion.ipStrategy.excludedIPs` | Allows scanning the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#sourcecriterionipstrategyexcludedips) below. | | No |
| `sourceCriterion.ipStrategy.ipv6Subnet` | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#sourcecriterionipstrategyipv6subnet) below. | | No |
| <a id="average" href="#average" title="#average">`average`</a> | Number of requests used to define the rate using the `period`.<br /> 0 means **no rate limiting**.<br />More information [here](#rate-and-burst). | 0 | No |
| <a id="period" href="#period" title="#period">`period`</a> | Period of time used to define the rate.<br />More information [here](#rate-and-burst). | 1s | No |
| <a id="burst" href="#burst" title="#burst">`burst`</a> | Maximum number of requests allowed to go through at the very same moment.<br />More information [here](#rate-and-burst).| 1 | No |
| <a id="sourceCriterion-requestHost" href="#sourceCriterion-requestHost" title="#sourceCriterion-requestHost">`sourceCriterion.requestHost`</a> | Whether to consider the request host as the source.<br />More information about `sourceCriterion`[here](#sourcecriterion). | false | No |
| <a id="sourceCriterion-requestHeaderName" href="#sourceCriterion-requestHeaderName" title="#sourceCriterion-requestHeaderName">`sourceCriterion.requestHeaderName`</a> | Name of the header used to group incoming requests.<br />More information about `sourceCriterion`[here](#sourcecriterion). | "" | No |
| <a id="sourceCriterion-ipStrategy-depth" href="#sourceCriterion-ipStrategy-depth" title="#sourceCriterion-ipStrategy-depth">`sourceCriterion.ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`depth`](#sourcecriterionipstrategydepth) below. | 0 | No |
| <a id="sourceCriterion-ipStrategy-excludedIPs" href="#sourceCriterion-ipStrategy-excludedIPs" title="#sourceCriterion-ipStrategy-excludedIPs">`sourceCriterion.ipStrategy.excludedIPs`</a> | Allows scanning the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#sourcecriterionipstrategyexcludedips) below. | | No |
| <a id="sourceCriterion-ipStrategy-ipv6Subnet" href="#sourceCriterion-ipStrategy-ipv6Subnet" title="#sourceCriterion-ipStrategy-ipv6Subnet">`sourceCriterion.ipStrategy.ipv6Subnet`</a> | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#sourcecriterionipstrategyipv6subnet) below. | | No |
| <a id="redis" href="#redis" title="#redis">`redis`</a> | The `redis` configuration enables distributed rate limiting by using Redis to store rate limit tokens across multiple Traefik instances. This allows you to enforce consistent rate limits across a cluster of Traefik proxies. <br />When Redis is not configured, Traefik uses in-memory storage for rate limiting, which works only for the individual Traefik instance.| | No |
| <a id="redis-endpoints" href="#redis-endpoints" title="#redis-endpoints">`redis.endpoints`</a> | List of Redis server endpoints for distributed rate limiting. You can specify multiple endpoints for Redis cluster or high availability setups. | "127.0.0.1:6379" | No |
| <a id="redis-username" href="#redis-username" title="#redis-username">`redis.username`</a> | Username for Redis authentication. | "" | No |
| <a id="redis-password" href="#redis-password" title="#redis-password">`redis.password`</a> | Password for Redis authentication. In Kubernetes, these can be provided via secrets. | "" | No |
| <a id="redis-db" href="#redis-db" title="#redis-db">`redis.db`</a> | Redis database number to select. | 0 | No |
| <a id="redis-poolSize" href="#redis-poolSize" title="#redis-poolSize">`redis.poolSize`</a> | Defines the base number of socket connections in the pool. If set to 0, it defaults to 10 connections per CPU core as reported by `runtime.GOMAXPROCS`. <br />If there are not enough connections in the pool, new connections will be allocated beyond `poolSize`, up to `maxActiveConns`. | 0 | No |
| <a id="redis-minIdleConns" href="#redis-minIdleConns" title="#redis-minIdleConns">`redis.minIdleConns`</a> | Minimum number of idle connections to maintain in the pool. This is useful when establishing new connections is slow. A value of 0 means idle connections are not automatically closed. | 0 | No |
| <a id="redis-maxActiveConns" href="#redis-maxActiveConns" title="#redis-maxActiveConns">`redis.maxActiveConns`</a> | Maximum number of connections the pool can allocate at any given time. A value of 0 means no limit. | 0 | No |
| <a id="redis-readTimeout" href="#redis-readTimeout" title="#redis-readTimeout">`redis.readTimeout`</a> | Timeout for socket reads. If reached, commands will fail with a timeout instead of blocking. Zero means no timeout. | 3s | No |
| <a id="redis-writeTimeout" href="#redis-writeTimeout" title="#redis-writeTimeout">`redis.writeTimeout`</a> | Timeout for socket writes. If reached, commands will fail with a timeout instead of blocking. Zero means no timeout. | 3s | No |
| <a id="redis-dialTimeout" href="#redis-dialTimeout" title="#redis-dialTimeout">`redis.dialTimeout`</a> | Timeout for establishing new connections. Zero means no timeout. | 5s | No |
| <a id="redis-tls-ca" href="#redis-tls-ca" title="#redis-tls-ca">`redis.tls.ca`</a> | Path to the certificate authority used for the secure connection to Redis, it defaults to the system bundle. | "" | No |
| <a id="redis-tls-cert" href="#redis-tls-cert" title="#redis-tls-cert">`redis.tls.cert`</a> | Path to the public certificate used for the secure connection to Redis. When this option is set, the `key` option is required. | "" | No |
| <a id="redis-tls-key" href="#redis-tls-key" title="#redis-tls-key">`redis.tls.key`</a> | Path to the private key used for the secure connection to Redis. When this option is set, the `cert` option is required. | "" | No |
| <a id="redis-tls-insecureSkipVerify" href="#redis-tls-insecureSkipVerify" title="#redis-tls-insecureSkipVerify">`redis.tls.insecureSkipVerify`</a> | If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers. | false | No |
### sourceCriterion
@@ -109,9 +241,9 @@ If `ipv6Subnet` is provided, the IP is transformed in the following way.
| `IP` | `ipv6Subnet` | clientIP |
|---------------------------|--------------|-----------------------|
| `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
| `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
| `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
| <a id="abcd111122223333" href="#abcd111122223333" title="#abcd111122223333">`"::abcd:1111:2222:3333"`</a> | `64` | `"::0:0:0:0"` |
| <a id="abcd111122223333-2" href="#abcd111122223333-2" title="#abcd111122223333-2">`"::abcd:1111:2222:3333"`</a> | `80` | `"::abcd:0:0:0:0"` |
| <a id="abcd111122223333-3" href="#abcd111122223333-3" title="#abcd111122223333-3">`"::abcd:1111:2222:3333"`</a> | `96` | `"::abcd:1111:0:0:0"` |
### sourceCriterion.ipStrategy.depth
@@ -119,9 +251,9 @@ If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,1
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1" href="#10-0-0-111-0-0-112-0-0-113-0-0-1" title="#10-0-0-111-0-0-112-0-0-113-0-0-1">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `1` | `"13.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-2" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-2" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-2">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `3` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-113-0-0-1-3" href="#10-0-0-111-0-0-112-0-0-113-0-0-1-3" title="#10-0-0-111-0-0-112-0-0-113-0-0-1-3">`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`</a> | `5` | `""` |
### sourceCriterion.ipStrategy.excludedIPs
@@ -136,8 +268,8 @@ Example to use each IP as a distinct source:
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
| <a id="10-0-0-111-0-0-112-0-0-1" href="#10-0-0-111-0-0-112-0-0-1" title="#10-0-0-111-0-0-112-0-0-1">`"10.0.0.1,11.0.0.1,12.0.0.1"`</a> | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
| <a id="10-0-0-211-0-0-112-0-0-1" href="#10-0-0-211-0-0-112-0-0-1" title="#10-0-0-211-0-0-112-0-0-1">`"10.0.0.2,11.0.0.1,12.0.0.1"`</a> | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source, and all contribute to the same rate-limit bucket.
@@ -145,6 +277,6 @@ Example to group IPs together as same source:
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|--------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-111-0-0-112-0-0-1-2" href="#10-0-0-111-0-0-112-0-0-1-2" title="#10-0-0-111-0-0-112-0-0-1-2">`"10.0.0.1,11.0.0.1,12.0.0.1"`</a> | `"12.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-211-0-0-112-0-0-1-2" href="#10-0-0-211-0-0-112-0-0-1-2" title="#10-0-0-211-0-0-112-0-0-1-2">`"10.0.0.2,11.0.0.1,12.0.0.1"`</a> | `"12.0.0.1"` | `"11.0.0.1"` |
| <a id="10-0-0-311-0-0-112-0-0-1" href="#10-0-0-311-0-0-112-0-0-1" title="#10-0-0-311-0-0-112-0-0-1">`"10.0.0.3,11.0.0.1,12.0.0.1"`</a> | `"12.0.0.1"` | `"11.0.0.1"` |

6
docs/content/reference/routing-configuration/http/middlewares/redirectregex.md
View File

@@ -63,9 +63,9 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `regex` | The `regex` option is the regular expression to match and capture elements from the request URL.| "" | Yes |
| `permanent` | Enable a permanent redirection. | false | No |
| `replacement` | The `replacement` option defines how to modify the URL to have the new target URL..<br /> `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. | "" | No |
| <a id="regex" href="#regex" title="#regex">`regex`</a> | The `regex` option is the regular expression to match and capture elements from the request URL.| "" | Yes |
| <a id="permanent" href="#permanent" title="#permanent">`permanent`</a> | Enable a permanent redirection. | false | No |
| <a id="replacement" href="#replacement" title="#replacement">`replacement`</a> | The `replacement` option defines how to modify the URL to have the new target URL..<br /> `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. | "" | No |
### `regex`

6
docs/content/reference/routing-configuration/http/middlewares/redirectscheme.md
View File

@@ -69,6 +69,6 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|----------------------------------------------------------|:--------|:---------|
| `scheme` | Scheme of the new URL. | "" | Yes |
| `permanent` | Enable a permanent redirection. | false | No |
| `port` | Port of the new URL.<br />Set a string, **not** a numeric value. | "" | No |
| <a id="scheme" href="#scheme" title="#scheme">`scheme`</a> | Scheme of the new URL. | "" | Yes |
| <a id="permanent" href="#permanent" title="#permanent">`permanent`</a> | Enable a permanent redirection. | false | No |
| <a id="port" href="#port" title="#port">`port`</a> | Port of the new URL.<br />Set a string, **not** a numeric value. | "" | No |

2
docs/content/reference/routing-configuration/http/middlewares/replacepath.md
View File

@@ -57,4 +57,4 @@ spec:
| Field | Description |
|:------|:------------|
| `path` | The `path` option defines the path to use as replacement in the request URL. |
| <a id="path" href="#path" title="#path">`path`</a> | The `path` option defines the path to use as replacement in the request URL. |

4
docs/content/reference/routing-configuration/http/middlewares/replacepathregex.md
View File

@@ -57,8 +57,8 @@ labels:
| Field | Description | Default | Required |
|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `regex` | Regular expression to match and capture the path from the request URL. | | Yes |
| `replacement` | Replacement path format, which can include captured variables.<br /> `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. | | No
| <a id="regex" href="#regex" title="#regex">`regex`</a> | Regular expression to match and capture the path from the request URL. | | Yes |
| <a id="replacement" href="#replacement" title="#replacement">`replacement`</a> | Replacement path format, which can include captured variables.<br /> `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. | | No
!!! tip

4
docs/content/reference/routing-configuration/http/middlewares/retry.md
View File

@@ -64,5 +64,5 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| `attempts` | number of times the request should be retried. | | Yes |
| `initialInterval` | First wait time in the exponential backoff series. <br />The maximum interval is calculated as twice the `initialInterval`. <br /> If unspecified, requests will be retried immediately.<br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |
| <a id="attempts" href="#attempts" title="#attempts">`attempts`</a> | number of times the request should be retried. | | Yes |
| <a id="initialInterval" href="#initialInterval" title="#initialInterval">`initialInterval`</a> | First wait time in the exponential backoff series. <br />The maximum interval is calculated as twice the `initialInterval`. <br /> If unspecified, requests will be retried immediately.<br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |

2
docs/content/reference/routing-configuration/http/middlewares/stripprefix.md
View File

@@ -61,6 +61,6 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|:--------------------------------------------------------------|:--------|:---------|
| `prefixes` | List of prefixes to strip from the request URL.<br />If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs. | [] | No |
| <a id="prefixes" href="#prefixes" title="#prefixes">`prefixes`</a> | List of prefixes to strip from the request URL.<br />If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs. | [] | No |
{!traefik-for-business-applications.md!}

2
docs/content/reference/routing-configuration/http/middlewares/stripprefixregex.md
View File

@@ -56,7 +56,7 @@ spec:
| Field | Description | Default | Required |
|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| `regex` | List of regular expressions to match the path prefix from the request URL.<br /> For instance, `/products` also matches `/products/shoes` and `/products/shirts`.<br />More information [here](#regex). | | No |
| <a id="regex" href="#regex" title="#regex">`regex`</a> | List of regular expressions to match the path prefix from the request URL.<br /> For instance, `/products` also matches `/products/shoes` and `/products/shirts`.<br />More information [here](#regex). | | No |
### regex

4
docs/content/reference/routing-configuration/http/middlewares/waf.md
View File

@@ -58,7 +58,7 @@ spec:
| Field | Description | Default | Required |
|:---------|:-----------------------|:--------|:----------------------------|
| `directives` | List of WAF rules to enforce. | | Yes |
| `crsEnabled` | Enable [CRS rulesets](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs).<br /> Once the ruleset is enabled, it can be used in the middleware. | false | False |
| <a id="directives" href="#directives" title="#directives">`directives`</a> | List of WAF rules to enforce. | | Yes |
| <a id="crsEnabled" href="#crsEnabled" title="#crsEnabled">`crsEnabled`</a> | Enable [CRS rulesets](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs).<br /> Once the ruleset is enabled, it can be used in the middleware. | false | False |
{!traefik-for-business-applications.md!}

8
docs/content/reference/routing-configuration/http/router/observability.md
View File

@@ -79,10 +79,10 @@ labels:
| Field | Description | Default | Required |
|:-----------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:---------|
| `accessLogs` | The `accessLogs` option controls whether the router will produce access-logs. | `true` | No |
| `metrics` | The `metrics` option controls whether the router will produce metrics. | `true` | No |
| `tracing` | The `tracing` option controls whether the router will produce traces. | `true` | No |
| `traceVerbosity` | The `traceVerbosity` option controls the tracing verbosity level for the router. Possible values: `minimal` (default), `detailed`. If not set, the value is inherited from the entryPoint. | `minimal` | No |
| <a id="accessLogs" href="#accessLogs" title="#accessLogs">`accessLogs`</a> | The `accessLogs` option controls whether the router will produce access-logs. | `true` | No |
| <a id="metrics" href="#metrics" title="#metrics">`metrics`</a> | The `metrics` option controls whether the router will produce metrics. | `true` | No |
| <a id="tracing" href="#tracing" title="#tracing">`tracing`</a> | The `tracing` option controls whether the router will produce traces. | `true` | No |
| <a id="traceVerbosity" href="#traceVerbosity" title="#traceVerbosity">`traceVerbosity`</a> | The `traceVerbosity` option controls the tracing verbosity level for the router. Possible values: `minimal` (default), `detailed`. If not set, the value is inherited from the entryPoint. | `minimal` | No |
#### traceVerbosity

70
docs/content/reference/routing-configuration/http/router/rules-and-priority.md
View File

@@ -22,17 +22,17 @@ The table below lists all the available matchers:
| Matcher | Description |
|-----------------------------------------------------------------|:-------------------------------------------------------------------------------|
| [```Header(`key`, `value`)```](#header-and-headerregexp) | Matches requests containing a header named `key` set to `value`. |
| [```HeaderRegexp(`key`, `regexp`)```](#header-and-headerregexp) | Matches requests containing a header named `key` matching `regexp`. |
| [```Host(`domain`)```](#host-and-hostregexp) | Matches requests host set to `domain`. |
| [```HostRegexp(`regexp`)```](#host-and-hostregexp) | Matches requests host matching `regexp`. |
| [```Method(`method`)```](#method) | Matches requests method set to `method`. |
| [```Path(`path`)```](#path-pathprefix-and-pathregexp) | Matches requests path set to `path`. |
| [```PathPrefix(`prefix`)```](#path-pathprefix-and-pathregexp) | Matches requests path prefix set to `prefix`. |
| [```PathRegexp(`regexp`)```](#path-pathprefix-and-pathregexp) | Matches request path using `regexp`. |
| [```Query(`key`, `value`)```](#query-and-queryregexp) | Matches requests query parameters named `key` set to `value`. |
| [```QueryRegexp(`key`, `regexp`)```](#query-and-queryregexp) | Matches requests query parameters named `key` matching `regexp`. |
| [```ClientIP(`ip`)```](#clientip) | Matches requests client IP using `ip`. It accepts IPv4, IPv6 and CIDR formats. |
| <a id="Headerkey-value" href="#Headerkey-value" title="#Headerkey-value">[```Header(`key`, `value`)```](#header-and-headerregexp)</a> | Matches requests containing a header named `key` set to `value`. |
| <a id="HeaderRegexpkey-regexp" href="#HeaderRegexpkey-regexp" title="#HeaderRegexpkey-regexp">[```HeaderRegexp(`key`, `regexp`)```](#header-and-headerregexp)</a> | Matches requests containing a header named `key` matching `regexp`. |
| <a id="Hostdomain" href="#Hostdomain" title="#Hostdomain">[```Host(`domain`)```](#host-and-hostregexp)</a> | Matches requests host set to `domain`. |
| <a id="HostRegexpregexp" href="#HostRegexpregexp" title="#HostRegexpregexp">[```HostRegexp(`regexp`)```](#host-and-hostregexp)</a> | Matches requests host matching `regexp`. |
| <a id="Methodmethod" href="#Methodmethod" title="#Methodmethod">[```Method(`method`)```](#method)</a> | Matches requests method set to `method`. |
| <a id="Pathpath" href="#Pathpath" title="#Pathpath">[```Path(`path`)```](#path-pathprefix-and-pathregexp)</a> | Matches requests path set to `path`. |
| <a id="PathPrefixprefix" href="#PathPrefixprefix" title="#PathPrefixprefix">[```PathPrefix(`prefix`)```](#path-pathprefix-and-pathregexp)</a> | Matches requests path prefix set to `prefix`. |
| <a id="PathRegexpregexp" href="#PathRegexpregexp" title="#PathRegexpregexp">[```PathRegexp(`regexp`)```](#path-pathprefix-and-pathregexp)</a> | Matches request path using `regexp`. |
| <a id="Querykey-value" href="#Querykey-value" title="#Querykey-value">[```Query(`key`, `value`)```](#query-and-queryregexp)</a> | Matches requests query parameters named `key` set to `value`. |
| <a id="QueryRegexpkey-regexp" href="#QueryRegexpkey-regexp" title="#QueryRegexpkey-regexp">[```QueryRegexp(`key`, `regexp`)```](#query-and-queryregexp)</a> | Matches requests query parameters named `key` matching `regexp`. |
| <a id="ClientIPip" href="#ClientIPip" title="#ClientIPip">[```ClientIP(`ip`)```](#clientip)</a> | Matches requests client IP using `ip`. It accepts IPv4, IPv6 and CIDR formats. |
### Header and HeaderRegexp
@@ -40,9 +40,9 @@ The `Header` and `HeaderRegexp` matchers allow matching requests that contain sp
| Behavior | Rule |
|-----------------------------------------------------------------|:------------------------------------------------------------------------|
| Match requests with a `Content-Type` header set to `application/yaml`.| ```Header(`Content-Type`, `application/yaml`)``` |
| Match requests with a `Content-Type` header set to either `application/json` or `application/yaml`. | ```HeaderRegexp(`Content-Type`, `^application/(json\|yaml)$`)``` |
| Match headers [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```HeaderRegexp(`Content-Type`, `(?i)^application/(json\|yaml)$`)``` |
| <a id="Match-requests-with-a-Content-Type-header-set-to-applicationyaml" href="#Match-requests-with-a-Content-Type-header-set-to-applicationyaml" title="#Match-requests-with-a-Content-Type-header-set-to-applicationyaml">Match requests with a `Content-Type` header set to `application/yaml`.</a> | ```Header(`Content-Type`, `application/yaml`)``` |
| <a id="Match-requests-with-a-Content-Type-header-set-to-either-applicationjson-or-applicationyaml" href="#Match-requests-with-a-Content-Type-header-set-to-either-applicationjson-or-applicationyaml" title="#Match-requests-with-a-Content-Type-header-set-to-either-applicationjson-or-applicationyaml">Match requests with a `Content-Type` header set to either `application/json` or `application/yaml`.</a> | ```HeaderRegexp(`Content-Type`, `^application/(json\|yaml)$`)``` |
| <a id="Match-headers-case-insensitively" href="#Match-headers-case-insensitively" title="#Match-headers-case-insensitively">Match headers [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity).</a> | ```HeaderRegexp(`Content-Type`, `(?i)^application/(json\|yaml)$`)``` |
### Host and HostRegexp
@@ -56,10 +56,10 @@ These matchers will match the request's host in lowercase.
| Behavior | Rule |
|-----------------------------------------------------------------|:------------------------------------------------------------------------|
| Match requests with `Host` set to `example.com`. | ```Host(`example.com`)``` |
| Match requests sent to any subdomain of `example.com`. | ```HostRegexp(`^.+\.example\.com$`)``` |
| Match requests with `Host` set to either `example.com` or `example.org`. | ```HostRegexp(`^example\.(com\|org)$`)``` |
| Match `Host` [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```HostRegexp(`(?i)^example\.(com\|org)$`)``` |
| <a id="Match-requests-with-Host-set-to-example-com" href="#Match-requests-with-Host-set-to-example-com" title="#Match-requests-with-Host-set-to-example-com">Match requests with `Host` set to `example.com`.</a> | ```Host(`example.com`)``` |
| <a id="Match-requests-sent-to-any-subdomain-of-example-com" href="#Match-requests-sent-to-any-subdomain-of-example-com" title="#Match-requests-sent-to-any-subdomain-of-example-com">Match requests sent to any subdomain of `example.com`.</a> | ```HostRegexp(`^.+\.example\.com$`)``` |
| <a id="Match-requests-with-Host-set-to-either-example-com-or-example-org" href="#Match-requests-with-Host-set-to-either-example-com-or-example-org" title="#Match-requests-with-Host-set-to-either-example-com-or-example-org">Match requests with `Host` set to either `example.com` or `example.org`.</a> | ```HostRegexp(`^example\.(com\|org)$`)``` |
| <a id="Match-Host-case-insensitively" href="#Match-Host-case-insensitively" title="#Match-Host-case-insensitively">Match `Host` [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity).</a> | ```HostRegexp(`(?i)^example\.(com\|org)$`)``` |
### Method
@@ -67,7 +67,7 @@ The `Method` matchers allows matching requests sent based on their HTTP method (
| Behavior | Rule |
|-----------------------------------------------------------------|:------------------------------------------------------------------------|
| Match `OPTIONS` requests. | ```Method(`OPTIONS`)``` |
| <a id="Match-OPTIONS-requests" href="#Match-OPTIONS-requests" title="#Match-OPTIONS-requests">Match `OPTIONS` requests.</a> | ```Method(`OPTIONS`)``` |
### Path, PathPrefix, and PathRegexp
@@ -79,11 +79,11 @@ Path are always starting with a `/`, except for `PathRegexp`.
| Behavior | Rule |
|-----------------------------------------------------------------|:------------------------------------------------------------------------|
| Match `/products` but neither `/products/shoes` nor `/products/`. | ```Path(`/products`)``` |
| Match `/products` as well as everything under `/products`, such as `/products/shoes`, `/products/` but also `/products-for-sale`. | ```PathPrefix(`/products`)``` |
| Match both `/products/shoes` and `/products/socks` with and ID like `/products/shoes/31`. | ```PathRegexp(`^/products/(shoes\|socks)/[0-9]+$`)``` |
| Match requests with a path ending in either `.jpeg`, `.jpg` or `.png`. | ```PathRegexp(`\.(jpeg\|jpg\|png)$`)``` |
| Match `/products` as well as everything under `/products`, such as `/products/shoes`, `/products/` but also `/products-for-sale`, [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```HostRegexp(`(?i)^/products`)``` |
| <a id="Match-products-but-neither-productsshoes-nor-products" href="#Match-products-but-neither-productsshoes-nor-products" title="#Match-products-but-neither-productsshoes-nor-products">Match `/products` but neither `/products/shoes` nor `/products/`.</a> | ```Path(`/products`)``` |
| <a id="Match-products-as-well-as-everything-under-products-such-as-productsshoes-products-but-also-products-for-sale" href="#Match-products-as-well-as-everything-under-products-such-as-productsshoes-products-but-also-products-for-sale" title="#Match-products-as-well-as-everything-under-products-such-as-productsshoes-products-but-also-products-for-sale">Match `/products` as well as everything under `/products`, such as `/products/shoes`, `/products/` but also `/products-for-sale`.</a> | ```PathPrefix(`/products`)``` |
| <a id="Match-both-productsshoes-and-productssocks-with-and-ID-like-productsshoes31" href="#Match-both-productsshoes-and-productssocks-with-and-ID-like-productsshoes31" title="#Match-both-productsshoes-and-productssocks-with-and-ID-like-productsshoes31">Match both `/products/shoes` and `/products/socks` with and ID like `/products/shoes/31`.</a> | ```PathRegexp(`^/products/(shoes\|socks)/[0-9]+$`)``` |
| <a id="Match-requests-with-a-path-ending-in-either-jpeg-jpg-or-png" href="#Match-requests-with-a-path-ending-in-either-jpeg-jpg-or-png" title="#Match-requests-with-a-path-ending-in-either-jpeg-jpg-or-png">Match requests with a path ending in either `.jpeg`, `.jpg` or `.png`.</a> | ```PathRegexp(`\.(jpeg\|jpg\|png)$`)``` |
| <a id="Match-products-as-well-as-everything-under-products-such-as-productsshoes-products-but-also-products-for-sale-case-insensitively" href="#Match-products-as-well-as-everything-under-products-such-as-productsshoes-products-but-also-products-for-sale-case-insensitively" title="#Match-products-as-well-as-everything-under-products-such-as-productsshoes-products-but-also-products-for-sale-case-insensitively">Match `/products` as well as everything under `/products`, such as `/products/shoes`, `/products/` but also `/products-for-sale`, [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity).</a> | ```HostRegexp(`(?i)^/products`)``` |
### Query and QueryRegexp
@@ -91,11 +91,11 @@ The `Query` and `QueryRegexp` matchers allow matching requests based on query pa
| Behavior | Rule |
|-----------------------------------------------------------------|:------------------------------------------------------------------------|
| Match requests with a `mobile` query parameter set to `true`, such as in `/search?mobile=true`. | ```Query(`mobile`, `true`)``` |
| Match requests with a query parameter `mobile` that has no value, such as in `/search?mobile`. | ```Query(`mobile`)``` |
| Match requests with a `mobile` query parameter set to either `true` or `yes`. | ```QueryRegexp(`mobile`, `^(true\|yes)$`)``` |
| Match requests with a `mobile` query parameter set to any value (including the empty value). | ```QueryRegexp(`mobile`, `^.*$`)``` |
| Match query parameters [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```QueryRegexp(`mobile`, `(?i)^(true\|yes)$`)``` |
| <a id="Match-requests-with-a-mobile-query-parameter-set-to-true-such-as-in-searchmobiletrue" href="#Match-requests-with-a-mobile-query-parameter-set-to-true-such-as-in-searchmobiletrue" title="#Match-requests-with-a-mobile-query-parameter-set-to-true-such-as-in-searchmobiletrue">Match requests with a `mobile` query parameter set to `true`, such as in `/search?mobile=true`.</a> | ```Query(`mobile`, `true`)``` |
| <a id="Match-requests-with-a-query-parameter-mobile-that-has-no-value-such-as-in-searchmobile" href="#Match-requests-with-a-query-parameter-mobile-that-has-no-value-such-as-in-searchmobile" title="#Match-requests-with-a-query-parameter-mobile-that-has-no-value-such-as-in-searchmobile">Match requests with a query parameter `mobile` that has no value, such as in `/search?mobile`.</a> | ```Query(`mobile`)``` |
| <a id="Match-requests-with-a-mobile-query-parameter-set-to-either-true-or-yes" href="#Match-requests-with-a-mobile-query-parameter-set-to-either-true-or-yes" title="#Match-requests-with-a-mobile-query-parameter-set-to-either-true-or-yes">Match requests with a `mobile` query parameter set to either `true` or `yes`.</a> | ```QueryRegexp(`mobile`, `^(true\|yes)$`)``` |
| <a id="Match-requests-with-a-mobile-query-parameter-set-to-any-value-including-the-empty-value" href="#Match-requests-with-a-mobile-query-parameter-set-to-any-value-including-the-empty-value" title="#Match-requests-with-a-mobile-query-parameter-set-to-any-value-including-the-empty-value">Match requests with a `mobile` query parameter set to any value (including the empty value).</a> | ```QueryRegexp(`mobile`, `^.*$`)``` |
| <a id="Match-query-parameters-case-insensitively" href="#Match-query-parameters-case-insensitively" title="#Match-query-parameters-case-insensitively">Match query parameters [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity).</a> | ```QueryRegexp(`mobile`, `(?i)^(true\|yes)$`)``` |
### ClientIP
@@ -105,10 +105,10 @@ It only matches the request client IP and does not use the `X-Forwarded-For` hea
| Behavior | Rule |
|-----------------------------------------------------------------|:------------------------------------------------------------------------|
| Match requests coming from a given IP (IPv4). | ```ClientIP(`10.76.105.11`)``` |
| Match requests coming from a given IP (IPv6). | ```ClientIP(`::1`)``` |
| Match requests coming from a given subnet (IPv4). | ```ClientIP(`192.168.1.0/24`)``` |
| Match requests coming from a given subnet (IPv6). | ```ClientIP(`fe80::/10`)``` |
| <a id="Match-requests-coming-from-a-given-IP-IPv4" href="#Match-requests-coming-from-a-given-IP-IPv4" title="#Match-requests-coming-from-a-given-IP-IPv4">Match requests coming from a given IP (IPv4).</a> | ```ClientIP(`10.76.105.11`)``` |
| <a id="Match-requests-coming-from-a-given-IP-IPv6" href="#Match-requests-coming-from-a-given-IP-IPv6" title="#Match-requests-coming-from-a-given-IP-IPv6">Match requests coming from a given IP (IPv6).</a> | ```ClientIP(`::1`)``` |
| <a id="Match-requests-coming-from-a-given-subnet-IPv4" href="#Match-requests-coming-from-a-given-subnet-IPv4" title="#Match-requests-coming-from-a-given-subnet-IPv4">Match requests coming from a given subnet (IPv4).</a> | ```ClientIP(`192.168.1.0/24`)``` |
| <a id="Match-requests-coming-from-a-given-subnet-IPv6" href="#Match-requests-coming-from-a-given-subnet-IPv6" title="#Match-requests-coming-from-a-given-subnet-IPv6">Match requests coming from a given subnet (IPv6).</a> | ```ClientIP(`fe80::/10`)``` |
### RuleSyntax
@@ -213,8 +213,8 @@ labels:
| Name | Rule | Priority |
|----------|------------------------------------------|----------|
| Router-1 | ```HostRegexp(`[a-z]+\.traefik\.com`)``` | 34 |
| Router-2 | ```Host(`foobar.traefik.com`)``` | 26 |
| <a id="Router-1" href="#Router-1" title="#Router-1">Router-1</a> | ```HostRegexp(`[a-z]+\.traefik\.com`)``` | 34 |
| <a id="Router-2" href="#Router-2" title="#Router-2">Router-2</a> | ```Host(`foobar.traefik.com`)``` | 26 |
The previous table shows that `Router-1` has a higher priority than `Router-2`.

10
docs/content/reference/routing-configuration/http/tls/tls-options.md
View File

@@ -194,11 +194,11 @@ The `clientAuth.clientAuthType` option governs the behaviour as follows:
| Option | Operation |
| --------- | ----------- |
| `NoClientCert` | Disregards any client certificate.|
| `RequestClientCert` | Asks for a certificate but proceeds anyway if none is provided. |
| `RequireAnyClientCert` | Requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. |
| `VerifyClientCertIfGiven` | If a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. Otherwise proceeds without any certificate. |
| `RequireAndVerifyClientCert` | requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. |
| <a id="NoClientCert" href="#NoClientCert" title="#NoClientCert">`NoClientCert`</a> | Disregards any client certificate.|
| <a id="RequestClientCert" href="#RequestClientCert" title="#RequestClientCert">`RequestClientCert`</a> | Asks for a certificate but proceeds anyway if none is provided. |
| <a id="RequireAnyClientCert" href="#RequireAnyClientCert" title="#RequireAnyClientCert">`RequireAnyClientCert`</a> | Requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. |
| <a id="VerifyClientCertIfGiven" href="#VerifyClientCertIfGiven" title="#VerifyClientCertIfGiven">`VerifyClientCertIfGiven`</a> | If a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. Otherwise proceeds without any certificate. |
| <a id="RequireAndVerifyClientCert" href="#RequireAndVerifyClientCert" title="#RequireAndVerifyClientCert">`RequireAndVerifyClientCert`</a> | requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. |
```yaml tab="Structured (YAML)"
# Dynamic configuration

98
docs/content/reference/routing-configuration/kubernetes/crd/http/ingressroute.md
View File

@@ -76,55 +76,55 @@ spec:
| Field | Description | Default | Required |
|:---------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
| `entryPoints` | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints. | | No |
| `routes` | List of routes. | | Yes |
| `routes[n].kind` | Kind of router matching, only `Rule` is allowed yet. | "Rule" | No |
| `routes[n].match` | Defines the [rule](../../../http/router/rules-and-priority.md#rules) corresponding to an underlying router. | | Yes |
| `routes[n].priority` | Defines the [priority](../../../http/router/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used. | 0 | No |
| `routes[n].middlewares` | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware). | "" | No |
| `routes[n].`<br />`middlewares[m].`<br />`name` | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| `routes[n].`<br />`middlewares[m].`<br />`namespace` | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware). | | No |
| `routes[n].`<br />`observability.`<br />`accesslogs` | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/router/observability.md) for more information. | false | No |
| `routes[n].`<br />`observability.`<br />`metrics` | Defines whether the route will produce [metrics](../../../../install-configuration/observability/metrics.md). See [here](../../../http/router/observability.md) for more information. | false | No |
| `routes[n].`<br />`observability.`<br />`tracing` | Defines whether the route will produce [traces](../../../../install-configuration/observability/tracing.md). See [here](../../../http/router/observability.md) for more information. | false | No |
| `routes[n].`<br />`services` | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#externalname-service). | | No |
| `routes[n].`<br />`services[m].`<br />`kind` | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service). | "Service" | No |
| `routes[n].`<br />`services[m].`<br />`name` | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| `routes[n].`<br />`services[m].`<br />`namespace` | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service). | | No |
| `routes[n].`<br />`services[m].`<br />`port` | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | | No |
| `routes[n].`<br />`services[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| `routes[n].`<br />`services[m].`<br />`scheme` | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| `routes[n].`<br />`services[m].`<br />`serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| `routes[n].`<br />`services[m].`<br />`passHostHeader` | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "http" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.interval` | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.unhealthyInterval` | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "GET" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "5s" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | true | No |
| `routes[n].`<br />`services[m].`<br />`healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)). | | No |
| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | "" | No |
| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| `routes[n].`<br />`services[m].`<br />`strategy` | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| `routes[n].`<br />`services[m].`<br />`weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| `routes[n].`<br />`services[m].`<br />`nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**. | false | No |
| `routes[n].`<br />`services[m].`<br />`nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
| `tls` | TLS configuration.<br />Can be an empty value(`{}`):<br />A self signed is generated in such a case<br />(or the [default certificate](tlsstore.md) is used if it is defined.) | | No |
| `tls.secretName` | [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the same namesapce as the `IngressRoute`) | "" | No |
| `tls.`<br />`options.name` | Name of the [`TLSOption`](tlsoption.md) to use.<br />More information [here](#tls-options). | "" | No |
| `tls.`<br />`options.namespace` | Namespace of the [`TLSOption`](tlsoption.md) to use. | "" | No |
| `tls.certResolver` | Name of the [Certificate Resolver](../../../../install-configuration/tls/certificate-resolvers/overview.md) to use to generate automatic TLS certificates. | "" | No |
| `tls.domains` | List of domains to serve using the certificates generates (one `tls.domain`= one certificate).<br />More information in the [dedicated section](../../../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition). | | No |
| `tls.`<br />`domains[n].main` | Main domain name | "" | Yes |
| `tls.`<br />`domains[n].sans` | List of alternative domains (SANs) | | No |
| <a id="entryPoints" href="#entryPoints" title="#entryPoints">`entryPoints`</a> | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints. | | No |
| <a id="routes" href="#routes" title="#routes">`routes`</a> | List of routes. | | Yes |
| <a id="routesn-kind" href="#routesn-kind" title="#routesn-kind">`routes[n].kind`</a> | Kind of router matching, only `Rule` is allowed yet. | "Rule" | No |
| <a id="routesn-match" href="#routesn-match" title="#routesn-match">`routes[n].match`</a> | Defines the [rule](../../../http/router/rules-and-priority.md#rules) corresponding to an underlying router. | | Yes |
| <a id="routesn-priority" href="#routesn-priority" title="#routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../http/router/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used. | 0 | No |
| <a id="routesn-middlewares" href="#routesn-middlewares" title="#routesn-middlewares">`routes[n].middlewares`</a> | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware). | "" | No |
| <a id="routesn-middlewaresm-name" href="#routesn-middlewaresm-name" title="#routesn-middlewaresm-name">`routes[n].`<br />`middlewares[m].`<br />`name`</a> | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| <a id="routesn-middlewaresm-namespace" href="#routesn-middlewaresm-namespace" title="#routesn-middlewaresm-namespace">`routes[n].`<br />`middlewares[m].`<br />`namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware). | | No |
| <a id="routesn-observability-accesslogs" href="#routesn-observability-accesslogs" title="#routesn-observability-accesslogs">`routes[n].`<br />`observability.`<br />`accesslogs`</a> | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/router/observability.md) for more information. | false | No |
| <a id="routesn-observability-metrics" href="#routesn-observability-metrics" title="#routesn-observability-metrics">`routes[n].`<br />`observability.`<br />`metrics`</a> | Defines whether the route will produce [metrics](../../../../install-configuration/observability/metrics.md). See [here](../../../http/router/observability.md) for more information. | false | No |
| <a id="routesn-observability-tracing" href="#routesn-observability-tracing" title="#routesn-observability-tracing">`routes[n].`<br />`observability.`<br />`tracing`</a> | Defines whether the route will produce [traces](../../../../install-configuration/observability/tracing.md). See [here](../../../http/router/observability.md) for more information. | false | No |
| <a id="routesn-services" href="#routesn-services" title="#routesn-services">`routes[n].`<br />`services`</a> | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#externalname-service). | | No |
| <a id="routesn-servicesm-kind" href="#routesn-servicesm-kind" title="#routesn-servicesm-kind">`routes[n].`<br />`services[m].`<br />`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service). | "Service" | No |
| <a id="routesn-servicesm-name" href="#routesn-servicesm-name" title="#routesn-servicesm-name">`routes[n].`<br />`services[m].`<br />`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| <a id="routesn-servicesm-namespace" href="#routesn-servicesm-namespace" title="#routesn-servicesm-namespace">`routes[n].`<br />`services[m].`<br />`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service). | | No |
| <a id="routesn-servicesm-port" href="#routesn-servicesm-port" title="#routesn-servicesm-port">`routes[n].`<br />`services[m].`<br />`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | | No |
| <a id="routesn-servicesm-responseForwarding-flushInterval" href="#routesn-servicesm-responseForwarding-flushInterval" title="#routesn-servicesm-responseForwarding-flushInterval">`routes[n].`<br />`services[m].`<br />`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| <a id="routesn-servicesm-scheme" href="#routesn-servicesm-scheme" title="#routesn-servicesm-scheme">`routes[n].`<br />`services[m].`<br />`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="routesn-servicesm-serversTransport" href="#routesn-servicesm-serversTransport" title="#routesn-servicesm-serversTransport">`routes[n].`<br />`services[m].`<br />`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="routesn-servicesm-passHostHeader" href="#routesn-servicesm-passHostHeader" title="#routesn-servicesm-passHostHeader">`routes[n].`<br />`services[m].`<br />`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| <a id="routesn-servicesm-healthCheck-scheme" href="#routesn-servicesm-healthCheck-scheme" title="#routesn-servicesm-healthCheck-scheme">`routes[n].`<br />`services[m].`<br />`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="routesn-servicesm-healthCheck-mode" href="#routesn-servicesm-healthCheck-mode" title="#routesn-servicesm-healthCheck-mode">`routes[n].`<br />`services[m].`<br />`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "http" | No |
| <a id="routesn-servicesm-healthCheck-path" href="#routesn-servicesm-healthCheck-path" title="#routesn-servicesm-healthCheck-path">`routes[n].`<br />`services[m].`<br />`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="routesn-servicesm-healthCheck-interval" href="#routesn-servicesm-healthCheck-interval" title="#routesn-servicesm-healthCheck-interval">`routes[n].`<br />`services[m].`<br />`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| <a id="routesn-servicesm-healthCheck-unhealthyInterval" href="#routesn-servicesm-healthCheck-unhealthyInterval" title="#routesn-servicesm-healthCheck-unhealthyInterval">`routes[n].`<br />`services[m].`<br />`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| <a id="routesn-servicesm-healthCheck-method" href="#routesn-servicesm-healthCheck-method" title="#routesn-servicesm-healthCheck-method">`routes[n].`<br />`services[m].`<br />`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "GET" | No |
| <a id="routesn-servicesm-healthCheck-status" href="#routesn-servicesm-healthCheck-status" title="#routesn-servicesm-healthCheck-status">`routes[n].`<br />`services[m].`<br />`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| <a id="routesn-servicesm-healthCheck-port" href="#routesn-servicesm-healthCheck-port" title="#routesn-servicesm-healthCheck-port">`routes[n].`<br />`services[m].`<br />`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | | No |
| <a id="routesn-servicesm-healthCheck-timeout" href="#routesn-servicesm-healthCheck-timeout" title="#routesn-servicesm-healthCheck-timeout">`routes[n].`<br />`services[m].`<br />`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "5s" | No |
| <a id="routesn-servicesm-healthCheck-hostname" href="#routesn-servicesm-healthCheck-hostname" title="#routesn-servicesm-healthCheck-hostname">`routes[n].`<br />`services[m].`<br />`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="routesn-servicesm-healthCheck-followRedirect" href="#routesn-servicesm-healthCheck-followRedirect" title="#routesn-servicesm-healthCheck-followRedirect">`routes[n].`<br />`services[m].`<br />`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | true | No |
| <a id="routesn-servicesm-healthCheck-headers" href="#routesn-servicesm-healthCheck-headers" title="#routesn-servicesm-healthCheck-headers">`routes[n].`<br />`services[m].`<br />`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)). | | No |
| <a id="routesn-servicesm-sticky-cookie-name" href="#routesn-servicesm-sticky-cookie-name" title="#routesn-servicesm-sticky-cookie-name">`routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="routesn-servicesm-sticky-cookie-httpOnly" href="#routesn-servicesm-sticky-cookie-httpOnly" title="#routesn-servicesm-sticky-cookie-httpOnly">`routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="routesn-servicesm-sticky-cookie-secure" href="#routesn-servicesm-sticky-cookie-secure" title="#routesn-servicesm-sticky-cookie-secure">`routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="routesn-servicesm-sticky-cookie-sameSite" href="#routesn-servicesm-sticky-cookie-sameSite" title="#routesn-servicesm-sticky-cookie-sameSite">`routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="routesn-servicesm-sticky-cookie-maxAge" href="#routesn-servicesm-sticky-cookie-maxAge" title="#routesn-servicesm-sticky-cookie-maxAge">`routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| <a id="routesn-servicesm-strategy" href="#routesn-servicesm-strategy" title="#routesn-servicesm-strategy">`routes[n].`<br />`services[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| <a id="routesn-servicesm-weight" href="#routesn-servicesm-weight" title="#routesn-servicesm-weight">`routes[n].`<br />`services[m].`<br />`weight`</a> | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| <a id="routesn-servicesm-nativeLB" href="#routesn-servicesm-nativeLB" title="#routesn-servicesm-nativeLB">`routes[n].`<br />`services[m].`<br />`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**. | false | No |
| <a id="routesn-servicesm-nodePortLB" href="#routesn-servicesm-nodePortLB" title="#routesn-servicesm-nodePortLB">`routes[n].`<br />`services[m].`<br />`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="tls" href="#tls" title="#tls">`tls`</a> | TLS configuration.<br />Can be an empty value(`{}`):<br />A self signed is generated in such a case<br />(or the [default certificate](tlsstore.md) is used if it is defined.) | | No |
| <a id="tls-secretName" href="#tls-secretName" title="#tls-secretName">`tls.secretName`</a> | [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the same namesapce as the `IngressRoute`) | "" | No |
| <a id="tls-options-name" href="#tls-options-name" title="#tls-options-name">`tls.`<br />`options.name`</a> | Name of the [`TLSOption`](tlsoption.md) to use.<br />More information [here](#tls-options). | "" | No |
| <a id="tls-options-namespace" href="#tls-options-namespace" title="#tls-options-namespace">`tls.`<br />`options.namespace`</a> | Namespace of the [`TLSOption`](tlsoption.md) to use. | "" | No |
| <a id="tls-certResolver" href="#tls-certResolver" title="#tls-certResolver">`tls.certResolver`</a> | Name of the [Certificate Resolver](../../../../install-configuration/tls/certificate-resolvers/overview.md) to use to generate automatic TLS certificates. | "" | No |
| <a id="tls-domains" href="#tls-domains" title="#tls-domains">`tls.domains`</a> | List of domains to serve using the certificates generates (one `tls.domain`= one certificate).<br />More information in the [dedicated section](../../../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition). | | No |
| <a id="tls-domainsn-main" href="#tls-domainsn-main" title="#tls-domainsn-main">`tls.`<br />`domains[n].main`</a> | Main domain name | "" | Yes |
| <a id="tls-domainsn-sans" href="#tls-domainsn-sans" title="#tls-domainsn-sans">`tls.`<br />`domains[n].sans`</a> | List of alternative domains (SANs) | | No |
### ExternalName Service

24
docs/content/reference/routing-configuration/kubernetes/crd/http/serverstransport.md
View File

@@ -55,18 +55,18 @@ spec:
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `serverstransport.`<br />`serverName` | Defines the server name that will be used for SNI. | | No |
| `serverstransport.`<br />`insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
| `serverstransport.`<br />`rootcas` | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | | No |
| `serverstransport.`<br />`certificatesSecrets` | Certificates to present to the server for mTLS. | | No |
| `serverstransport.`<br />`maxIdleConnsPerHost` | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
| `serverstransport.`<br />`disableHTTP2` | Disables HTTP/2 for connections with servers. | false | No |
| `serverstransport.`<br />`peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| `serverstransport.`<br />`forwardingTimeouts.dialTimeout` | Amount of time to wait until a connection to a server can be established.<br />Zero means no timeout. | 30s | No |
| `serverstransport.`<br />`forwardingTimeouts.responseHeaderTimeout` | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />Zero means no timeout | 0s | No |
| `serverstransport.`<br />`forwardingTimeouts.idleConnTimeout` | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s | No |
| `serverstransport.`<br />`spiffe.ids` | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | | No |
| `serverstransport.`<br />`spiffe.trustDomain` | Allow SPIFFE trust domain. | "" | No |
| <a id="serverstransport-serverName" href="#serverstransport-serverName" title="#serverstransport-serverName">`serverstransport.`<br />`serverName`</a> | Defines the server name that will be used for SNI. | | No |
| <a id="serverstransport-insecureSkipVerify" href="#serverstransport-insecureSkipVerify" title="#serverstransport-insecureSkipVerify">`serverstransport.`<br />`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false | No |
| <a id="serverstransport-rootcas" href="#serverstransport-rootcas" title="#serverstransport-rootcas">`serverstransport.`<br />`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | | No |
| <a id="serverstransport-certificatesSecrets" href="#serverstransport-certificatesSecrets" title="#serverstransport-certificatesSecrets">`serverstransport.`<br />`certificatesSecrets`</a> | Certificates to present to the server for mTLS. | | No |
| <a id="serverstransport-maxIdleConnsPerHost" href="#serverstransport-maxIdleConnsPerHost" title="#serverstransport-maxIdleConnsPerHost">`serverstransport.`<br />`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
| <a id="serverstransport-disableHTTP2" href="#serverstransport-disableHTTP2" title="#serverstransport-disableHTTP2">`serverstransport.`<br />`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
| <a id="serverstransport-peerCertURI" href="#serverstransport-peerCertURI" title="#serverstransport-peerCertURI">`serverstransport.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| <a id="serverstransport-forwardingTimeouts-dialTimeout" href="#serverstransport-forwardingTimeouts-dialTimeout" title="#serverstransport-forwardingTimeouts-dialTimeout">`serverstransport.`<br />`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />Zero means no timeout. | 30s | No |
| <a id="serverstransport-forwardingTimeouts-responseHeaderTimeout" href="#serverstransport-forwardingTimeouts-responseHeaderTimeout" title="#serverstransport-forwardingTimeouts-responseHeaderTimeout">`serverstransport.`<br />`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />Zero means no timeout | 0s | No |
| <a id="serverstransport-forwardingTimeouts-idleConnTimeout" href="#serverstransport-forwardingTimeouts-idleConnTimeout" title="#serverstransport-forwardingTimeouts-idleConnTimeout">`serverstransport.`<br />`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s | No |
| <a id="serverstransport-spiffe-ids" href="#serverstransport-spiffe-ids" title="#serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | | No |
| <a id="serverstransport-spiffe-trustDomain" href="#serverstransport-spiffe-trustDomain" title="#serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe.trustDomain`</a> | Allow SPIFFE trust domain. | "" | No |
!!! note "CA Secret"
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.

24
docs/content/reference/routing-configuration/kubernetes/crd/http/tlsoption.md
View File

@@ -48,15 +48,15 @@ spec:
| Field | Description | Default | Required |
|:----------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------|:---------|
| `minVersion` | Minimum TLS version that is acceptable. | "VersionTLS12" | No |
| `maxVersion` | Maximum TLS version that is acceptable.<br />We do not recommend setting this option to disable TLS 1.3. | | No |
| `cipherSuites` | List of supported [cipher suites](https://godoc.org/crypto/tls#pkg-constants) for TLS versions up to TLS 1.2.<br />[Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa.](https://tools.ietf.org/html/rfc8446)<br />With TLS 1.3, [the cipher suites are not configurable](https://golang.org/doc/go1.12#tls_1_3) (all supported cipher suites are safe in this case). | | No |
| `curvePreferences` | List of the elliptic curves references that will be used in an ECDHE handshake.<br />Use curves names from [`crypto`](https://godoc.org/crypto/tls#CurveID) or the [RFC](https://tools.ietf.org/html/rfc8446#section-4.2.7).<br />See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information. | | No |
| `clientAuth.secretNames` | Client Authentication (mTLS) option.<br />List of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace).<br /> The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. | | No |
| `clientAuth.clientAuthType` | Client Authentication (mTLS) option.<br />Client authentication type to apply. Available values [here](#client-authentication-mtls). | | No |
| `sniStrict` | Allow rejecting connections from clients connections that do not specify a server_name extension.<br />The [default certificate](../../../http/tls/tls-certificates.md#default-certificate) is never served is the option is enabled. | false | No |
| `alpnProtocols` | List of supported application level protocols for the TLS handshake, in order of preference.<br />If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol. | "h2, http/1.1, acme-tls/1" | No |
| `disableSessiontTickets` | Allow disabling the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions. | false | No |
| <a id="minVersion" href="#minVersion" title="#minVersion">`minVersion`</a> | Minimum TLS version that is acceptable. | "VersionTLS12" | No |
| <a id="maxVersion" href="#maxVersion" title="#maxVersion">`maxVersion`</a> | Maximum TLS version that is acceptable.<br />We do not recommend setting this option to disable TLS 1.3. | | No |
| <a id="cipherSuites" href="#cipherSuites" title="#cipherSuites">`cipherSuites`</a> | List of supported [cipher suites](https://godoc.org/crypto/tls#pkg-constants) for TLS versions up to TLS 1.2.<br />[Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa.](https://tools.ietf.org/html/rfc8446)<br />With TLS 1.3, [the cipher suites are not configurable](https://golang.org/doc/go1.12#tls_1_3) (all supported cipher suites are safe in this case). | | No |
| <a id="curvePreferences" href="#curvePreferences" title="#curvePreferences">`curvePreferences`</a> | List of the elliptic curves references that will be used in an ECDHE handshake.<br />Use curves names from [`crypto`](https://godoc.org/crypto/tls#CurveID) or the [RFC](https://tools.ietf.org/html/rfc8446#section-4.2.7).<br />See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information. | | No |
| <a id="clientAuth-secretNames" href="#clientAuth-secretNames" title="#clientAuth-secretNames">`clientAuth.secretNames`</a> | Client Authentication (mTLS) option.<br />List of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace).<br /> The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. | | No |
| <a id="clientAuth-clientAuthType" href="#clientAuth-clientAuthType" title="#clientAuth-clientAuthType">`clientAuth.clientAuthType`</a> | Client Authentication (mTLS) option.<br />Client authentication type to apply. Available values [here](#client-authentication-mtls). | | No |
| <a id="sniStrict" href="#sniStrict" title="#sniStrict">`sniStrict`</a> | Allow rejecting connections from clients connections that do not specify a server_name extension.<br />The [default certificate](../../../http/tls/tls-certificates.md#default-certificate) is never served is the option is enabled. | false | No |
| <a id="alpnProtocols" href="#alpnProtocols" title="#alpnProtocols">`alpnProtocols`</a> | List of supported application level protocols for the TLS handshake, in order of preference.<br />If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol. | "h2, http/1.1, acme-tls/1" | No |
| <a id="disableSessiontTickets" href="#disableSessiontTickets" title="#disableSessiontTickets">`disableSessiontTickets`</a> | Allow disabling the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions. | false | No |
### Client Authentication (mTLS)
@@ -78,6 +78,6 @@ The default behavior is summed up in the table below:
| Configuration | Behavior |
|:--------------------------|:------------------------------------------------------------|
| No `default` TLS Option | Default internal set of TLS Options by default. |
| One `default` TLS Option | Custom TLS Options applied by default. |
| Many `default` TLS Option | Error log + Default internal set of TLS Options by default. |
| <a id="No-default-TLS-Option" href="#No-default-TLS-Option" title="#No-default-TLS-Option">No `default` TLS Option</a> | Default internal set of TLS Options by default. |
| <a id="One-default-TLS-Option" href="#One-default-TLS-Option" title="#One-default-TLS-Option">One `default` TLS Option</a> | Custom TLS Options applied by default. |
| <a id="Many-default-TLS-Option" href="#Many-default-TLS-Option" title="#Many-default-TLS-Option">Many `default` TLS Option</a> | Error log + Default internal set of TLS Options by default. |

10
docs/content/reference/routing-configuration/kubernetes/crd/http/tlsstore.md
View File

@@ -29,11 +29,11 @@ spec:
| Field | Description | Required |
|:---------------------------------------|:-------------------------|:---------|
| `certificates[n].secretName` | List of Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/), each of them holding a key/certificate pair to add to the store. | No |
| `defaultCertificate.secretName` | Name of the Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) served for connections without a SNI, or without a matching domain. If no default certificate is provided, Traefik will use the generated one. Do not use if the option `defaultGeneratedCert` is set. | No |
| `defaultGeneratedCert.resolver` | Name of the ACME resolver to use to generate the default certificate.<br /> Do not use if the option `defaultCertificate` is set. | No |
| `defaultGeneratedCert.domain.main` | Main domain used to generate the default certificate.<br /> Do not use if the option `defaultCertificate` is set. | No |
| `defaultGeneratedCert.domain.sans` | List of [Subject Alternative Name](https://en.wikipedia.org/wiki/Subject_Alternative_Name) used to generate the default certificate.<br /> Do not use if the option `defaultCertificate` is set. | No |
| <a id="certificatesn-secretName" href="#certificatesn-secretName" title="#certificatesn-secretName">`certificates[n].secretName`</a> | List of Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/), each of them holding a key/certificate pair to add to the store. | No |
| <a id="defaultCertificate-secretName" href="#defaultCertificate-secretName" title="#defaultCertificate-secretName">`defaultCertificate.secretName`</a> | Name of the Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) served for connections without a SNI, or without a matching domain. If no default certificate is provided, Traefik will use the generated one. Do not use if the option `defaultGeneratedCert` is set. | No |
| <a id="defaultGeneratedCert-resolver" href="#defaultGeneratedCert-resolver" title="#defaultGeneratedCert-resolver">`defaultGeneratedCert.resolver`</a> | Name of the ACME resolver to use to generate the default certificate.<br /> Do not use if the option `defaultCertificate` is set. | No |
| <a id="defaultGeneratedCert-domain-main" href="#defaultGeneratedCert-domain-main" title="#defaultGeneratedCert-domain-main">`defaultGeneratedCert.domain.main`</a> | Main domain used to generate the default certificate.<br /> Do not use if the option `defaultCertificate` is set. | No |
| <a id="defaultGeneratedCert-domain-sans" href="#defaultGeneratedCert-domain-sans" title="#defaultGeneratedCert-domain-sans">`defaultGeneratedCert.domain.sans`</a> | List of [Subject Alternative Name](https://en.wikipedia.org/wiki/Subject_Alternative_Name) used to generate the default certificate.<br /> Do not use if the option `defaultCertificate` is set. | No |
!!! note "DefaultCertificate vs DefaultGeneratedCert"
If both `defaultCertificate` and `defaultGeneratedCert` are set, the TLS certificate contained in `defaultCertificate.secretName` is served. The ACME default certificate is not generated.

334
docs/content/reference/routing-configuration/kubernetes/crd/http/traefikservice.md
View File

@@ -3,11 +3,12 @@ title: "Traefik Kubernetes Services Documentation"
description: "Learn how to configure routing and load balancing in Traefik Proxy to reach Services, which handle incoming requests. Read the technical documentation."
---
A `TraefikService` is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a [Weighted Round Robin](#weighted-round-robin) load balancing or a [Mirroring](#mirroring) between your Kubernetes Services.
A `TraefikService` is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a [Weighted Round Robin](#weighted-round-robin) load balancing, a [Highest Random Weight](#highest-random-weight) load balancing, or a [Mirroring](#mirroring) between your Kubernetes Services.
Services configure how to reach the actual endpoints that will eventually handle incoming requests. In Traefik, the target service can be either a standard [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)—which exposes a pod—or a TraefikService. The latter allows you to combine advanced load-balancing options like:
- [Weighted Round Robin load balancing](#weighted-round-robin).
- [Highest Random Weight load balancing](#highest-random-weight).
- [Mirroring](#mirroring).
## Weighted Round Robin
@@ -150,41 +151,41 @@ data:
| Field | Description | Default | Required |
|:---------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
| `services` | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />. | | No |
| `services[m].`<br />`kind` | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> - **TraefikService**: Traefik Service. | "" | No |
| `services[m].`<br />`name` | Service name.<br />The character `@` is not authorized. | "" | Yes |
| `services[m].`<br />`namespace` | Service namespace. | "" | No |
| `services[m].`<br />`port` | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | "" | No |
| `services[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| `services[m].`<br />`scheme` | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| `services[m].`<br />`serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| `services[m].`<br />`passHostHeader` | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| `services[m].`<br />`healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| `services[m].`<br />`healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "http" | No |
| `services[m].`<br />`healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| `services[m].`<br />`healthCheck.interval` | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`. | "100ms" | No |
| `services[m].`<br />`healthCheck.unhealthyInterval` | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`. | "100ms" | No |
| `services[m].`<br />`healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "GET" | No |
| `services[m].`<br />`healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| `services[m].`<br />`healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
| `services[m].`<br />`healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "5s" | No |
| `services[m].`<br />`healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| `services[m].`<br />`healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | true | No |
| `services[m].`<br />`healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
| `services[m].`<br />`sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness.<br />Evaluated only if the kind is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| `services[m].`<br />`sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| `services[m].`<br />`sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| `services[m].`<br />`sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| `services[m].`<br />`sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| `services[m].`<br />`strategy` | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| `services[m].`<br />`weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| `services[m].`<br />`nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**. | false | No |
| `services[m].`<br />`nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
| `sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness at the WRR service level.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| `sticky.`<br />`cookie.httpOnly` | Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript.<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | false | No |
| `sticky.`<br />`cookie.secure` | Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | false | No |
| `sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy for the cookie used for the stickiness at the WRR service level.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | "" | No |
| `sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie used for the stickiness at the WRR service level expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires. | 0 | No |
| <a id="services" href="#services" title="#services">`services`</a> | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />. | | No |
| <a id="servicesm-kind" href="#servicesm-kind" title="#servicesm-kind">`services[m].`<br />`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> - **TraefikService**: Traefik Service. | "" | No |
| <a id="servicesm-name" href="#servicesm-name" title="#servicesm-name">`services[m].`<br />`name`</a> | Service name.<br />The character `@` is not authorized. | "" | Yes |
| <a id="servicesm-namespace" href="#servicesm-namespace" title="#servicesm-namespace">`services[m].`<br />`namespace`</a> | Service namespace. | "" | No |
| <a id="servicesm-port" href="#servicesm-port" title="#servicesm-port">`services[m].`<br />`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="servicesm-responseForwarding-flushInterval" href="#servicesm-responseForwarding-flushInterval" title="#servicesm-responseForwarding-flushInterval">`services[m].`<br />`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| <a id="servicesm-scheme" href="#servicesm-scheme" title="#servicesm-scheme">`services[m].`<br />`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="servicesm-serversTransport" href="#servicesm-serversTransport" title="#servicesm-serversTransport">`services[m].`<br />`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="servicesm-passHostHeader" href="#servicesm-passHostHeader" title="#servicesm-passHostHeader">`services[m].`<br />`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| <a id="servicesm-healthCheck-scheme" href="#servicesm-healthCheck-scheme" title="#servicesm-healthCheck-scheme">`services[m].`<br />`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| <a id="servicesm-healthCheck-mode" href="#servicesm-healthCheck-mode" title="#servicesm-healthCheck-mode">`services[m].`<br />`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "http" | No |
| <a id="servicesm-healthCheck-path" href="#servicesm-healthCheck-path" title="#servicesm-healthCheck-path">`services[m].`<br />`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| <a id="servicesm-healthCheck-interval" href="#servicesm-healthCheck-interval" title="#servicesm-healthCheck-interval">`services[m].`<br />`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`. | "100ms" | No |
| <a id="servicesm-healthCheck-unhealthyInterval" href="#servicesm-healthCheck-unhealthyInterval" title="#servicesm-healthCheck-unhealthyInterval">`services[m].`<br />`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`. | "100ms" | No |
| <a id="servicesm-healthCheck-method" href="#servicesm-healthCheck-method" title="#servicesm-healthCheck-method">`services[m].`<br />`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "GET" | No |
| <a id="servicesm-healthCheck-status" href="#servicesm-healthCheck-status" title="#servicesm-healthCheck-status">`services[m].`<br />`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| <a id="servicesm-healthCheck-port" href="#servicesm-healthCheck-port" title="#servicesm-healthCheck-port">`services[m].`<br />`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
| <a id="servicesm-healthCheck-timeout" href="#servicesm-healthCheck-timeout" title="#servicesm-healthCheck-timeout">`services[m].`<br />`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "5s" | No |
| <a id="servicesm-healthCheck-hostname" href="#servicesm-healthCheck-hostname" title="#servicesm-healthCheck-hostname">`services[m].`<br />`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| <a id="servicesm-healthCheck-followRedirect" href="#servicesm-healthCheck-followRedirect" title="#servicesm-healthCheck-followRedirect">`services[m].`<br />`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | true | No |
| <a id="servicesm-healthCheck-headers" href="#servicesm-healthCheck-headers" title="#servicesm-healthCheck-headers">`services[m].`<br />`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
| <a id="servicesm-sticky-cookie-name" href="#servicesm-sticky-cookie-name" title="#servicesm-sticky-cookie-name">`services[m].`<br />`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />Evaluated only if the kind is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| <a id="servicesm-sticky-cookie-httpOnly" href="#servicesm-sticky-cookie-httpOnly" title="#servicesm-sticky-cookie-httpOnly">`services[m].`<br />`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="servicesm-sticky-cookie-secure" href="#servicesm-sticky-cookie-secure" title="#servicesm-sticky-cookie-secure">`services[m].`<br />`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="servicesm-sticky-cookie-sameSite" href="#servicesm-sticky-cookie-sameSite" title="#servicesm-sticky-cookie-sameSite">`services[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="servicesm-sticky-cookie-maxAge" href="#servicesm-sticky-cookie-maxAge" title="#servicesm-sticky-cookie-maxAge">`services[m].`<br />`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| <a id="servicesm-strategy" href="#servicesm-strategy" title="#servicesm-strategy">`services[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| <a id="servicesm-weight" href="#servicesm-weight" title="#servicesm-weight">`services[m].`<br />`weight`</a> | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| <a id="servicesm-nativeLB" href="#servicesm-nativeLB" title="#servicesm-nativeLB">`services[m].`<br />`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="servicesm-nodePortLB" href="#servicesm-nodePortLB" title="#servicesm-nodePortLB">`services[m].`<br />`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="sticky-cookie-name" href="#sticky-cookie-name" title="#sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness at the WRR service level.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| <a id="sticky-cookie-httpOnly" href="#sticky-cookie-httpOnly" title="#sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript.<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | false | No |
| <a id="sticky-cookie-secure" href="#sticky-cookie-secure" title="#sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | false | No |
| <a id="sticky-cookie-sameSite" href="#sticky-cookie-sameSite" title="#sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy for the cookie used for the stickiness at the WRR service level.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | "" | No |
| <a id="sticky-cookie-maxAge" href="#sticky-cookie-maxAge" title="#sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie used for the stickiness at the WRR service level expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires. | 0 | No |
#### Stickiness on multiple levels
@@ -255,6 +256,143 @@ In the example above, to keep a session open with the same server, the client wo
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo
```
## Highest Random Weight
The HRW (Highest Random Weight) load balancer uses consistent hashing to ensure that requests from the same client IP are always routed to the same service. Unlike weighted round-robin which distributes requests based on weights, HRW provides consistent routing based on the client's remote address.
This is particularly useful for maintaining session affinity without requiring sticky cookies, as clients will consistently reach the same backend service based on their IP address.
### Configuration Example
```yaml tab="IngressRoute"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test-hrw
namespace: apps
spec:
entryPoints:
- websecure
routes:
- match: Host(`example.com`) && PathPrefix(`/app`)
kind: Rule
services:
# Set an HRW TraefikService
- name: hrw1
namespace: apps
kind: TraefikService
tls:
secretName: supersecret
```
```yaml tab="TraefikService HRW"
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: hrw1
namespace: apps
spec:
highestRandomWeight:
services:
# Kubernetes Service with weight 10
- name: svc1
namespace: apps
port: 80
weight: 10
# Kubernetes Service with weight 20
- name: svc2
namespace: apps
port: 80
weight: 20
# Another TraefikService
- name: wrr1
namespace: apps
kind: TraefikService
weight: 15
```
```yaml tab="Kubernetes Services"
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: apps
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: apps
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app2
```
### Configuration Options
| Field | Description | Default | Required |
|:---------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
| <a id="hrw-services" href="#hrw-services" title="#hrw-services">`services`</a> | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). Each service must have a weight assigned. | | Yes |
| <a id="hrw-servicesm-kind" href="#hrw-servicesm-kind" title="#hrw-servicesm-kind">`services[m].`<br />`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> - **TraefikService**: Traefik Service. | "" | No |
| <a id="hrw-servicesm-name" href="#hrw-servicesm-name" title="#hrw-servicesm-name">`services[m].`<br />`name`</a> | Service name.<br />The character `@` is not authorized. | "" | Yes |
| <a id="hrw-servicesm-namespace" href="#hrw-servicesm-namespace" title="#hrw-servicesm-namespace">`services[m].`<br />`namespace`</a> | Service namespace. | "" | No |
| <a id="hrw-servicesm-port" href="#hrw-servicesm-port" title="#hrw-servicesm-port">`services[m].`<br />`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="hrw-servicesm-weight" href="#hrw-servicesm-weight" title="#hrw-servicesm-weight">`services[m].`<br />`weight`</a> | Service weight used in the HRW algorithm. Higher weights increase the probability of selection for a given client IP. | 1 | No |
| <a id="hrw-servicesm-responseForwarding-flushInterval" href="#hrw-servicesm-responseForwarding-flushInterval" title="#hrw-servicesm-responseForwarding-flushInterval">`services[m].`<br />`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| <a id="hrw-servicesm-scheme" href="#hrw-servicesm-scheme" title="#hrw-servicesm-scheme">`services[m].`<br />`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="hrw-servicesm-serversTransport" href="#hrw-servicesm-serversTransport" title="#hrw-servicesm-serversTransport">`services[m].`<br />`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="hrw-servicesm-passHostHeader" href="#hrw-servicesm-passHostHeader" title="#hrw-servicesm-passHostHeader">`services[m].`<br />`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| <a id="hrw-servicesm-healthCheck-scheme" href="#hrw-servicesm-healthCheck-scheme" title="#hrw-servicesm-healthCheck-scheme">`services[m].`<br />`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| <a id="hrw-servicesm-healthCheck-mode" href="#hrw-servicesm-healthCheck-mode" title="#hrw-servicesm-healthCheck-mode">`services[m].`<br />`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "http" | No |
| <a id="hrw-servicesm-healthCheck-path" href="#hrw-servicesm-healthCheck-path" title="#hrw-servicesm-healthCheck-path">`services[m].`<br />`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| <a id="hrw-servicesm-healthCheck-interval" href="#hrw-servicesm-healthCheck-interval" title="#hrw-servicesm-healthCheck-interval">`services[m].`<br />`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "100ms" | No |
| <a id="hrw-servicesm-healthCheck-unhealthyInterval" href="#hrw-servicesm-healthCheck-unhealthyInterval" title="#hrw-servicesm-healthCheck-unhealthyInterval">`services[m].`<br />`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "100ms" | No |
| <a id="hrw-servicesm-healthCheck-method" href="#hrw-servicesm-healthCheck-method" title="#hrw-servicesm-healthCheck-method">`services[m].`<br />`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "GET" | No |
| <a id="hrw-servicesm-healthCheck-status" href="#hrw-servicesm-healthCheck-status" title="#hrw-servicesm-healthCheck-status">`services[m].`<br />`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| <a id="hrw-servicesm-healthCheck-port" href="#hrw-servicesm-healthCheck-port" title="#hrw-servicesm-healthCheck-port">`services[m].`<br />`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
| <a id="hrw-servicesm-healthCheck-timeout" href="#hrw-servicesm-healthCheck-timeout" title="#hrw-servicesm-healthCheck-timeout">`services[m].`<br />`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "5s" | No |
| <a id="hrw-servicesm-healthCheck-hostname" href="#hrw-servicesm-healthCheck-hostname" title="#hrw-servicesm-healthCheck-hostname">`services[m].`<br />`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
| <a id="hrw-servicesm-healthCheck-followRedirect" href="#hrw-servicesm-healthCheck-followRedirect" title="#hrw-servicesm-healthCheck-followRedirect">`services[m].`<br />`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | true | No |
| <a id="hrw-servicesm-healthCheck-headers" href="#hrw-servicesm-healthCheck-headers" title="#hrw-servicesm-healthCheck-headers">`services[m].`<br />`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
| <a id="hrw-servicesm-sticky-cookie-name" href="#hrw-servicesm-sticky-cookie-name" title="#hrw-servicesm-sticky-cookie-name">`services[m].`<br />`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />Evaluated only if the kind is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| <a id="hrw-servicesm-sticky-cookie-httpOnly" href="#hrw-servicesm-sticky-cookie-httpOnly" title="#hrw-servicesm-sticky-cookie-httpOnly">`services[m].`<br />`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="hrw-servicesm-sticky-cookie-secure" href="#hrw-servicesm-sticky-cookie-secure" title="#hrw-servicesm-sticky-cookie-secure">`services[m].`<br />`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="hrw-servicesm-sticky-cookie-sameSite" href="#hrw-servicesm-sticky-cookie-sameSite" title="#hrw-servicesm-sticky-cookie-sameSite">`services[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="hrw-servicesm-sticky-cookie-maxAge" href="#hrw-servicesm-sticky-cookie-maxAge" title="#hrw-servicesm-sticky-cookie-maxAge">`services[m].`<br />`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| <a id="hrw-servicesm-strategy" href="#hrw-servicesm-strategy" title="#hrw-servicesm-strategy">`services[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| <a id="hrw-servicesm-nativeLB" href="#hrw-servicesm-nativeLB" title="#hrw-servicesm-nativeLB">`services[m].`<br />`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="hrw-servicesm-nodePortLB" href="#hrw-servicesm-nodePortLB" title="#hrw-servicesm-nodePortLB">`services[m].`<br />`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
### How HRW Works
The Highest Random Weight algorithm combines consistent hashing with weighted load balancing:
1. **Consistent Hashing**: For each incoming request, the client's remote address is hashed to ensure consistent routing.
2. **Weighted Selection**: Each service is assigned a random value based on both the hash of the client IP and the service's weight.
3. **Highest Selection**: The service with the highest calculated value receives the request.
This approach provides several benefits:
- **Session Affinity**: Clients consistently reach the same backend service
- **Weighted Distribution**: Services with higher weights are more likely to be selected
- **No State Required**: Unlike sticky cookies, no client-side or server-side state is needed
- **Fault Tolerance**: If a service becomes unavailable, requests are redistributed consistently among remaining services
## Mirroring
The mirroring is able to mirror requests sent to a service to other services.
@@ -375,65 +513,65 @@ spec:
| Field | Description | Default | Required |
|:--------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
| `kind` | Kind of the main service.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services) | "" | No |
| `name` | Main service name.<br />The character `@` is not authorized. | "" | Yes |
| `namespace` | Main service namespace.<br />More information [here](#services). | "" | No |
| `port` | Main service port (number or port name).<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
| `responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the main service is **Service**. | 100ms | No |
| `scheme` | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind of the main service is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| `serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and the main service's servers.<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
| `passHostHeader` | Forward client Host header to main service's server.<br />Evaluated only if the kind of the main service is **Service**. | true | No |
| `healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| `healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "http" | No |
| `healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| `healthCheck.interval` | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| `healthCheck.unhealthyInterval` | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| `healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "GET" | No |
| `healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the main service is **Service**. | | No |
| `healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| `healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "5s" | No |
| `healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| `healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | true | No |
| `healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| `sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness on the main service.<br />Evaluated only if the kind of the main service is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| `sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| `sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| `sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
| `sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the main service is **Service**. | 0 | No |
| `strategy` | Load balancing strategy between the main service's servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the main service is **Service**. | "RoundRobin" | No |
| `weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| `nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| `nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| `maxBodySize` | Maximum size allowed for the body of the request.<br />If the body is larger, the request is not mirrored.<br />-1 means unlimited size. | -1 | No |
| `mirrors` | List of mirrored services to target.<br /> It can be any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#services). | | No |
| `mirrors[m].`<br />`kind` | Kind of the mirrored service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services) | "" | No |
| `mirrors[m].`<br />`name` | Mirrored service name.<br />The character `@` is not authorized. | "" | Yes |
| `mirrors[m].`<br />`namespace` | Mirrored service namespace.<br />More information [here](#services). | "" | No |
| `mirrors[m].`<br />`port` | Mirrored service port (number or port name).<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| `mirrors[m].`<br />`percent` | Part of the traffic to mirror in percent (from 0 to 100) | 0 | No |
| `mirrors[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the mirrored service is **Service**. | 100ms | No |
| `mirrors[m].`<br />`scheme` | Scheme to use for the request to the mirrored service.<br />Evaluated only if the kind of the mirrored service is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| `mirrors[m].`<br />`serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| `mirrors[m].`<br />`passHostHeader` | Forward client Host header to the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**. | true | No |
| `mirrors[m].`<br />`healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| `mirrors[m].`<br />`healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "http" | No |
| `mirrors[m].`<br />`healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| `mirrors[m].`<br />`healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| `mirrors[m].`<br />`healthCheck.unhealthyInterval` | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| `mirrors[m].`<br />`healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "GET" | No |
| `mirrors[m].`<br />`healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the mirrored service is **Service**. | | No |
| `mirrors[m].`<br />`healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| `mirrors[m].`<br />`healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "5s" | No |
| `mirrors[m].`<br />`healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| `mirrors[m].`<br />`healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | true | No |
| `mirrors[m].`<br />`healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| `mirrors[m].`<br />`sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| `mirrors[m].`<br />`sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| `mirrors[m].`<br />`sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| `mirrors[m].`<br />`sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| `mirrors[m].`<br />`sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the mirrored service is **Service**. | 0 | No |
| `mirrors[m].`<br />`strategy` | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the mirrored service is **Service**. | "RoundRobin" | No |
| `mirrors[m].`<br />`weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| `mirrors[m].`<br />`nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| `mirrors[m].`<br />`nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| `mirrorBody` | Defines whether the request body should be mirrored. | true | No |
| <a id="kind" href="#kind" title="#kind">`kind`</a> | Kind of the main service.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services) | "" | No |
| <a id="name" href="#name" title="#name">`name`</a> | Main service name.<br />The character `@` is not authorized. | "" | Yes |
| <a id="namespace" href="#namespace" title="#namespace">`namespace`</a> | Main service namespace.<br />More information [here](#services). | "" | No |
| <a id="port" href="#port" title="#port">`port`</a> | Main service port (number or port name).<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
| <a id="responseForwarding-flushInterval" href="#responseForwarding-flushInterval" title="#responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the main service is **Service**. | 100ms | No |
| <a id="scheme" href="#scheme" title="#scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind of the main service is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="serversTransport" href="#serversTransport" title="#serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and the main service's servers.<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
| <a id="passHostHeader" href="#passHostHeader" title="#passHostHeader">`passHostHeader`</a> | Forward client Host header to main service's server.<br />Evaluated only if the kind of the main service is **Service**. | true | No |
| <a id="healthCheck-scheme" href="#healthCheck-scheme" title="#healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| <a id="healthCheck-mode" href="#healthCheck-mode" title="#healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "http" | No |
| <a id="healthCheck-path" href="#healthCheck-path" title="#healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| <a id="healthCheck-interval" href="#healthCheck-interval" title="#healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| <a id="healthCheck-unhealthyInterval" href="#healthCheck-unhealthyInterval" title="#healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| <a id="healthCheck-method" href="#healthCheck-method" title="#healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "GET" | No |
| <a id="healthCheck-status" href="#healthCheck-status" title="#healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the main service is **Service**. | | No |
| <a id="healthCheck-port" href="#healthCheck-port" title="#healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| <a id="healthCheck-timeout" href="#healthCheck-timeout" title="#healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "5s" | No |
| <a id="healthCheck-hostname" href="#healthCheck-hostname" title="#healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| <a id="healthCheck-followRedirect" href="#healthCheck-followRedirect" title="#healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | true | No |
| <a id="healthCheck-headers" href="#healthCheck-headers" title="#healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| <a id="sticky-cookie-name-2" href="#sticky-cookie-name-2" title="#sticky-cookie-name-2">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness on the main service.<br />Evaluated only if the kind of the main service is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
| <a id="sticky-cookie-httpOnly-2" href="#sticky-cookie-httpOnly-2" title="#sticky-cookie-httpOnly-2">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| <a id="sticky-cookie-secure-2" href="#sticky-cookie-secure-2" title="#sticky-cookie-secure-2">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| <a id="sticky-cookie-sameSite-2" href="#sticky-cookie-sameSite-2" title="#sticky-cookie-sameSite-2">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
| <a id="sticky-cookie-maxAge-2" href="#sticky-cookie-maxAge-2" title="#sticky-cookie-maxAge-2">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the main service is **Service**. | 0 | No |
| <a id="strategy" href="#strategy" title="#strategy">`strategy`</a> | Load balancing strategy between the main service's servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the main service is **Service**. | "RoundRobin" | No |
| <a id="weight" href="#weight" title="#weight">`weight`</a> | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| <a id="nativeLB" href="#nativeLB" title="#nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| <a id="nodePortLB" href="#nodePortLB" title="#nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
| <a id="maxBodySize" href="#maxBodySize" title="#maxBodySize">`maxBodySize`</a> | Maximum size allowed for the body of the request.<br />If the body is larger, the request is not mirrored.<br />-1 means unlimited size. | -1 | No |
| <a id="mirrors" href="#mirrors" title="#mirrors">`mirrors`</a> | List of mirrored services to target.<br /> It can be any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#services). | | No |
| <a id="mirrorsm-kind" href="#mirrorsm-kind" title="#mirrorsm-kind">`mirrors[m].`<br />`kind`</a> | Kind of the mirrored service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services) | "" | No |
| <a id="mirrorsm-name" href="#mirrorsm-name" title="#mirrorsm-name">`mirrors[m].`<br />`name`</a> | Mirrored service name.<br />The character `@` is not authorized. | "" | Yes |
| <a id="mirrorsm-namespace" href="#mirrorsm-namespace" title="#mirrorsm-namespace">`mirrors[m].`<br />`namespace`</a> | Mirrored service namespace.<br />More information [here](#services). | "" | No |
| <a id="mirrorsm-port" href="#mirrorsm-port" title="#mirrorsm-port">`mirrors[m].`<br />`port`</a> | Mirrored service port (number or port name).<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| <a id="mirrorsm-percent" href="#mirrorsm-percent" title="#mirrorsm-percent">`mirrors[m].`<br />`percent`</a> | Part of the traffic to mirror in percent (from 0 to 100) | 0 | No |
| <a id="mirrorsm-responseForwarding-flushInterval" href="#mirrorsm-responseForwarding-flushInterval" title="#mirrorsm-responseForwarding-flushInterval">`mirrors[m].`<br />`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the mirrored service is **Service**. | 100ms | No |
| <a id="mirrorsm-scheme" href="#mirrorsm-scheme" title="#mirrorsm-scheme">`mirrors[m].`<br />`scheme`</a> | Scheme to use for the request to the mirrored service.<br />Evaluated only if the kind of the mirrored service is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="mirrorsm-serversTransport" href="#mirrorsm-serversTransport" title="#mirrorsm-serversTransport">`mirrors[m].`<br />`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| <a id="mirrorsm-passHostHeader" href="#mirrorsm-passHostHeader" title="#mirrorsm-passHostHeader">`mirrors[m].`<br />`passHostHeader`</a> | Forward client Host header to the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**. | true | No |
| <a id="mirrorsm-healthCheck-scheme" href="#mirrorsm-healthCheck-scheme" title="#mirrorsm-healthCheck-scheme">`mirrors[m].`<br />`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| <a id="mirrorsm-healthCheck-mode" href="#mirrorsm-healthCheck-mode" title="#mirrorsm-healthCheck-mode">`mirrors[m].`<br />`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "http" | No |
| <a id="mirrorsm-healthCheck-path" href="#mirrorsm-healthCheck-path" title="#mirrorsm-healthCheck-path">`mirrors[m].`<br />`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| <a id="mirrorsm-healthCheck-interval" href="#mirrorsm-healthCheck-interval" title="#mirrorsm-healthCheck-interval">`mirrors[m].`<br />`healthCheck.interval`</a> | Frequency of the health check calls.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| <a id="mirrorsm-healthCheck-unhealthyInterval" href="#mirrorsm-healthCheck-unhealthyInterval" title="#mirrorsm-healthCheck-unhealthyInterval">`mirrors[m].`<br />`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
| <a id="mirrorsm-healthCheck-method" href="#mirrorsm-healthCheck-method" title="#mirrorsm-healthCheck-method">`mirrors[m].`<br />`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "GET" | No |
| <a id="mirrorsm-healthCheck-status" href="#mirrorsm-healthCheck-status" title="#mirrorsm-healthCheck-status">`mirrors[m].`<br />`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the mirrored service is **Service**. | | No |
| <a id="mirrorsm-healthCheck-port" href="#mirrorsm-healthCheck-port" title="#mirrorsm-healthCheck-port">`mirrors[m].`<br />`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| <a id="mirrorsm-healthCheck-timeout" href="#mirrorsm-healthCheck-timeout" title="#mirrorsm-healthCheck-timeout">`mirrors[m].`<br />`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "5s" | No |
| <a id="mirrorsm-healthCheck-hostname" href="#mirrorsm-healthCheck-hostname" title="#mirrorsm-healthCheck-hostname">`mirrors[m].`<br />`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
| <a id="mirrorsm-healthCheck-followRedirect" href="#mirrorsm-healthCheck-followRedirect" title="#mirrorsm-healthCheck-followRedirect">`mirrors[m].`<br />`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | true | No |
| <a id="mirrorsm-healthCheck-headers" href="#mirrorsm-healthCheck-headers" title="#mirrorsm-healthCheck-headers">`mirrors[m].`<br />`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
| <a id="mirrorsm-sticky-cookie-name" href="#mirrorsm-sticky-cookie-name" title="#mirrorsm-sticky-cookie-name">`mirrors[m].`<br />`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| <a id="mirrorsm-sticky-cookie-httpOnly" href="#mirrorsm-sticky-cookie-httpOnly" title="#mirrorsm-sticky-cookie-httpOnly">`mirrors[m].`<br />`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| <a id="mirrorsm-sticky-cookie-secure" href="#mirrorsm-sticky-cookie-secure" title="#mirrorsm-sticky-cookie-secure">`mirrors[m].`<br />`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| <a id="mirrorsm-sticky-cookie-sameSite" href="#mirrorsm-sticky-cookie-sameSite" title="#mirrorsm-sticky-cookie-sameSite">`mirrors[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
| <a id="mirrorsm-sticky-cookie-maxAge" href="#mirrorsm-sticky-cookie-maxAge" title="#mirrorsm-sticky-cookie-maxAge">`mirrors[m].`<br />`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the mirrored service is **Service**. | 0 | No |
| <a id="mirrorsm-strategy" href="#mirrorsm-strategy" title="#mirrorsm-strategy">`mirrors[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the mirrored service is **Service**. | "RoundRobin" | No |
| <a id="mirrorsm-weight" href="#mirrorsm-weight" title="#mirrorsm-weight">`mirrors[m].`<br />`weight`</a> | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
| <a id="mirrorsm-nativeLB" href="#mirrorsm-nativeLB" title="#mirrorsm-nativeLB">`mirrors[m].`<br />`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| <a id="mirrorsm-nodePortLB" href="#mirrorsm-nodePortLB" title="#mirrorsm-nodePortLB">`mirrors[m].`<br />`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
| <a id="mirrorBody" href="#mirrorBody" title="#mirrorBody">`mirrorBody`</a> | Defines whether the request body should be mirrored. | true | No |

82
docs/content/reference/routing-configuration/kubernetes/crd/tcp/ingressroutetcp.md
View File

@@ -16,7 +16,7 @@ This registers the `IngressRouteTCP` kind and other Traefik-specific resources.
You can declare an `IngressRouteTCP` as detailed below:
```yaml tab="IngressRoute"
```yaml tab="IngressRouteTCP"
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
@@ -36,8 +36,6 @@ spec:
- name: foo
port: 8080
weight: 10
proxyProtocol:
version: 1
serversTransport: transport
nativeLB: true
nodePortLB: true
@@ -59,33 +57,61 @@ spec:
## Configuration Options
<<<<<<< HEAD
| Field | Description | Default | Required |
|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| <a id="entryPoints" href="#entryPoints" title="#entryPoints">`entryPoints`</a> | List of entrypoints names. | | No |
| <a id="routes" href="#routes" title="#routes">`routes`</a> | List of routes. | | Yes |
| <a id="routesn-match" href="#routesn-match" title="#routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
| <a id="routesn-priority" href="#routesn-priority" title="#routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
| <a id="routesn-middlewaresn-name" href="#routesn-middlewaresn-name" title="#routesn-middlewaresn-name">`routes[n].middlewares[n].name`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
| <a id="routesn-middlewaresn-namespace" href="#routesn-middlewaresn-namespace" title="#routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | "" | No |
| <a id="routesn-services" href="#routesn-services" title="#routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
| <a id="routesn-servicesn-name" href="#routesn-servicesn-name" title="#routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| <a id="routesn-servicesn-port" href="#routesn-servicesn-port" title="#routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. | | Yes |
| <a id="routesn-servicesn-weight" href="#routesn-servicesn-weight" title="#routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
| <a id="routesn-servicesn-serversTransport" href="#routesn-servicesn-serversTransport" title="#routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
| <a id="routesn-servicesn-nativeLB" href="#routesn-servicesn-nativeLB" title="#routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
| <a id="routesn-servicesn-nodePortLB" href="#routesn-servicesn-nodePortLB" title="#routesn-servicesn-nodePortLB">`routes[n].services[n].nodePortLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
| <a id="tls" href="#tls" title="#tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
| <a id="tls-secretName" href="#tls-secretName" title="#tls-secretName">`tls.secretName`</a> | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
| <a id="tls-options" href="#tls-options" title="#tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
| <a id="tls-options-name" href="#tls-options-name" title="#tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
| <a id="tls-options-namespace" href="#tls-options-namespace" title="#tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
| <a id="tls-certResolver" href="#tls-certResolver" title="#tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
| <a id="tls-domains" href="#tls-domains" title="#tls-domains">`tls.domains`</a> | List of domains. | "" | No |
| <a id="tls-domainsn-main" href="#tls-domainsn-main" title="#tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name. | "" | No |
| <a id="tls-domainsn-sans" href="#tls-domainsn-sans" title="#tls-domainsn-sans">`tls.domains[n].sans`</a> | List of SANs (alternative domains). | "" | No |
| <a id="tls-passthrough" href="#tls-passthrough" title="#tls-passthrough">`tls.passthrough`</a> | If `true`, delegates the TLS termination to the backend. | false | No |
=======
| Field | Description | Default | Required |
|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
| `entryPoints` | List of entrypoints names. | | No |
| `routes` | List of routes. | | Yes |
| `routes[n].match` | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
| `routes[n].priority` | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
| `routes[n].middlewares[n].name` | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
| `routes[n].middlewares[n].namespace` | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | ""| No|
| `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
| `routes[n].services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| `routes[n].services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
| `routes[n].services[n].weight` | Defines the weight to apply to the server load balancing. | 1 | No |
| `routes[n].services[n].proxyProtocol` | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration. | | No |
| `routes[n].services[n].proxyProtocol.version` | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version. | | No |
| `routes[n].services[n].serversTransport` | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
| `routes[n].services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
| `routes[n].services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
| `tls` | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
| `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
| `tls.options` | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
| `tls.options.name` | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
| `tls.options.namespace` | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
| `tls.certResolver` | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
| `tls.domains` | List of domains. | "" | No |
| `tls.domains[n].main` | Defines the main domain name. | "" | No |
| `tls.domains[n].sans` | List of SANs (alternative domains). | "" | No |
| `tls.passthrough` | If `true`, delegates the TLS termination to the backend. | false | No |
| <a id="entryPoints" href="#entryPoints" title="#entryPoints">`entryPoints`</a> | List of entrypoints names. | | No |
| <a id="routes" href="#routes" title="#routes">`routes`</a> | List of routes. | | Yes |
| <a id="routesn-match" href="#routesn-match" title="#routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
| <a id="routesn-priority" href="#routesn-priority" title="#routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
| <a id="routesn-middlewaresn-name" href="#routesn-middlewaresn-name" title="#routesn-middlewaresn-name">`routes[n].middlewares[n].name`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
| <a id="routesn-middlewaresn-namespace" href="#routesn-middlewaresn-namespace" title="#routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | ""| No|
| <a id="routesn-services" href="#routesn-services" title="#routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
| <a id="routesn-servicesn-name" href="#routesn-servicesn-name" title="#routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| <a id="routesn-servicesn-port" href="#routesn-servicesn-port" title="#routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
| <a id="routesn-servicesn-weight" href="#routesn-servicesn-weight" title="#routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
| <a id="routesn-servicesn-proxyProtocol" href="#routesn-servicesn-proxyProtocol" title="#routesn-servicesn-proxyProtocol">`routes[n].services[n].proxyProtocol`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration. | | No |
| <a id="routesn-servicesn-proxyProtocol-version" href="#routesn-servicesn-proxyProtocol-version" title="#routesn-servicesn-proxyProtocol-version">`routes[n].services[n].proxyProtocol.version`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version. | | No |
| <a id="routesn-servicesn-serversTransport" href="#routesn-servicesn-serversTransport" title="#routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
| <a id="routesn-servicesn-nativeLB" href="#routesn-servicesn-nativeLB" title="#routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
| <a id="routesn-servicesn-nodePortLB" href="#routesn-servicesn-nodePortLB" title="#routesn-servicesn-nodePortLB">`routes[n].services[n].nodePortLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
| <a id="tls" href="#tls" title="#tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
| <a id="tls-secretName" href="#tls-secretName" title="#tls-secretName">`tls.secretName`</a> | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
| <a id="tls-options" href="#tls-options" title="#tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
| <a id="tls-options-name" href="#tls-options-name" title="#tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
| <a id="tls-options-namespace" href="#tls-options-namespace" title="#tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
| <a id="tls-certResolver" href="#tls-certResolver" title="#tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
| <a id="tls-domains" href="#tls-domains" title="#tls-domains">`tls.domains`</a> | List of domains. | "" | No |
| <a id="tls-domainsn-main" href="#tls-domainsn-main" title="#tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name. | "" | No |
| <a id="tls-domainsn-sans" href="#tls-domainsn-sans" title="#tls-domainsn-sans">`tls.domains[n].sans`</a> | List of SANs (alternative domains). | "" | No |
| <a id="tls-passthrough" href="#tls-passthrough" title="#tls-passthrough">`tls.passthrough`</a> | If `true`, delegates the TLS termination to the backend. | false | No |
>>>>>>> 9c932124f (Add anchors in reference tables)
### ExternalName Service

31
docs/content/reference/routing-configuration/kubernetes/crd/tcp/serverstransporttcp.md
View File

@@ -29,6 +29,9 @@ metadata:
namespace: default
spec:
proxyProtocol:
version: 2
terminationDelay: 100ms
tls:
serverName: example.org
insecureSkipVerify: true
@@ -36,16 +39,18 @@ spec:
## Configuration Options
| Field | Description | Default | Required |
|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
| `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
| `dialKeepAlive` | The interval between keep-alive probes for an active network connection.<br />If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds),<br />if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field.<br />If negative, keep-alive probes are turned off.| 15s | No |
| `terminationDelay` | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability.| 100ms | No |
| `tls.serverName` | ServerName used to contact the server. | "" | No |
| `tls.insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
| `tls.peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| `tls.rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key.| "" | No |
| `tls.certificatesSecrets` | Certificates to present to the server for mTLS.| "" | No |
| `spiffe` | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options. | "" | No |
| `spiffe.ids` | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`. |""| No |
| `spiffe.trustDomain` | Defines the allowed SPIFFE trust domain. | "" | No |
| Field | Description | Default | Required |
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| <a id="dialTimeout" href="#dialTimeout" title="#dialTimeout">`dialTimeout`</a> | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
| <a id="dialKeepAlive" href="#dialKeepAlive" title="#dialKeepAlive">`dialKeepAlive`</a> | The interval between keep-alive probes for an active network connection.<br />If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds),<br />if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field.<br />If negative, keep-alive probes are turned off. | 15s | No |
| <a id="proxyProtocol" href="#proxyProtocol" title="#proxyProtocol">`proxyProtocol`</a> | Defines the Proxy Protocol configuration. An empty `proxyProtocol` section enables Proxy Protocol version 2. | | No |
| <a id="proxyProtocol-version" href="#proxyProtocol-version" title="#proxyProtocol-version">`proxyProtocol.version`</a> | Traefik supports PROXY Protocol version 1 and 2 on TCP Services. | | No |
| <a id="terminationDelay" href="#terminationDelay" title="#terminationDelay">`terminationDelay`</a> | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 100ms | No |
| <a id="tls-serverName" href="#tls-serverName" title="#tls-serverName">`tls.serverName`</a> | ServerName used to contact the server. | "" | No |
| <a id="tls-insecureSkipVerify" href="#tls-insecureSkipVerify" title="#tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false | No |
| <a id="tls-peerCertURI" href="#tls-peerCertURI" title="#tls-peerCertURI">`tls.peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| <a id="tls-rootCAsSecrets" href="#tls-rootCAsSecrets" title="#tls-rootCAsSecrets">`tls.rootCAsSecrets`</a> | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key. | "" | No |
| <a id="tls-certificatesSecrets" href="#tls-certificatesSecrets" title="#tls-certificatesSecrets">`tls.certificatesSecrets`</a> | Certificates to present to the server for mTLS. | "" | No |
| <a id="spiffe" href="#spiffe" title="#spiffe">`spiffe`</a> | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options. | "" | No |
| <a id="spiffe-ids" href="#spiffe-ids" title="#spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`. | "" | No |
| <a id="spiffe-trustDomain" href="#spiffe-trustDomain" title="#spiffe-trustDomain">`spiffe.trustDomain`</a> | Defines the allowed SPIFFE trust domain. | "" | No |

16
docs/content/reference/routing-configuration/kubernetes/crd/udp/ingressrouteudp.md
View File

@@ -32,14 +32,14 @@ spec:
| Field | Description | Default | Required |
|------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
| `entryPoints` | List of entrypoints names. | | No |
| ` routes ` | List of routes. | | Yes |
| `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. See [here](#externalname-service) for `ExternalName Service` setup. | | No |
| `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| `routes[n].services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
| `routes[n].services[n].weight` | Defines the weight to apply to the server load balancing. | 1 | No |
| `routes[n].services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. | false | No |
| `routes[n].services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. See [here](#nativelb) for more information. | false | No |
| <a id="entryPoints" href="#entryPoints" title="#entryPoints">`entryPoints`</a> | List of entrypoints names. | | No |
| <a id="routes" href="#routes" title="#routes">` routes `</a> | List of routes. | | Yes |
| <a id="routesn-services" href="#routesn-services" title="#routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. See [here](#externalname-service) for `ExternalName Service` setup. | | No |
| <a id="servicesn-name" href="#servicesn-name" title="#servicesn-name">`services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| <a id="routesn-servicesn-port" href="#routesn-servicesn-port" title="#routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
| <a id="routesn-servicesn-weight" href="#routesn-servicesn-weight" title="#routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
| <a id="routesn-servicesn-nativeLB" href="#routesn-servicesn-nativeLB" title="#routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. | false | No |
| <a id="routesn-servicesn-nodePortLB" href="#routesn-servicesn-nodePortLB" title="#routesn-servicesn-nodePortLB">`routes[n].services[n].nodePortLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. See [here](#nativelb) for more information. | false | No |
### ExternalName Service

244
docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
View File

@@ -263,36 +263,36 @@ Limitations or behavioral differences are indicated where relevant.
| Annotation | Limitations / Notes |
|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
| `nginx.ingress.kubernetes.io/affinity` | |
| `nginx.ingress.kubernetes.io/affinity-mode` | Only persistent mode supported; balanced/canary not supported. |
| `nginx.ingress.kubernetes.io/auth-type` | |
| `nginx.ingress.kubernetes.io/auth-secret` | |
| `nginx.ingress.kubernetes.io/auth-secret-type` | |
| `nginx.ingress.kubernetes.io/auth-realm` | |
| `nginx.ingress.kubernetes.io/auth-url` | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. |
| `nginx.ingress.kubernetes.io/auth-method` | |
| `nginx.ingress.kubernetes.io/auth-response-headers` | |
| `nginx.ingress.kubernetes.io/ssl-redirect` | Cannot opt-out per route if enabled globally. |
| `nginx.ingress.kubernetes.io/force-ssl-redirect` | Cannot opt-out per route if enabled globally. |
| `nginx.ingress.kubernetes.io/ssl-passthrough` | Some differences in SNI/default backend handling. |
| `nginx.ingress.kubernetes.io/use-regex` | |
| `nginx.ingress.kubernetes.io/session-cookie-name` | |
| `nginx.ingress.kubernetes.io/session-cookie-path` | |
| `nginx.ingress.kubernetes.io/session-cookie-domain` | |
| `nginx.ingress.kubernetes.io/session-cookie-samesite` | |
| `nginx.ingress.kubernetes.io/load-balance` | Only round_robin supported; ewma and IP hash not supported. |
| `nginx.ingress.kubernetes.io/backend-protocol` | FCGI and AUTO_HTTP not supported. |
| `nginx.ingress.kubernetes.io/enable-cors` | Partial support. |
| `nginx.ingress.kubernetes.io/cors-allow-credentials` | |
| `nginx.ingress.kubernetes.io/cors-allow-headers` | |
| `nginx.ingress.kubernetes.io/cors-allow-methods` | |
| `nginx.ingress.kubernetes.io/cors-allow-origin` | |
| `nginx.ingress.kubernetes.io/cors-max-age` | |
| `nginx.ingress.kubernetes.io/proxy-ssl-server-name` | |
| `nginx.ingress.kubernetes.io/proxy-ssl-name` | |
| `nginx.ingress.kubernetes.io/proxy-ssl-verify` | |
| `nginx.ingress.kubernetes.io/proxy-ssl-secret` | |
| `nginx.ingress.kubernetes.io/service-upstream` | |
| <a id="nginx-ingress-kubernetes-ioaffinity" href="#nginx-ingress-kubernetes-ioaffinity" title="#nginx-ingress-kubernetes-ioaffinity">`nginx.ingress.kubernetes.io/affinity`</a> | |
| <a id="nginx-ingress-kubernetes-ioaffinity-mode" href="#nginx-ingress-kubernetes-ioaffinity-mode" title="#nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Only persistent mode supported; balanced/canary not supported. |
| <a id="nginx-ingress-kubernetes-ioauth-type" href="#nginx-ingress-kubernetes-ioauth-type" title="#nginx-ingress-kubernetes-ioauth-type">`nginx.ingress.kubernetes.io/auth-type`</a> | |
| <a id="nginx-ingress-kubernetes-ioauth-secret" href="#nginx-ingress-kubernetes-ioauth-secret" title="#nginx-ingress-kubernetes-ioauth-secret">`nginx.ingress.kubernetes.io/auth-secret`</a> | |
| <a id="nginx-ingress-kubernetes-ioauth-secret-type" href="#nginx-ingress-kubernetes-ioauth-secret-type" title="#nginx-ingress-kubernetes-ioauth-secret-type">`nginx.ingress.kubernetes.io/auth-secret-type`</a> | |
| <a id="nginx-ingress-kubernetes-ioauth-realm" href="#nginx-ingress-kubernetes-ioauth-realm" title="#nginx-ingress-kubernetes-ioauth-realm">`nginx.ingress.kubernetes.io/auth-realm`</a> | |
| <a id="nginx-ingress-kubernetes-ioauth-url" href="#nginx-ingress-kubernetes-ioauth-url" title="#nginx-ingress-kubernetes-ioauth-url">`nginx.ingress.kubernetes.io/auth-url`</a> | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. |
| <a id="nginx-ingress-kubernetes-ioauth-method" href="#nginx-ingress-kubernetes-ioauth-method" title="#nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> | |
| <a id="nginx-ingress-kubernetes-ioauth-response-headers" href="#nginx-ingress-kubernetes-ioauth-response-headers" title="#nginx-ingress-kubernetes-ioauth-response-headers">`nginx.ingress.kubernetes.io/auth-response-headers`</a> | |
| <a id="nginx-ingress-kubernetes-iossl-redirect" href="#nginx-ingress-kubernetes-iossl-redirect" title="#nginx-ingress-kubernetes-iossl-redirect">`nginx.ingress.kubernetes.io/ssl-redirect`</a> | Cannot opt-out per route if enabled globally. |
| <a id="nginx-ingress-kubernetes-ioforce-ssl-redirect" href="#nginx-ingress-kubernetes-ioforce-ssl-redirect" title="#nginx-ingress-kubernetes-ioforce-ssl-redirect">`nginx.ingress.kubernetes.io/force-ssl-redirect`</a> | Cannot opt-out per route if enabled globally. |
| <a id="nginx-ingress-kubernetes-iossl-passthrough" href="#nginx-ingress-kubernetes-iossl-passthrough" title="#nginx-ingress-kubernetes-iossl-passthrough">`nginx.ingress.kubernetes.io/ssl-passthrough`</a> | Some differences in SNI/default backend handling. |
| <a id="nginx-ingress-kubernetes-iouse-regex" href="#nginx-ingress-kubernetes-iouse-regex" title="#nginx-ingress-kubernetes-iouse-regex">`nginx.ingress.kubernetes.io/use-regex`</a> | |
| <a id="nginx-ingress-kubernetes-iosession-cookie-name" href="#nginx-ingress-kubernetes-iosession-cookie-name" title="#nginx-ingress-kubernetes-iosession-cookie-name">`nginx.ingress.kubernetes.io/session-cookie-name`</a> | |
| <a id="nginx-ingress-kubernetes-iosession-cookie-path" href="#nginx-ingress-kubernetes-iosession-cookie-path" title="#nginx-ingress-kubernetes-iosession-cookie-path">`nginx.ingress.kubernetes.io/session-cookie-path`</a> | |
| <a id="nginx-ingress-kubernetes-iosession-cookie-domain" href="#nginx-ingress-kubernetes-iosession-cookie-domain" title="#nginx-ingress-kubernetes-iosession-cookie-domain">`nginx.ingress.kubernetes.io/session-cookie-domain`</a> | |
| <a id="nginx-ingress-kubernetes-iosession-cookie-samesite" href="#nginx-ingress-kubernetes-iosession-cookie-samesite" title="#nginx-ingress-kubernetes-iosession-cookie-samesite">`nginx.ingress.kubernetes.io/session-cookie-samesite`</a> | |
| <a id="nginx-ingress-kubernetes-ioload-balance" href="#nginx-ingress-kubernetes-ioload-balance" title="#nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Only round_robin supported; ewma and IP hash not supported. |
| <a id="nginx-ingress-kubernetes-iobackend-protocol" href="#nginx-ingress-kubernetes-iobackend-protocol" title="#nginx-ingress-kubernetes-iobackend-protocol">`nginx.ingress.kubernetes.io/backend-protocol`</a> | FCGI and AUTO_HTTP not supported. |
| <a id="nginx-ingress-kubernetes-ioenable-cors" href="#nginx-ingress-kubernetes-ioenable-cors" title="#nginx-ingress-kubernetes-ioenable-cors">`nginx.ingress.kubernetes.io/enable-cors`</a> | Partial support. |
| <a id="nginx-ingress-kubernetes-iocors-allow-credentials" href="#nginx-ingress-kubernetes-iocors-allow-credentials" title="#nginx-ingress-kubernetes-iocors-allow-credentials">`nginx.ingress.kubernetes.io/cors-allow-credentials`</a> | |
| <a id="nginx-ingress-kubernetes-iocors-allow-headers" href="#nginx-ingress-kubernetes-iocors-allow-headers" title="#nginx-ingress-kubernetes-iocors-allow-headers">`nginx.ingress.kubernetes.io/cors-allow-headers`</a> | |
| <a id="nginx-ingress-kubernetes-iocors-allow-methods" href="#nginx-ingress-kubernetes-iocors-allow-methods" title="#nginx-ingress-kubernetes-iocors-allow-methods">`nginx.ingress.kubernetes.io/cors-allow-methods`</a> | |
| <a id="nginx-ingress-kubernetes-iocors-allow-origin" href="#nginx-ingress-kubernetes-iocors-allow-origin" title="#nginx-ingress-kubernetes-iocors-allow-origin">`nginx.ingress.kubernetes.io/cors-allow-origin`</a> | |
| <a id="nginx-ingress-kubernetes-iocors-max-age" href="#nginx-ingress-kubernetes-iocors-max-age" title="#nginx-ingress-kubernetes-iocors-max-age">`nginx.ingress.kubernetes.io/cors-max-age`</a> | |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-server-name" href="#nginx-ingress-kubernetes-ioproxy-ssl-server-name" title="#nginx-ingress-kubernetes-ioproxy-ssl-server-name">`nginx.ingress.kubernetes.io/proxy-ssl-server-name`</a> | |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-name" href="#nginx-ingress-kubernetes-ioproxy-ssl-name" title="#nginx-ingress-kubernetes-ioproxy-ssl-name">`nginx.ingress.kubernetes.io/proxy-ssl-name`</a> | |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-verify" href="#nginx-ingress-kubernetes-ioproxy-ssl-verify" title="#nginx-ingress-kubernetes-ioproxy-ssl-verify">`nginx.ingress.kubernetes.io/proxy-ssl-verify`</a> | |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-secret" href="#nginx-ingress-kubernetes-ioproxy-ssl-secret" title="#nginx-ingress-kubernetes-ioproxy-ssl-secret">`nginx.ingress.kubernetes.io/proxy-ssl-secret`</a> | |
| <a id="nginx-ingress-kubernetes-ioservice-upstream" href="#nginx-ingress-kubernetes-ioservice-upstream" title="#nginx-ingress-kubernetes-ioservice-upstream">`nginx.ingress.kubernetes.io/service-upstream`</a> | |
### Unsupported NGINX Annotations
@@ -308,95 +308,95 @@ Limitations or behavioral differences are indicated where relevant.
| Annotation | Notes |
|-----------------------------------------------------------------------------|------------------------------------------------------|
| `nginx.ingress.kubernetes.io/app-root` | Not supported yet. |
| `nginx.ingress.kubernetes.io/affinity-canary-behavior` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-tls-secret` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-tls-verify-depth` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-tls-verify-client` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-tls-error-page` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-tls-match-cn` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-cache-key` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-cache-duration` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-keepalive` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-keepalive-share-vars` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-keepalive-requests` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-keepalive-timeout` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-proxy-set-headers` | Not supported yet. |
| `nginx.ingress.kubernetes.io/auth-snippet` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-global-auth` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary-by-header` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary-by-header-value` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary-by-header-pattern` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary-by-cookie` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary-weight` | Not supported yet. |
| `nginx.ingress.kubernetes.io/canary-weight-total` | Not supported yet. |
| `nginx.ingress.kubernetes.io/client-body-buffer-size` | Not supported yet. |
| `nginx.ingress.kubernetes.io/configuration-snippet` | Not supported yet. |
| `nginx.ingress.kubernetes.io/custom-http-errors` | Not supported yet. |
| `nginx.ingress.kubernetes.io/disable-proxy-intercept-errors` | Not supported yet. |
| `nginx.ingress.kubernetes.io/default-backend` | Not supported yet; use `defaultBackend` in Ingress spec. |
| `nginx.ingress.kubernetes.io/limit-rate-after` | Not supported yet. |
| `nginx.ingress.kubernetes.io/limit-rate` | Not supported yet. |
| `nginx.ingress.kubernetes.io/limit-whitelist` | Not supported yet. |
| `nginx.ingress.kubernetes.io/limit-rps` | Not supported yet. |
| `nginx.ingress.kubernetes.io/limit-rpm` | Not supported yet. |
| `nginx.ingress.kubernetes.io/limit-burst-multiplier` | Not supported yet. |
| `nginx.ingress.kubernetes.io/limit-connections` | Not supported yet. |
| `nginx.ingress.kubernetes.io/global-rate-limit` | Not supported yet. |
| `nginx.ingress.kubernetes.io/global-rate-limit-window` | Not supported yet. |
| `nginx.ingress.kubernetes.io/global-rate-limit-key` | Not supported yet. |
| `nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs` | Not supported yet. |
| `nginx.ingress.kubernetes.io/permanent-redirect` | Not supported yet. |
| `nginx.ingress.kubernetes.io/permanent-redirect-code` | Not supported yet. |
| `nginx.ingress.kubernetes.io/temporal-redirect` | Not supported yet. |
| `nginx.ingress.kubernetes.io/preserve-trailing-slash` | Not supported yet; Traefik preserves by default. |
| `nginx.ingress.kubernetes.io/proxy-cookie-domain` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-cookie-path` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-connect-timeout` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-send-timeout` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-read-timeout` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-next-upstream` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-next-upstream-timeout` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-next-upstream-tries` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-request-buffering` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-redirect-from` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-redirect-to` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-http-version` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-ssl-ciphers` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-ssl-verify-depth` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-ssl-protocols` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-rewrite-log` | Not supported yet. |
| `nginx.ingress.kubernetes.io/rewrite-target` | Not supported yet. |
| `nginx.ingress.kubernetes.io/satisfy` | Not supported yet. |
| `nginx.ingress.kubernetes.io/server-alias` | Not supported yet. |
| `nginx.ingress.kubernetes.io/server-snippet` | Not supported yet. |
| `nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none` | Not supported yet. |
| `nginx.ingress.kubernetes.io/session-cookie-expires` | Not supported yet. |
| `nginx.ingress.kubernetes.io/session-cookie-change-on-failure` | Not supported yet. |
| `nginx.ingress.kubernetes.io/ssl-ciphers` | Not supported yet. |
| `nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers` | Not supported yet. |
| `nginx.ingress.kubernetes.io/connection-proxy-header` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-access-log` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-opentracing` | Not supported yet. |
| `nginx.ingress.kubernetes.io/opentracing-trust-incoming-span` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-opentelemetry` | Not supported yet. |
| `nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-modsecurity` | Not supported yet. |
| `nginx.ingress.kubernetes.io/enable-owasp-core-rules` | Not supported yet. |
| `nginx.ingress.kubernetes.io/modsecurity-transaction-id` | Not supported yet. |
| `nginx.ingress.kubernetes.io/modsecurity-snippet` | Not supported yet. |
| `nginx.ingress.kubernetes.io/mirror-request-body` | Not supported yet. |
| `nginx.ingress.kubernetes.io/mirror-target` | Not supported yet. |
| `nginx.ingress.kubernetes.io/mirror-host` | Not supported yet. |
| `nginx.ingress.kubernetes.io/x-forwarded-prefix` | Not supported yet. |
| `nginx.ingress.kubernetes.io/upstream-hash-by` | Not supported yet. |
| `nginx.ingress.kubernetes.io/upstream-vhost` | Not supported yet. |
| `nginx.ingress.kubernetes.io/denylist-source-range` | Not supported yet. |
| `nginx.ingress.kubernetes.io/whitelist-source-range` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-buffering` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-buffers-number` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-buffer-size` | Not supported yet. |
| `nginx.ingress.kubernetes.io/proxy-max-temp-file-size` | Not supported yet. |
| `nginx.ingress.kubernetes.io/stream-snippet` | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioapp-root" href="#nginx-ingress-kubernetes-ioapp-root" title="#nginx-ingress-kubernetes-ioapp-root">`nginx.ingress.kubernetes.io/app-root`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioaffinity-canary-behavior" href="#nginx-ingress-kubernetes-ioaffinity-canary-behavior" title="#nginx-ingress-kubernetes-ioaffinity-canary-behavior">`nginx.ingress.kubernetes.io/affinity-canary-behavior`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-tls-secret" href="#nginx-ingress-kubernetes-ioauth-tls-secret" title="#nginx-ingress-kubernetes-ioauth-tls-secret">`nginx.ingress.kubernetes.io/auth-tls-secret`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-tls-verify-depth" href="#nginx-ingress-kubernetes-ioauth-tls-verify-depth" title="#nginx-ingress-kubernetes-ioauth-tls-verify-depth">`nginx.ingress.kubernetes.io/auth-tls-verify-depth`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-tls-verify-client" href="#nginx-ingress-kubernetes-ioauth-tls-verify-client" title="#nginx-ingress-kubernetes-ioauth-tls-verify-client">`nginx.ingress.kubernetes.io/auth-tls-verify-client`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-tls-error-page" href="#nginx-ingress-kubernetes-ioauth-tls-error-page" title="#nginx-ingress-kubernetes-ioauth-tls-error-page">`nginx.ingress.kubernetes.io/auth-tls-error-page`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" href="#nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" title="#nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream">`nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-tls-match-cn" href="#nginx-ingress-kubernetes-ioauth-tls-match-cn" title="#nginx-ingress-kubernetes-ioauth-tls-match-cn">`nginx.ingress.kubernetes.io/auth-tls-match-cn`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-cache-key" href="#nginx-ingress-kubernetes-ioauth-cache-key" title="#nginx-ingress-kubernetes-ioauth-cache-key">`nginx.ingress.kubernetes.io/auth-cache-key`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-cache-duration" href="#nginx-ingress-kubernetes-ioauth-cache-duration" title="#nginx-ingress-kubernetes-ioauth-cache-duration">`nginx.ingress.kubernetes.io/auth-cache-duration`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-keepalive" href="#nginx-ingress-kubernetes-ioauth-keepalive" title="#nginx-ingress-kubernetes-ioauth-keepalive">`nginx.ingress.kubernetes.io/auth-keepalive`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-keepalive-share-vars" href="#nginx-ingress-kubernetes-ioauth-keepalive-share-vars" title="#nginx-ingress-kubernetes-ioauth-keepalive-share-vars">`nginx.ingress.kubernetes.io/auth-keepalive-share-vars`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-keepalive-requests" href="#nginx-ingress-kubernetes-ioauth-keepalive-requests" title="#nginx-ingress-kubernetes-ioauth-keepalive-requests">`nginx.ingress.kubernetes.io/auth-keepalive-requests`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-keepalive-timeout" href="#nginx-ingress-kubernetes-ioauth-keepalive-timeout" title="#nginx-ingress-kubernetes-ioauth-keepalive-timeout">`nginx.ingress.kubernetes.io/auth-keepalive-timeout`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-proxy-set-headers" href="#nginx-ingress-kubernetes-ioauth-proxy-set-headers" title="#nginx-ingress-kubernetes-ioauth-proxy-set-headers">`nginx.ingress.kubernetes.io/auth-proxy-set-headers`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioauth-snippet" href="#nginx-ingress-kubernetes-ioauth-snippet" title="#nginx-ingress-kubernetes-ioauth-snippet">`nginx.ingress.kubernetes.io/auth-snippet`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-global-auth" href="#nginx-ingress-kubernetes-ioenable-global-auth" title="#nginx-ingress-kubernetes-ioenable-global-auth">`nginx.ingress.kubernetes.io/enable-global-auth`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary" href="#nginx-ingress-kubernetes-iocanary" title="#nginx-ingress-kubernetes-iocanary">`nginx.ingress.kubernetes.io/canary`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary-by-header" href="#nginx-ingress-kubernetes-iocanary-by-header" title="#nginx-ingress-kubernetes-iocanary-by-header">`nginx.ingress.kubernetes.io/canary-by-header`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary-by-header-value" href="#nginx-ingress-kubernetes-iocanary-by-header-value" title="#nginx-ingress-kubernetes-iocanary-by-header-value">`nginx.ingress.kubernetes.io/canary-by-header-value`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary-by-header-pattern" href="#nginx-ingress-kubernetes-iocanary-by-header-pattern" title="#nginx-ingress-kubernetes-iocanary-by-header-pattern">`nginx.ingress.kubernetes.io/canary-by-header-pattern`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary-by-cookie" href="#nginx-ingress-kubernetes-iocanary-by-cookie" title="#nginx-ingress-kubernetes-iocanary-by-cookie">`nginx.ingress.kubernetes.io/canary-by-cookie`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary-weight" href="#nginx-ingress-kubernetes-iocanary-weight" title="#nginx-ingress-kubernetes-iocanary-weight">`nginx.ingress.kubernetes.io/canary-weight`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocanary-weight-total" href="#nginx-ingress-kubernetes-iocanary-weight-total" title="#nginx-ingress-kubernetes-iocanary-weight-total">`nginx.ingress.kubernetes.io/canary-weight-total`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioclient-body-buffer-size" href="#nginx-ingress-kubernetes-ioclient-body-buffer-size" title="#nginx-ingress-kubernetes-ioclient-body-buffer-size">`nginx.ingress.kubernetes.io/client-body-buffer-size`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioconfiguration-snippet" href="#nginx-ingress-kubernetes-ioconfiguration-snippet" title="#nginx-ingress-kubernetes-ioconfiguration-snippet">`nginx.ingress.kubernetes.io/configuration-snippet`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iocustom-http-errors" href="#nginx-ingress-kubernetes-iocustom-http-errors" title="#nginx-ingress-kubernetes-iocustom-http-errors">`nginx.ingress.kubernetes.io/custom-http-errors`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iodisable-proxy-intercept-errors" href="#nginx-ingress-kubernetes-iodisable-proxy-intercept-errors" title="#nginx-ingress-kubernetes-iodisable-proxy-intercept-errors">`nginx.ingress.kubernetes.io/disable-proxy-intercept-errors`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iodefault-backend" href="#nginx-ingress-kubernetes-iodefault-backend" title="#nginx-ingress-kubernetes-iodefault-backend">`nginx.ingress.kubernetes.io/default-backend`</a> | Not supported yet; use `defaultBackend` in Ingress spec. |
| <a id="nginx-ingress-kubernetes-iolimit-rate-after" href="#nginx-ingress-kubernetes-iolimit-rate-after" title="#nginx-ingress-kubernetes-iolimit-rate-after">`nginx.ingress.kubernetes.io/limit-rate-after`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iolimit-rate" href="#nginx-ingress-kubernetes-iolimit-rate" title="#nginx-ingress-kubernetes-iolimit-rate">`nginx.ingress.kubernetes.io/limit-rate`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iolimit-whitelist" href="#nginx-ingress-kubernetes-iolimit-whitelist" title="#nginx-ingress-kubernetes-iolimit-whitelist">`nginx.ingress.kubernetes.io/limit-whitelist`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iolimit-rps" href="#nginx-ingress-kubernetes-iolimit-rps" title="#nginx-ingress-kubernetes-iolimit-rps">`nginx.ingress.kubernetes.io/limit-rps`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iolimit-rpm" href="#nginx-ingress-kubernetes-iolimit-rpm" title="#nginx-ingress-kubernetes-iolimit-rpm">`nginx.ingress.kubernetes.io/limit-rpm`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iolimit-burst-multiplier" href="#nginx-ingress-kubernetes-iolimit-burst-multiplier" title="#nginx-ingress-kubernetes-iolimit-burst-multiplier">`nginx.ingress.kubernetes.io/limit-burst-multiplier`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iolimit-connections" href="#nginx-ingress-kubernetes-iolimit-connections" title="#nginx-ingress-kubernetes-iolimit-connections">`nginx.ingress.kubernetes.io/limit-connections`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioglobal-rate-limit" href="#nginx-ingress-kubernetes-ioglobal-rate-limit" title="#nginx-ingress-kubernetes-ioglobal-rate-limit">`nginx.ingress.kubernetes.io/global-rate-limit`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioglobal-rate-limit-window" href="#nginx-ingress-kubernetes-ioglobal-rate-limit-window" title="#nginx-ingress-kubernetes-ioglobal-rate-limit-window">`nginx.ingress.kubernetes.io/global-rate-limit-window`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioglobal-rate-limit-key" href="#nginx-ingress-kubernetes-ioglobal-rate-limit-key" title="#nginx-ingress-kubernetes-ioglobal-rate-limit-key">`nginx.ingress.kubernetes.io/global-rate-limit-key`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs" href="#nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs" title="#nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs">`nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iopermanent-redirect" href="#nginx-ingress-kubernetes-iopermanent-redirect" title="#nginx-ingress-kubernetes-iopermanent-redirect">`nginx.ingress.kubernetes.io/permanent-redirect`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iopermanent-redirect-code" href="#nginx-ingress-kubernetes-iopermanent-redirect-code" title="#nginx-ingress-kubernetes-iopermanent-redirect-code">`nginx.ingress.kubernetes.io/permanent-redirect-code`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iotemporal-redirect" href="#nginx-ingress-kubernetes-iotemporal-redirect" title="#nginx-ingress-kubernetes-iotemporal-redirect">`nginx.ingress.kubernetes.io/temporal-redirect`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iopreserve-trailing-slash" href="#nginx-ingress-kubernetes-iopreserve-trailing-slash" title="#nginx-ingress-kubernetes-iopreserve-trailing-slash">`nginx.ingress.kubernetes.io/preserve-trailing-slash`</a> | Not supported yet; Traefik preserves by default. |
| <a id="nginx-ingress-kubernetes-ioproxy-cookie-domain" href="#nginx-ingress-kubernetes-ioproxy-cookie-domain" title="#nginx-ingress-kubernetes-ioproxy-cookie-domain">`nginx.ingress.kubernetes.io/proxy-cookie-domain`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-cookie-path" href="#nginx-ingress-kubernetes-ioproxy-cookie-path" title="#nginx-ingress-kubernetes-ioproxy-cookie-path">`nginx.ingress.kubernetes.io/proxy-cookie-path`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-connect-timeout" href="#nginx-ingress-kubernetes-ioproxy-connect-timeout" title="#nginx-ingress-kubernetes-ioproxy-connect-timeout">`nginx.ingress.kubernetes.io/proxy-connect-timeout`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-send-timeout" href="#nginx-ingress-kubernetes-ioproxy-send-timeout" title="#nginx-ingress-kubernetes-ioproxy-send-timeout">`nginx.ingress.kubernetes.io/proxy-send-timeout`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-read-timeout" href="#nginx-ingress-kubernetes-ioproxy-read-timeout" title="#nginx-ingress-kubernetes-ioproxy-read-timeout">`nginx.ingress.kubernetes.io/proxy-read-timeout`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-next-upstream" href="#nginx-ingress-kubernetes-ioproxy-next-upstream" title="#nginx-ingress-kubernetes-ioproxy-next-upstream">`nginx.ingress.kubernetes.io/proxy-next-upstream`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" href="#nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" title="#nginx-ingress-kubernetes-ioproxy-next-upstream-timeout">`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-next-upstream-tries" href="#nginx-ingress-kubernetes-ioproxy-next-upstream-tries" title="#nginx-ingress-kubernetes-ioproxy-next-upstream-tries">`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-request-buffering" href="#nginx-ingress-kubernetes-ioproxy-request-buffering" title="#nginx-ingress-kubernetes-ioproxy-request-buffering">`nginx.ingress.kubernetes.io/proxy-request-buffering`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-redirect-from" href="#nginx-ingress-kubernetes-ioproxy-redirect-from" title="#nginx-ingress-kubernetes-ioproxy-redirect-from">`nginx.ingress.kubernetes.io/proxy-redirect-from`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-redirect-to" href="#nginx-ingress-kubernetes-ioproxy-redirect-to" title="#nginx-ingress-kubernetes-ioproxy-redirect-to">`nginx.ingress.kubernetes.io/proxy-redirect-to`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-http-version" href="#nginx-ingress-kubernetes-ioproxy-http-version" title="#nginx-ingress-kubernetes-ioproxy-http-version">`nginx.ingress.kubernetes.io/proxy-http-version`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-ciphers" href="#nginx-ingress-kubernetes-ioproxy-ssl-ciphers" title="#nginx-ingress-kubernetes-ioproxy-ssl-ciphers">`nginx.ingress.kubernetes.io/proxy-ssl-ciphers`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-verify-depth" href="#nginx-ingress-kubernetes-ioproxy-ssl-verify-depth" title="#nginx-ingress-kubernetes-ioproxy-ssl-verify-depth">`nginx.ingress.kubernetes.io/proxy-ssl-verify-depth`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-ssl-protocols" href="#nginx-ingress-kubernetes-ioproxy-ssl-protocols" title="#nginx-ingress-kubernetes-ioproxy-ssl-protocols">`nginx.ingress.kubernetes.io/proxy-ssl-protocols`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-rewrite-log" href="#nginx-ingress-kubernetes-ioenable-rewrite-log" title="#nginx-ingress-kubernetes-ioenable-rewrite-log">`nginx.ingress.kubernetes.io/enable-rewrite-log`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iorewrite-target" href="#nginx-ingress-kubernetes-iorewrite-target" title="#nginx-ingress-kubernetes-iorewrite-target">`nginx.ingress.kubernetes.io/rewrite-target`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iosatisfy" href="#nginx-ingress-kubernetes-iosatisfy" title="#nginx-ingress-kubernetes-iosatisfy">`nginx.ingress.kubernetes.io/satisfy`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioserver-alias" href="#nginx-ingress-kubernetes-ioserver-alias" title="#nginx-ingress-kubernetes-ioserver-alias">`nginx.ingress.kubernetes.io/server-alias`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioserver-snippet" href="#nginx-ingress-kubernetes-ioserver-snippet" title="#nginx-ingress-kubernetes-ioserver-snippet">`nginx.ingress.kubernetes.io/server-snippet`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none" href="#nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none" title="#nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none">`nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iosession-cookie-expires" href="#nginx-ingress-kubernetes-iosession-cookie-expires" title="#nginx-ingress-kubernetes-iosession-cookie-expires">`nginx.ingress.kubernetes.io/session-cookie-expires`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iosession-cookie-change-on-failure" href="#nginx-ingress-kubernetes-iosession-cookie-change-on-failure" title="#nginx-ingress-kubernetes-iosession-cookie-change-on-failure">`nginx.ingress.kubernetes.io/session-cookie-change-on-failure`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iossl-ciphers" href="#nginx-ingress-kubernetes-iossl-ciphers" title="#nginx-ingress-kubernetes-iossl-ciphers">`nginx.ingress.kubernetes.io/ssl-ciphers`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iossl-prefer-server-ciphers" href="#nginx-ingress-kubernetes-iossl-prefer-server-ciphers" title="#nginx-ingress-kubernetes-iossl-prefer-server-ciphers">`nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioconnection-proxy-header" href="#nginx-ingress-kubernetes-ioconnection-proxy-header" title="#nginx-ingress-kubernetes-ioconnection-proxy-header">`nginx.ingress.kubernetes.io/connection-proxy-header`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-access-log" href="#nginx-ingress-kubernetes-ioenable-access-log" title="#nginx-ingress-kubernetes-ioenable-access-log">`nginx.ingress.kubernetes.io/enable-access-log`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-opentracing" href="#nginx-ingress-kubernetes-ioenable-opentracing" title="#nginx-ingress-kubernetes-ioenable-opentracing">`nginx.ingress.kubernetes.io/enable-opentracing`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioopentracing-trust-incoming-span" href="#nginx-ingress-kubernetes-ioopentracing-trust-incoming-span" title="#nginx-ingress-kubernetes-ioopentracing-trust-incoming-span">`nginx.ingress.kubernetes.io/opentracing-trust-incoming-span`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-opentelemetry" href="#nginx-ingress-kubernetes-ioenable-opentelemetry" title="#nginx-ingress-kubernetes-ioenable-opentelemetry">`nginx.ingress.kubernetes.io/enable-opentelemetry`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioopentelemetry-trust-incoming-span" href="#nginx-ingress-kubernetes-ioopentelemetry-trust-incoming-span" title="#nginx-ingress-kubernetes-ioopentelemetry-trust-incoming-span">`nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-modsecurity" href="#nginx-ingress-kubernetes-ioenable-modsecurity" title="#nginx-ingress-kubernetes-ioenable-modsecurity">`nginx.ingress.kubernetes.io/enable-modsecurity`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioenable-owasp-core-rules" href="#nginx-ingress-kubernetes-ioenable-owasp-core-rules" title="#nginx-ingress-kubernetes-ioenable-owasp-core-rules">`nginx.ingress.kubernetes.io/enable-owasp-core-rules`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iomodsecurity-transaction-id" href="#nginx-ingress-kubernetes-iomodsecurity-transaction-id" title="#nginx-ingress-kubernetes-iomodsecurity-transaction-id">`nginx.ingress.kubernetes.io/modsecurity-transaction-id`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iomodsecurity-snippet" href="#nginx-ingress-kubernetes-iomodsecurity-snippet" title="#nginx-ingress-kubernetes-iomodsecurity-snippet">`nginx.ingress.kubernetes.io/modsecurity-snippet`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iomirror-request-body" href="#nginx-ingress-kubernetes-iomirror-request-body" title="#nginx-ingress-kubernetes-iomirror-request-body">`nginx.ingress.kubernetes.io/mirror-request-body`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iomirror-target" href="#nginx-ingress-kubernetes-iomirror-target" title="#nginx-ingress-kubernetes-iomirror-target">`nginx.ingress.kubernetes.io/mirror-target`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iomirror-host" href="#nginx-ingress-kubernetes-iomirror-host" title="#nginx-ingress-kubernetes-iomirror-host">`nginx.ingress.kubernetes.io/mirror-host`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iox-forwarded-prefix" href="#nginx-ingress-kubernetes-iox-forwarded-prefix" title="#nginx-ingress-kubernetes-iox-forwarded-prefix">`nginx.ingress.kubernetes.io/x-forwarded-prefix`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioupstream-hash-by" href="#nginx-ingress-kubernetes-ioupstream-hash-by" title="#nginx-ingress-kubernetes-ioupstream-hash-by">`nginx.ingress.kubernetes.io/upstream-hash-by`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioupstream-vhost" href="#nginx-ingress-kubernetes-ioupstream-vhost" title="#nginx-ingress-kubernetes-ioupstream-vhost">`nginx.ingress.kubernetes.io/upstream-vhost`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iodenylist-source-range" href="#nginx-ingress-kubernetes-iodenylist-source-range" title="#nginx-ingress-kubernetes-iodenylist-source-range">`nginx.ingress.kubernetes.io/denylist-source-range`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iowhitelist-source-range" href="#nginx-ingress-kubernetes-iowhitelist-source-range" title="#nginx-ingress-kubernetes-iowhitelist-source-range">`nginx.ingress.kubernetes.io/whitelist-source-range`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-buffering" href="#nginx-ingress-kubernetes-ioproxy-buffering" title="#nginx-ingress-kubernetes-ioproxy-buffering">`nginx.ingress.kubernetes.io/proxy-buffering`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-buffers-number" href="#nginx-ingress-kubernetes-ioproxy-buffers-number" title="#nginx-ingress-kubernetes-ioproxy-buffers-number">`nginx.ingress.kubernetes.io/proxy-buffers-number`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-buffer-size" href="#nginx-ingress-kubernetes-ioproxy-buffer-size" title="#nginx-ingress-kubernetes-ioproxy-buffer-size">`nginx.ingress.kubernetes.io/proxy-buffer-size`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-ioproxy-max-temp-file-size" href="#nginx-ingress-kubernetes-ioproxy-max-temp-file-size" title="#nginx-ingress-kubernetes-ioproxy-max-temp-file-size">`nginx.ingress.kubernetes.io/proxy-max-temp-file-size`</a> | Not supported yet. |
| <a id="nginx-ingress-kubernetes-iostream-snippet" href="#nginx-ingress-kubernetes-iostream-snippet" title="#nginx-ingress-kubernetes-iostream-snippet">`nginx.ingress.kubernetes.io/stream-snippet`</a> | Not supported yet. |

74
docs/content/reference/routing-configuration/other-providers/file.toml
View File

@@ -55,12 +55,23 @@
fallback = "foobar"
[http.services.Service01.failover.healthCheck]
[http.services.Service02]
[http.services.Service02.loadBalancer]
[http.services.Service02.highestRandomWeight]
[[http.services.Service02.highestRandomWeight.services]]
name = "foobar"
weight = 42
[[http.services.Service02.highestRandomWeight.services]]
name = "foobar"
weight = 42
[http.services.Service02.highestRandomWeight.healthCheck]
[http.services.Service03]
[http.services.Service03.loadBalancer]
strategy = "foobar"
passHostHeader = true
serversTransport = "foobar"
[http.services.Service02.loadBalancer.sticky]
[http.services.Service02.loadBalancer.sticky.cookie]
[http.services.Service03.loadBalancer.sticky]
[http.services.Service03.loadBalancer.sticky.cookie]
name = "foobar"
secure = true
httpOnly = true
@@ -69,16 +80,16 @@
path = "foobar"
domain = "foobar"
[[http.services.Service02.loadBalancer.servers]]
[[http.services.Service03.loadBalancer.servers]]
url = "foobar"
weight = 42
preservePath = true
[[http.services.Service02.loadBalancer.servers]]
[[http.services.Service03.loadBalancer.servers]]
url = "foobar"
weight = 42
preservePath = true
[http.services.Service02.loadBalancer.healthCheck]
[http.services.Service03.loadBalancer.healthCheck]
scheme = "foobar"
mode = "foobar"
path = "foobar"
@@ -90,37 +101,40 @@
timeout = "42s"
hostname = "foobar"
followRedirects = true
[http.services.Service02.loadBalancer.healthCheck.headers]
[http.services.Service03.loadBalancer.healthCheck.headers]
name0 = "foobar"
name1 = "foobar"
[http.services.Service02.loadBalancer.responseForwarding]
[http.services.Service03.loadBalancer.passiveHealthCheck]
failureWindow = "42s"
maxFailedAttempts = 42
[http.services.Service03.loadBalancer.responseForwarding]
flushInterval = "42s"
[http.services.Service03]
[http.services.Service03.mirroring]
[http.services.Service04]
[http.services.Service04.mirroring]
service = "foobar"
mirrorBody = true
maxBodySize = 42
[[http.services.Service03.mirroring.mirrors]]
[[http.services.Service04.mirroring.mirrors]]
name = "foobar"
percent = 42
[[http.services.Service03.mirroring.mirrors]]
[[http.services.Service04.mirroring.mirrors]]
name = "foobar"
percent = 42
[http.services.Service03.mirroring.healthCheck]
[http.services.Service04]
[http.services.Service04.weighted]
[http.services.Service04.mirroring.healthCheck]
[http.services.Service05]
[http.services.Service05.weighted]
[[http.services.Service04.weighted.services]]
[[http.services.Service05.weighted.services]]
name = "foobar"
weight = 42
[[http.services.Service04.weighted.services]]
[[http.services.Service05.weighted.services]]
name = "foobar"
weight = 42
[http.services.Service04.weighted.sticky]
[http.services.Service04.weighted.sticky.cookie]
[http.services.Service05.weighted.sticky]
[http.services.Service05.weighted.sticky.cookie]
name = "foobar"
secure = true
httpOnly = true
@@ -128,7 +142,7 @@
maxAge = 42
path = "foobar"
domain = "foobar"
[http.services.Service04.weighted.healthCheck]
[http.services.Service05.weighted.healthCheck]
[http.middlewares]
[http.middlewares.Middleware01]
[http.middlewares.Middleware01.addPrefix]
@@ -454,16 +468,16 @@
[tcp.services.TCPService01.loadBalancer]
serversTransport = "foobar"
terminationDelay = 42
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[tcp.services.TCPService01.loadBalancer.proxyProtocol]
version = 42
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[tcp.services.TCPService02]
[tcp.services.TCPService02.weighted]
@@ -489,6 +503,8 @@
dialKeepAlive = "42s"
dialTimeout = "42s"
terminationDelay = "42s"
[tcp.serversTransports.TCPServersTransport0.proxyProtocol]
version = 42
[tcp.serversTransports.TCPServersTransport0.tls]
serverName = "foobar"
insecureSkipVerify = true
@@ -509,6 +525,8 @@
dialKeepAlive = "42s"
dialTimeout = "42s"
terminationDelay = "42s"
[tcp.serversTransports.TCPServersTransport1.proxyProtocol]
version = 42
[tcp.serversTransports.TCPServersTransport1.tls]
serverName = "foobar"
insecureSkipVerify = true

23
docs/content/reference/routing-configuration/other-providers/file.yaml
View File

@@ -65,6 +65,14 @@ http:
fallback: foobar
healthCheck: {}
Service02:
highestRandomWeight:
services:
- name: foobar
weight: 42
- name: foobar
weight: 42
healthCheck: {}
Service03:
loadBalancer:
sticky:
cookie:
@@ -98,11 +106,14 @@ http:
headers:
name0: foobar
name1: foobar
passiveHealthCheck:
failureWindow: 42s
maxFailedAttempts: 42
passHostHeader: true
responseForwarding:
flushInterval: 42s
serversTransport: foobar
Service03:
Service04:
mirroring:
service: foobar
mirrorBody: true
@@ -113,7 +124,7 @@ http:
- name: foobar
percent: 42
healthCheck: {}
Service04:
Service05:
weighted:
services:
- name: foobar
@@ -518,14 +529,14 @@ tcp:
services:
TCPService01:
loadBalancer:
proxyProtocol:
version: 42
servers:
- address: foobar
tls: true
- address: foobar
tls: true
serversTransport: foobar
proxyProtocol:
version: 42
terminationDelay: 42
TCPService02:
weighted:
@@ -552,6 +563,8 @@ tcp:
TCPServersTransport0:
dialKeepAlive: 42s
dialTimeout: 42s
proxyProtocol:
version: 42
terminationDelay: 42s
tls:
serverName: foobar
@@ -573,6 +586,8 @@ tcp:
TCPServersTransport1:
dialKeepAlive: 42s
dialTimeout: 42s
proxyProtocol:
version: 42
terminationDelay: 42s
tls:
serverName: foobar

174
docs/content/reference/routing-configuration/other-providers/kv.md
View File

@@ -19,23 +19,23 @@ description: "Read the technical documentation to learn the Traefik Routing Conf
| Key (Path) | Description | Value |
|--------------------------------------|--------------------------------------|----------------------------|
| `traefik/http/routers/<router_name>/rule` | See [rule](../http/router/rules-and-priority.md#rules) for more information. | ```Host(`example.com`)``` |
| `traefik/http/routers/<router_name>/ruleSyntax` | See [rule](../http/router/rules-and-priority.md#rulesyntax) for more information.<br/>RuleSyntax option is deprecated and will be removed in the next major version.<br/>Please do not use this field and rewrite the router rules to use the v3 syntax. | `v3` |
| `traefik/http/routers/<router_name>/entrypoints/0` | See [entry points](../../install-configuration/entrypoints.md) for more information. | `web` |
| `traefik/http/routers/<router_name>/entrypoints/1` | See [entry points](../../install-configuration/entrypoints.md) for more information. | `websecure` |
| `traefik/http/routers/<router_name>/middlewares/0` | See [middlewares overview](../http/middlewares/overview.md) for more information. | `auth` |
| `traefik/http/routers/<router_name>/middlewares/1` | | `prefix` |
| `traefik/http/routers/<router_name>/service` | See [service](../http/load-balancing/service.md) for more information. | `myservice` |
| `traefik/http/routers/<router_name>/tls` | See [tls](../http/tls/overview.md) for more information. | `true` |
| `traefik/http/routers/<router_name>/tls/certresolver` | See [certResolver](../../install-configuration/tls/certificate-resolvers/overview.md) for more information. | `myresolver` |
| `traefik/http/routers/<router_name>/tls/domains/0/main` | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `example.org` |
| `traefik/http/routers/<router_name>/tls/domains/0/sans/0` | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `test.example.org` |
| `traefik/http/routers/<router_name>/tls/domains/0/sans/1` | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `dev.example.org` |
| `traefik/http/routers/<router_name>/tls/options` | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| `traefik/http/routers/<router_name>/observability/accesslogs` | The accessLogs option controls whether the router will produce access-logs. | `true` |
| `traefik/http/routers/<router_name>/observability/metrics` | The metrics option controls whether the router will produce metrics. | `true` |
| `traefik/http/routers/<router_name>/observability/tracing` | The tracing option controls whether the router will produce traces. | `true` |
| `traefik/http/routers/<router_name>/priority` | See [priority](../http/router/rules-and-priority.md#priority-calculation) for more information. | `42` |
| <a id="traefikhttproutersrouter-namerule" href="#traefikhttproutersrouter-namerule" title="#traefikhttproutersrouter-namerule">`traefik/http/routers/<router_name>/rule`</a> | See [rule](../http/router/rules-and-priority.md#rules) for more information. | ```Host(`example.com`)``` |
| <a id="traefikhttproutersrouter-nameruleSyntax" href="#traefikhttproutersrouter-nameruleSyntax" title="#traefikhttproutersrouter-nameruleSyntax">`traefik/http/routers/<router_name>/ruleSyntax`</a> | See [rule](../http/router/rules-and-priority.md#rulesyntax) for more information.<br/>RuleSyntax option is deprecated and will be removed in the next major version.<br/>Please do not use this field and rewrite the router rules to use the v3 syntax. | `v3` |
| <a id="traefikhttproutersrouter-nameentrypoints0" href="#traefikhttproutersrouter-nameentrypoints0" title="#traefikhttproutersrouter-nameentrypoints0">`traefik/http/routers/<router_name>/entrypoints/0`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `web` |
| <a id="traefikhttproutersrouter-nameentrypoints1" href="#traefikhttproutersrouter-nameentrypoints1" title="#traefikhttproutersrouter-nameentrypoints1">`traefik/http/routers/<router_name>/entrypoints/1`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `websecure` |
| <a id="traefikhttproutersrouter-namemiddlewares0" href="#traefikhttproutersrouter-namemiddlewares0" title="#traefikhttproutersrouter-namemiddlewares0">`traefik/http/routers/<router_name>/middlewares/0`</a> | See [middlewares overview](../http/middlewares/overview.md) for more information. | `auth` |
| <a id="traefikhttproutersrouter-namemiddlewares1" href="#traefikhttproutersrouter-namemiddlewares1" title="#traefikhttproutersrouter-namemiddlewares1">`traefik/http/routers/<router_name>/middlewares/1`</a> | | `prefix` |
| <a id="traefikhttproutersrouter-nameservice" href="#traefikhttproutersrouter-nameservice" title="#traefikhttproutersrouter-nameservice">`traefik/http/routers/<router_name>/service`</a> | See [service](../http/load-balancing/service.md) for more information. | `myservice` |
| <a id="traefikhttproutersrouter-nametls" href="#traefikhttproutersrouter-nametls" title="#traefikhttproutersrouter-nametls">`traefik/http/routers/<router_name>/tls`</a> | See [tls](../http/tls/overview.md) for more information. | `true` |
| <a id="traefikhttproutersrouter-nametlscertresolver" href="#traefikhttproutersrouter-nametlscertresolver" title="#traefikhttproutersrouter-nametlscertresolver">`traefik/http/routers/<router_name>/tls/certresolver`</a> | See [certResolver](../../install-configuration/tls/certificate-resolvers/overview.md) for more information. | `myresolver` |
| <a id="traefikhttproutersrouter-nametlsdomains0main" href="#traefikhttproutersrouter-nametlsdomains0main" title="#traefikhttproutersrouter-nametlsdomains0main">`traefik/http/routers/<router_name>/tls/domains/0/main`</a> | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `example.org` |
| <a id="traefikhttproutersrouter-nametlsdomains0sans0" href="#traefikhttproutersrouter-nametlsdomains0sans0" title="#traefikhttproutersrouter-nametlsdomains0sans0">`traefik/http/routers/<router_name>/tls/domains/0/sans/0`</a> | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `test.example.org` |
| <a id="traefikhttproutersrouter-nametlsdomains0sans1" href="#traefikhttproutersrouter-nametlsdomains0sans1" title="#traefikhttproutersrouter-nametlsdomains0sans1">`traefik/http/routers/<router_name>/tls/domains/0/sans/1`</a> | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `dev.example.org` |
| <a id="traefikhttproutersrouter-nametlsoptions" href="#traefikhttproutersrouter-nametlsoptions" title="#traefikhttproutersrouter-nametlsoptions">`traefik/http/routers/<router_name>/tls/options`</a> | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| <a id="traefikhttproutersrouter-nameobservabilityaccesslogs" href="#traefikhttproutersrouter-nameobservabilityaccesslogs" title="#traefikhttproutersrouter-nameobservabilityaccesslogs">`traefik/http/routers/<router_name>/observability/accesslogs`</a> | The accessLogs option controls whether the router will produce access-logs. | `true` |
| <a id="traefikhttproutersrouter-nameobservabilitymetrics" href="#traefikhttproutersrouter-nameobservabilitymetrics" title="#traefikhttproutersrouter-nameobservabilitymetrics">`traefik/http/routers/<router_name>/observability/metrics`</a> | The metrics option controls whether the router will produce metrics. | `true` |
| <a id="traefikhttproutersrouter-nameobservabilitytracing" href="#traefikhttproutersrouter-nameobservabilitytracing" title="#traefikhttproutersrouter-nameobservabilitytracing">`traefik/http/routers/<router_name>/observability/tracing`</a> | The tracing option controls whether the router will produce traces. | `true` |
| <a id="traefikhttproutersrouter-namepriority" href="#traefikhttproutersrouter-namepriority" title="#traefikhttproutersrouter-namepriority">`traefik/http/routers/<router_name>/priority`</a> | See [priority](../http/router/rules-and-priority.md#priority-calculation) for more information. | `42` |
#### Services
@@ -43,41 +43,41 @@ description: "Read the technical documentation to learn the Traefik Routing Conf
| Key (Path) | Description | Value |
|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
| `traefik/http/services/myservice/loadbalancer/servers/0/url` | See [servers](../http/load-balancing/service.md#servers) for more information. | `http://<ip-server-1>:<port-server-1>/` |
| `traefik/http/services/myservice/loadbalancer/servers/0/preservePath` | See [servers](../http/load-balancing/service.md#servers) for more information. | `true` |
| `traefik/http/services/myservice/loadbalancer/servers/0/weight` | See [servers](../http/load-balancing/service.md#servers) for more information. | `1` |
| `traefik/http/services/myservice/loadbalancer/serverstransport` | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/> See [serverstransport](../http/load-balancing/serverstransport.md) for more information. | `foobar@file` |
| `traefik/http/services/myservice/loadbalancer/passhostheader` | See [Service](../http/load-balancing/service.md) for more information. | `true` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/headers/X-Foo` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/hostname` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `example.org` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/interval` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/path` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `/foo` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/method` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/status` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/port` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/scheme` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `http` |
| `traefik/http/services/myservice/loadbalancer/healthcheck/timeout` | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10` |
| `traefik/http/services/myservice/loadbalancer/sticky` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
| `traefik/http/services/myservice/loadbalancer/sticky/cookie/httponly` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
| `traefik/http/services/myservice/loadbalancer/sticky/cookie/name` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `foobar` |
| `traefik/http/services/myservice/loadbalancer/sticky/cookie/path` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `/foobar` |
| `traefik/http/services/myservice/loadbalancer/sticky/cookie/secure` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
| `traefik/http/services/myservice/loadbalancer/sticky/cookie/samesite` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `none` |
| `traefik/http/services/myservice/loadbalancer/sticky/cookie/maxage` | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `42` |
| `traefik/http/services/myservice/loadbalancer/responseforwarding/flushinterval` | See [Service](../http/load-balancing/service.md) for more information. | `10` |
| `traefik/http/services/<service_name>/mirroring/service` | See [Service](../http/load-balancing/service.md#mirroring) for more information. | `foobar` |
| `traefik/http/services/<service_name>/mirroring/mirrors/<n>/name` | See [Service](../http/load-balancing/service.md#mirroring) for more information. | `foobar` |
| `traefik/http/services/<service_name>/mirroring/mirrors/<n>/percent` | See [Service](../http/load-balancing/service.md#mirroring)for more information. | `42` |
| `traefik/http/services/<service_name>/weighted/services/<n>/name` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `foobar` |
| `traefik/http/services/<service_name>/weighted/services/<n>/weight` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `42` |
| `traefik/http/services/<service_name>/weighted/sticky/cookie/name` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `foobar` |
| `traefik/http/services/<service_name>/weighted/sticky/cookie/secure` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `true` |
| `traefik/http/services/<service_name>/weighted/sticky/cookie/samesite` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `none` |
| `traefik/http/services/<service_name>/weighted/sticky/cookie/httpOnly` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `true` |
| `traefik/http/services/<service_name>/weighted/sticky/cookie/maxage` | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `42` |
| `traefik/http/services/<service_name>/failover/fallback` | See [Failover](../http/load-balancing/service.md#failover) for more information. | `backup` |
| `traefik/http/services/<service_name>/failover/healthcheck` | See [Failover](../http/load-balancing/service.md#failover) for more information. | `{}` |
| `traefik/http/services/<service_name>/failover/service` | See [Failover](../http/load-balancing/service.md#failover) for more information. | `main` |
| <a id="traefikhttpservicesmyserviceloadbalancerservers0url" href="#traefikhttpservicesmyserviceloadbalancerservers0url" title="#traefikhttpservicesmyserviceloadbalancerservers0url">`traefik/http/services/myservice/loadbalancer/servers/0/url`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `http://<ip-server-1>:<port-server-1>/` |
| <a id="traefikhttpservicesmyserviceloadbalancerservers0preservePath" href="#traefikhttpservicesmyserviceloadbalancerservers0preservePath" title="#traefikhttpservicesmyserviceloadbalancerservers0preservePath">`traefik/http/services/myservice/loadbalancer/servers/0/preservePath`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `true` |
| <a id="traefikhttpservicesmyserviceloadbalancerservers0weight" href="#traefikhttpservicesmyserviceloadbalancerservers0weight" title="#traefikhttpservicesmyserviceloadbalancerservers0weight">`traefik/http/services/myservice/loadbalancer/servers/0/weight`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `1` |
| <a id="traefikhttpservicesmyserviceloadbalancerserverstransport" href="#traefikhttpservicesmyserviceloadbalancerserverstransport" title="#traefikhttpservicesmyserviceloadbalancerserverstransport">`traefik/http/services/myservice/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/> See [serverstransport](../http/load-balancing/serverstransport.md) for more information. | `foobar@file` |
| <a id="traefikhttpservicesmyserviceloadbalancerpasshostheader" href="#traefikhttpservicesmyserviceloadbalancerpasshostheader" title="#traefikhttpservicesmyserviceloadbalancerpasshostheader">`traefik/http/services/myservice/loadbalancer/passhostheader`</a> | See [Service](../http/load-balancing/service.md) for more information. | `true` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckheadersX-Foo" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckheadersX-Foo" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckheadersX-Foo">`traefik/http/services/myservice/loadbalancer/healthcheck/headers/X-Foo`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckhostname" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckhostname" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckhostname">`traefik/http/services/myservice/loadbalancer/healthcheck/hostname`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `example.org` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckinterval" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckinterval" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckinterval">`traefik/http/services/myservice/loadbalancer/healthcheck/interval`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckpath" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckpath" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckpath">`traefik/http/services/myservice/loadbalancer/healthcheck/path`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `/foo` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckmethod" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckmethod" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckmethod">`traefik/http/services/myservice/loadbalancer/healthcheck/method`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckstatus" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckstatus" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckstatus">`traefik/http/services/myservice/loadbalancer/healthcheck/status`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckport" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckport" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckport">`traefik/http/services/myservice/loadbalancer/healthcheck/port`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthcheckscheme" href="#traefikhttpservicesmyserviceloadbalancerhealthcheckscheme" title="#traefikhttpservicesmyserviceloadbalancerhealthcheckscheme">`traefik/http/services/myservice/loadbalancer/healthcheck/scheme`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `http` |
| <a id="traefikhttpservicesmyserviceloadbalancerhealthchecktimeout" href="#traefikhttpservicesmyserviceloadbalancerhealthchecktimeout" title="#traefikhttpservicesmyserviceloadbalancerhealthchecktimeout">`traefik/http/services/myservice/loadbalancer/healthcheck/timeout`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10` |
| <a id="traefikhttpservicesmyserviceloadbalancersticky" href="#traefikhttpservicesmyserviceloadbalancersticky" title="#traefikhttpservicesmyserviceloadbalancersticky">`traefik/http/services/myservice/loadbalancer/sticky`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
| <a id="traefikhttpservicesmyserviceloadbalancerstickycookiehttponly" href="#traefikhttpservicesmyserviceloadbalancerstickycookiehttponly" title="#traefikhttpservicesmyserviceloadbalancerstickycookiehttponly">`traefik/http/services/myservice/loadbalancer/sticky/cookie/httponly`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
| <a id="traefikhttpservicesmyserviceloadbalancerstickycookiename" href="#traefikhttpservicesmyserviceloadbalancerstickycookiename" title="#traefikhttpservicesmyserviceloadbalancerstickycookiename">`traefik/http/services/myservice/loadbalancer/sticky/cookie/name`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `foobar` |
| <a id="traefikhttpservicesmyserviceloadbalancerstickycookiepath" href="#traefikhttpservicesmyserviceloadbalancerstickycookiepath" title="#traefikhttpservicesmyserviceloadbalancerstickycookiepath">`traefik/http/services/myservice/loadbalancer/sticky/cookie/path`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `/foobar` |
| <a id="traefikhttpservicesmyserviceloadbalancerstickycookiesecure" href="#traefikhttpservicesmyserviceloadbalancerstickycookiesecure" title="#traefikhttpservicesmyserviceloadbalancerstickycookiesecure">`traefik/http/services/myservice/loadbalancer/sticky/cookie/secure`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
| <a id="traefikhttpservicesmyserviceloadbalancerstickycookiesamesite" href="#traefikhttpservicesmyserviceloadbalancerstickycookiesamesite" title="#traefikhttpservicesmyserviceloadbalancerstickycookiesamesite">`traefik/http/services/myservice/loadbalancer/sticky/cookie/samesite`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `none` |
| <a id="traefikhttpservicesmyserviceloadbalancerstickycookiemaxage" href="#traefikhttpservicesmyserviceloadbalancerstickycookiemaxage" title="#traefikhttpservicesmyserviceloadbalancerstickycookiemaxage">`traefik/http/services/myservice/loadbalancer/sticky/cookie/maxage`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `42` |
| <a id="traefikhttpservicesmyserviceloadbalancerresponseforwardingflushinterval" href="#traefikhttpservicesmyserviceloadbalancerresponseforwardingflushinterval" title="#traefikhttpservicesmyserviceloadbalancerresponseforwardingflushinterval">`traefik/http/services/myservice/loadbalancer/responseforwarding/flushinterval`</a> | See [Service](../http/load-balancing/service.md) for more information. | `10` |
| <a id="traefikhttpservicesservice-namemirroringservice" href="#traefikhttpservicesservice-namemirroringservice" title="#traefikhttpservicesservice-namemirroringservice">`traefik/http/services/<service_name>/mirroring/service`</a> | See [Service](../http/load-balancing/service.md#mirroring) for more information. | `foobar` |
| <a id="traefikhttpservicesservice-namemirroringmirrorsnname" href="#traefikhttpservicesservice-namemirroringmirrorsnname" title="#traefikhttpservicesservice-namemirroringmirrorsnname">`traefik/http/services/<service_name>/mirroring/mirrors/<n>/name`</a> | See [Service](../http/load-balancing/service.md#mirroring) for more information. | `foobar` |
| <a id="traefikhttpservicesservice-namemirroringmirrorsnpercent" href="#traefikhttpservicesservice-namemirroringmirrorsnpercent" title="#traefikhttpservicesservice-namemirroringmirrorsnpercent">`traefik/http/services/<service_name>/mirroring/mirrors/<n>/percent`</a> | See [Service](../http/load-balancing/service.md#mirroring)for more information. | `42` |
| <a id="traefikhttpservicesservice-nameweightedservicesnname" href="#traefikhttpservicesservice-nameweightedservicesnname" title="#traefikhttpservicesservice-nameweightedservicesnname">`traefik/http/services/<service_name>/weighted/services/<n>/name`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `foobar` |
| <a id="traefikhttpservicesservice-nameweightedservicesnweight" href="#traefikhttpservicesservice-nameweightedservicesnweight" title="#traefikhttpservicesservice-nameweightedservicesnweight">`traefik/http/services/<service_name>/weighted/services/<n>/weight`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `42` |
| <a id="traefikhttpservicesservice-nameweightedstickycookiename" href="#traefikhttpservicesservice-nameweightedstickycookiename" title="#traefikhttpservicesservice-nameweightedstickycookiename">`traefik/http/services/<service_name>/weighted/sticky/cookie/name`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `foobar` |
| <a id="traefikhttpservicesservice-nameweightedstickycookiesecure" href="#traefikhttpservicesservice-nameweightedstickycookiesecure" title="#traefikhttpservicesservice-nameweightedstickycookiesecure">`traefik/http/services/<service_name>/weighted/sticky/cookie/secure`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `true` |
| <a id="traefikhttpservicesservice-nameweightedstickycookiesamesite" href="#traefikhttpservicesservice-nameweightedstickycookiesamesite" title="#traefikhttpservicesservice-nameweightedstickycookiesamesite">`traefik/http/services/<service_name>/weighted/sticky/cookie/samesite`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `none` |
| <a id="traefikhttpservicesservice-nameweightedstickycookiehttpOnly" href="#traefikhttpservicesservice-nameweightedstickycookiehttpOnly" title="#traefikhttpservicesservice-nameweightedstickycookiehttpOnly">`traefik/http/services/<service_name>/weighted/sticky/cookie/httpOnly`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `true` |
| <a id="traefikhttpservicesservice-nameweightedstickycookiemaxage" href="#traefikhttpservicesservice-nameweightedstickycookiemaxage" title="#traefikhttpservicesservice-nameweightedstickycookiemaxage">`traefik/http/services/<service_name>/weighted/sticky/cookie/maxage`</a> | See [Service](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `42` |
| <a id="traefikhttpservicesservice-namefailoverfallback" href="#traefikhttpservicesservice-namefailoverfallback" title="#traefikhttpservicesservice-namefailoverfallback">`traefik/http/services/<service_name>/failover/fallback`</a> | See [Failover](../http/load-balancing/service.md#failover) for more information. | `backup` |
| <a id="traefikhttpservicesservice-namefailoverhealthcheck" href="#traefikhttpservicesservice-namefailoverhealthcheck" title="#traefikhttpservicesservice-namefailoverhealthcheck">`traefik/http/services/<service_name>/failover/healthcheck`</a> | See [Failover](../http/load-balancing/service.md#failover) for more information. | `{}` |
| <a id="traefikhttpservicesservice-namefailoverservice" href="#traefikhttpservicesservice-namefailoverservice" title="#traefikhttpservicesservice-namefailoverservice">`traefik/http/services/<service_name>/failover/service`</a> | See [Failover](../http/load-balancing/service.md#failover) for more information. | `main` |
#### Middleware
@@ -85,7 +85,7 @@ description: "Read the technical documentation to learn the Traefik Routing Conf
| Key (Path) | Description | Value |
|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
| `traefik/http/middlewares/mymiddleware/middleware_type/middleware_option` | With `middleware_type` the type of middleware (ex: `forwardAuth`, `headers`, etc)<br/>and `middleware_option` the middleware option to set (ex for the middleware `addPrefix`: `prefix`).<br/> More information about available middlewares in the dedicated [middlewares section](../http/middlewares/overview.md). | `foobar` |
| <a id="traefikhttpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" href="#traefikhttpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" title="#traefikhttpmiddlewaresmymiddlewaremiddleware-typemiddleware-option">`traefik/http/middlewares/mymiddleware/middleware_type/middleware_option`</a> | With `middleware_type` the type of middleware (ex: `forwardAuth`, `headers`, etc)<br/>and `middleware_option` the middleware option to set (ex for the middleware `addPrefix`: `prefix`).<br/> More information about available middlewares in the dedicated [middlewares section](../http/middlewares/overview.md). | `foobar` |
!!! warning "The character `@` is not authorized in the middleware name."
@@ -108,7 +108,7 @@ traefik/http/routers/<router_name>/middlewares/0=myAddPrefix
| Key (Path) | Description | Value |
|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
| `traefik/http/serversTransports/<serversTransportName>/st_option` | With `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../http/load-balancing/serverstransport.md). | ServerTransport Options |
| <a id="traefikhttpserversTransportsserversTransportNamest-option" href="#traefikhttpserversTransportsserversTransportNamest-option" title="#traefikhttpserversTransportsserversTransportNamest-option">`traefik/http/serversTransports/<serversTransportName>/st_option`</a> | With `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../http/load-balancing/serverstransport.md). | ServerTransport Options |
##### Configuration Example
@@ -129,29 +129,29 @@ You can declare TCP Routers and/or Services using KV.
| Key (Path) | Description | Value |
|-------------------------------------------------|-------------------------------------------------|-------|
| `traefik/tcp/routers/mytcprouter/entrypoints/0` | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep1` |
| `traefik/tcp/routers/mytcprouter/entrypoints/1` | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep2` |
| `traefik/tcp/routers/my-router/rule` | See [entry points](../../install-configuration/entrypoints.md) for more information. | ```HostSNI(`example.com`)``` |
| `traefik/tcp/routers/mytcprouter/service` | See [service](../tcp/service.md) for more information. | `myservice` |
| `traefik/tcp/routers/mytcprouter/tls` | See [TLS](../tcp/tls.md) for more information. | `true` |
| `traefik/tcp/routers/mytcprouter/tls/certresolver` | See [certResolver](../tcp/tls.md#configuration-options) for more information. | `myresolver` |
| `traefik/tcp/routers/mytcprouter/tls/domains/0/main` | See [TLS](../tcp/tls.md) for more information. | `example.org` |
| `traefik/tcp/routers/mytcprouter/tls/domains/0/sans/0` | See [TLS](../tcp/tls.md) for more information. | `test.example.org` |
| `traefik/tcp/routers/mytcprouter/tls/domains/0/sans/1` | See [TLS](../tcp/tls.md) for more information. | `dev.example.org` |
| `traefik/tcp/routers/mytcprouter/tls/options` | See [TLS](../tcp/tls.md) for more information. | `foobar` |
| `traefik/tcp/routers/mytcprouter/tls/passthrough` | See [TLS](../tcp/tls.md) for more information. | `true` |
| `traefik/tcp/routers/mytcprouter/priority` | See [priority](../tcp/router/rules-and-priority.md#priority) for more information. | `42` |
| <a id="traefiktcproutersmytcprouterentrypoints0" href="#traefiktcproutersmytcprouterentrypoints0" title="#traefiktcproutersmytcprouterentrypoints0">`traefik/tcp/routers/mytcprouter/entrypoints/0`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep1` |
| <a id="traefiktcproutersmytcprouterentrypoints1" href="#traefiktcproutersmytcprouterentrypoints1" title="#traefiktcproutersmytcprouterentrypoints1">`traefik/tcp/routers/mytcprouter/entrypoints/1`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep2` |
| <a id="traefiktcproutersmy-routerrule" href="#traefiktcproutersmy-routerrule" title="#traefiktcproutersmy-routerrule">`traefik/tcp/routers/my-router/rule`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | ```HostSNI(`example.com`)``` |
| <a id="traefiktcproutersmytcprouterservice" href="#traefiktcproutersmytcprouterservice" title="#traefiktcproutersmytcprouterservice">`traefik/tcp/routers/mytcprouter/service`</a> | See [service](../tcp/service.md) for more information. | `myservice` |
| <a id="traefiktcproutersmytcproutertls" href="#traefiktcproutersmytcproutertls" title="#traefiktcproutersmytcproutertls">`traefik/tcp/routers/mytcprouter/tls`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
| <a id="traefiktcproutersmytcproutertlscertresolver" href="#traefiktcproutersmytcproutertlscertresolver" title="#traefiktcproutersmytcproutertlscertresolver">`traefik/tcp/routers/mytcprouter/tls/certresolver`</a> | See [certResolver](../tcp/tls.md#configuration-options) for more information. | `myresolver` |
| <a id="traefiktcproutersmytcproutertlsdomains0main" href="#traefiktcproutersmytcproutertlsdomains0main" title="#traefiktcproutersmytcproutertlsdomains0main">`traefik/tcp/routers/mytcprouter/tls/domains/0/main`</a> | See [TLS](../tcp/tls.md) for more information. | `example.org` |
| <a id="traefiktcproutersmytcproutertlsdomains0sans0" href="#traefiktcproutersmytcproutertlsdomains0sans0" title="#traefiktcproutersmytcproutertlsdomains0sans0">`traefik/tcp/routers/mytcprouter/tls/domains/0/sans/0`</a> | See [TLS](../tcp/tls.md) for more information. | `test.example.org` |
| <a id="traefiktcproutersmytcproutertlsdomains0sans1" href="#traefiktcproutersmytcproutertlsdomains0sans1" title="#traefiktcproutersmytcproutertlsdomains0sans1">`traefik/tcp/routers/mytcprouter/tls/domains/0/sans/1`</a> | See [TLS](../tcp/tls.md) for more information. | `dev.example.org` |
| <a id="traefiktcproutersmytcproutertlsoptions" href="#traefiktcproutersmytcproutertlsoptions" title="#traefiktcproutersmytcproutertlsoptions">`traefik/tcp/routers/mytcprouter/tls/options`</a> | See [TLS](../tcp/tls.md) for more information. | `foobar` |
| <a id="traefiktcproutersmytcproutertlspassthrough" href="#traefiktcproutersmytcproutertlspassthrough" title="#traefiktcproutersmytcproutertlspassthrough">`traefik/tcp/routers/mytcprouter/tls/passthrough`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
| <a id="traefiktcproutersmytcprouterpriority" href="#traefiktcproutersmytcprouterpriority" title="#traefiktcproutersmytcprouterpriority">`traefik/tcp/routers/mytcprouter/priority`</a> | See [priority](../tcp/router/rules-and-priority.md#priority) for more information. | `42` |
#### Services
| Key (Path) | Description | Value |
|--------------------------------------------------------------------|--------------------------------------------------------------------|------------------|
| `traefik/tcp/services/mytcpservice/loadbalancer/servers/0/address` | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `xx.xx.xx.xx:xx` |
| `traefik/tcp/services/mytcpservice/loadbalancer/servers/0/tls` | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `true` |
| `traefik/tcp/services/mytcpservice/loadbalancer/proxyprotocol/version` | See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information. | `1` |
| `traefik/tcp/services/myservice/loadbalancer/serverstransport` | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |
| `traefik/tcp/services/<service_name>/weighted/services/0/name` | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `foobar` |
| `traefik/tcp/services/<service_name>/weighted/services/0/weight` | See [Service](../tcp/service.md#weighted-round-robin-wrr) for more information. | `42` |
| <a id="traefiktcpservicesmytcpserviceloadbalancerservers0address" href="#traefiktcpservicesmytcpserviceloadbalancerservers0address" title="#traefiktcpservicesmytcpserviceloadbalancerservers0address">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/address`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `xx.xx.xx.xx:xx` |
| <a id="traefiktcpservicesmytcpserviceloadbalancerservers0tls" href="#traefiktcpservicesmytcpserviceloadbalancerservers0tls" title="#traefiktcpservicesmytcpserviceloadbalancerservers0tls">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/tls`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `true` |
| <a id="traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion" href="#traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion" title="#traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion">`traefik/tcp/services/mytcpservice/loadbalancer/proxyprotocol/version`</a> | See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information. | `1` |
| <a id="traefiktcpservicesmyserviceloadbalancerserverstransport" href="#traefiktcpservicesmyserviceloadbalancerserverstransport" title="#traefiktcpservicesmyserviceloadbalancerserverstransport">`traefik/tcp/services/myservice/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |
| <a id="traefiktcpservicesservice-nameweightedservices0name" href="#traefiktcpservicesservice-nameweightedservices0name" title="#traefiktcpservicesservice-nameweightedservices0name">`traefik/tcp/services/<service_name>/weighted/services/0/name`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `foobar` |
| <a id="traefiktcpservicesservice-nameweightedservices0weight" href="#traefiktcpservicesservice-nameweightedservices0weight" title="#traefiktcpservicesservice-nameweightedservices0weight">`traefik/tcp/services/<service_name>/weighted/services/0/weight`</a> | See [Service](../tcp/service.md#weighted-round-robin-wrr) for more information. | `42` |
#### Middleware
@@ -165,7 +165,7 @@ More information about available middlewares in the dedicated [middlewares secti
| Key (Path) | Description | Value |
|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
| `traefik/tcp/middlewares/mymiddleware/middleware_type/middleware_option` | With `middleware_type` the type of middleware (ex: `inflightconn`)<br/>and `middleware_option` the middleware option to set (ex for the middleware `inflightconn`: `amount`).<br/> More information about available middlewares in the dedicated [middlewares section](../tcp/middlewares/overview.md). | `foobar` |
| <a id="traefiktcpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" href="#traefiktcpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" title="#traefiktcpmiddlewaresmymiddlewaremiddleware-typemiddleware-option">`traefik/tcp/middlewares/mymiddleware/middleware_type/middleware_option`</a> | With `middleware_type` the type of middleware (ex: `inflightconn`)<br/>and `middleware_option` the middleware option to set (ex for the middleware `inflightconn`: `amount`).<br/> More information about available middlewares in the dedicated [middlewares section](../tcp/middlewares/overview.md). | `foobar` |
!!! warning "Conflicts in Declaration"
@@ -186,7 +186,7 @@ traefik/tcp/routers/<router_name>/middlewares/0=test-inflightconn
| Key (Path) | Description | Value |
|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
| `traefik/tcp/serversTransports/<serversTransportName>/st_option` | With `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../tcp/serverstransport.md). | ServerTransport Options |
| <a id="traefiktcpserversTransportsserversTransportNamest-option" href="#traefiktcpserversTransportsserversTransportNamest-option" title="#traefiktcpserversTransportsserversTransportNamest-option">`traefik/tcp/serversTransports/<serversTransportName>/st_option`</a> | With `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../tcp/serverstransport.md). | ServerTransport Options |
##### Configuration Example
@@ -205,16 +205,16 @@ You can declare UDP Routers and/or Services using KV.
| Key (Path) | Description | Value |
|------------------------------------------------------------------|------------------------------------------------------------------|-------|
| `traefik/udp/routers/myudprouter/entrypoints/0` | See [UDP Router](../udp/router/rules-priority.md#entrypoints) for more information. | `foobar` |
| `traefik/udp/routers/myudprouter/service` | See [UDP Router](../udp/router/rules-priority.md#configuration-example) for more information. | `foobar` |
| <a id="traefikudproutersmyudprouterentrypoints0" href="#traefikudproutersmyudprouterentrypoints0" title="#traefikudproutersmyudprouterentrypoints0">`traefik/udp/routers/myudprouter/entrypoints/0`</a> | See [UDP Router](../udp/router/rules-priority.md#entrypoints) for more information. | `foobar` |
| <a id="traefikudproutersmyudprouterservice" href="#traefikudproutersmyudprouterservice" title="#traefikudproutersmyudprouterservice">`traefik/udp/routers/myudprouter/service`</a> | See [UDP Router](../udp/router/rules-priority.md#configuration-example) for more information. | `foobar` |
#### Services
| Key (Path) | Description | Value |
|------------------------------------------------------------------|------------------------------------------------------------------|-------|
| `traefik/udp/services/loadBalancer/servers/<n>/address` | See [UDP Service](../udp/service.md) for more information. | `foobar` |
| `traefik/udp/services/weighted/services/0/name` | See [UDP Service](../udp/service.md) for more information. | `foobar` |
| `traefik/udp/services/weighted/servers/0/weight` |See [UDP Service](../udp/service.md) for more information. | `42` |
| <a id="traefikudpservicesloadBalancerserversnaddress" href="#traefikudpservicesloadBalancerserversnaddress" title="#traefikudpservicesloadBalancerserversnaddress">`traefik/udp/services/loadBalancer/servers/<n>/address`</a> | See [UDP Service](../udp/service.md) for more information. | `foobar` |
| <a id="traefikudpservicesweightedservices0name" href="#traefikudpservicesweightedservices0name" title="#traefikudpservicesweightedservices0name">`traefik/udp/services/weighted/services/0/name`</a> | See [UDP Service](../udp/service.md) for more information. | `foobar` |
| <a id="traefikudpservicesweightedservers0weight" href="#traefikudpservicesweightedservers0weight" title="#traefikudpservicesweightedservers0weight">`traefik/udp/services/weighted/servers/0/weight`</a> |See [UDP Service](../udp/service.md) for more information. | `42` |
## TLS
@@ -226,10 +226,10 @@ For example, you can define a basic setup like this:
| Key (Path) | Description | Value |
|------------------------------------------------------|------------------------------------------------------|----------|
| `traefik/tls/options/Options0/alpnProtocols/0` | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| `traefik/tls/options/Options0/cipherSuites/0` | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| `traefik/tls/options/Options0/clientAuth/caFiles/0` | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| `traefik/tls/options/Options0/disableSessiontickets` | See [TLS Options](../http/tls/tls-options.md) for more information. | `true` |
| <a id="traefiktlsoptionsOptions0alpnProtocols0" href="#traefiktlsoptionsOptions0alpnProtocols0" title="#traefiktlsoptionsOptions0alpnProtocols0">`traefik/tls/options/Options0/alpnProtocols/0`</a> | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| <a id="traefiktlsoptionsOptions0cipherSuites0" href="#traefiktlsoptionsOptions0cipherSuites0" title="#traefiktlsoptionsOptions0cipherSuites0">`traefik/tls/options/Options0/cipherSuites/0`</a> | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| <a id="traefiktlsoptionsOptions0clientAuthcaFiles0" href="#traefiktlsoptionsOptions0clientAuthcaFiles0" title="#traefiktlsoptionsOptions0clientAuthcaFiles0">`traefik/tls/options/Options0/clientAuth/caFiles/0`</a> | See [TLS Options](../http/tls/tls-options.md) for more information. | `foobar` |
| <a id="traefiktlsoptionsOptions0disableSessiontickets" href="#traefiktlsoptionsOptions0disableSessiontickets" title="#traefiktlsoptionsOptions0disableSessiontickets">`traefik/tls/options/Options0/disableSessiontickets`</a> | See [TLS Options](../http/tls/tls-options.md) for more information. | `true` |
### TLS Default Generated Certificates
@@ -239,7 +239,7 @@ The configuration to resolve the default certificate should be defined in a TLS
| Key (Path) | Description | Value |
|----------------------------------------------------------------|----------------------------------------------------------------|----------|
| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/main` | See [TLS](../http/tls/tls-certificates/#certificates-stores) for more information. | `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0` | See [TLS](../http/tls/tls-certificates/#certificates-stores) for more information| `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1` | See [TLS](../http/tls/tls-certificates/#certificates-stores) for more information| `foobar` |
| `traefik/tls/stores/Store0/defaultGeneratedCert/resolver` | See [TLS](../http/tls/tls-certificates/#certificates-stores) for more information| `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertdomainmain" href="#traefiktlsstoresStore0defaultGeneratedCertdomainmain" title="#traefiktlsstoresStore0defaultGeneratedCertdomainmain">`traefik/tls/stores/Store0/defaultGeneratedCert/domain/main`</a> | See [TLS](../http/tls/tls-certificates.md#certificates-stores) for more information. | `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertdomainsans0" href="#traefiktlsstoresStore0defaultGeneratedCertdomainsans0" title="#traefiktlsstoresStore0defaultGeneratedCertdomainsans0">`traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0`</a> | See [TLS](../http/tls/tls-certificates.md#certificates-stores) for more information| `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertdomainsans1" href="#traefiktlsstoresStore0defaultGeneratedCertdomainsans1" title="#traefiktlsstoresStore0defaultGeneratedCertdomainsans1">`traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1`</a> | See [TLS](../http/tls/tls-certificates.md#certificates-stores) for more information| `foobar` |
| <a id="traefiktlsstoresStore0defaultGeneratedCertresolver" href="#traefiktlsstoresStore0defaultGeneratedCertresolver" title="#traefiktlsstoresStore0defaultGeneratedCertresolver">`traefik/tls/stores/Store0/defaultGeneratedCert/resolver`</a> | See [TLS](../http/tls/tls-certificates.md#certificates-stores) for more information| `foobar` |

2
docs/content/reference/routing-configuration/tcp/middlewares/inflightconn.md
View File

@@ -52,4 +52,4 @@ spec:
| Field | Description | Default | Required |
|:------|:------------|------------------|-------|
| `amount` | The `amount` option defines the maximum amount of allowed simultaneous connections. <br /> The middleware closes the connection if there are already `amount` connections opened. | "" | Yes |
| <a id="amount" href="#amount" title="#amount">`amount`</a> | The `amount` option defines the maximum amount of allowed simultaneous connections. <br /> The middleware closes the connection if there are already `amount` connections opened. | "" | Yes |

Some files were not shown because too many files have changed in this diff Show More