mirror of
https://github.com/containous/traefik.git
synced 2026-01-15 16:32:52 +03:00
Compare commits
34 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
27b27e9b1f | ||
|
34d8491ac2 | ||
|
105bf1cfd6 | ||
|
1728364341 | ||
|
8479d66d18 | ||
|
|
9e5d4ba5a1 | ||
|
adf47fba31 | ||
|
|
794916a183 | ||
|
2e6dfbae57 | ||
|
ee265a8509 | ||
|
5a9f3e6999 | ||
|
|
fc67185987 | ||
|
d054299ed0 | ||
|
dc04dc1940 | ||
|
|
26f4a669b8 | ||
|
e8067f4e01 | ||
|
|
1881434ac6 | ||
|
862488569d | ||
|
2b710f05b3 | ||
|
c7487c4a69 | ||
|
|
e9f3089e90 | ||
|
7e703742cb | ||
|
|
4de6d6b902 | ||
|
|
1778ff3bac | ||
|
7e1654ae27 | ||
|
|
5d00096f82 | ||
|
be27044099 | ||
|
|
dbebe5fa3e | ||
|
413b7c8cca | ||
|
|
3b6949c18c | ||
|
|
66bf4632e2 | ||
|
|
1de72c715d | ||
|
|
cabcf19303 | ||
|
|
47d7094dfb |
63
.github/workflows/check_doc.yaml
vendored
Normal file
63
.github/workflows/check_doc.yaml
vendored
Normal file
@@ -0,0 +1,63 @@
|
||||
name: Check Documentation
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- '*'
|
||||
paths:
|
||||
- '.github/workflows/check_doc.yaml'
|
||||
- 'docs/**'
|
||||
|
||||
jobs:
|
||||
|
||||
docs:
|
||||
name: lint, build and verify
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Install markdownlint
|
||||
run: |
|
||||
npm install --global markdownlint@0.29.0 markdownlint-cli@0.35.0
|
||||
|
||||
- name: Lint
|
||||
run: ./docs/scripts/lint.sh docs
|
||||
|
||||
- name: Setup python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: '3.12'
|
||||
cache: 'pip'
|
||||
cache-dependency-path: "./docs/requirements.txt"
|
||||
|
||||
- name: Build documentation
|
||||
working-directory: ./docs
|
||||
run: |
|
||||
pip install -r requirements.txt
|
||||
mkdocs build --strict
|
||||
|
||||
- name: Setup ruby
|
||||
uses: ruby/setup-ruby@v1
|
||||
with:
|
||||
ruby-version: '3.4'
|
||||
|
||||
- name: Install html-proofer
|
||||
run: |
|
||||
gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
|
||||
gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
|
||||
env:
|
||||
NOKOGIRI_USE_SYSTEM_LIBRARIES: "true"
|
||||
|
||||
# Comes from https://github.com/gjtorikian/html-proofer?tab=readme-ov-file#caching-with-continuous-integration
|
||||
- name: Cache HTMLProofer
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: tmp/.htmlproofer
|
||||
key: ${{ runner.os }}-htmlproofer
|
||||
|
||||
- name: Verify
|
||||
run: ./docs/scripts/verify.sh docs/site
|
||||
25
.github/workflows/check_doc.yml
vendored
25
.github/workflows/check_doc.yml
vendored
@@ -1,25 +0,0 @@
|
||||
name: Check Documentation
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- '*'
|
||||
|
||||
jobs:
|
||||
|
||||
docs:
|
||||
name: Check, verify and build documentation
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Check documentation
|
||||
run: make docs-pull-images docs
|
||||
env:
|
||||
# These variables are not passed to workflows that are triggered by a pull request from a fork.
|
||||
DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
|
||||
DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}
|
||||
2
.github/workflows/validate.yaml
vendored
2
.github/workflows/validate.yaml
vendored
@@ -8,7 +8,7 @@ on:
|
||||
env:
|
||||
GO_VERSION: '1.24'
|
||||
GOLANGCI_LINT_VERSION: v2.0.2
|
||||
MISSPELL_VERSION: v0.6.0
|
||||
MISSPELL_VERSION: v0.7.0
|
||||
|
||||
jobs:
|
||||
|
||||
|
||||
37
CHANGELOG.md
37
CHANGELOG.md
@@ -1,3 +1,40 @@
|
||||
## [v3.6.7](https://github.com/traefik/traefik/tree/v3.6.7) (2026-01-14)
|
||||
[All Commits](https://github.com/traefik/traefik/compare/v3.6.6...v3.6.7)
|
||||
|
||||
**Bug fixes:**
|
||||
- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) by [ldez](https://github.com/ldez))
|
||||
- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) by [ldez](https://github.com/ldez))
|
||||
- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) by [schildbach](https://github.com/schildbach))
|
||||
- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) by [LBF38](https://github.com/LBF38))
|
||||
- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) by [rtribotte](https://github.com/rtribotte))
|
||||
- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) by [gndz07](https://github.com/gndz07))
|
||||
- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) by [LBF38](https://github.com/LBF38))
|
||||
- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) by [LBF38](https://github.com/LBF38))
|
||||
- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
|
||||
- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
|
||||
|
||||
**Documentation:**
|
||||
- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) by [DBouraoui](https://github.com/DBouraoui))
|
||||
- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) by [nmengin](https://github.com/nmengin))
|
||||
- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) by [mmatur](https://github.com/mmatur))
|
||||
- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) by [AnuragEkkati](https://github.com/AnuragEkkati))
|
||||
- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) by [EdwardSalkeld](https://github.com/EdwardSalkeld))
|
||||
- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) by [gndz07](https://github.com/gndz07))
|
||||
- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) by [schaerfo](https://github.com/schaerfo))
|
||||
- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) by [sheddy-traefik](https://github.com/sheddy-traefik))
|
||||
|
||||
**Misc:**
|
||||
- Merge branch v2.11 into v3.6 ([#12552](https://github.com/traefik/traefik/pull/12552) by [rtribotte](https://github.com/rtribotte))
|
||||
- Merge branch v2.11 into v3.6 ([#12533](https://github.com/traefik/traefik/pull/12533) by [mmatur](https://github.com/mmatur))
|
||||
- Merge branch v2.11 into v3.6 ([#12497](https://github.com/traefik/traefik/pull/12497) by [mmatur](https://github.com/mmatur))
|
||||
|
||||
## [v2.11.35](https://github.com/traefik/traefik/tree/v2.11.35) (2026-01-14)
|
||||
[All Commits](https://github.com/traefik/traefik/compare/v2.11.34...v2.11.35)
|
||||
|
||||
**Bug fixes:**
|
||||
- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
|
||||
- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
|
||||
|
||||
## [v3.6.6](https://github.com/traefik/traefik/tree/v3.6.6) (2025-12-29)
|
||||
[All Commits](https://github.com/traefik/traefik/compare/v3.6.5...v3.6.6)
|
||||
|
||||
|
||||
@@ -97,10 +97,10 @@ func runCmd(staticConfiguration *static.Configuration) error {
|
||||
return fmt.Errorf("setting up logger: %w", err)
|
||||
}
|
||||
|
||||
// Display warning to advertise for new behavior of rejecting encoded characters in the request path.
|
||||
// Deprecated: this has to be removed in the next minor/major version.
|
||||
log.Warn().Msg("Starting with v3.6.4, Traefik now rejects some encoded characters in the request path by default. " +
|
||||
"Refer to the documentation for more details: https://doc.traefik.io/traefik/migrate/v3/#encoded-characters-in-request-path")
|
||||
log.Warn().Msg("Traefik can reject some encoded characters in the request path." +
|
||||
"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
|
||||
"it is recommended to set these options to `false` to avoid split-view situation." +
|
||||
"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.6/migrate/v3/#encoded-characters-configuration-default-values")
|
||||
|
||||
http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
|
||||
|
||||
|
||||
@@ -34,6 +34,7 @@ RUN apk --no-cache --no-progress add \
|
||||
|
||||
COPY ./scripts/verify.sh /verify.sh
|
||||
COPY ./scripts/lint.sh /lint.sh
|
||||
COPY ./scripts/lint-yaml.sh /lint-yaml.sh
|
||||
|
||||
WORKDIR /app
|
||||
VOLUME ["/tmp","/app"]
|
||||
|
||||
18
docs/content/assets/css/code-copy.css
Normal file
18
docs/content/assets/css/code-copy.css
Normal file
@@ -0,0 +1,18 @@
|
||||
/* Fix positioning of the built-in clipboard button for code blocks.
|
||||
* In this theme, the button can end up positioned relative to <body>,
|
||||
* so anchor it to the code block container instead.
|
||||
*/
|
||||
|
||||
.md-typeset pre.highlight {
|
||||
position: relative;
|
||||
}
|
||||
|
||||
.md-typeset pre.highlight > button.md-clipboard {
|
||||
position: absolute;
|
||||
top: .25rem;
|
||||
right: .25rem;
|
||||
z-index: 10;
|
||||
opacity: 1;
|
||||
visibility: visible;
|
||||
}
|
||||
|
||||
@@ -1,4 +1,14 @@
|
||||
/* Highlight */
|
||||
(function(hljs) {
|
||||
hljs.initHighlightingOnLoad();
|
||||
})(hljs);
|
||||
})(hljs);
|
||||
|
||||
/* Scarf Analytics - cookieless, anonymous company-level intelligence */
|
||||
(function() {
|
||||
var img = document.createElement('img');
|
||||
img.src = 'https://static.scarf.sh/a.png?x-pxid=1a49232a-b165-4015-8ed2-a1092f1f0d83';
|
||||
img.referrerPolicy = 'no-referrer-when-downgrade';
|
||||
img.loading = 'eager';
|
||||
img.style.cssText = 'visibility:hidden;position:absolute;width:1px;height:1px;';
|
||||
document.body.appendChild(img);
|
||||
})();
|
||||
148
docs/content/features/index.md
Normal file
148
docs/content/features/index.md
Normal file
@@ -0,0 +1,148 @@
|
||||
---
|
||||
title: "Traefik Product Features Comparison"
|
||||
description: "Compare features across Traefik Proxy, Traefik Hub API Gateway (including AI Gateway capabilities), and Traefik Hub API Management to choose the right solution for your needs."
|
||||
---
|
||||
|
||||
# Traefik Product Features Comparison
|
||||
|
||||
The Traefik ecosystem offers multiple products designed to meet different requirements, from basic reverse proxy functionality to comprehensive API management and AI gateway capabilities. This comparison matrix helps you understand the features available in each product and choose the right solution for your use case.
|
||||
|
||||
## Product Overview
|
||||
|
||||
- **Traefik Proxy** is the open-source application proxy that serves as the foundation for all Traefik products. It provides essential reverse proxy, load balancing, and service discovery capabilities.
|
||||
|
||||
- **[Traefik Hub API Gateway](https://traefik.io/solutions/api-gateway/)** builds on Traefik Proxy with enterprise-grade security, distributed features, and advanced access control for cloud-native API gateway scenarios. It includes **AI Gateway capabilities** that transform any AI endpoint into a managed API.
|
||||
|
||||
- **[Traefik Hub API Management](https://traefik.io/solutions/api-management/)** adds comprehensive API lifecycle management, developer portals, and organizational features for teams managing multiple APIs across environments.
|
||||
|
||||
- **[Traefik AI Gateway](https://traefik.io/solutions/ai-gateway/)** transforms any AI endpoint into a managed API with unified access to multiple LLMs, centralized credential management, semantic caching, local inferencing, and comprehensive AI governance features.
|
||||
|
||||
- **[Traefik MCP Gateway](https://traefik.io/solutions/mcp-gateway/)** provides secure, governed access to Model Context Protocol (MCP) servers for AI agents with task-based access control (TBAC), session-smart routing, and comprehensive audit capabilities for enterprise AI workflows.
|
||||
|
||||
## Features Matrix
|
||||
|
||||
| Feature | Traefik Proxy | Traefik Hub API Gateway | Traefik Hub API Management |
|
||||
|---------|---------------|------------------------|---------------------------|
|
||||
| **Core Networking** | | | |
|
||||
| Services Auto-Discovery | ✓ | ✓ | ✓ |
|
||||
| Graceful Configuration Reload | ✓ | ✓ | ✓ |
|
||||
| Websockets, HTTP/2, HTTP/3, TCP, UDP, GRPC | ✓ | ✓ | ✓ |
|
||||
| Real-time Logs, Access Logs, Metrics & Distributed Tracing | ✓ | ✓ | ✓ |
|
||||
| Canary Deployments | ✓ | ✓ | ✓ |
|
||||
| Let's Encrypt | ✓ | ✓ | ✓ |
|
||||
| **Plugin Ecosystem** | | | |
|
||||
| [Plugin Support](https://plugins.traefik.io/plugins) ([Go](https://github.com/traefik/yaegi), [WASM](https://webassembly.org/)) | ✓ | ✓ | ✓ |
|
||||
| **Deployment & Operations** | | | |
|
||||
| Hybrid cloud, multi-cloud & on-prem compatible | ✓ | ✓ | ✓ |
|
||||
| Per-cluster dashboard | ✓ | ✓ | ✓ |
|
||||
| GitOps-native declarative configuration | ✓ | ✓ | ✓ |
|
||||
| **Authentication & Authorization** | | | |
|
||||
| JWT Authentication | ✗ | ✓ | ✓ |
|
||||
| OAuth 2.0 Token Introspection Authentication | ✗ | ✓ | ✓ |
|
||||
| OAuth 2.0 Client Credentials Authentication | ✗ | ✓ | ✓ |
|
||||
| OpenID Connect Authentication | ✗ | ✓ | ✓ |
|
||||
| Lightweight Directory Access Protocol (LDAP) | ✗ | ✓ | ✓ |
|
||||
| API Key Authentication | ✗ | ✓ | ✓ |
|
||||
| **Security & Policy** | | | |
|
||||
| Open Policy Agent | ✗ | ✓ | ✓ |
|
||||
| Native Coraza Web Application Firewall (WAF) | ✗ | ✓ | ✓ |
|
||||
| HashiCorp Vault Integration | ✗ | ✓ | ✓ |
|
||||
| **Distributed Features** | | | |
|
||||
| Distributed Let's Encrypt | ✗ | ✓ | ✓ |
|
||||
| Distributed Rate Limit | ✗ | ✓ | ✓ |
|
||||
| HTTP Caching | ✗ | ✓ | ✓ |
|
||||
| **Compliance** | | | |
|
||||
| FIPS 140-2 Compliance (Linux & Windows) | ✗ | ✓ | ✓ |
|
||||
| **AI Gateway Capabilities** | | | |
|
||||
| Unified Multi-LLM API Access | ✗ | ✓ | ✓ |
|
||||
| Centralized AI Credential Management | ✗ | ✓ | ✓ |
|
||||
| AI Provider Flexibility (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.) | ✗ | ✓ | ✓ |
|
||||
| Semantic Caching for AI Responses | ✗ | ✓ | ✓ |
|
||||
| Content Guard & PII Protection | ✗ | ✓ | ✓ |
|
||||
| AI-specific Observability & OpenTelemetry Integration | ✗ | ✓ | ✓ |
|
||||
| Support for Local/Self-hosted LLMs & Inference (Ollama, Mistral, etc.) | ✗ | ✓ | ✓ |
|
||||
| **MCP Gateway Capabilities** | | | |
|
||||
| Task-Based Access Control (TBAC) for AI Agents | ✗ | ✓ | ✓ |
|
||||
| MCP Servers Governance | ✗ | ✓ | ✓ |
|
||||
| Session-Smart Load Balancing for Agent Workflows | ✗ | ✓ | ✓ |
|
||||
| OAuth 2.1 / 2.0 Resource Server for MCP | ✗ | ✓ | ✓ |
|
||||
| Fine-grained Policy Enforcement for AI Tools | ✗ | ✓ | ✓ |
|
||||
| Audit-ready Observability for Agent Interactions | ✗ | ✓ | ✓ |
|
||||
| **API Management** | | | |
|
||||
| Flexible API grouping and versioning | ✗ | ✗ | ✓ |
|
||||
| API Developer Portal | ✗ | ✗ | ✓ |
|
||||
| OpenAPI Specifications Support | ✗ | ✗ | ✓ |
|
||||
| Multi-cluster dashboard | ✗ | ✗ | ✓ |
|
||||
| Built-in identity provider (or use your own) | ✗ | ✗ | ✓ |
|
||||
| Configuration linter & change impact analysis | ✗ | ✗ | ✓ |
|
||||
| Pre-built Grafana dashboards | ✗ | ✗ | ✓ |
|
||||
| Event correlation for quick incident mitigation | ✗ | ✗ | ✓ |
|
||||
| Traffic debugger | ✗ | ✓ | ✓ |
|
||||
| **Support** | | | |
|
||||
| Built-In Commercial Support | Add-on | ✓ | ✓ |
|
||||
|
||||
## Choosing the Right Product
|
||||
|
||||
### Start with Traefik Proxy
|
||||
|
||||
Traefik Proxy is the ideal starting point for organizations looking for a reliable, open-source application proxy with essential networking capabilities. Deploy it as your default ingress tier if you need:
|
||||
|
||||
- Basic reverse proxy and load balancing
|
||||
- Service discovery for containerized applications
|
||||
- Simple TLS termination and Let's Encrypt integration
|
||||
- Cost-effective solution with community support (can upgrade to Traefik Hub for more features)
|
||||
|
||||
### Upgrade to Traefik Hub API Gateway
|
||||
|
||||
Traefik Hub API Gateway layers enterprise security, distributed coordination, and AI Gateway capabilities on top of Traefik Proxy. Upgrade to it when you need:
|
||||
|
||||
- Enterprise security requirements (JWT, OIDC, LDAP)
|
||||
- Distributed deployments across multiple clusters
|
||||
- Advanced rate limiting and caching
|
||||
- WAF and policy enforcement
|
||||
- AI Gateway capabilities
|
||||
- Commercial support
|
||||
|
||||
### Consider Traefik AI Gateway
|
||||
|
||||
Traefik AI Gateway unifies hosted and self-hosted LLM access under centralized control and observability. Consider it if you have:
|
||||
|
||||
- Multi-LLM applications requiring unified API access
|
||||
- Organizations using multiple AI providers (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.)
|
||||
- Local/self-hosted LLM deployments (Ollama, Mistral)
|
||||
- Centralized AI credential and security management
|
||||
- Cost optimization through semantic caching
|
||||
- PII protection and content filtering for AI interactions
|
||||
- Comprehensive AI observability and compliance requirements
|
||||
|
||||
### Choose Traefik MCP Gateway
|
||||
|
||||
Traefik MCP Gateway governs how AI agents interact with Model Context Protocol servers through task-aware policies and session-smart routing. Choose it if you need:
|
||||
|
||||
- AI agent deployments requiring secure access to MCP servers
|
||||
- Task-based access control (TBAC) for AI workflows
|
||||
- Governance of Model Context Protocol interactions
|
||||
- Session-smart routing for long-running agent conversations
|
||||
- OAuth 2.1 / 2.0 compliant MCP server protection
|
||||
- Audit-ready observability for AI agent activities
|
||||
- Fine-grained policy enforcement for AI tools and resources
|
||||
|
||||
### Choose Traefik Hub API Management
|
||||
|
||||
Traefik Hub API Management extends the gateway foundation with API lifecycle tooling, developer experience features, and governance workflows. Choose it when you have:
|
||||
|
||||
- Multiple APIs requiring centralized management
|
||||
- Developer teams needing self-service portals
|
||||
- Complex API versioning and lifecycle requirements
|
||||
- Multi-cluster environments requiring unified dashboards
|
||||
- Compliance and governance needs
|
||||
|
||||
## Migration Path
|
||||
|
||||
The Traefik ecosystem is designed for seamless upgrades. You can start with Traefik Proxy and add capabilities as your requirements grow:
|
||||
|
||||
1. **Traefik Proxy** → **Hub API Gateway**: Add enterprise security, distributed features, and AI Gateway capabilities
|
||||
2. **Hub API Gateway** → **Hub API Management**: Add comprehensive API management and governance features
|
||||
3. **MCP Gateway**: Specialized solution for AI agent governance and Model Context Protocol management
|
||||
|
||||
All products share the same core configuration concepts, making migration straightforward while preserving your existing configurations and operational knowledge.
|
||||
@@ -57,4 +57,4 @@ You no longer need to create and synchronize configuration files cluttered with
|
||||
Traefik is able to use your cluster API to discover the services and read the attached information.
|
||||
In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -92,4 +92,4 @@ All the configuration options are documented in their related section.
|
||||
|
||||
You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -159,4 +159,4 @@ That's it! You've successfully deployed Traefik and configured routing in Docker
|
||||
- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
|
||||
- [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -252,4 +252,4 @@ In which case, you should make sure your infrastructure is properly set up for a
|
||||
LEGO_DISABLE_CNAME_SUPPORT=true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -144,4 +144,4 @@ And run it:
|
||||
|
||||
All the details are available in the [Contributing Guide](../contributing/building-testing.md)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -331,4 +331,4 @@ That's it! You've successfully deployed Traefik and configured routing in a Kube
|
||||
- [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
|
||||
- [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -1211,4 +1211,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
|
||||
!!! important
|
||||
For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -20,4 +20,4 @@ That is to say, how to obtain [TLS certificates](./tls.md#certificates-definitio
|
||||
either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
|
||||
And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -587,4 +587,4 @@ spec:
|
||||
disableSessionTickets: true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -11,6 +11,8 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox
|
||||
|
||||
If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
|
||||
|
||||
For a detailed comparison of all Traefik products and their capabilities, see our [Product Features Comparison](./features/).
|
||||
|
||||
With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
|
||||
|
||||
Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.
|
||||
|
||||
@@ -340,4 +340,4 @@ http:
|
||||
removeHeader = true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -785,4 +785,4 @@ http:
|
||||
preserveRequestMethod = true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -422,4 +422,4 @@ Set `isDevelopment` to `true` when developing to mitigate the unwanted effects o
|
||||
Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
|
||||
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -127,4 +127,4 @@ http:
|
||||
|
||||
Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR
|
||||
|
||||
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -146,4 +146,4 @@ http:
|
||||
forceSlash = false
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -112,4 +112,4 @@ A list of HTTP middlewares can be found [here](http/overview.md).
|
||||
|
||||
A list of TCP middlewares can be found [here](tcp/overview.md).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -158,4 +158,4 @@ core:
|
||||
- ✅ All applications functioning correctly
|
||||
- ✅ Performance metrics stable
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -576,3 +576,30 @@ Here is the list of the encoded characters that are rejected by default, along w
|
||||
| `%23` | `#` (hash) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash` |
|
||||
|
||||
Please check out the entrypoint [encodedCharacters option](../reference/install-configuration/entrypoints.md#opt-http-encodedCharacters) documentation for more details.
|
||||
|
||||
## v3.6.7
|
||||
|
||||
### Encoded Characters Configuration Default Values
|
||||
|
||||
Since `v3.6.7`, the options for encoded characters now have a `true` default value.
|
||||
This means that Traefik will not reject requests with a path containing a specific set of encoded characters by default.
|
||||
It is now up to the users to configure the security hardening of encoded characters.
|
||||
|
||||
Here is the list of the encoded characters that can be configured to `false` to disallow them:
|
||||
|
||||
| Encoded Character | Character | Config options | Default value |
|
||||
|-------------------|-------------------------|--------------------------------------------------------------------------------------|---------------|
|
||||
| `%2f` or `%2F` | `/` (slash) | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash` | `true` |
|
||||
| `%5c` or `%5C` | `\` (backslash) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash` | `true` |
|
||||
| `%00` | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` | `true` |
|
||||
| `%3b` or `%3B` | `;` (semicolon) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon` | `true` |
|
||||
| `%25` | `%` (percent) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent` | `true` |
|
||||
| `%3f` or `%3F` | `?` (question mark) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark` | `true` |
|
||||
| `%23` | `#` (hash) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash` | `true` |
|
||||
|
||||
Note: This check is not done against query parameters,
|
||||
but only against the request path as defined
|
||||
in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
|
||||
|
||||
Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation
|
||||
for more details.
|
||||
|
||||
@@ -780,4 +780,4 @@ accesslog:
|
||||
--accesslog.otlp.grpc.tls.insecureSkipVerify=true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -644,4 +644,4 @@ log:
|
||||
--log.otlp.grpc.tls.insecureSkipVerify=true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -77,4 +77,4 @@ additionalArguments:
|
||||
!!! note
|
||||
A router with its own observability configuration will override the global default.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -176,4 +176,4 @@ All the following endpoints must be accessed with a `GET` HTTP request.
|
||||
| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
|
||||
| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -168,4 +168,4 @@ api:
|
||||
--api.dashboard=false
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -31,4 +31,4 @@ The experience of implementing a Traefik plugin is comparable to writing a web b
|
||||
|
||||
To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -702,4 +702,4 @@ providers:
|
||||
--providers.docker.allowEmptyServices=true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -292,4 +292,4 @@ To illustrate, it is possible to easily define multiple routers, services, and T
|
||||
{{ end }}
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -16,7 +16,7 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
|
||||
|
||||
## Requirements
|
||||
|
||||
{!kubernetes-requirements.md!}
|
||||
{% include-markdown "includes/kubernetes-requirements.md" %}
|
||||
|
||||
!!! tip "All Steps for a Successful Deployment"
|
||||
|
||||
@@ -365,4 +365,4 @@ providers:
|
||||
|
||||
For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -16,7 +16,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
|
||||
|
||||
## Requirements
|
||||
|
||||
{!kubernetes-requirements.md!}
|
||||
{% include-markdown "includes/kubernetes-requirements.md" %}
|
||||
|
||||
!!! info "Helm Chart"
|
||||
|
||||
@@ -357,4 +357,4 @@ providers:
|
||||
--providers.kubernetesgateway.throttleDuration=10s
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -13,7 +13,7 @@ it manages access to cluster services by supporting the [Ingress](https://kubern
|
||||
|
||||
## Requirements
|
||||
|
||||
{!kubernetes-requirements.md!}
|
||||
{% include-markdown "includes/kubernetes-requirements.md" %}
|
||||
|
||||
## Routing Configuration
|
||||
|
||||
@@ -557,4 +557,4 @@ providers:
|
||||
To learn more about the various aspects of the Ingress specification that Traefik supports,
|
||||
many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.6/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -227,4 +227,4 @@ List of providers that support constraints:
|
||||
- [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
|
||||
- [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -769,4 +769,4 @@ providers:
|
||||
--providers.swarm.allowEmptyServices=true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -1,9 +1,8 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: ingressroutes.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -465,7 +464,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: ingressroutetcps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -721,7 +720,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: ingressrouteudps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -833,7 +832,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: middlewares.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -2147,7 +2146,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: middlewaretcps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -2235,7 +2234,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: serverstransports.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -2404,7 +2403,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: serverstransporttcps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -2560,7 +2559,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: tlsoptions.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -2678,7 +2677,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: tlsstores.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
@@ -2775,7 +2774,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: traefikservices.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -26,4 +26,4 @@ Dynamic configuration with Kubernetes Custom Resource
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: GatewayClass
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: GatewayClass
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: ingressroutes.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: ingressroutetcps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: ingressrouteudps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: middlewares.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: middlewaretcps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: serverstransports.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: serverstransporttcps.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: tlsoptions.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: tlsstores.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
name: traefikservices.traefik.io
|
||||
spec:
|
||||
group: traefik.io
|
||||
|
||||
@@ -3,13 +3,27 @@ title: "Traefik API & Dashboard Documentation"
|
||||
description: "Traefik Proxy exposes information through API handlers and showcase them on the Dashboard. Learn about the security, configuration, and endpoints of the APIs and Dashboard. Read the technical documentation."
|
||||
---
|
||||
|
||||
The dashboard is the central place that shows you the current active routes handled by Traefik.
|
||||
Traefik exposes a number of information through API endpoints, such as the configuration of your routers, services, middlewares, etc.
|
||||
|
||||
The dashboard, which is the central place that displays the current active routes handled by Traefik, fetches the data from this API.
|
||||
|
||||
<figure>
|
||||
<img src="../../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
|
||||
<figcaption>The dashboard in action</figcaption>
|
||||
</figure>
|
||||
|
||||
## Security
|
||||
|
||||
Enabling the API and the dashboard in production is not recommended, because it will expose all configuration elements,
|
||||
including sensitive data, for which access should be reserved to administrators.
|
||||
|
||||
In production, it should be at least secured by authentication and authorizations.
|
||||
|
||||
!!! info
|
||||
|
||||
It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
|
||||
(as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
|
||||
|
||||
## Configuration Example
|
||||
|
||||
Enable the dashboard:
|
||||
@@ -187,6 +201,7 @@ All the following endpoints must be accessed with a `GET` HTTP request.
|
||||
| <a id="opt-apientrypoints" href="#opt-apientrypoints" title="#opt-apientrypoints">`/api/entrypoints`</a> | Lists all the entry points information. |
|
||||
| <a id="opt-apientrypointsname" href="#opt-apientrypointsname" title="#opt-apientrypointsname">`/api/entrypoints/{name}`</a> | Returns the information of the entry point specified by `name`. |
|
||||
| <a id="opt-apioverview" href="#opt-apioverview" title="#opt-apioverview">`/api/overview`</a> | Returns statistic information about HTTP, TCP and about enabled features and providers. |
|
||||
| <a id="opt-apisupport-dump" href="#opt-apisupport-dump" title="#opt-apisupport-dump">`/api/support-dump`</a> | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
|
||||
| <a id="opt-apirawdata" href="#opt-apirawdata" title="#opt-apirawdata">`/api/rawdata`</a> | Returns information about dynamic configurations, errors, status and dependency relations. |
|
||||
| <a id="opt-apiversion" href="#opt-apiversion" title="#opt-apiversion">`/api/version`</a> | Returns information about Traefik version. |
|
||||
| <a id="opt-debugvars" href="#opt-debugvars" title="#opt-debugvars">`/debug/vars`</a> | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
|
||||
@@ -203,14 +218,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.
|
||||
|
||||
## Dashboard
|
||||
|
||||
The dashboard is available at the same location as the API, but by default on the path `/dashboard/`.
|
||||
The dashboard is available by default on the path `/dashboard/`.
|
||||
|
||||
!!! note
|
||||
|
||||
- The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
|
||||
- There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
|
||||
- There is also a redirect from the path `/` to `/dashboard/`.
|
||||
|
||||
To securely access the dashboard, you need to define a routing configuration within Traefik. This involves setting up a router attached to the service `api@internal`, which allows you to:
|
||||
As mentioned above in the [Security](#security) section, it is important to secure access to both the dashboard and the API.
|
||||
You need to define a routing configuration within Traefik.
|
||||
This involves setting up a router attached to the service `api@internal`, which allows you to:
|
||||
|
||||
- Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
|
||||
[forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
|
||||
@@ -238,4 +255,4 @@ rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
|
||||
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -85,13 +85,13 @@ THIS FILE MUST NOT BE EDITED BY HAND
|
||||
| <a id="opt-entrypoints-name-forwardedheaders-insecure" href="#opt-entrypoints-name-forwardedheaders-insecure" title="#opt-entrypoints-name-forwardedheaders-insecure">entrypoints._name_.forwardedheaders.insecure</a> | Trust all forwarded headers. | false |
|
||||
| <a id="opt-entrypoints-name-forwardedheaders-trustedips" href="#opt-entrypoints-name-forwardedheaders-trustedips" title="#opt-entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
|
||||
| <a id="opt-entrypoints-name-http" href="#opt-entrypoints-name-http" title="#opt-entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | false |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | true |
|
||||
| <a id="opt-entrypoints-name-http-encodequerysemicolons" href="#opt-entrypoints-name-http-encodequerysemicolons" title="#opt-entrypoints-name-http-encodequerysemicolons">entrypoints._name_.http.encodequerysemicolons</a> | Defines whether request query semicolons should be URLEncoded. | false |
|
||||
| <a id="opt-entrypoints-name-http-maxheaderbytes" href="#opt-entrypoints-name-http-maxheaderbytes" title="#opt-entrypoints-name-http-maxheaderbytes">entrypoints._name_.http.maxheaderbytes</a> | Maximum size of request headers in bytes. | 1048576 |
|
||||
| <a id="opt-entrypoints-name-http-middlewares" href="#opt-entrypoints-name-http-middlewares" title="#opt-entrypoints-name-http-middlewares">entrypoints._name_.http.middlewares</a> | Default middlewares for the routers linked to the entry point. | |
|
||||
|
||||
@@ -84,8 +84,8 @@ additionalArguments:
|
||||
|
||||
## Configuration Options
|
||||
|
||||
| Field | Description | Default | Required |
|
||||
|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
|
||||
| Field | Description | Default | Required |
|
||||
|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
|
||||
| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
|
||||
| <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault). | false | No |
|
||||
| <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
|
||||
@@ -95,16 +95,16 @@ additionalArguments:
|
||||
| <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
|
||||
| <a id="opt-http-redirections-entryPoint-priority" href="#opt-http-redirections-entryPoint-priority" title="#opt-http-redirections-entryPoint-priority">`http.redirections.`<br />`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`. | MaxInt32-1 (2147483646) | No |
|
||||
| <a id="opt-http-encodedCharacters" href="#opt-http-encodedCharacters" title="#opt-http-encodedCharacters">`http.encodedCharacters`</a> | Defines which encoded characters are allowed in the request path. More information [here](#encoded-characters). | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed. | false | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed. | true | No |
|
||||
| <a id="opt-http-encodeQuerySemicolons" href="#opt-http-encodeQuerySemicolons" title="#opt-http-encodeQuerySemicolons">`http.encodeQuerySemicolons`</a> | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
|
||||
| <a id="opt-http-sanitizePath" href="#opt-http-sanitizePath" title="#opt-http-sanitizePath">`http.sanitizePath`</a> | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath). | false | No |
|
||||
| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes. | 1048576 | No |
|
||||
| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes. | 1048576 | No |
|
||||
| <a id="opt-http-middlewares" href="#opt-http-middlewares" title="#opt-http-middlewares">`http.middlewares`</a> | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
|
||||
| <a id="opt-http-tls" href="#opt-http-tls" title="#opt-http-tls">`http.tls`</a> | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generated by Traefik. <br /> We recommend to not use self signed certificates in production. | - | No |
|
||||
| <a id="opt-http-tls-options" href="#opt-http-tls-options" title="#opt-http-tls-options">`http.tls.options`</a> | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
|
||||
@@ -220,16 +220,22 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
|
||||
### Encoded Characters
|
||||
|
||||
You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
|
||||
By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks.
|
||||
By default, Traefik do not reject requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
|
||||
|
||||
!!! warning "Security Considerations"
|
||||
!!! info
|
||||
|
||||
This check is not done against the request query parameters,
|
||||
but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
|
||||
|
||||
Allowing certain encoded characters may expose your application to security vulnerabilities.
|
||||
!!! info "Security Considerations"
|
||||
|
||||
When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) and notably decode encoded reserved characters in the requets path,
|
||||
it is recommended to set these options to `false` to avoid split-view situation and helps prevent path traversal attacks or other malicious attempts to bypass security controls.
|
||||
|
||||
Here is the list of the encoded characters that are rejected by default:
|
||||
|
||||
| Encoded Character | Character |
|
||||
|-------------------|-------------------------|
|
||||
| Encoded Character | Character |
|
||||
|------------------------------------------------------------------------------------|-------------------------|
|
||||
| <a id="opt-2f-or-2F" href="#opt-2f-or-2F" title="#opt-2f-or-2F">`%2f` or `%2F`</a> | `/` (slash) |
|
||||
| <a id="opt-5c-or-5C" href="#opt-5c-or-5C" title="#opt-5c-or-5C">`%5c` or `%5C`</a> | `\` (backslash) |
|
||||
| <a id="opt-00" href="#opt-00" title="#opt-00">`%00`</a> | `NULL` (null character) |
|
||||
|
||||
@@ -409,4 +409,4 @@ services:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -420,11 +420,11 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
|
||||
- [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
|
||||
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
|
||||
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
|
||||
- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
|
||||
- [A thread on Hacker News about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
|
||||
- [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
|
||||
- [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
|
||||
- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
|
||||
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
|
||||
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -15,7 +15,7 @@ enabling seamless integration between Traefik's networking capabilities and Knat
|
||||
|
||||
## Requirements
|
||||
|
||||
{!kubernetes-requirements.md!}
|
||||
{% include-markdown "includes/kubernetes-requirements.md" %}
|
||||
|
||||
1. Install/update the Knative CRDs.
|
||||
|
||||
@@ -139,4 +139,4 @@ providers:
|
||||
|
||||
See the dedicated section in [routing](../../../routing-configuration/kubernetes/knative.md).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -130,4 +130,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
|
||||
|
||||
For additional information, refer to the [full example](../../../../user-guides/crd-acme/index.md) with Let's Encrypt.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -21,7 +21,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
|
||||
|
||||
## Requirements
|
||||
|
||||
{!kubernetes-requirements.md!}
|
||||
{% include-markdown "includes/kubernetes-requirements.md" %}
|
||||
|
||||
1. Install/update the Kubernetes Gateway API CRDs.
|
||||
|
||||
@@ -137,4 +137,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
|
||||
and the dedicated [routing section](../../../../routing/providers/kubernetes-gateway.md)
|
||||
in the Traefik documentation.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -176,4 +176,4 @@ providers:
|
||||
|
||||
See the dedicated section in [routing](../../../routing-configuration/kubernetes/ingress-nginx.md).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -149,4 +149,4 @@ many examples of Ingresses definitions are located in the test
|
||||
[examples](https://github.com/traefik/traefik/tree/v3.1/pkg/provider/kubernetes/ingress/fixtures)
|
||||
of the Traefik repository.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -121,4 +121,4 @@ http:
|
||||
As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
|
||||
If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -160,4 +160,4 @@ List of providers that support constraints:
|
||||
- [Consul Catalog](./hashicorp/consul-catalog.md#constraints)
|
||||
- [Nomad](./hashicorp/nomad.md#constraints)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -464,4 +464,4 @@ It allows different implementation levels of the [AAA (Authentication, Authoriza
|
||||
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
|
||||
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -330,4 +330,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
|
||||
!!! important
|
||||
For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -17,4 +17,4 @@ The Certificates resolvers are defined in the static configuration.
|
||||
Defining a certificate resolver does not imply that routers are going to use it automatically.
|
||||
Each router or entrypoint that is meant to use the resolver must explicitly reference it.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -53,4 +53,4 @@ stringData:
|
||||
| <a id="opt-secretNonBase64Encoded" href="#opt-secretNonBase64Encoded" title="#opt-secretNonBase64Encoded">`secretNonBase64Encoded`</a> | Defines whether the secret sent by the client is base64 encoded. | false | No |
|
||||
| <a id="opt-secretValues" href="#opt-secretValues" title="#opt-secretValues">`secretValues`</a> | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | [] | Yes |
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -92,4 +92,4 @@ The option `users` supports Kubernetes secrets.
|
||||
Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
|
||||
You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -82,4 +82,4 @@ On Kubernetes, you don’t use the `users` or `usersFile` fields. Instead, you r
|
||||
- `kubernetes.io/basic-auth secret`: This secret type contains two keys—`username` and `password`—but is generally suited for a smaller number of users. Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than the other method.
|
||||
- Opaque secret with a users field: Here, the secret contains a single string field (often called `users`) where each line represents a user. This approach allows you to store multiple users in one secret.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -127,4 +127,4 @@ The following request properties are provided to the forward-auth target endpoin
|
||||
| <a id="opt-Request-URI" href="#opt-Request-URI" title="#opt-Request-URI">Request URI</a> | `X-Forwarded-Uri` |
|
||||
| <a id="opt-Source-IP-Address" href="#opt-Source-IP-Address" title="#opt-Source-IP-Address">Source IP-Address</a> | `X-Forwarded-For` |
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -323,4 +323,4 @@ It allows all origins that contain any match of a regular expression in the `acc
|
||||
|
||||
When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -204,4 +204,4 @@ Only SHA-256 and SHA-512 checksums are supported for checksum computation.
|
||||
|
||||
To disable this feature and only perform authentication, set the `validateDigest` option to `false` in the middleware configuration.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -230,4 +230,4 @@ The reference to a Kubernetes secret takes the form of a URN:
|
||||
urn:k8s:secret:[name]:[valueKey]
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -102,4 +102,4 @@ and a `bindPassword`, then the middleware runs in search mode. In this mode, a s
|
||||
issued to the LDAP server before trying to bind. If result of this search returns only 1 record,
|
||||
it tries to issue a bind request with this record, otherwise it aborts a `401 Unauthorized` status code.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -252,4 +252,4 @@ The following Redis modes are supported:
|
||||
|
||||
For more information about Redis, we recommend the [official Redis documentation](https://redis.io/docs/ "Link to official Redis documentation").
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -206,4 +206,4 @@ stringData:
|
||||
-----END EC PRIVATE KEY-----
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -427,4 +427,4 @@ This means that a new CSRF token will be generated and sent to the client whenev
|
||||
When a request is sent and uses a non-safe method (see [RFC7231#section-4.2.1](https://datatracker.ietf.org/doc/html/rfc7231.html#section-4.2.1)),
|
||||
the CSRF token value (extracted from the cookie) have to be sent to the server in the header configured with the [headerName option](#configuration-options).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -69,4 +69,4 @@ spec:
|
||||
| <a id="opt-allow" href="#opt-allow" title="#opt-allow">`allow`</a> | The `allow` option sets the expression to evaluate that determines if the request should be authorized. | "" | No (one of `allow` or `forwardHeaders` must be set) |
|
||||
| <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | "" | No (one of `allow` or `forwardHeaders` must be set) |
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -48,4 +48,4 @@ Middlewares that use the same protocol can be combined into chains to fit every
|
||||
|
||||
Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR
|
||||
|
||||
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -63,4 +63,4 @@ spec:
|
||||
|:-----------------------------|:--------------------------------------------------------------|:--------|:---------|
|
||||
| <a id="opt-prefixes" href="#opt-prefixes" title="#opt-prefixes">`prefixes`</a> | List of prefixes to strip from the request URL.<br />If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs. | [] | No |
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -61,4 +61,4 @@ spec:
|
||||
| <a id="opt-directives" href="#opt-directives" title="#opt-directives">`directives`</a> | List of WAF rules to enforce. | | Yes |
|
||||
| <a id="opt-crsEnabled" href="#opt-crsEnabled" title="#opt-crsEnabled">`crsEnabled`</a> | Enable [CRS rulesets](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs).<br /> Once the ruleset is enabled, it can be used in the middleware. | false | False |
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -185,4 +185,4 @@ Request → EntryPoint → Parent Router → Middleware → Child Router A → S
|
||||
4. If `X-User-Role: admin`, `api-admin` router matches and forwards to `admin-service`
|
||||
5. If `X-User-Role: user`, `api-user` router matches and forwards to `user-service`
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -103,7 +103,7 @@ labels:
|
||||
|----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------|
|
||||
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points. | All entry points | No |
|
||||
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
|
||||
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
|
||||
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. Negative values are supported. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
|
||||
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares. | | No |
|
||||
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests. | | No |
|
||||
| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation. See [Certificate Resolver](../tls/overview.md#certificate-resolver) for details. | | No |
|
||||
@@ -118,4 +118,4 @@ labels:
|
||||
- The character `@` is not authorized in the router name
|
||||
- In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -225,6 +225,8 @@ The priority is directly equal to the length of the rule, and so the longest len
|
||||
|
||||
A value of `0` for the priority is ignored: `priority: 0` means that the default rules length sorting is used.
|
||||
|
||||
Negative priority values are supported.
|
||||
|
||||
Traefik reserves a range of priorities for its internal routers, the maximum user-defined router priority value is:
|
||||
|
||||
- `(MaxInt32 - 1000)` for 32-bit platforms,
|
||||
|
||||
@@ -100,4 +100,4 @@ This provides fine-grained control over certificate generation and takes precede
|
||||
|
||||
Every domain must have A/AAAA records pointing to Traefik.
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -155,4 +155,4 @@ labels:
|
||||
}
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -259,4 +259,4 @@ spec:
|
||||
disableSessionTickets: true
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
@@ -86,7 +86,7 @@ spec:
|
||||
| <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes. | | Yes |
|
||||
| <a id="opt-routesn-kind" href="#opt-routesn-kind" title="#opt-routesn-kind">`routes[n].kind`</a> | Kind of router matching, only `Rule` is allowed yet. | "Rule" | No |
|
||||
| <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../http/routing/rules-and-priority.md#rules) corresponding to an underlying router. | | Yes |
|
||||
| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../http/routing/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used. | 0 | No |
|
||||
| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../http/routing/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used.<br />Negative values are supported. | 0 | No |
|
||||
| <a id="opt-routesn-middlewares" href="#opt-routesn-middlewares" title="#opt-routesn-middlewares">`routes[n].middlewares`</a> | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware). | "" | No |
|
||||
| <a id="opt-routesn-middlewaresm-name" href="#opt-routesn-middlewaresm-name" title="#opt-routesn-middlewaresm-name">`routes[n].`<br />`middlewares[m].`<br />`name`</a> | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
|
||||
| <a id="opt-routesn-middlewaresm-namespace" href="#opt-routesn-middlewaresm-namespace" title="#opt-routesn-middlewaresm-namespace">`routes[n].`<br />`middlewares[m].`<br />`namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware). | | No |
|
||||
|
||||
@@ -763,4 +763,4 @@ spec:
|
||||
|
||||
```
|
||||
|
||||
{!traefik-for-business-applications.md!}
|
||||
{% include-markdown "includes/traefik-for-business-applications.md" %}
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user