homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add TCP Servers Transports support

Browse source 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
This commit is contained in:
Simon Delicata 2022-12-09 09:58:05 +01:00 committed by GitHub
parent c2dac39da1
commit 3eeea2bb2b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
101 changed files with 5956 additions and 1669 deletions
Download patch file Download diff file Expand all files Collapse all files

4
docs/content/https/spiffe.md
View file

@ -28,7 +28,9 @@ The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload
!!! info "Enabling SPIFFE in ServersTransports"
Enabling SPIFFE does not imply that backend connections are going to use it automatically.
Each [ServersTransport](../routing/services/index.md#serverstransport_1) that is meant to be secured with SPIFFE must [explicitly](../routing/services/index.md#spiffe) enable it.
Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
that is meant to be secured with SPIFFE,
must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
!!! warning "SPIFFE can cause Traefik to stall"
When using SPIFFE,

10
docs/content/migration/v2-to-v3.md
View file

@ -55,3 +55,13 @@ One should use the `ContentType` middleware to enable the `Content-Type` header
In v3, HTTP/3 is no longer an experimental feature.
The `experimental.http3` option has been removed from the static configuration.
## TCP ServersTransport
In v3, the support of `TCPServersTransport` has been introduced.
When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
### TCP LoadBalancer `terminationDelay` option
The TCP LoadBalancer `terminationDelay` option has been removed.
This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)

3
docs/content/reference/dynamic-configuration/docker-labels.yml
View file

@ -190,8 +190,9 @@
- "traefik.tcp.routers.tcprouter1.tls.options=foobar"
- "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
- "traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol.version=42"
- "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
- "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"
- "traefik.tcp.services.tcpservice01.loadbalancer.server.tls=true"
- "traefik.tcp.services.tcpservice01.loadbalancer.serverstransport=foobar"
- "traefik.udp.routers.udprouter0.entrypoints=foobar, foobar"
- "traefik.udp.routers.udprouter0.service=foobar"
- "traefik.udp.routers.udprouter1.entrypoints=foobar, foobar"

52
docs/content/reference/dynamic-configuration/file.toml
View file

@ -377,15 +377,17 @@
[tcp.services]
[tcp.services.TCPService01]
[tcp.services.TCPService01.loadBalancer]
terminationDelay = 42
serversTransport = "foobar"
[tcp.services.TCPService01.loadBalancer.proxyProtocol]
version = 42
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[[tcp.services.TCPService01.loadBalancer.servers]]
address = "foobar"
tls = true
[tcp.services.TCPService02]
[tcp.services.TCPService02.weighted]
@ -396,6 +398,7 @@
[[tcp.services.TCPService02.weighted.services]]
name = "foobar"
weight = 42
[tcp.middlewares]
[tcp.middlewares.TCPMiddleware00]
[tcp.middlewares.TCPMiddleware00.ipAllowList]
@ -404,6 +407,53 @@
[tcp.middlewares.TCPMiddleware01.inFlightConn]
amount = 42
[tcp.serversTransports]
[tcp.serversTransports.TCPServersTransport0]
dialTimeout = "42s"
dialKeepAlive = "42s"
terminationDelay = "42s"
[tcp.serversTransports.TCPServersTransport0.tls]
serverName = "foobar"
insecureSkipVerify = true
rootCAs = ["foobar", "foobar"]
peerCertURI = "foobar"
[[tcp.serversTransports.TCPServersTransport0.tls.certificates]]
certFile = "foobar"
keyFile = "foobar"
[[tcp.serversTransports.TCPServersTransport0.tls.certificates]]
certFile = "foobar"
keyFile = "foobar"
[tcp.serversTransports.TCPServersTransport0.spiffe]
ids = ["foobar", "foobar"]
trustDomain = "foobar"
[tcp.serversTransports.TCPServersTransport1]
dialTimeout = "42s"
dialKeepAlive = "42s"
terminationDelay = "42s"
[tcp.serversTransports.TCPServersTransport1.tls]
serverName = "foobar"
insecureSkipVerify = true
rootCAs = ["foobar", "foobar"]
peerCertURI = "foobar"
[[tcp.serversTransports.TCPServersTransport1.tls.certificates]]
certFile = "foobar"
keyFile = "foobar"
[[tcp.serversTransports.TCPServersTransport1.tls.certificates]]
certFile = "foobar"
keyFile = "foobar"
[tcp.serversTransports.TCPServersTransport1.spiffe]
ids = ["foobar", "foobar"]
trustDomain = "foobar"
[udp]
[udp.routers]
[udp.routers.UDPRouter0]

47
docs/content/reference/dynamic-configuration/file.yaml
View file

@ -426,12 +426,14 @@ tcp:
services:
TCPService01:
loadBalancer:
terminationDelay: 42
serversTransport: foobar
proxyProtocol:
version: 42
servers:
- address: foobar
tls: true
- address: foobar
tls: true
TCPService02:
weighted:
services:
@ -448,6 +450,49 @@ tcp:
TCPMiddleware01:
inFlightConn:
amount: 42
serversTransports:
TCPServersTransport0:
dialTimeout: 42s
dialKeepAlive: 42s
terminationDelay: 42s
tls:
serverName: foobar
insecureSkipVerify: true
rootCAs:
- foobar
- foobar
certificates:
- certFile: foobar
keyFile: foobar
- certFile: foobar
keyFile: foobar
peerCertURI: foobar
spiffe:
ids:
- foobar
- foobar
trustDomain: foobar
TCPServersTransport1:
dialTimeout: 42s
dialKeepAlive: 42s
terminationDelay: 42s
tls:
serverName: foobar
insecureSkipVerify: true
rootCAs:
- foobar
- foobar
certificates:
- certFile: foobar
keyFile: foobar
- certFile: foobar
keyFile: foobar
peerCertURI: foobar
spiffe:
ids:
- foobar
- foobar
trustDomain: foobar
udp:
routers:
UDPRouter0:

141
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View file

@ -373,15 +373,16 @@ spec:
to use.
type: integer
type: object
terminationDelay:
description: TerminationDelay defines the deadline that
the proxy sets, after one of its connected peers indicates
it has closed the writing capability of its connection,
to close the reading capability as well, hence fully
terminating the connection. It is a duration in milliseconds,
defaulting to 100. A negative value means an infinite
deadline (i.e. the reading capability is never closed).
type: integer
serversTransport:
description: ServersTransport defines the name of ServersTransportTCP
resource to use. It allows to configure the transport
between Traefik and your servers. Can only be used on
a Kubernetes Service.
type: string
tls:
description: TLS determines whether to use TLS when dialing
with the backend.
type: boolean
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.
@ -1684,6 +1685,128 @@ status:
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.2
creationTimestamp: null
name: serverstransporttcps.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: ServersTransportTCP
listKind: ServersTransportTCPList
plural: serverstransporttcps
singular: serverstransporttcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: 'ServersTransportTCP is the CRD implementation of a TCPServersTransport.
If no tcpServersTransport is specified, a default one named default@internal
will be used. The default@internal tcpServersTransport can be configured
in the static configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_3'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
properties:
dialKeepAlive:
anyOf:
- type: integer
- type: string
description: DialKeepAlive is the interval between keep-alive probes
for an active network connection. If zero, keep-alive probes are
sent with a default value (currently 15 seconds), if supported by
the protocol and operating system. Network protocols or operating
systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
x-kubernetes-int-or-string: true
dialTimeout:
anyOf:
- type: integer
- type: string
description: DialTimeout is the amount of time to wait until a connection
to a backend server can be established.
x-kubernetes-int-or-string: true
terminationDelay:
anyOf:
- type: integer
- type: string
description: TerminationDelay defines the delay to wait before fully
terminating the connection, after one connected peer has closed
its writing capability.
x-kubernetes-int-or-string: true
tls:
description: TLS defines the TLS configuration
properties:
certificatesSecrets:
description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items:
type: string
type: array
insecureSkipVerify:
description: InsecureSkipVerify disables TLS certificate verification.
type: boolean
peerCertURI:
description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
to keep per-host. PeerCertURI defines the peer cert URI used
to match against SAN URI during the peer certificate verification.
type: string
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to
validate self-signed certificates.
items:
type: string
type: array
serverName:
description: ServerName defines the server name used to contact
the server.
type: string
spiffe:
description: Spiffe defines the SPIFFE configuration.
properties:
ids:
description: IDs defines the allowed SPIFFE IDs (takes precedence
over the SPIFFE TrustDomain).
items:
type: string
type: array
trustDomain:
description: TrustDomain defines the allowed SPIFFE trust
domain.
type: string
type: object
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition

1
docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
View file

@ -43,6 +43,7 @@ rules:
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list

22
docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
View file

@ -147,6 +147,7 @@ spec:
services:
- name: whoamitcp
port: 8080
serversTransport: mytransporttcp
middlewares:
- name: ipallowlist
tls:
@ -213,9 +214,30 @@ spec:
certificatesSecrets:
- foobar
- foobar
peerCertURI: foobar
maxIdleConnsPerHost: 1
forwardingTimeouts:
dialTimeout: 42s
responseHeaderTimeout: 42s
idleConnTimeout: 42s
disableHTTP2: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransporttcp
namespace: default
spec:
serverName: foobar
insecureSkipVerify: true
rootCAsSecrets:
- foobar
- foobar
certificatesSecrets:
- foobar
- foobar
peerCertURI: foobar
dialTimeout: 42s
dialKeepAlive: 42s

34
docs/content/reference/dynamic-configuration/kv-ref.md
View file

@ -278,10 +278,42 @@
| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/1` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/options` | `foobar` |
| `traefik/tcp/routers/TCPRouter1/tls/passthrough` | `true` |
| `traefik/tcp/serversTransports/TCPServersTransport0/dialKeepAlive` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport0/dialTimeout` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport0/spiffe/ids/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/spiffe/ids/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/spiffe/trustDomain` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/terminationDelay` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/insecureSkipVerify` | `true` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/peerCertURI` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport0/tls/serverName` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/dialKeepAlive` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport1/dialTimeout` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport1/spiffe/ids/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/spiffe/ids/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/spiffe/trustDomain` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/terminationDelay` | `42s` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/certFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/keyFile` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/insecureSkipVerify` | `true` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/peerCertURI` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/0` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/1` | `foobar` |
| `traefik/tcp/serversTransports/TCPServersTransport1/tls/serverName` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/proxyProtocol/version` | `42` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/address` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/tls` | `true` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/address` | `foobar` |
| `traefik/tcp/services/TCPService01/loadBalancer/terminationDelay` | `42` |
| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/tls` | `true` |
| `traefik/tcp/services/TCPService01/loadBalancer/serversTransport` | `foobar` |
| `traefik/tcp/services/TCPService02/weighted/services/0/name` | `foobar` |
| `traefik/tcp/services/TCPService02/weighted/services/0/weight` | `42` |
| `traefik/tcp/services/TCPService02/weighted/services/1/name` | `foobar` |

3
docs/content/reference/dynamic-configuration/marathon-labels.json
View file

@ -190,8 +190,9 @@
"traefik.tcp.routers.tcprouter1.tls.options": "foobar",
"traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
"traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol.version": "42",
"traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay": "42",
"traefik.tcp.services.tcpservice01.loadbalancer.server.port": "foobar",
"traefik.tcp.services.tcpservice01.loadbalancer.server.tls": "true",
"traefik.tcp.services.tcpservice01.loadbalancer.serverstransport": "foobar",
"traefik.udp.routers.udprouter0.entrypoints": "foobar, foobar",
"traefik.udp.routers.udprouter0.service": "foobar",
"traefik.udp.routers.udprouter1.entrypoints": "foobar, foobar",

19
docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
View file

@ -105,15 +105,16 @@ spec:
to use.
type: integer
type: object
terminationDelay:
description: TerminationDelay defines the deadline that
the proxy sets, after one of its connected peers indicates
it has closed the writing capability of its connection,
to close the reading capability as well, hence fully
terminating the connection. It is a duration in milliseconds,
defaulting to 100. A negative value means an infinite
deadline (i.e. the reading capability is never closed).
type: integer
serversTransport:
description: ServersTransport defines the name of ServersTransportTCP
resource to use. It allows to configure the transport
between Traefik and your servers. Can only be used on
a Kubernetes Service.
type: string
tls:
description: TLS determines whether to use TLS when dialing
with the backend.
type: boolean
weight:
description: Weight defines the weight used when balancing
requests between multiple Kubernetes Service.

122
docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransporttcps.yaml Normal file
View file

@ -0,0 +1,122 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.2
creationTimestamp: null
name: serverstransporttcps.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: ServersTransportTCP
listKind: ServersTransportTCPList
plural: serverstransporttcps
singular: serverstransporttcp
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: 'ServersTransportTCP is the CRD implementation of a TCPServersTransport.
If no tcpServersTransport is specified, a default one named default@internal
will be used. The default@internal tcpServersTransport can be configured
in the static configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_3'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
properties:
dialKeepAlive:
anyOf:
- type: integer
- type: string
description: DialKeepAlive is the interval between keep-alive probes
for an active network connection. If zero, keep-alive probes are
sent with a default value (currently 15 seconds), if supported by
the protocol and operating system. Network protocols or operating
systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
x-kubernetes-int-or-string: true
dialTimeout:
anyOf:
- type: integer
- type: string
description: DialTimeout is the amount of time to wait until a connection
to a backend server can be established.
x-kubernetes-int-or-string: true
terminationDelay:
anyOf:
- type: integer
- type: string
description: TerminationDelay defines the delay to wait before fully
terminating the connection, after one connected peer has closed
its writing capability.
x-kubernetes-int-or-string: true
tls:
description: TLS defines the TLS configuration
properties:
certificatesSecrets:
description: CertificatesSecrets defines a list of secret storing
client certificates for mTLS.
items:
type: string
type: array
insecureSkipVerify:
description: InsecureSkipVerify disables TLS certificate verification.
type: boolean
peerCertURI:
description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
to keep per-host. PeerCertURI defines the peer cert URI used
to match against SAN URI during the peer certificate verification.
type: string
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to
validate self-signed certificates.
items:
type: string
type: array
serverName:
description: ServerName defines the server name used to contact
the server.
type: string
spiffe:
description: Spiffe defines the SPIFFE configuration.
properties:
ids:
description: IDs defines the allowed SPIFFE IDs (takes precedence
over the SPIFFE TrustDomain).
items:
type: string
type: array
trustDomain:
description: TrustDomain defines the allowed SPIFFE trust
domain.
type: string
type: object
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

27
docs/content/reference/static-configuration/cli-ref.md
View file

@ -1020,6 +1020,33 @@ Defines the allowed SPIFFE trust domain.
`--spiffe.workloadapiaddr`:
Defines the workload API address.
`--tcpserverstransport.dialkeepalive`:
Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled (Default: ```15```)
`--tcpserverstransport.dialtimeout`:
Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
`--tcpserverstransport.terminationdelay`:
Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. (Default: ```0```)
`--tcpserverstransport.tls`:
Defines the TLS configuration. (Default: ```false```)
`--tcpserverstransport.tls.insecureskipverify`:
Disables SSL certificate verification. (Default: ```false```)
`--tcpserverstransport.tls.rootcas`:
Defines a list of CA secret used to validate self-signed certificate
`--tcpserverstransport.tls.spiffe`:
Defines the SPIFFE TLS configuration. (Default: ```false```)
`--tcpserverstransport.tls.spiffe.ids`:
Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
`--tcpserverstransport.tls.spiffe.trustdomain`:
Defines the allowed SPIFFE trust domain.
`--tracing`:
OpenTracing configuration. (Default: ```false```)

27
docs/content/reference/static-configuration/env-ref.md
View file

@ -1020,6 +1020,33 @@ Defines the allowed SPIFFE trust domain.
`TRAEFIK_SPIFFE_WORKLOADAPIADDR`:
Defines the workload API address.
`TRAEFIK_TCPSERVERSTRANSPORT_DIALKEEPALIVE`:
Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled (Default: ```15```)
`TRAEFIK_TCPSERVERSTRANSPORT_DIALTIMEOUT`:
Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
`TRAEFIK_TCPSERVERSTRANSPORT_TERMINATIONDELAY`:
Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. (Default: ```0```)
`TRAEFIK_TCPSERVERSTRANSPORT_TLS`:
Defines the TLS configuration. (Default: ```false```)
`TRAEFIK_TCPSERVERSTRANSPORT_TLS_INSECURESKIPVERIFY`:
Disables SSL certificate verification. (Default: ```false```)
`TRAEFIK_TCPSERVERSTRANSPORT_TLS_ROOTCAS`:
Defines a list of CA secret used to validate self-signed certificate
`TRAEFIK_TCPSERVERSTRANSPORT_TLS_SPIFFE`:
Defines the SPIFFE TLS configuration. (Default: ```false```)
`TRAEFIK_TCPSERVERSTRANSPORT_TLS_SPIFFE_IDS`:
Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
`TRAEFIK_TCPSERVERSTRANSPORT_TLS_SPIFFE_TRUSTDOMAIN`:
Defines the allowed SPIFFE trust domain.
`TRAEFIK_TRACING`:
OpenTracing configuration. (Default: ```false```)

19
docs/content/reference/static-configuration/file.toml
View file

@ -6,10 +6,29 @@
insecureSkipVerify = true
rootCAs = ["foobar", "foobar"]
maxIdleConnsPerHost = 42
[serversTransport.forwardingTimeouts]
dialTimeout = "42s"
responseHeaderTimeout = "42s"
idleConnTimeout = "42s"
readIdleTimeout = "42s"
pingTimeout = "42s"
[serversTransport.spiffe]
ids = ["foobar", "foobar"]
trustDomain = "foobar"
[tcpServersTransport]
dialTimeout = "42s"
dialKeepAlive = "42s"
[tcpServersTransport.tls]
insecureSkipVerify = true
rootCAs = ["foobar", "foobar"]
[tcpServersTransport.tls.spiffe]
ids = ["foobar", "foobar"]
trustDomain = "foobar"
[entryPoints]
[entryPoints.EntryPoint0]

22
docs/content/reference/static-configuration/file.yaml
View file

@ -1,7 +1,7 @@
global:
checkNewVersion: true
sendAnonymousUsage: true
serversTransport:
serversTransports:
insecureSkipVerify: true
rootCAs:
- foobar
@ -11,6 +11,26 @@ serversTransport:
dialTimeout: 42s
responseHeaderTimeout: 42s
idleConnTimeout: 42s
readIdleTimeout: 42s
pingTimeout: 42s
spiffe:
ids:
- foobar
- foobar
trustDomain: foobar
tcpServersTransport:
dialTimeout: 42s
dialKeepAlive: 42s
tls:
insecureSkipVerify: true
rootCAs:
- foobar
- foobar
spiffe:
ids:
- foobar
- foobar
trustDomain: foobar
entryPoints:
EntryPoint0:
address: foobar

198
docs/content/routing/overview.md
View file

@ -250,10 +250,12 @@ and then between Traefik and the backend servers, is configured through the
In addition, a few parameters are dedicated to configuring globally
what happens with the connections between Traefik and the backends.
This is done through the `serversTransport` section of the configuration,
which features these options:
This is done through the [`serversTransport`](#http-servers-transports) and [`tcpServersTransport`](#tcp-servers-transports)
sections of the configuration, which features these options:
### `insecureSkipVerify`
### HTTP Servers Transports
#### `insecureSkipVerify`
_Optional, Default=false_
@ -276,7 +278,7 @@ serversTransport:
--serversTransport.insecureSkipVerify=true
```
### `rootCAs`
#### `rootCAs`
_Optional_
@ -302,7 +304,7 @@ serversTransport:
--serversTransport.rootCAs=foo.crt,bar.crt
```
### `maxIdleConnsPerHost`
#### `maxIdleConnsPerHost`
_Optional, Default=2_
@ -325,7 +327,7 @@ serversTransport:
--serversTransport.maxIdleConnsPerHost=7
```
### `spiffe`
#### `spiffe`
Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration
before using it to secure the connection between Traefik and the backends.
@ -380,7 +382,7 @@ serversTransport:
--serversTransport.spiffe.trustDomain=spiffe://trust-domain
```
### `forwardingTimeouts`
#### `forwardingTimeouts`
`forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.
@ -462,4 +464,186 @@ serversTransport:
--serversTransport.forwardingTimeouts.idleConnTimeout=1s
```
### TCP Servers Transports
#### `dialTimeout`
_Optional, Default="30s"_
`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
Zero means no timeout.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
dialTimeout: 30s
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport]
dialTimeout = "30s"
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.dialTimeout=30s
```
#### `dialKeepAlive`
_Optional, Default="15s"_
`dialKeepAlive` defines the interval between keep-alive probes sent on an active network connection.
If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and
operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
dialKeepAlive: 30s
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport]
dialKeepAlive = "30s"
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.dialKeepAlive=30s
```
#### `tls`
`tls` defines the TLS configuration to connect with TCP backends.
_Optional_
An empty `tls` section enables TLS.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
tls: {}
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.tls]
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.tls=true
```
#### `tls.insecureSkipVerify`
_Optional_
`insecureSkipVerify` disables the server's certificate chain and host name verification.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.tls.insecureSkipVerify=true
```
#### `tls.rootCAs`
_Optional_
`rootCAs` defines the set of Root Certificate Authorities (as file paths, or data bytes)
to use when verifying self-signed TLS server certificates.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
tls:
rootCAs:
- foo.crt
- bar.crt
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.tls]
rootCAs = ["foo.crt", "bar.crt"]
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.tls.rootCAs=foo.crt,bar.crt
```
#### `spiffe`
Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration
before using it to secure the connection between Traefik and the backends.
#### `spiffe.ids`
_Optional_
`ids` defines the allowed SPIFFE IDs.
This takes precedence over the SPIFFE TrustDomain.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
spiffe:
ids:
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.spiffe]
ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.spiffe.ids=spiffe://trust-domain/id1,spiffe://trust-domain/id2
```
#### `spiffe.trustDomain`
_Optional_
`trustDomain` defines the allowed SPIFFE trust domain.
```yaml tab="File (YAML)"
## Static configuration
tcpServersTransport:
trustDomain: spiffe://trust-domain
```
```toml tab="File (TOML)"
## Static configuration
[tcpServersTransport.spiffe]
trustDomain = "spiffe://trust-domain"
```
```bash tab="CLI"
## Static configuration
--tcpServersTransport.spiffe.trustDomain=spiffe://trust-domain
```
{!traefik-for-business-applications.md!}

17
docs/content/routing/providers/consul-catalog.md
View file

@ -404,12 +404,12 @@ You can declare TCP Routers and/or Services using tags.
traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
See [termination delay](../services/index.md#termination-delay) for more information.
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.tls`"
Determines whether to use TLS when dialing with the backend.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
@ -420,6 +420,15 @@ You can declare TCP Routers and/or Services using tags.
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
```yaml
traefik.tcp.services.myservice.loadbalancer.serverstransport=foobar@file
```
### UDP
You can declare UDP Routers and/or Services using tags.

15
docs/content/routing/providers/docker.md
View file

@ -577,12 +577,12 @@ You can declare TCP Routers and/or Services using labels.
- "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.tls`"
See [termination delay](../services/index.md#termination-delay) for more information.
Determines whether to use TLS when dialing with the backend.
```yaml
- "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
- "traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
@ -593,6 +593,15 @@ You can declare TCP Routers and/or Services using labels.
- "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
```yaml
- "traefik.tcp.services.<service_name>.loadbalancer.serverstransport=foobar@file"
```
### UDP
You can declare UDP Routers and/or Services using labels.

17
docs/content/routing/providers/ecs.md
View file

@ -418,12 +418,12 @@ You can declare TCP Routers and/or Services using labels.
traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
See [termination delay](../services/index.md#termination-delay) for more information.
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.tls`"
Determines whether to use TLS when dialing with the backend.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
@ -434,6 +434,15 @@ You can declare TCP Routers and/or Services using labels.
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
```yaml
traefik.tcp.services.<service_name>.loadbalancer.serverstransport=foobar@file
```
### UDP
You can declare UDP Routers and/or Services using tags.

255
docs/content/routing/providers/kubernetes-crd.md
View file

@ -295,17 +295,18 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
You can find an excerpt of the available custom resources in the table below:
| Kind | Purpose | Concept Behind |
|--------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------------------|
| [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) |
| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) |
| [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) |
| [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) |
| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) |
| [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) |
| [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) |
| [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) |
| [ServersTransport](#kind-serverstransport) | Allows to configure the transport between Traefik and the backends | [ServersTransport](../../services/#serverstransport_1) |
| Kind | Purpose | Concept Behind |
|--------------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------------------|
| [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) |
| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) |
| [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) |
| [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) |
| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) |
| [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) |
| [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) |
| [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) |
| [ServersTransport](#kind-serverstransport) | Allows to configure the transport between Traefik and the backends | [ServersTransport](../../services/#serverstransport_1) |
| [ServersTransportTCP](#kind-serverstransporttcp) | Allows to configure the transport between Traefik and the backends | [TCP ServersTransport](../../services/#serverstransport_3) |
### Kind: `IngressRoute`
@ -1088,60 +1089,60 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
name: ingressroutetcpfoo
spec:
entryPoints: # [1]
entryPoints: # [1]
- footcp
routes: # [2]
- match: HostSNI(`*`) # [3]
priority: 10 # [4]
routes: # [2]
- match: HostSNI(`*`) # [3]
priority: 10 # [4]
middlewares:
- name: middleware1 # [5]
namespace: default # [6]
services: # [7]
- name: foo # [8]
port: 8080 # [9]
weight: 10 # [10]
terminationDelay: 400 # [11]
proxyProtocol: # [12]
version: 1 # [13]
tls: # [14]
secretName: supersecret # [15]
options: # [16]
name: opt # [17]
namespace: default # [18]
certResolver: foo # [19]
domains: # [20]
- main: example.net # [21]
sans: # [22]
- name: middleware1 # [5]
namespace: default # [6]
services: # [7]
- name: foo # [8]
port: 8080 # [9]
weight: 10 # [10]
proxyProtocol: # [11]
version: 1 # [12]
serversTransport: transport # [13]
tls: # [14]
secretName: supersecret # [15]
options: # [16]
name: opt # [17]
namespace: default # [18]
certResolver: foo # [19]
domains: # [20]
- main: example.net # [21]
sans: # [22]
- a.example.net
- b.example.net
passthrough: false # [23]
passthrough: false # [23]
```
| Ref | Attribute | Purpose |
|------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) names |
| [2] | `routes` | List of routes |
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) of the underlying router |
| [4] | `routes[n].priority` | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching |
| [5] | `middlewares[n].name` | Defines the [MiddlewareTCP](#kind-middlewaretcp) name |
| [6] | `middlewares[n].namespace` | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace |
| [7] | `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup) |
| [8] | `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. |
| [10] | `services[n].weight` | Defines the weight to apply to the server load balancing |
| [11] | `services[n].terminationDelay` | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
| [12] | `proxyProtocol` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration |
| [13] | `version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version |
| [14] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration |
| [15] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
| [16] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
| [17] | `options.name` | Defines the [TLSOption](#kind-tlsoption) name |
| [18] | `options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
| [19] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) |
| [20] | `tls.domains` | List of [domains](../routers/index.md#domains_1) |
| [21] | `domains[n].main` | Defines the main domain name |
| [22] | `domains[n].sans` | List of SANs (alternative domains) |
| [23] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend |
| Ref | Attribute | Purpose |
|------|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) names |
| [2] | `routes` | List of routes |
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) of the underlying router |
| [4] | `routes[n].priority` | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching |
| [5] | `middlewares[n].name` | Defines the [MiddlewareTCP](#kind-middlewaretcp) name |
| [6] | `middlewares[n].namespace` | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace |
| [7] | `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup) |
| [8] | `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. |
| [10] | `services[n].weight` | Defines the weight to apply to the server load balancing |
| [11] | `services[n].proxyProtocol` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration |
| [12] | `services[n].proxyProtocol.version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version |
| [13] | `services[n].serversTransport` | Defines the reference to a [ServersTransportTCP](#kind-serverstransporttcp). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
| [14] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration |
| [15] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
| [16] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
| [17] | `tls.options.name` | Defines the [TLSOption](#kind-tlsoption) name |
| [18] | `tls.options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
| [19] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) |
| [20] | `tls.domains` | List of [domains](../routers/index.md#domains_1) |
| [21] | `tls.domains[n].main` | Defines the main domain name |
| [22] | `tls.domains[n].sans` | List of SANs (alternative domains) |
| [23] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend |
??? example "Declaring an IngressRouteTCP"
@ -1161,11 +1162,9 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
services:
- name: foo
port: 8080
terminationDelay: 400
weight: 10
- name: bar
port: 8081
terminationDelay: 500
weight: 10
tls:
certResolver: foo
@ -1689,7 +1688,7 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
!!! important "Default serversTransport"
If no `serversTransport` is specified, the `default@internal` will be used.
The `default@internal` serversTransport is created from the [static configuration](../overview.md#transport-configuration).
The `default@internal` serversTransport is created from the [static configuration](../overview.md#http-servers-transports).
!!! info "ServersTransport Attributes"
@ -1701,21 +1700,26 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
namespace: default
spec:
serverName: foobar # [1]
insecureSkipVerify: true # [2]
rootCAsSecrets: # [3]
serverName: foobar # [1]
insecureSkipVerify: true # [2]
rootCAsSecrets: # [3]
- foobar
- foobar
certificatesSecrets: # [4]
certificatesSecrets: # [4]
- foobar
- foobar
maxIdleConnsPerHost: 1 # [5]
forwardingTimeouts: # [6]
dialTimeout: 42s # [7]
responseHeaderTimeout: 42s # [8]
idleConnTimeout: 42s # [9]
peerCertURI: foobar # [10]
disableHTTP2: true # [11]
maxIdleConnsPerHost: 1 # [5]
forwardingTimeouts: # [6]
dialTimeout: 42s # [7]
responseHeaderTimeout: 42s # [8]
idleConnTimeout: 42s # [9]
peerCertURI: foobar # [10]
disableHTTP2: true # [11]
spiffe: # [12]
ids: # [13]
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
trustDomain: "spiffe://trust-domain" # [14]
```
| Ref | Attribute | Purpose |
@ -1731,6 +1735,9 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
| [9] | `idleConnTimeout` | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | `peerCertURI` | URI used to match against SAN URIs during the server's certificate verification. |
| [11] | `disableHTTP2` | Disables HTTP/2 for connections with servers. |
| [12] | `spiffe` | The spiffe configuration. |
| [13] | `ids` | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
| [14] | `trustDomain` | Defines the allowed SPIFFE trust domain. |
!!! info "CA Secret"
@ -1775,10 +1782,110 @@ By default, the referenced ServersTransport CRD must be defined in the same [Kub
To reference a ServersTransport CRD from another namespace,
the value must be of form `namespace-name@kubernetescrd`,
and the [cross-namespace](../../../providers/kubernetes-crd/#allowcrossnamespace) option must be enabled.
and the [allowCrossNamespace](../../../providers/kubernetes-crd/#allowcrossnamespace) option must be enabled.
If the ServersTransport CRD is defined in another provider the cross-provider format `name@provider` should be used.
### Kind: `ServersTransportTCP`
`ServersTransportTCP` is the CRD implementation of a [ServersTransportTCP](../services/index.md#serverstransport_2).
!!! important "Default serversTransportTCP"
If no `serversTransportTCP` is specified, the `default@internal` will be used.
The `default@internal` serversTransportTCP is created from the [static configuration](../overview.md#tcp-servers-transports).
!!! info "ServersTransportTCP Attributes"
```yaml tab="ServersTransportTCP"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
dialTimeout: 42s # [1]
dialKeepAlive: 42s # [2]
terminationDelay: 42s # [3]
tls: # [4]
serverName: foobar # [5]
insecureSkipVerify: true # [6]
peerCertURI: foobar # [7]
rootCAsSecrets: # [8]
- foobar
- foobar
certificatesSecrets: # [9]
- foobar
- foobar
spiffe: # [10]
ids: # [11]
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
trustDomain: "spiffe://trust-domain" # [12]
```
| Ref | Attribute | Purpose |
|------|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [2] | `dialKeepAlive` | The interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled. |
| [3] | `terminationDelay` | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. |
| [4] | `tls` | The TLS configuration. |
| [5] | `serverName` | ServerName used to contact the server. |
| [6] | `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. |
| [7] | `peerCertURI` | URI used to match against SAN URIs during the server's certificate verification. |
| [8] | `rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [9] | `certificatesSecrets` | Certificates to present to the server for mTLS. |
| [10] | `spiffe` | The SPIFFE configuration. |
| [11] | `ids` | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
| [12] | `trustDomain` | Defines the allowed SPIFFE trust domain. |
!!! info "CA Secret"
The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key.
??? example "Declaring and referencing a ServersTransportTCP"
```yaml tab="ServersTransportTCP"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
serverName: example.org
insecureSkipVerify: true
```
```yaml tab="IngressRouteTCP"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: testroute
namespace: default
spec:
entryPoints:
- tcpep
routes:
- match: HostSNI(`bar`)
services:
- name: whoamitcp
port: 8080
serversTransport: mytransport
```
#### ServersTransportTCP reference
By default, the referenced ServersTransportTCP CRD must be defined in the same [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace.
To reference a ServersTransportTCP CRD from another namespace,
the value must be of form `namespace-name@kubernetescrd`,
and the [allowCrossNamespace](../../../providers/kubernetes-crd/#allowcrossnamespace) option must be enabled.
If the ServersTransportTCP CRD is defined in another provider the cross-provider format `name@provider` should be used.
## Further
Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.

17
docs/content/routing/providers/kv.md
View file

@ -413,14 +413,6 @@ You can declare TCP Routers and/or Services using KV.
| Key (Path) | Value |
|--------------------------------------------------------------------|------------------|
| `traefik/tcp/services/mytcpservice/loadbalancer/servers/0/address` | `xx.xx.xx.xx:xx` |
??? info "`traefik/tcp/services/<service_name>/loadbalancer/terminationdelay`"
See [termination delay](../services/index.md#termination-delay) for more information.
| Key (Path) | Value |
|-------------------------------------------------------------------|-------|
| `traefik/tcp/services/mytcpservice/loadbalancer/terminationdelay` | `100` |
??? info "`traefik/tcp/services/<service_name>/loadbalancer/proxyprotocol/version`"
@ -430,6 +422,15 @@ You can declare TCP Routers and/or Services using KV.
|------------------------------------------------------------------------|-------|
| `traefik/tcp/services/mytcpservice/loadbalancer/proxyprotocol/version` | `1` |
??? info "`traefik/tcp/services/<service_name>/loadbalancer/serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
| Key (Path) | Value |
|-----------------------------------------------------------------|---------------|
| `traefik/tcp/services/myservice/loadbalancer/serverstransport` | `foobar@file` |
??? info "`traefik/tcp/services/<service_name>/weighted/services/<n>/name`"
| Key (Path) | Value |

17
docs/content/routing/providers/marathon.md
View file

@ -451,12 +451,12 @@ You can declare TCP Routers and/or Services using labels.
"traefik.tcp.services.mytcpservice.loadbalancer.server.port": "423"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
See [termination delay](../services/index.md#termination-delay) for more information.
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.tls`"
Determines whether to use TLS when dialing with the backend.
```json
"traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay": "100"
"traefik.tcp.services.mytcpservice.loadbalancer.server.tls": "true"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
@ -467,6 +467,15 @@ You can declare TCP Routers and/or Services using labels.
"traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version": "1"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
```json
"traefik.tcp.services.<service_name>.loadbalancer.serverstransport": "foobar@file"
```
### UDP
You can declare UDP Routers and/or Services using labels.

15
docs/content/routing/providers/nomad.md
View file

@ -396,12 +396,12 @@ You can declare TCP Routers and/or Services using tags.
traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.tls`"
See [termination delay](../services/index.md#termination-delay) for more information.
Determines whether to use TLS when dialing with the backend.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
@ -412,6 +412,15 @@ You can declare TCP Routers and/or Services using tags.
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
```yaml
traefik.tcp.services.myservice.loadbalancer.serverstransport=foobar@file
```
### UDP
You can declare UDP Routers and/or Services using tags.

17
docs/content/routing/providers/rancher.md
View file

@ -454,12 +454,12 @@ You can declare TCP Routers and/or Services using labels.
- "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
See [termination delay](../services/index.md#termination-delay) for more information.
??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.tls`"
Determines whether to use TLS when dialing with the backend.
```yaml
- "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
- "traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
@ -470,6 +470,15 @@ You can declare TCP Routers and/or Services using labels.
- "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport_2) for more information.
```yaml
- "traefik.tcp.services.<service_name>.loadbalancer.serverstransport=foobar@file"
```
### UDP
You can declare UDP Routers and/or Services using labels.

576
docs/content/routing/services/index.md
View file

@ -473,9 +473,9 @@ By default, `passHostHeader` is true.
#### ServersTransport
`serversTransport` allows to reference a [ServersTransport](./index.md#serverstransport_1) configuration for the communication between Traefik and your servers.
`serversTransport` allows to reference an [HTTP ServersTransport](./index.md#serverstransport_1) configuration for the communication between Traefik and your servers.
??? example "Specify a transport -- Using the [File Provider](../../providers/file.md)"
??? example "Specify an HTTP transport -- Using the [File Provider](../../providers/file.md)"
```yaml tab="YAML"
## Dynamic configuration
@ -494,9 +494,9 @@ By default, `passHostHeader` is true.
serversTransport = "mytransport"
```
!!! info default serversTransport
!!! info Default Servers Transport
If no serversTransport is specified, the `default@internal` will be used.
The `default@internal` serversTransport is created from the [static configuration](../overview.md#transport-configuration).
The `default@internal` serversTransport is created from the [static configuration](../overview.md#http-servers-transports).
#### Response Forwarding
@ -532,9 +532,9 @@ Below are the available options for the Response Forwarding mechanism:
### ServersTransport
ServersTransport allows to configure the transport between Traefik and your servers.
ServersTransport allows to configure the transport between Traefik and your HTTP servers.
#### `ServerName`
#### `serverName`
_Optional_
@ -562,10 +562,10 @@ metadata:
namespace: default
spec:
serverName: "test"
serverName: "test"
```
#### `Certificates`
#### `certificates`
_Optional_
@ -597,7 +597,7 @@ metadata:
namespace: default
spec:
certificatesSecrets:
certificatesSecrets:
- mycert
---
@ -606,9 +606,9 @@ kind: Secret
metadata:
name: mycert
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
#### `insecureSkipVerify`
@ -639,7 +639,7 @@ metadata:
namespace: default
spec:
insecureSkipVerify: true
insecureSkipVerify: true
```
#### `rootCAs`
@ -672,7 +672,7 @@ metadata:
namespace: default
spec:
rootCAsSecrets:
rootCAsSecrets:
- myca
---
apiVersion: v1
@ -680,8 +680,8 @@ kind: Secret
metadata:
name: myca
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
```
#### `maxIdleConnsPerHost`
@ -712,7 +712,7 @@ metadata:
namespace: default
spec:
maxIdleConnsPerHost: 7
maxIdleConnsPerHost: 7
```
#### `disableHTTP2`
@ -721,12 +721,6 @@ _Optional, Default=false_
`disableHTTP2` disables HTTP/2 for connections with servers.
```toml tab="File (TOML)"
## Dynamic configuration
[http.serversTransports.mytransport]
disableHTTP2 = true
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
@ -735,6 +729,12 @@ http:
disableHTTP2: true
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.serversTransports.mytransport]
disableHTTP2 = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
@ -743,7 +743,7 @@ metadata:
namespace: default
spec:
disableHTTP2: true
disableHTTP2: true
```
#### `peerCertURI`
@ -752,12 +752,6 @@ _Optional, Default=false_
`peerCertURI` defines the URI used to match against SAN URIs during the server's certificate verification.
```toml tab="File (TOML)"
## Dynamic configuration
[http.serversTransports.mytransport]
peerCertURI = "foobar"
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
@ -766,6 +760,12 @@ http:
peerCertURI: foobar
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.serversTransports.mytransport]
peerCertURI = "foobar"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
@ -774,7 +774,7 @@ metadata:
namespace: default
spec:
peerCertURI: foobar
peerCertURI: foobar
```
#### `spiffe`
@ -923,8 +923,8 @@ metadata:
namespace: default
spec:
forwardingTimeouts:
responseHeaderTimeout: "1s"
forwardingTimeouts:
responseHeaderTimeout: "1s"
```
##### `forwardingTimeouts.idleConnTimeout`
@ -957,8 +957,8 @@ metadata:
namespace: default
spec:
forwardingTimeouts:
idleConnTimeout: "1s"
forwardingTimeouts:
idleConnTimeout: "1s"
```
##### `forwardingTimeouts.readIdleTimeout`
@ -995,8 +995,8 @@ metadata:
namespace: default
spec:
forwardingTimeouts:
readIdleTimeout: "1s"
forwardingTimeouts:
readIdleTimeout: "1s"
```
##### `forwardingTimeouts.pingTimeout`
@ -1029,8 +1029,8 @@ metadata:
namespace: default
spec:
forwardingTimeouts:
pingTimeout: "1s"
forwardingTimeouts:
pingTimeout: "1s"
```
### Weighted Round Robin (service)
@ -1469,6 +1469,9 @@ The servers load balancer is in charge of balancing the requests between the ser
#### Servers
Servers declare a single instance of your program.
#### `address`
The `address` option (IP:Port) point to a specific instance.
??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"
@ -1491,6 +1494,60 @@ The `address` option (IP:Port) point to a specific instance.
address = "xx.xx.xx.xx:xx"
```
#### `tls`
The `tls` determines whether to use TLS when dialing with the backend.
??? example "A Service with One Server Using TLS -- Using the [File Provider](../../providers/file.md)"
```yaml tab="YAML"
## Dynamic configuration
tcp:
services:
my-service:
loadBalancer:
servers:
- address: "xx.xx.xx.xx:xx"
tls: true
```
```toml tab="TOML"
## Dynamic configuration
[tcp.services]
[tcp.services.my-service.loadBalancer]
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
tls = true
```
#### ServersTransport
`serversTransport` allows to reference a [TCP ServersTransport](./index.md#serverstransport_3) configuration for the communication between Traefik and your servers.
??? example "Specify a TCP transport -- Using the [File Provider](../../providers/file.md)"
```yaml tab="YAML"
## Dynamic configuration
tcp:
services:
Service01:
loadBalancer:
serversTransport: mytransport
```
```toml tab="TOML"
## Dynamic configuration
[tcp.services]
[tcp.services.Service01]
[tcp.services.Service01.loadBalancer]
serversTransport = "mytransport"
```
!!! info "Default Servers Transport"
If no serversTransport is specified, the `default@internal` will be used.
The `default@internal` serversTransport is created from the [static configuration](../overview.md#tcp-servers-transports).
#### PROXY Protocol
Traefik supports [PROXY Protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2 on TCP Services.
@ -1524,39 +1581,6 @@ Below are the available options for the PROXY protocol:
version = 1
```
#### Termination Delay
As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet).
The proxy needs to propagate that intent to the other side, and so when that happens, it also does the same on its connection with the other side (e.g. backend side).
However, if for some reason (bad implementation, or malicious intent) the other side does not eventually do the same as well,
the connection would stay half-open, which would lock resources for however long.
To that end, as soon as the proxy enters this termination sequence, it sets a deadline on fully terminating the connections on both sides.
The termination delay controls that deadline.
It is a duration in milliseconds, defaulting to 100.
A negative value means an infinite deadline (i.e. the connection is never fully terminated by the proxy itself).
??? example "A Service with a termination delay -- Using the [File Provider](../../providers/file.md)"
```yaml tab="YAML"
## Dynamic configuration
tcp:
services:
my-service:
loadBalancer:
terminationDelay: 200
```
```toml tab="TOML"
## Dynamic configuration
[tcp.services]
[tcp.services.my-service.loadBalancer]
[[tcp.services.my-service.loadBalancer]]
terminationDelay = 200
```
### Weighted Round Robin
The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the requests between multiple services based on provided weights.
@ -1612,6 +1636,414 @@ tcp:
address = "private-ip-server-2:8080/"
```
### ServersTransport
ServersTransport allows to configure the transport between Traefik and your TCP servers.
#### `dialTimeout`
_Optional, Default="30s"_
`dialTimeout` defines the timeout when dialing the backend TCP service. If zero, no timeout exists.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
dialTimeout: 30s
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport]
dialTimeout = "30s"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
dialTimeout: 30s
```
#### `dialKeepAlive`
_Optional, Default="15s"_
`dialKeepAlive` defines the interval between keep-alive probes for an active network connection.
If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and
operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative,
keep-alive probes are disabled.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
dialKeepAlive: 30s
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport]
dialKeepAlive = "30s"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
dialKeepAlive: 30s
```
#### `terminationDelay`
_Optional, Default="100ms"_
As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet).
The proxy needs to propagate that intent to the other side, and so when that happens, it also does the same on its connection with the other side (e.g. backend side).
However, if for some reason (bad implementation, or malicious intent) the other side does not eventually do the same as well,
the connection would stay half-open, which would lock resources for however long.
To that end, as soon as the proxy enters this termination sequence, it sets a deadline on fully terminating the connections on both sides.
The termination delay controls that deadline.
A negative value means an infinite deadline (i.e. the connection is never fully terminated by the proxy itself).
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
terminationDelay: 100ms
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport]
terminationDelay = "100ms"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
terminationDelay: 100ms
```
#### `tls`
`tls` defines the TLS configuration.
_Optional_
An empty `tls` section enables TLS.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
tls: {}
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.tls]
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls: {}
```
#### `tls.serverName`
_Optional_
`tls.serverName` configure the server name that will be used for SNI.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
tls:
serverName: "myhost"
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.tls]
serverName = "myhost"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
serverName: "test"
```
#### `tls.certificates`
_Optional_
`tls.certificates` is the list of certificates (as file paths, or data bytes)
that will be set as client certificates for mTLS.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
tls:
certificates:
- certFile: foo.crt
keyFile: bar.crt
```
```toml tab="File (TOML)"
## Dynamic configuration
[[tcp.serversTransports.mytransport.tls.certificates]]
certFile = "foo.crt"
keyFile = "bar.crt"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
certificatesSecrets:
- mycert
---
apiVersion: v1
kind: Secret
metadata:
name: mycert
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
#### `tls.insecureSkipVerify`
_Optional_
`tls.insecureSkipVerify` controls whether the server's certificate chain and host name is verified.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.tls]
insecureSkipVerify = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
insecureSkipVerify: true
```
#### `tls.rootCAs`
_Optional_
`tls.rootCAs` defines the set of root certificate authorities (as file paths, or data bytes) to use when verifying server certificates.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
tls:
rootCAs:
- foo.crt
- bar.crt
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.tls]
rootCAs = ["foo.crt", "bar.crt"]
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
rootCAsSecrets:
- myca
---
apiVersion: v1
kind: Secret
metadata:
name: myca
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
```
#### `tls.peerCertURI`
_Optional, Default=false_
`tls.peerCertURI` defines the URI used to match against SAN URIs during the server's certificate verification.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
tls:
peerCertURI: foobar
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.tls]
peerCertURI = "foobar"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
peerCertURI: foobar
```
#### `spiffe`
Please note that [SPIFFE](../../https/spiffe.md) must be enabled in the static configuration
before using it to secure the connection between Traefik and the backends.
##### `spiffe.ids`
_Optional_
`ids` defines the allowed SPIFFE IDs.
This takes precedence over the SPIFFE TrustDomain.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
spiffe:
ids:
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.spiffe]
ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
spiffe:
ids:
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
```
##### `spiffe.trustDomain`
_Optional_
`trustDomain` defines the allowed SPIFFE trust domain.
```yaml tab="File (YAML)"
## Dynamic configuration
tcp:
serversTransports:
mytransport:
spiffe:
trustDomain: spiffe://trust-domain
```
```toml tab="File (TOML)"
## Dynamic configuration
[tcp.serversTransports.mytransport.spiffe]
trustDomain = "spiffe://trust-domain"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
spiffe:
trustDomain: "spiffe://trust-domain"
```
## Configuring UDP Services
### General