homelab/traefik
1
0
Fork 0
Code Activity

Replace internal dead links

Browse source
This commit is contained in:
Romain 2025-10-14 16:26:05 +02:00 committed by GitHub
parent 0ea8cbdfbf
commit 835899f4bc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
41 changed files with 310 additions and 2043 deletions
Download patch file Download diff file Expand all files Collapse all files

4
docs/content/reference/install-configuration/providers/docker.md
View file

@ -45,7 +45,7 @@ services:
| <a id="opt-providers-docker-username" href="#opt-providers-docker-username" title="#opt-providers-docker-username">`providers.docker.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| <a id="opt-providers-docker-password" href="#opt-providers-docker-password" title="#opt-providers-docker-password">`providers.docker.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.| "" | No |
| <a id="opt-providers-docker-useBindPortIP" href="#opt-providers-docker-useBindPortIP" title="#opt-providers-docker-useBindPortIP">`providers.docker.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| <a id="opt-providers-docker-exposedByDefault" href="#opt-providers-docker-exposedByDefault" title="#opt-providers-docker-exposedByDefault">`providers.docker.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| <a id="opt-providers-docker-exposedByDefault" href="#opt-providers-docker-exposedByDefault" title="#opt-providers-docker-exposedByDefault">`providers.docker.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#exposedbydefault-and-traefikenable) for additional information | true | No |
| <a id="opt-providers-docker-network" href="#opt-providers-docker-network" title="#opt-providers-docker-network">`providers.docker.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.docker.network` label.| "" | No |
| <a id="opt-providers-docker-defaultRule" href="#opt-providers-docker-defaultRule" title="#opt-providers-docker-defaultRule">`providers.docker.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="opt-providers-docker-httpClientTimeout" href="#opt-providers-docker-httpClientTimeout" title="#opt-providers-docker-httpClientTimeout">`providers.docker.httpClientTimeout`</a> | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
@ -306,7 +306,7 @@ as well as the usual boolean logic, as shown in examples below.
constraints = "LabelRegex(`a.label.name`, `a.+`)"
```
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
```yaml tab="File (YAML)"
providers:

4
docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
View file

@ -36,7 +36,7 @@ Attaching tags to services:
| <a id="opt-providers-consulCatalog-refreshInterval" href="#opt-providers-consulCatalog-refreshInterval" title="#opt-providers-consulCatalog-refreshInterval">`providers.consulCatalog.refreshInterval`</a> | Defines the polling interval.| 15s | No |
| <a id="opt-providers-consulCatalog-prefix" href="#opt-providers-consulCatalog-prefix" title="#opt-providers-consulCatalog-prefix">`providers.consulCatalog.prefix`</a> | Defines the prefix for Consul Catalog tags defining Traefik labels.| traefik | yes |
| <a id="opt-providers-consulCatalog-requireConsistent" href="#opt-providers-consulCatalog-requireConsistent" title="#opt-providers-consulCatalog-requireConsistent">`providers.consulCatalog.requireConsistent`</a> | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.| false | yes |
| <a id="opt-providers-consulCatalog-exposedByDefault" href="#opt-providers-consulCatalog-exposedByDefault" title="#opt-providers-consulCatalog-exposedByDefault">`providers.consulCatalog.exposedByDefault`</a> | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery). | true | no |
| <a id="opt-providers-consulCatalog-exposedByDefault" href="#opt-providers-consulCatalog-exposedByDefault" title="#opt-providers-consulCatalog-exposedByDefault">`providers.consulCatalog.exposedByDefault`</a> | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#exposedbydefault-and-traefikenable). | true | no |
| <a id="opt-providers-consulCatalog-defaultRule" href="#opt-providers-consulCatalog-defaultRule" title="#opt-providers-consulCatalog-defaultRule">`providers.consulCatalog.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information. | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="opt-providers-consulCatalog-connectAware" href="#opt-providers-consulCatalog-connectAware" title="#opt-providers-consulCatalog-connectAware">`providers.consulCatalog.connectAware`</a> | Enable Consul Connect support. If set to `true`, Traefik will be enabled to communicate with Connect services. | false | No |
| <a id="opt-providers-consulCatalog-connectByDefault" href="#opt-providers-consulCatalog-connectByDefault" title="#opt-providers-consulCatalog-connectByDefault">`providers.consulCatalog.connectByDefault`</a> | Consider every service as Connect capable by default. If set to true, Traefik will consider every Consul Catalog service to be Connect capable by default. The option can be overridden on an instance basis with the traefik.consulcatalog.connect tag. | false | No |
@ -166,7 +166,7 @@ providers:
# ...
```
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#exposedbydefault-and-traefikenable).
### `namespaces`

4
docs/content/reference/install-configuration/providers/hashicorp/nomad.md
View file

@ -46,7 +46,7 @@ service {
| <a id="opt-providers-nomad-throttleDuration" href="#opt-providers-nomad-throttleDuration" title="#opt-providers-nomad-throttleDuration">`providers.nomad.throttleDuration`</a> | Defines how often the provider is allowed to handle service events from Nomad. This option is only compatible when the `watch` option is enabled | 0s | No |
| <a id="opt-providers-nomad-defaultRule" href="#opt-providers-nomad-defaultRule" title="#opt-providers-nomad-defaultRule">`providers.nomad.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="opt-providers-nomad-constraints" href="#opt-providers-nomad-constraints" title="#opt-providers-nomad-constraints">`providers.nomad.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| <a id="opt-providers-nomad-exposedByDefault" href="#opt-providers-nomad-exposedByDefault" title="#opt-providers-nomad-exposedByDefault">`providers.nomad.exposedByDefault`</a> | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| <a id="opt-providers-nomad-exposedByDefault" href="#opt-providers-nomad-exposedByDefault" title="#opt-providers-nomad-exposedByDefault">`providers.nomad.exposedByDefault`</a> | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#exposedbydefault-and-traefikenable) for additional information | true | No |
| <a id="opt-providers-nomad-allowEmptyServices" href="#opt-providers-nomad-allowEmptyServices" title="#opt-providers-nomad-allowEmptyServices">`providers.nomad.allowEmptyServices`</a> | Instructs the provider to create any [servers load balancer](../../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| <a id="opt-providers-nomad-prefix" href="#opt-providers-nomad-prefix" title="#opt-providers-nomad-prefix">`providers.nomad.prefix`</a> | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik` | yes |
| <a id="opt-providers-nomad-stale" href="#opt-providers-nomad-stale" title="#opt-providers-nomad-stale">`providers.nomad.stale`</a> | Instructs Traefik to use stale consistency for Nomad service API reads. See [here](#stale) for more information | false | No |
@ -245,7 +245,7 @@ providers:
# ...
```
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#exposedbydefault-and-traefikenable).
## Routing Configuration

24
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
View file

@ -108,18 +108,18 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
<!-- markdownlint-disable MD013 -->
| Resource | Purpose |
|--------------------------------------------------|--------------------------------------------------------------------|
| <a id="opt-IngressRoute" href="#opt-IngressRoute" title="#opt-IngressRoute">[IngressRoute](../../../../routing/providers/kubernetes-crd.md#kind-ingressroute)</a> | HTTP Routing |
| <a id="opt-Middleware" href="#opt-Middleware" title="#opt-Middleware">[Middleware](../../../../middlewares/http/overview.md)</a> | Tweaks the HTTP requests before they are sent to your service |
| <a id="opt-TraefikService" href="#opt-TraefikService" title="#opt-TraefikService">[TraefikService](../../../../routing/providers/kubernetes-crd.md#kind-traefikservice)</a> | Abstraction for HTTP loadbalancing/mirroring |
| <a id="opt-TLSOptions" href="#opt-TLSOptions" title="#opt-TLSOptions">[TLSOptions](../../../../routing/providers/kubernetes-crd.md#kind-tlsoption)</a> | Allows configuring some parameters of the TLS connection |
| <a id="opt-TLSStores" href="#opt-TLSStores" title="#opt-TLSStores">[TLSStores](../../../../routing/providers/kubernetes-crd.md#kind-tlsstore)</a> | Allows configuring the default TLS store |
| <a id="opt-ServersTransport" href="#opt-ServersTransport" title="#opt-ServersTransport">[ServersTransport](../../../../routing/providers/kubernetes-crd.md#kind-serverstransport)</a> | Allows configuring the transport between Traefik and the backends |
| <a id="opt-IngressRouteTCP" href="#opt-IngressRouteTCP" title="#opt-IngressRouteTCP">[IngressRouteTCP](../../../../routing/providers/kubernetes-crd.md#kind-ingressroutetcp)</a> | TCP Routing |
| <a id="opt-MiddlewareTCP" href="#opt-MiddlewareTCP" title="#opt-MiddlewareTCP">[MiddlewareTCP](../../../../routing/providers/kubernetes-crd.md#kind-middlewaretcp)</a> | Tweaks the TCP requests before they are sent to your service |
| <a id="opt-ServersTransportTCP" href="#opt-ServersTransportTCP" title="#opt-ServersTransportTCP">[ServersTransportTCP](../../../../routing/providers/kubernetes-crd.md#kind-serverstransporttc)</a> | Allows configuring the transport between Traefik and the backends |
| <a id="opt-IngressRouteUDP" href="#opt-IngressRouteUDP" title="#opt-IngressRouteUDP">[IngressRouteUDP](../../../../routing/providers/kubernetes-crd.md#kind-ingressrouteudp)</a> | UDP Routing |
| Resource | Purpose |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|
| <a id="opt-IngressRoute" href="#opt-IngressRoute" title="#opt-IngressRoute">[IngressRoute](../../../routing-configuration/kubernetes/crd/http/ingressroute.md)</a> | HTTP Routing |
| <a id="opt-Middleware" href="#opt-Middleware" title="#opt-Middleware">[Middleware](../../../routing-configuration/kubernetes/crd/http/middleware.md)</a> | Tweaks the HTTP requests before they are sent to your service |
| <a id="opt-TraefikService" href="#opt-TraefikService" title="#opt-TraefikService">[TraefikService](../../../routing-configuration/kubernetes/crd/http/traefikservice.md)</a> | Abstraction for HTTP loadbalancing/mirroring |
| <a id="opt-TLSOptions" href="#opt-TLSOptions" title="#opt-TLSOptions">[TLSOptions](../../../routing-configuration/kubernetes/crd/http/tlsoption.md)</a> | Allows configuring some parameters of the TLS connection |
| <a id="opt-TLSStores" href="#opt-TLSStores" title="#opt-TLSStores">[TLSStores](../../../routing-configuration/kubernetes/crd/http/tlsstore.md)</a> | Allows configuring the default TLS store |
| <a id="opt-ServersTransport" href="#opt-ServersTransport" title="#opt-ServersTransport">[ServersTransport](../../../routing-configuration/kubernetes/crd/http/serverstransport.md)</a> | Allows configuring the transport between Traefik and the backends |
| <a id="opt-IngressRouteTCP" href="#opt-IngressRouteTCP" title="#opt-IngressRouteTCP">[IngressRouteTCP](../../../routing-configuration/kubernetes/crd/tcp/ingressroutetcp.md)</a> | TCP Routing |
| <a id="opt-MiddlewareTCP" href="#opt-MiddlewareTCP" title="#opt-MiddlewareTCP">[MiddlewareTCP](../../../routing-configuration/kubernetes/crd/tcp/middlewaretcp.md)</a> | Tweaks the TCP requests before they are sent to your service |
| <a id="opt-ServersTransportTCP" href="#opt-ServersTransportTCP" title="#opt-ServersTransportTCP">[ServersTransportTCP](../../../routing-configuration/kubernetes/crd/tcp/serverstransporttcp.md)</a> | Allows configuring the transport between Traefik and the backends |
| <a id="opt-IngressRouteUDP" href="#opt-IngressRouteUDP" title="#opt-IngressRouteUDP">[IngressRouteUDP](../../../routing-configuration/kubernetes/crd/udp/ingressrouteudp.md)</a> | UDP Routing |
## Particularities

2
docs/content/reference/install-configuration/providers/others/ecs.md
View file

@ -103,7 +103,7 @@ providers:
# ...
```
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#exposedbydefault-and-traefikenable).
### `defaultRule`

4
docs/content/reference/install-configuration/providers/swarm.md
View file

@ -50,7 +50,7 @@ services:
| <a id="opt-providers-swarm-username" href="#opt-providers-swarm-username" title="#opt-providers-swarm-username">`providers.swarm.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication. | "" | No |
| <a id="opt-providers-swarm-password" href="#opt-providers-swarm-password" title="#opt-providers-swarm-password">`providers.swarm.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication. | "" | No |
| <a id="opt-providers-swarm-useBindPortIP" href="#opt-providers-swarm-useBindPortIP" title="#opt-providers-swarm-useBindPortIP">`providers.swarm.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information | false | No |
| <a id="opt-providers-swarm-exposedByDefault" href="#opt-providers-swarm-exposedByDefault" title="#opt-providers-swarm-exposedByDefault">`providers.swarm.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information | true | No |
| <a id="opt-providers-swarm-exposedByDefault" href="#opt-providers-swarm-exposedByDefault" title="#opt-providers-swarm-exposedByDefault">`providers.swarm.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#exposedbydefault-and-traefikenable) for additional information | true | No |
| <a id="opt-providers-swarm-network" href="#opt-providers-swarm-network" title="#opt-providers-swarm-network">`providers.swarm.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.swarm.network` label. | "" | No |
| <a id="opt-providers-swarm-defaultRule" href="#opt-providers-swarm-defaultRule" title="#opt-providers-swarm-defaultRule">`providers.swarm.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| <a id="opt-providers-swarm-refreshSeconds" href="#opt-providers-swarm-refreshSeconds" title="#opt-providers-swarm-refreshSeconds">`providers.swarm.refreshSeconds`</a> | Defines the polling interval for Swarm Mode. | "15s" | No |
@ -312,7 +312,7 @@ as well as the usual boolean logic, as shown in examples below.
constraints = "LabelRegex(`a.label.name`, `a.+`)"
```
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
```yaml tab="File (YAML)"
providers:

2
docs/content/reference/install-configuration/tls/spiffe.md
View file

@ -44,7 +44,7 @@ spiffe:
## ServersTransport
Enabling SPIFFE does not imply that backend connections are going to use it automatically.
Each [ServersTransport](../../../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../../../routing/services/index.md#serverstransport_2), that is meant to be secured with SPIFFE, must explicitly enable it (see [SPIFFE with ServersTransport](../../../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../../../routing/services/index.md#spiffe_1)).
Each [ServersTransport](../../routing-configuration/http/load-balancing/serverstransport.md) or [TCPServersTransport](../../routing-configuration/tcp/serverstransport.md), that is meant to be secured with SPIFFE, must explicitly enable it (see [SPIFFE with ServersTransport](../../routing-configuration/http/load-balancing/serverstransport.md#opt-spiffe) or [SPIFFE with TCPServersTransport](../../routing-configuration/tcp/serverstransport.md#opt-serverstransport-spiffe)).
### Configuration Example

33
docs/content/reference/routing-configuration/http/load-balancing/serverstransport.md
View file

@ -94,19 +94,20 @@ labels:
## Configuration Options
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| <a id="opt-serverName" href="#opt-serverName" title="#opt-serverName">`serverName`</a> | Configures the server name that will be used as the SNI. | "" | No |
| <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | [] | No |
| <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false | No |
| <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | [] | No |
| <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
| <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
| <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| <a id="opt-forwardingTimeouts-dialTimeout" href="#opt-forwardingTimeouts-dialTimeout" title="#opt-forwardingTimeouts-dialTimeout">`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout | 30s | No |
| <a id="opt-forwardingTimeouts-responseHeaderTimeout" href="#opt-forwardingTimeouts-responseHeaderTimeout" title="#opt-forwardingTimeouts-responseHeaderTimeout">`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s | No |
| <a id="opt-forwardingTimeouts-idleConnTimeout" href="#opt-forwardingTimeouts-idleConnTimeout" title="#opt-forwardingTimeouts-idleConnTimeout">`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout | 90s | No |
| <a id="opt-forwardingTimeouts-readIdleTimeout" href="#opt-forwardingTimeouts-readIdleTimeout" title="#opt-forwardingTimeouts-readIdleTimeout">`forwardingTimeouts.readIdleTimeout`</a> | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. | 0s | No |
| <a id="opt-forwardingTimeouts-pingTimeout" href="#opt-forwardingTimeouts-pingTimeout" title="#opt-forwardingTimeouts-pingTimeout">`forwardingTimeouts.pingTimeout`</a> | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. | 15s | No |
| <a id="opt-spiffe-ids" href="#opt-spiffe-ids" title="#opt-spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | [] | No |
| <a id="opt-spiffe-trustDomain" href="#opt-spiffe-trustDomain" title="#opt-spiffe-trustDomain">`spiffe.trustDomain`</a> | Defines the SPIFFE trust domain. | "" | No |
| Field | Description | Default | Required |
|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| <a id="opt-serverName" href="#opt-serverName" title="#opt-serverName">`serverName`</a> | Configures the server name that will be used as the SNI. | "" | No |
| <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | [] | No |
| <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false | No |
| <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | [] | No |
| <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
| <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
| <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
| <a id="opt-forwardingTimeouts-dialTimeout" href="#opt-forwardingTimeouts-dialTimeout" title="#opt-forwardingTimeouts-dialTimeout">`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout | 30s | No |
| <a id="opt-forwardingTimeouts-responseHeaderTimeout" href="#opt-forwardingTimeouts-responseHeaderTimeout" title="#opt-forwardingTimeouts-responseHeaderTimeout">`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s | No |
| <a id="opt-forwardingTimeouts-idleConnTimeout" href="#opt-forwardingTimeouts-idleConnTimeout" title="#opt-forwardingTimeouts-idleConnTimeout">`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout | 90s | No |
| <a id="opt-forwardingTimeouts-readIdleTimeout" href="#opt-forwardingTimeouts-readIdleTimeout" title="#opt-forwardingTimeouts-readIdleTimeout">`forwardingTimeouts.readIdleTimeout`</a> | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. | 0s | No |
| <a id="opt-forwardingTimeouts-pingTimeout" href="#opt-forwardingTimeouts-pingTimeout" title="#opt-forwardingTimeouts-pingTimeout">`forwardingTimeouts.pingTimeout`</a> | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. | 15s | No |
| <a id="opt-spiffe" href="#opt-spiffe" title="#opt-spiffe">`spiffe`</a> | Defines the SPIFFE configuration. An empty `spiffe` section enables SPIFFE (that allows any SPIFFE ID). | | No |
| <a id="opt-spiffe-ids" href="#opt-spiffe-ids" title="#opt-spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | [] | No |
| <a id="opt-spiffe-trustDomain" href="#opt-spiffe-trustDomain" title="#opt-spiffe-trustDomain">`spiffe.trustDomain`</a> | Defines the SPIFFE trust domain. | "" | No |

40
docs/content/reference/routing-configuration/http/routing/router.md
View file

@ -23,6 +23,11 @@ http:
- "ratelimit"
tls:
certResolver: "letsencrypt"
options: "modern"
domains:
- main: "example.com"
sans:
- "www.example.com"
observability:
metrics: true
accessLogs: true
@ -41,6 +46,11 @@ http:
[http.routers.my-router.tls]
certResolver = "letsencrypt"
options = "modern"
[[http.routers.my-router.tls.domains]]
main = "example.com"
sans = ["www.example.com"]
[http.routers.my-router.observability]
metrics = true
@ -56,6 +66,9 @@ labels:
- "traefik.http.routers.my-router.middlewares=auth,ratelimit"
- "traefik.http.routers.my-router.service=my-service"
- "traefik.http.routers.my-router.tls.certresolver=letsencrypt"
- "traefik.http.routers.my-router.tls.options=modern"
- "traefik.http.routers.my-router.tls.domains[0].main=example.com"
- "traefik.http.routers.my-router.tls.domains[0].sans=www.example.com"
- "traefik.http.routers.my-router.observability.metrics=true"
- "traefik.http.routers.my-router.observability.accessLogs=true"
- "traefik.http.routers.my-router.observability.tracing=true"
@ -70,6 +83,9 @@ labels:
"traefik.http.routers.my-router.middlewares=auth,ratelimit",
"traefik.http.routers.my-router.service=my-service",
"traefik.http.routers.my-router.tls.certresolver=letsencrypt",
"traefik.http.routers.my-router.tls.options=modern",
"traefik.http.routers.my-router.tls.domains[0].main=example.com",
"traefik.http.routers.my-router.tls.domains[0].sans=www.example.com",
"traefik.http.routers.my-router.observability.metrics=true",
"traefik.http.routers.my-router.observability.accessLogs=true",
"traefik.http.routers.my-router.observability.tracing=true"
@ -79,18 +95,22 @@ labels:
## Configuration Options
| Field | Description | Default | Required |
|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points. | All entry points | No |
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares. | | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests. See [TLS overview](../tls/overview.md) for detailed TLS configuration. | | No |
| <a id="opt-observability" href="#opt-observability" title="#opt-observability">`observability`</a> | Observability configuration for the router. Allows fine-grained control over access logs, metrics, and tracing per router. See [Observability](./observability.md) for details. | Inherited from entry points | No |
| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched requests. Services can be load balancer services, weighted round robin, mirroring, or failover services. See [Service](../load-balancing/service.md) for details.| | Yes |
| Field | Description | Default | Required |
|----------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points. | All entry points | No |
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares. | | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests. | | No |
| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation. See [Certificate Resolver](../tls/overview.md#certificate-resolver) for details. | | No |
| <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](../tls/tls-options.md) for detailed configuration. | `default` | No |
| <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. When using ACME certificate resolvers, domains are automatically extracted from router rules, making this option optional. | | No |
| <a id="opt-observability" href="#opt-observability" title="#opt-observability">`observability`</a> | Observability configuration for the router. Allows fine-grained control over access logs, metrics, and tracing per router. See [Observability](./observability.md) for details. | Inherited from entry points | No |
| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched requests. Services can be load balancer services, weighted round robin, mirroring, or failover services. See [Service](../load-balancing/service.md) for details. | | Yes |
## Router Naming
- The character `@` is not authorized in the router name
- In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
{!traefik-for-business-applications.md!}

101
docs/content/reference/routing-configuration/http/tls/overview.md
View file

@ -1,10 +1,103 @@
---
title: "Traefik TLS Documentation"
description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
title: "Traefik HTTP TLS Documentation"
description: "Learn how to configure the transport layer security (TLS) connection for HTTP services in Traefik Proxy. Read the technical documentation."
---
Traefik's TLS configuration defines how TLS negotiation is handled for incoming connections.
## General
The next section of this documentation explains how to configure TLS connections through a definition in the dynamic configuration and how to configure TLS options, and certificates stores.
When an HTTP router is configured to handle HTTPS traffic, include a `tls` field in its definition.
This field tells Traefik that the router should process only TLS requests and ignore non-TLS traffic.
By default, an HTTP router with a TLS field will terminate the TLS connections,
meaning that it will send decrypted data to the services.
The TLS configuration provides several options for fine-tuning the TLS behavior,
including automatic certificate generation, custom TLS options, and explicit domain specification.
## Configuration Example
```yaml tab="Structured (YAML)"
http:
routers:
my-https-router:
rule: "Host(`example.com`) && Path(`/api`)"
service: "my-http-service"
tls:
certResolver: "letsencrypt"
options: "modern-tls"
domains:
- main: "example.com"
sans:
- "www.example.com"
- "api.example.com"
```
```toml tab="Structured (TOML)"
[http.routers.my-https-router]
rule = "Host(`example.com`) && Path(`/api`)"
service = "my-http-service"
[http.routers.my-https-router.tls]
certResolver = "letsencrypt"
options = "modern-tls"
[[http.routers.my-https-router.tls.domains]]
main = "example.com"
sans = ["www.example.com", "api.example.com"]
```
```yaml tab="Labels"
labels:
- "traefik.http.routers.my-https-router.rule=Host(`example.com`) && Path(`/api`)"
- "traefik.http.routers.my-https-router.service=my-http-service"
- "traefik.http.routers.my-https-router.tls=true"
- "traefik.http.routers.my-https-router.tls.certresolver=letsencrypt"
- "traefik.http.routers.my-https-router.tls.options=modern-tls"
- "traefik.http.routers.my-https-router.tls.domains[0].main=example.com"
- "traefik.http.routers.my-https-router.tls.domains[0].sans=www.example.com,api.example.com"
```
```json tab="Tags"
{
"Tags": [
"traefik.http.routers.my-https-router.rule=Host(`example.com`) && Path(`/api`)",
"traefik.http.routers.my-https-router.service=my-http-service",
"traefik.http.routers.my-https-router.tls=true",
"traefik.http.routers.my-https-router.tls.certresolver=letsencrypt",
"traefik.http.routers.my-https-router.tls.options=modern-tls",
"traefik.http.routers.my-https-router.tls.domains[0].main=example.com",
"traefik.http.routers.my-https-router.tls.domains[0].sans=www.example.com,api.example.com"
]
}
```
## Configuration Options
| Field | Description | Default | Required |
|:-----------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:---------|
| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](./tls-options.md) for detailed configuration. | `default` | No |
| <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation via ACME providers (such as Let's Encrypt). See the [Certificate Resolver](./#certificate-resolver) section for more details. | "" | No |
| <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. See the [Custom Domains](./#custom-domains) section for more details. | [] | No |
## Certificate Resolver
The `tls.certResolver` option allows you to specify a certificate resolver for automatic certificate generation via ACME providers (such as Let's Encrypt).
When a certificate resolver is configured for a router,
Traefik will automatically obtain and manage TLS certificates for the domains specified in the router's rule (in the `Host` matcher) or in the `tls.domains` configuration (with `tls.domains` taking precedence).
!!! important "Prerequisites"
- Certificate resolvers must be defined in the [static configuration](../../../install-configuration/tls/certificate-resolvers/acme.md)
- The router must have `tls` enabled
- An ACME challenge type must be configured for the certificate resolver
## Custom Domains
When using ACME certificate resolvers, domains are automatically extracted from router rules,
but the `tls.domains` option allows you to explicitly specify the domains and Subject Alternative Names (SANs) for which certificates should be generated.
This provides fine-grained control over certificate generation and takes precedence over domains automatically extracted from router rules.
Every domain must have A/AAAA records pointing to Traefik.
{!traefik-for-business-applications.md!}

55
docs/content/reference/routing-configuration/kubernetes/crd/tcp/ingressroutetcp.md
View file

@ -3,7 +3,7 @@ title: "Kubernetes IngressRouteTCP"
description: "An IngressRouteTCP is a Traefik CRD is in charge of connecting incoming TCP connections to the Services that can handle them."
---
`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../../../tcp/router/rules-and-priority.md).
`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../../../tcp/routing/rules-and-priority.md).
Before creating `IngressRouteTCP` objects, you need to apply the [Traefik Kubernetes CRDs](https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions) to your Kubernetes cluster.
@ -39,7 +39,6 @@ spec:
serversTransport: transport
nativeLB: true
nodePortLB: true
tls: false
tls:
secretName: supersecret
@ -57,33 +56,33 @@ spec:
## Configuration Options
| Field | Description | Default | Required |
|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names. | | No |
| <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes. | | Yes |
| <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
| <a id="opt-routesn-middlewaresn-name" href="#opt-routesn-middlewaresn-name" title="#opt-routesn-middlewaresn-name">`routes[n].middlewares[n].name`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
| <a id="opt-routesn-middlewaresn-namespace" href="#opt-routesn-middlewaresn-namespace" title="#opt-routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | ""| No|
| <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
| <a id="opt-routesn-servicesn-name" href="#opt-routesn-servicesn-name" title="#opt-routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| <a id="opt-routesn-servicesn-port" href="#opt-routesn-servicesn-port" title="#opt-routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
| <a id="opt-routesn-servicesn-weight" href="#opt-routesn-servicesn-weight" title="#opt-routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
| <a id="opt-routesn-servicesn-proxyProtocol" href="#opt-routesn-servicesn-proxyProtocol" title="#opt-routesn-servicesn-proxyProtocol">`routes[n].services[n].proxyProtocol`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration. | | No |
| <a id="opt-routesn-servicesn-proxyProtocol-version" href="#opt-routesn-servicesn-proxyProtocol-version" title="#opt-routesn-servicesn-proxyProtocol-version">`routes[n].services[n].proxyProtocol.version`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version. | | No |
| <a id="opt-routesn-servicesn-serversTransport" href="#opt-routesn-servicesn-serversTransport" title="#opt-routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
| <a id="opt-routesn-servicesn-nativeLB" href="#opt-routesn-servicesn-nativeLB" title="#opt-routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
| Field | Description | Default | Required |
|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|-----------------------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names. | | No |
| <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes. | | Yes |
| <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/routing/rules-and-priority.md#rules) of the underlying router. | | Yes |
| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../tcp/routing/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching. | | No |
| <a id="opt-routesn-middlewaresn-name" href="#opt-routesn-middlewaresn-name" title="#opt-routesn-middlewaresn-name">`routes[n].middlewares[n].name`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
| <a id="opt-routesn-middlewaresn-namespace" href="#opt-routesn-middlewaresn-namespace" title="#opt-routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | ""| No|
| <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
| <a id="opt-routesn-servicesn-name" href="#opt-routesn-servicesn-name" title="#opt-routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
| <a id="opt-routesn-servicesn-port" href="#opt-routesn-servicesn-port" title="#opt-routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. | | Yes |
| <a id="opt-routesn-servicesn-weight" href="#opt-routesn-servicesn-weight" title="#opt-routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
| <a id="opt-routesn-servicesn-proxyProtocol" href="#opt-routesn-servicesn-proxyProtocol" title="#opt-routesn-servicesn-proxyProtocol">`routes[n].services[n].proxyProtocol`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration. | | No |
| <a id="opt-routesn-servicesn-proxyProtocol-version" href="#opt-routesn-servicesn-proxyProtocol-version" title="#opt-routesn-servicesn-proxyProtocol-version">`routes[n].services[n].proxyProtocol.version`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version. | | No |
| <a id="opt-routesn-servicesn-serversTransport" href="#opt-routesn-servicesn-serversTransport" title="#opt-routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. | | No |
| <a id="opt-routesn-servicesn-nativeLB" href="#opt-routesn-servicesn-nativeLB" title="#opt-routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
| <a id="opt-routesn-servicesn-nodePortLB" href="#opt-routesn-servicesn-nodePortLB" title="#opt-routesn-servicesn-nodePortLB">`routes[n].services[n].nodePortLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
| <a id="opt-tls-secretName" href="#opt-tls-secretName" title="#opt-tls-secretName">`tls.secretName`</a> | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
| <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
| <a id="opt-tls-options-name" href="#opt-tls-options-name" title="#opt-tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
| <a id="opt-tls-options-namespace" href="#opt-tls-options-namespace" title="#opt-tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
| <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains. | "" | No |
| <a id="opt-tls-domainsn-main" href="#opt-tls-domainsn-main" title="#opt-tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name. | "" | No |
| <a id="opt-tls-domainsn-sans" href="#opt-tls-domainsn-sans" title="#opt-tls-domainsn-sans">`tls.domains[n].sans`</a> | List of SANs (alternative domains). | "" | No |
| <a id="opt-tls-passthrough" href="#opt-tls-passthrough" title="#opt-tls-passthrough">`tls.passthrough`</a> | If `true`, delegates the TLS termination to the backend. | false | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. | | No |
| <a id="opt-tls-secretName" href="#opt-tls-secretName" title="#opt-tls-secretName">`tls.secretName`</a> | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
| <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](tlsoption.md). | "" | No |
| <a id="opt-tls-options-name" href="#opt-tls-options-name" title="#opt-tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](tlsoption.md) name. | "" | No |
| <a id="opt-tls-options-namespace" href="#opt-tls-options-namespace" title="#opt-tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](tlsoption.md) namespace. | "" | No |
| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
| <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains. | "" | No |
| <a id="opt-tls-domainsn-main" href="#opt-tls-domainsn-main" title="#opt-tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name. | "" | No |
| <a id="opt-tls-domainsn-sans" href="#opt-tls-domainsn-sans" title="#opt-tls-domainsn-sans">`tls.domains[n].sans`</a> | List of SANs (alternative domains). | "" | No |
| <a id="opt-tls-passthrough" href="#opt-tls-passthrough" title="#opt-tls-passthrough">`tls.passthrough`</a> | If `true`, delegates the TLS termination to the backend. | false | No |
### ExternalName Service

2
docs/content/reference/routing-configuration/kubernetes/crd/udp/ingressrouteudp.md
View file

@ -3,7 +3,7 @@ title: "IngressRouteUDP"
description: "Understand the routing configuration for the Kubernetes IngressRouteUDP & Traefik CRD"
---
`IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../../../udp/router/rules-priority.md).
`IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../../../udp/routing/rules-priority.md).
Before creating `IngressRouteUDP` objects, you need to apply the [Traefik Kubernetes CRDs](https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions) to your Kubernetes cluster.

6
docs/content/reference/routing-configuration/kubernetes/gateway-api.md
View file

@ -748,7 +748,6 @@ By default, NativeLB is `false`.
Note that it is possible to override the default value by using the option [`nativeLBByDefault`](../../install-configuration/providers/kubernetes/kubernetes-gateway.md) at the provider level.
```yaml
---
apiVersion: v1
kind: Service
metadata:
@ -757,7 +756,10 @@ metadata:
annotations:
traefik.io/service.nativelb: "true"
spec:
[...]
ports:
- name: web
port: 80
```
{!traefik-for-business-applications.md!}

14
docs/content/reference/routing-configuration/other-providers/consul-catalog.md
View file

@ -385,7 +385,7 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
??? info "`traefik.tcp.routers.<router_name>.rule`"
See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
```yaml
traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
@ -405,7 +405,7 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
```
??? info "`traefik.tcp.routers.<router_name>.priority`"
See [priority](../tcp/router/rules-and-priority.md#priority) for more information.
See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information.
```yaml
- "traefik.tcp.routers.mytcprouter.priority=42"
```
@ -460,7 +460,7 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
See [Passthrough](../tcp/tls.md#passthrough) for more information.
See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.passthrough=true
@ -485,14 +485,6 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.

14
docs/content/reference/routing-configuration/other-providers/docker.md
View file

@ -498,7 +498,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.rule`"
See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
```yaml
"traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
@ -565,7 +565,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
See [TLS](../tcp/tls.md#passthrough) for more information.
See [TLS](../tcp/tls.md#opt-passthrough) for more information.
```yaml
"traefik.tcp.routers.mytcprouter.tls.passthrough=true"
@ -573,7 +573,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.priority`"
See [priority](../tcp/router/rules-and-priority.md) for more information.
See [priority](../tcp/routing/rules-and-priority.md) for more information.
```yaml
"traefik.tcp.routers.mytcprouter.priority=42"
@ -597,14 +597,6 @@ You can declare TCP Routers and/or Services using labels.
"traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
```yaml
"traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.

12
docs/content/reference/routing-configuration/other-providers/ecs.md
View file

@ -454,7 +454,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
See [Passthrough](../tcp/tls.md#passthrough) for more information.
See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.passthrough=true
@ -462,7 +462,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.priority`"
See [priority](../tcp/router/rules-and-priority.md#priority) for more information.
See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information.
```yaml
traefik.tcp.routers.mytcprouter.priority=42
@ -494,14 +494,6 @@ You can declare TCP Routers and/or Services using labels.
traefik.http.services.myservice.loadbalancer.server.weight=42
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.

9
docs/content/reference/routing-configuration/other-providers/kv.md
View file

@ -140,7 +140,7 @@ You can declare TCP Routers and/or Services using KV.
| <a id="opt-traefiktcproutersmytcproutertlsdomains0sans1" href="#opt-traefiktcproutersmytcproutertlsdomains0sans1" title="#opt-traefiktcproutersmytcproutertlsdomains0sans1">`traefik/tcp/routers/mytcprouter/tls/domains/0/sans/1`</a> | See [TLS](../tcp/tls.md) for more information. | `dev.example.org` |
| <a id="opt-traefiktcproutersmytcproutertlsoptions" href="#opt-traefiktcproutersmytcproutertlsoptions" title="#opt-traefiktcproutersmytcproutertlsoptions">`traefik/tcp/routers/mytcprouter/tls/options`</a> | See [TLS](../tcp/tls.md) for more information. | `foobar` |
| <a id="opt-traefiktcproutersmytcproutertlspassthrough" href="#opt-traefiktcproutersmytcproutertlspassthrough" title="#opt-traefiktcproutersmytcproutertlspassthrough">`traefik/tcp/routers/mytcprouter/tls/passthrough`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
| <a id="opt-traefiktcproutersmytcprouterpriority" href="#opt-traefiktcproutersmytcprouterpriority" title="#opt-traefiktcproutersmytcprouterpriority">`traefik/tcp/routers/mytcprouter/priority`</a> | See [priority](../tcp/router/rules-and-priority.md#priority) for more information. | `42` |
| <a id="opt-traefiktcproutersmytcprouterpriority" href="#opt-traefiktcproutersmytcprouterpriority" title="#opt-traefiktcproutersmytcprouterpriority">`traefik/tcp/routers/mytcprouter/priority`</a> | See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information. | `42` |
#### Services
@ -148,10 +148,9 @@ You can declare TCP Routers and/or Services using KV.
|--------------------------------------------------------------------|--------------------------------------------------------------------|------------------|
| <a id="opt-traefiktcpservicesmytcpserviceloadbalancerservers0address" href="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0address" title="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0address">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/address`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `xx.xx.xx.xx:xx` |
| <a id="opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls" href="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls" title="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/tls`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `true` |
| <a id="opt-traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion" href="#opt-traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion" title="#opt-traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion">`traefik/tcp/services/mytcpservice/loadbalancer/proxyprotocol/version`</a> | See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information. | `1` |
| <a id="opt-traefiktcpservicesmyserviceloadbalancerserverstransport" href="#opt-traefiktcpservicesmyserviceloadbalancerserverstransport" title="#opt-traefiktcpservicesmyserviceloadbalancerserverstransport">`traefik/tcp/services/myservice/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |
| <a id="opt-traefiktcpservicesservice-nameweightedservices0name" href="#opt-traefiktcpservicesservice-nameweightedservices0name" title="#opt-traefiktcpservicesservice-nameweightedservices0name">`traefik/tcp/services/<service_name>/weighted/services/0/name`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `foobar` |
| <a id="opt-traefiktcpservicesservice-nameweightedservices0weight" href="#opt-traefiktcpservicesservice-nameweightedservices0weight" title="#opt-traefiktcpservicesservice-nameweightedservices0weight">`traefik/tcp/services/<service_name>/weighted/services/0/weight`</a> | See [Service](../tcp/service.md#weighted-round-robin-wrr) for more information. | `42` |
| <a id="opt-traefiktcpservicesservice-nameweightedservices0weight" href="#opt-traefiktcpservicesservice-nameweightedservices0weight" title="#opt-traefiktcpservicesservice-nameweightedservices0weight">`traefik/tcp/services/<service_name>/weighted/services/0/weight`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `42` |
#### Middleware
@ -205,8 +204,8 @@ You can declare UDP Routers and/or Services using KV.
| Key (Path) | Description | Value |
|------------------------------------------------------------------|------------------------------------------------------------------|-------|
| <a id="opt-traefikudproutersmyudprouterentrypoints0" href="#opt-traefikudproutersmyudprouterentrypoints0" title="#opt-traefikudproutersmyudprouterentrypoints0">`traefik/udp/routers/myudprouter/entrypoints/0`</a> | See [UDP Router](../udp/router/rules-priority.md#entrypoints) for more information. | `foobar` |
| <a id="opt-traefikudproutersmyudprouterservice" href="#opt-traefikudproutersmyudprouterservice" title="#opt-traefikudproutersmyudprouterservice">`traefik/udp/routers/myudprouter/service`</a> | See [UDP Router](../udp/router/rules-priority.md#configuration-example) for more information. | `foobar` |
| <a id="opt-traefikudproutersmyudprouterentrypoints0" href="#opt-traefikudproutersmyudprouterentrypoints0" title="#opt-traefikudproutersmyudprouterentrypoints0">`traefik/udp/routers/myudprouter/entrypoints/0`</a> | See [UDP Router](../udp/routing/rules-priority.md#entrypoints) for more information. | `foobar` |
| <a id="opt-traefikudproutersmyudprouterservice" href="#opt-traefikudproutersmyudprouterservice" title="#opt-traefikudproutersmyudprouterservice">`traefik/udp/routers/myudprouter/service`</a> | See [UDP Router](../udp/routing/rules-priority.md#configuration-example) for more information. | `foobar` |
#### Services

14
docs/content/reference/routing-configuration/other-providers/nomad.md
View file

@ -377,7 +377,7 @@ You can declare TCP Routers and/or Services using tags.
??? info "`traefik.tcp.routers.<router_name>.rule`"
See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
```yaml
traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
@ -398,7 +398,7 @@ You can declare TCP Routers and/or Services using tags.
??? info "`traefik.tcp.routers.<router_name>.priority`"
See [priority](../tcp/router/rules-and-priority.md#priority) for more information.
See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information.
```yaml
traefik.tcp.routers.myrouter.priority=42
@ -454,7 +454,7 @@ You can declare TCP Routers and/or Services using tags.
??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
See [Passthrough](../tcp/tls.md#passthrough) for more information.
See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
```yaml
traefik.tcp.routers.mytcprouter.tls.passthrough=true
@ -478,14 +478,6 @@ You can declare TCP Routers and/or Services using tags.
traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
```yaml
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.

14
docs/content/reference/routing-configuration/other-providers/swarm.md
View file

@ -520,7 +520,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.rule`"
See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
```yaml
- "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
@ -589,7 +589,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
See [Passthrough](../tcp/tls.md#passthrough) for more information.
See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
```yaml
- "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
@ -597,7 +597,7 @@ You can declare TCP Routers and/or Services using labels.
??? info "`traefik.tcp.routers.<router_name>.priority`"
See [priority](../tcp/router/rules-and-priority.md) for more information.
See [priority](../tcp/routing/rules-and-priority.md) for more information.
```yaml
- "traefik.tcp.routers.myrouter.priority=42"
@ -621,14 +621,6 @@ You can declare TCP Routers and/or Services using labels.
- "traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
```yaml
- "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
```
??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.

34
docs/content/reference/routing-configuration/tcp/routing/router.md
View file

@ -26,6 +26,11 @@ tcp:
tls:
passthrough: false
certResolver: "letsencrypt"
options: "modern-tls"
domains:
- main: "example.com"
sans:
- "www.example.com"
service: my-tcp-service
```
@ -41,6 +46,11 @@ tcp:
[tcp.routers.my-tcp-router.tls]
passthrough = false
certResolver = "letsencrypt"
options = "modern-tls"
[[tcp.routers.my-tcp-router.tls.domains]]
main = "example.com"
sans = ["www.example.com"]
```
```yaml tab="Labels"
@ -51,6 +61,9 @@ labels:
- "traefik.tcp.routers.my-tcp-router.middlewares=tcp-ipallowlist"
- "traefik.tcp.routers.my-tcp-router.tls.certresolver=letsencrypt"
- "traefik.tcp.routers.my-tcp-router.tls.passthrough=false"
- "traefik.tcp.routers.my-tcp-router.tls.options=modern-tls"
- "traefik.tcp.routers.my-tcp-router.tls.domains[0].main=example.com"
- "traefik.tcp.routers.my-tcp-router.tls.domains[0].sans=www.example.com"
- "traefik.tcp.routers.my-tcp-router.service=my-tcp-service"
```
@ -63,6 +76,9 @@ labels:
"traefik.tcp.routers.my-tcp-router.middlewares=tcp-ipallowlist",
"traefik.tcp.routers.my-tcp-router.tls.certresolver=letsencrypt",
"traefik.tcp.routers.my-tcp-router.tls.passthrough=false",
"traefik.tcp.routers.my-tcp-router.tls.options=modern-tls",
"traefik.tcp.routers.my-tcp-router.tls.domains[0].main=example.com",
"traefik.tcp.routers.my-tcp-router.tls.domains[0].sans=www.example.com",
"traefik.tcp.routers.my-tcp-router.service=my-tcp-service"
]
}
@ -70,17 +86,19 @@ labels:
## Configuration Options
| Field | Description | Default | Required |
|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, TCP routers are attached to all TCP entry points. | All TCP entry points | No |
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the connection to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [TCP Middlewares overview](../middlewares/overview.md) for available TCP middlewares. | | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle TLS connections. See [TLS configuration](../tls.md) for detailed TLS options. | | No |
| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched connections. Services can be load balancer services or weighted round robin services. See [TCP Service](../service.md) for details. | | Yes |
| Field | Description | Default | Required |
|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|----------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, TCP routers are attached to all TCP entry points. | All TCP entry points | No |
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the connection to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [TCP Middlewares overview](../middlewares/overview.md) for available TCP middlewares. | | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle TLS connections. See [TLS configuration](../tls.md) for detailed TLS options. | | No |
| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched connections. Services can be load balancer services or weighted round robin services. See [TCP Service](../service.md) for details. | | Yes |
## Router Naming
- The character `@` is not authorized in the router name
- Router names should be descriptive and follow your naming conventions
- In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
{!traefik-for-business-applications.md!}

5
docs/content/reference/routing-configuration/tcp/serverstransport.md
View file

@ -84,8 +84,8 @@ labels:
## Configuration Options
| Field | Description | Default | Required |
|:----------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| Field | Description | Default | Required |
|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| <a id="opt-serverstransport-dialTimeout" href="#opt-serverstransport-dialTimeout" title="#opt-serverstransport-dialTimeout">`serverstransport.`<br />`dialTimeout`</a> | Defines the timeout when dialing the backend TCP service. If zero, no timeout exists. | 30s | No |
| <a id="opt-serverstransport-dialKeepAlive" href="#opt-serverstransport-dialKeepAlive" title="#opt-serverstransport-dialKeepAlive">`serverstransport.`<br />`dialKeepAlive`</a> | Defines the interval between keep-alive probes for an active network connection. | 15s | No |
| <a id="opt-serverstransport-terminationDelay" href="#opt-serverstransport-terminationDelay" title="#opt-serverstransport-terminationDelay">`serverstransport.`<br />`terminationDelay`</a> | Sets the time limit for the proxy to fully terminate connections on both sides after initiating the termination sequence, with a negative value indicating no deadline. More Information [here](#terminationdelay) | 100ms | No |
@ -97,6 +97,7 @@ labels:
| <a id="opt-serverstransport-tls-insecureSkipVerify" href="#opt-serverstransport-tls-insecureSkipVerify" title="#opt-serverstransport-tls-insecureSkipVerify">`serverstransport.`<br />`tls`<br />`.insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false | No |
| <a id="opt-serverstransport-tls-rootcas" href="#opt-serverstransport-tls-rootcas" title="#opt-serverstransport-tls-rootcas">`serverstransport.`<br />`tls`<br />`.rootcas`</a> | Defines the root certificate authorities to use when verifying server certificates. (for mTLS connections). | | No |
| <a id="opt-serverstransport-tls-peerCertURI" href="#opt-serverstransport-tls-peerCertURI" title="#opt-serverstransport-tls-peerCertURI">`serverstransport.`<br />`tls.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | false | No |
| <a id="opt-serverstransport-spiffe" href="#opt-serverstransport-spiffe" title="#opt-serverstransport-spiffe">`serverstransport.`<br />`spiffe`</a> | Defines the SPIFFE configuration. An empty `spiffe` section enables SPIFFE (that allows any SPIFFE ID). | | No |
| <a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe`<br />`.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | | No |
| <a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe`<br />`.trustDomain`</a> | Allow SPIFFE trust domain. | "" | No |

36
docs/content/reference/routing-configuration/tcp/tls.md
View file

@ -5,7 +5,7 @@ description: "Learn how to configure the transport layer security (TLS) connecti
## General
When a router is configured to handle HTTPS traffic, include a `tls` field in its definition. This field tells Traefik that the router should process only TLS requests and ignore non-TLS traffic.
When a TCP router is configured to handle TLS traffic, include a `tls` field in its definition. This field tells Traefik that the router should process only TLS connections and ignore non-TLS traffic.
By default, a router with a TLS field will terminate the TLS connections, meaning that it will send decrypted data to the services.
@ -94,11 +94,33 @@ labels:
## Configuration Options
| Field | Description | Default | Required |
|:------------------|:--------------------|:-----------------------------------------------|:---------|
| <a id="opt-passthrough" href="#opt-passthrough" title="#opt-passthrough">`passthrough`</a> | Defines whether the requests should be forwarded "as is", keeping all data encrypted. | false | No |
| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../http/tls/tls-certificates.md#tls-options) and will be applied only if a `HostSNI` rule is defined. | "" | No |
| <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | Defines a set of SANs (alternative domains) for each main domain. Every domain must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request.| [] | No |
| <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | If defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules. | "" | No |
| Field | Description | Default | Required |
|:-----------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
| <a id="opt-passthrough" href="#opt-passthrough" title="#opt-passthrough">`passthrough`</a> | Defines whether the requests should be forwarded "as is", keeping all data encrypted. | false | No |
| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../http/tls/tls-options.md) and will be applied only if a `HostSNI` rule is defined. | "" | No |
| <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation via ACME providers (such as Let's Encrypt). See the [Certificate Resolver](./#certificate-resolver) section for more details. | "" | No |
| <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. See the [Custom Domains](./#custom-domains) section for more details. | [] | No |
## Certificate Resolver
The `tls.certResolver` option allows you to specify a certificate resolver for automatic certificate generation via ACME providers (such as Let's Encrypt).
When a certificate resolver is configured for a router,
Traefik will automatically obtain and manage TLS certificates for the domains specified in the router's rule (in the `HostSNI` matcher) or in the `tls.domains` configuration (with `tls.domains` taking precedence).
!!! important "Prerequisites"
- Certificate resolvers must be defined in the [static configuration](../../install-configuration/tls/certificate-resolvers/acme.md)
- The router must have `tls` enabled
- An ACME challenge type must be configured for the certificate resolver
## Custom Domains
When using ACME certificate resolvers, domains are automatically extracted from router rules,
but the `tls.domains` option allows you to explicitly specify the domains and Subject Alternative Names (SANs) for which certificates should be generated.
This provides fine-grained control over certificate generation and takes precedence over domains automatically extracted from router rules.
Every domain must have A/AAAA records pointing to Traefik.
{!traefik-for-business-applications.md!}

2
docs/content/reference/routing-configuration/udp/routing/router.md
View file

@ -60,7 +60,7 @@ Even though UDP is connectionless, Traefik's UDP router implementation relies on
Each session has an associated timeout that cleans up inactive sessions after a specified duration of inactivity.
Session timeout can be configured using the `entryPoints.name.udp.timeout` option in the static configuration. See [EntryPoints documentation](../../install-configuration/entrypoints.md) for details.
Session timeout can be configured using the `entryPoints.name.udp.timeout` option in the static configuration. See [EntryPoints documentation](../../../install-configuration/entrypoints.md) for details.
## Router Naming