homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Documentation Revamp

Browse source 
Co-authored-by: jbdoumenjou <jb.doumenjou@gmail.com>
This commit is contained in:
Gérald Croës 2019-02-26 05:50:07 -08:00 committed by Traefiker Bot
parent 848e45c22c
commit ac6b11037d
174 changed files with 5858 additions and 4002 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
docs/content/assets/img/architecture-overview.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 458 KiB

BIN
docs/content/assets/img/dashboard-health.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 208 KiB

BIN
docs/content/assets/img/dashboard-main.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 274 KiB

BIN
docs/content/assets/img/entrypoints.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 383 KiB

BIN
docs/content/assets/img/middleware/addprefix.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
docs/content/assets/img/middleware/authforward.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 92 KiB

BIN
docs/content/assets/img/middleware/basicauth.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
docs/content/assets/img/middleware/buffering.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
docs/content/assets/img/middleware/chain.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
docs/content/assets/img/middleware/circuitbreaker.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
docs/content/assets/img/middleware/compress.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
docs/content/assets/img/middleware/digestauth.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
docs/content/assets/img/middleware/errorpages.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 120 KiB

BIN
docs/content/assets/img/middleware/headers.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
docs/content/assets/img/middleware/ipwhitelist.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
docs/content/assets/img/middleware/maxconnection.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 63 KiB

BIN
docs/content/assets/img/middleware/overview.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 307 KiB

BIN
docs/content/assets/img/middleware/ratelimit.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
docs/content/assets/img/providers.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 385 KiB

BIN
docs/content/assets/img/providers/docker.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 228 KiB

BIN
docs/content/assets/img/quickstart-diagram.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 289 KiB

BIN
docs/content/assets/img/routers.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 354 KiB

BIN
docs/content/assets/img/services.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 339 KiB

BIN
docs/content/assets/img/static-dynamic-configuration.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 386 KiB

BIN
docs/content/assets/img/traefik-architecture.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 452 KiB

BIN
docs/content/assets/img/traefik-concepts-1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 182 KiB

BIN
docs/content/assets/img/traefik-concepts-2.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 209 KiB

BIN
docs/content/assets/img/traefik.icon.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 2 KiB

BIN
docs/content/assets/img/traefik.logo.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 34 KiB

4
docs/content/assets/js/extra.js Normal file
View file

@ -0,0 +1,4 @@
/* Highlight */
(function(hljs) {
hljs.initHighlightingOnLoad();
})(hljs);

24
docs/content/assets/js/hljs/LICENSE Normal file
View file

@ -0,0 +1,24 @@
Copyright (c) 2006, Ivan Sagalaev
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of highlight.js nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

2
docs/content/assets/js/hljs/highlight.pack.js Normal file
View file

File diff suppressed because one or more lines are too long

96
docs/content/assets/styles/atom-one-light.css Normal file
View file

@ -0,0 +1,96 @@
/*
Atom One Light by Daniel Gamage
Original One Light Syntax theme from https://github.com/atom/one-light-syntax
base: #fafafa
mono-1: #383a42
mono-2: #686b77
mono-3: #a0a1a7
hue-1: #0184bb
hue-2: #4078f2
hue-3: #a626a4
hue-4: #50a14f
hue-5: #e45649
hue-5-2: #c91243
hue-6: #986801
hue-6-2: #c18401
*/
.hljs {
display: block;
overflow-x: auto;
padding: 0.5em;
color: #383a42;
background: #fafafa;
}
.hljs-comment,
.hljs-quote {
color: #a0a1a7;
font-style: italic;
}
.hljs-doctag,
.hljs-keyword,
.hljs-formula {
color: #a626a4;
}
.hljs-section,
.hljs-name,
.hljs-selector-tag,
.hljs-deletion,
.hljs-subst {
color: #e45649;
}
.hljs-literal {
color: #0184bb;
}
.hljs-string,
.hljs-regexp,
.hljs-addition,
.hljs-attribute,
.hljs-meta-string {
color: #50a14f;
}
.hljs-built_in,
.hljs-class .hljs-title {
color: #c18401;
}
.hljs-attr,
.hljs-variable,
.hljs-template-variable,
.hljs-type,
.hljs-selector-class,
.hljs-selector-attr,
.hljs-selector-pseudo,
.hljs-number {
color: #986801;
}
.hljs-symbol,
.hljs-bullet,
.hljs-link,
.hljs-meta,
.hljs-selector-id,
.hljs-title {
color: #4078f2;
}
.hljs-emphasis {
font-style: italic;
}
.hljs-strong {
font-weight: bold;
}
.hljs-link {
text-decoration: underline;
}

59
docs/content/assets/styles/extra.css Normal file
View file

@ -0,0 +1,59 @@
@import url('https://fonts.googleapis.com/css?family=Noto+Sans|Noto+Serif');
.md-logo img {
background-color: white;
border-radius: 50%;
width: 30px;
height: 30px;
}
/* Fix for Chrome */
.md-typeset__table td code {
word-break: unset;
}
.md-typeset__table tr :nth-child(1) {
word-wrap: break-word;
max-width: 30em;
}
body {
font-family: 'Noto Sans', sans-serif;
}
h1 {
font-weight: bold !important;
color: rgba(0,0,0,.9) !important;
}
h2 {
font-weight: bold !important;
}
h3 {
font-weight: bold !important;
}
figcaption {
text-align: center;
font-size: 0.8em;
font-style: italic;
color: #8D909F;
}
p.subtitle {
color: rgba(0,0,0,.54);
padding-top: 0;
margin-top: -2em;
font-weight: bold;
font-size: 1.25em;
}
.markdown-body .task-list-item {
list-style-type: none !important;
}
.markdown-body .task-list-item input[type="checkbox"] {
margin: 0 4px 0.25em -20px;
vertical-align: middle;
}

10
docs/content/contributing/advocating.md Normal file
View file

@ -0,0 +1,10 @@
# Advocating
Spread the Love & Tell Us about It
{: .subtitle }
There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).

181
docs/content/contributing/building-testing.md Normal file
View file

@ -0,0 +1,181 @@
# Building and Testing
Compile and Test Your Own Traefik!
{: .subtitle }
So you want to build your own Traefik binary from the sources?
Let's see how.
## Building
You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
For changes to its dependencies, the `dep` dependency management tool is required.
### Method 1: Using `Docker` and `Makefile`
Run make with the `binary` target.
This will create binaries for the Linux platform in the `dist` folder.
```bash
$ make binary
docker build -t traefik-webui -f webui/Dockerfile webui
Sending build context to Docker daemon 2.686MB
Step 1/11 : FROM node:8.15.0
---> 1f6c34f7921c
[...]
Successfully built ce4ff439c06a
Successfully tagged traefik-webui:latest
[...]
docker build -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
Sending build context to Docker daemon 279MB
Step 1/10 : FROM golang:1.11-alpine
---> f4bfb3d22bda
[...]
Successfully built 5c3c1a911277
Successfully tagged traefik-dev:4475--feature-documentation
docker run -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
---> Making bundle: generate (in .)
removed 'autogen/gentemplates/gen.go'
removed 'autogen/genstatic/gen.go'
---> Making bundle: binary (in .)
$ ls dist/
traefik*
```
### Method 2: Using `go`
You need `go` v1.9+.
!!! tip "Source Directory"
It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
!!! note "Environment"
Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
```bash
export GOPATH=~/go
export PATH=$PATH:$GOPATH/bin
```
For convenience, add `GOPATH` and `PATH` to your `.bashrc` or `.bash_profile`
Verify your environment is setup properly by running `$ go env`.
Depending on your OS and environment, you should see an output similar to:
```bash
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/<yourusername>/go"
GORACE=""
## ... and the list goes on
```
#### Build Traefik
Once you've set up your go environment and cloned the source repository, you can build Traefik.
Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
```bash
cd ~/go/src/github.com/containous/traefik
# Get go-bindata. (Important: the ellipses are required.)
go get github.com/containous/go-bindata/...
# Let's build
# generate
# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
go generate
# Standard go build
go build ./cmd/traefik
```
You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
### Updating the templates
If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
### Setting up dependency management
The [dep](https://github.com/golang/dep) command is not required for building;
however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages).
You need [dep](https://github.com/golang/dep) >= 0.5.0.
If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
The final result must be committed into VCS.
Here's a full example using dep to add a new dependency:
```bash
# install the new main dependency github.com/foo/bar and minimize vendor size
$ dep ensure -add github.com/foo/bar
# generate (Only required to integrate other components such as web dashboard)
$ go generate
# Standard go build
$ go build ./cmd/traefik
```
## Testing
### Method 1: `Docker` and `make`
Run unit tests using the `test-unit` target.
Run integration tests using the `test-integration` target.
Run all tests (unit and integration) using the `test` target.
```bash
$ make test-unit
docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
# […]
docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
---> Making bundle: generate (in .)
removed 'gen.go'
---> Making bundle: test-unit (in .)
+ go test -cover -coverprofile=cover.out .
ok github.com/containous/traefik 0.005s coverage: 4.1% of statements
Test success
```
For development purposes, you can specify which tests to run by using (only works the `test-integration` target):
```bash
# Run every tests in the MyTest suite
TESTFLAGS="-check.f MyTestSuite" make test-integration
# Run the test "MyTest" in the MyTest suite
TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
# Run every tests starting with "My", in the MyTest suite
TESTFLAGS="-check.f MyTestSuite.My" make test-integration
# Run every tests ending with "Test", in the MyTest suite
TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
```
More: https://labix.org/gocheck
### Method 2: `go`
Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
```test
ok _/home/user/go/src/github/containous/traefik 0.004s
```
Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.

112
docs/content/contributing/data-collection.md Normal file
View file

@ -0,0 +1,112 @@
# Data Collection
Understanding How Traefik is Being Used
{: .subtitle }
## Configuration Example
**By default, this feature is disabled;** but to allow us understand better how you use Traefik, please enable the data collection option.
??? example "Enabling Data Collection with TOML"
```toml
[Global]
# Send anonymous usage data
# Default: false
#
sendAnonymousUsage = true
```
??? example "Enabling Data Collection with the CLI"
```bash
./traefik --sendAnonymousUsage=true
```
## Collected Data
This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
### What's collected / when ?
Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
- the Traefik version number
- a hash of the configuration
- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
!!! note
We do not collect the dynamic configuration information (routers & services).
We do not collect these data to run advertising programs.
We do not sell these data to third-parties.
### Example of Collected Data
??? example "Original configuration"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[api]
[Docker]
endpoint = "tcp://10.10.10.10:2375"
domain = "foo.bir"
exposedByDefault = true
swarmMode = true
[Docker.TLS]
ca = "dockerCA"
cert = "dockerCert"
key = "dockerKey"
insecureSkipVerify = true
[ECS]
domain = "foo.bar"
exposedByDefault = true
clusters = ["foo-bar"]
region = "us-west-2"
accessKeyID = "AccessKeyID"
secretAccessKey = "SecretAccessKey"
```
??? example "Resulting Obfuscated Configuration"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[api]
[Docker]
endpoint = "xxxx"
domain = "xxxx"
exposedByDefault = true
swarmMode = true
[Docker.TLS]
ca = "xxxx"
cert = "xxxx"
key = "xxxx"
insecureSkipVerify = false
[ECS]
domain = "xxxx"
exposedByDefault = true
clusters = []
region = "us-west-2"
accessKeyID = "xxxx"
secretAccessKey = "xxxx"
```
## The Code for Data Collection
If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go)
By default we anonymize all configuration fields, except fields tagged with `export=true`.

100
docs/content/contributing/documentation.md Normal file
View file

@ -0,0 +1,100 @@
# Documentation
Features Are Better When You Know How to Use Them
{: .subtitle }
You've found something unclear in the documentation and want to give a try at explaining it better?
Let's see how.
## Building Documentation
### General
This [documentation](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/).
### Method 1: `Docker` and `make`
You can build the documentation and test it locally (with live reloading), using the `docs` target:
```bash
$ make docs
docker build -t traefik-docs -f docs.Dockerfile .
# […]
docker run --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
# […]
[I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
[I 170828 20:47:48 handlers:60] Start watching changes
[I 170828 20:47:48 handlers:62] Start detecting changes
```
!!! tip "Default URL"
Your local documentation server will run by default on [http://127.0.0.1:8000](http://127.0.0.1:8000).
If you only want to build the documentation without serving it locally, you can use the following command:
```bash
$ make docs-build
...
```
### Method 2: `mkdocs`
First, make sure you have `python` and `pip` installed.
```bash
$ python --version
Python 2.7.2
$ pip --version
pip 1.5.2
```
Then, install mkdocs with `pip`.
```bash
pip install --user -r requirements.txt
```
To build the documentation locally and serve it locally, run `mkdocs serve` from the root directory.
This will start a local server.
```bash
$ mkdocs serve
INFO - Building documentation...
INFO - Cleaning site directory
[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
[I 160505 22:31:24 handlers:59] Start watching changes
[I 160505 22:31:24 handlers:61] Start detecting changes
```
### Check the Documentation
To check that the documentation meets standard expectations (no dead links, html markup validity, ...), use the `docs-verify` target.
```bash
$ make docs-verify
docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
...
docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
=== Checking HTML content...
Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
```
!!! note "Clean & Verify"
If you've made changes to the documentation, it's safter to clean it before verifying it.
```bash
$ make docs-clean docs-verify
...
```
!!! note "Disabling Documentation Verification"
Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
```shell
DOCS_VERIFY_SKIP=true make docs-verify
...
DOCS_LINT_SKIP is true: no linting done.
```

45
docs/content/contributing/submitting-issues.md Normal file
View file

@ -0,0 +1,45 @@
# Submitting Issues
Help Us Help You!
{: .subtitle }
We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik.
The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
To save us some time and get quicker feedback, be sure to follow the guide lines below.
!!! important "Getting Help Vs Reporting an Issue"
The issue tracker is not a general support forum, but a place to report bugs and asks for new features.
For end-user related support questions, try using first:
- the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
## Issue Title
The title must be short and descriptive. (~60 characters)
## Description
Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible, and make use of the `traefik bug` command if you can (see the [video on Youtube](https://www.youtube.com/watch?v=Lyz62L8m93I)).
Explain us in which conditions you encountered the issue, what is your context.
Remain as clear and concise as possible
Take time to polish the format of your message so we'll enjoy reading it and working on it.
Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
## Feature Request
Traefik is an open-source project and aims to be the best edge router possible.
Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
Do you best to explain what you're looking for, and why it would improve Traefik for everyone.
## International English
Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.

45
docs/content/contributing/submitting-pull-requests.md Normal file
View file

@ -0,0 +1,45 @@
# Submitting Pull Requests
A Quick Guide for Efficient Contributions
{: .subtitle }
So you've decide to improve Traefik?
Thank You!
Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
Let's go though the classic pitfalls to make sure everything is right.
## Title
The title must be short and descriptive. (~60 characters)
## Description
Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
Explain the conditions which led you to write this PR: give us context.
The context should lead to something, an idea or a problem that youre facing.
Remain clear and concise.
Take time to polish the format of your message so we'll enjoy reading it and working on it.
Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
## PR Content
- Make it small.
- One feature per Pull Request.
- Write useful descriptions and titles.
- Avoid re-formatting code that is not on the path of your PR.
- Make sure the [code builds](building-testing.md).
- Make sure [all tests pass](building-testing.md).
- Add tests.
- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
!!! note "third-party dependencies"
If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
!!! tip "10 Tips for Better Pull Requests"
We enjoyed this article, maybe you will too! [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).

10
docs/content/contributing/thank-you.md Normal file
View file

@ -0,0 +1,10 @@
# Thank You!
_You_ Made It
{: .subtitle}
Traefik truly is an [open-source project](https://github.com/containous/traefik/),
and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
So once again, thank you for your invaluable help on making Traefik such a good product.

35
docs/content/getting-started/concepts.md Normal file
View file

@ -0,0 +1,35 @@
# Concepts
Everything You Need to Know
{: .subtitle }
## Edge Router
Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the [path](../../routing/routers/#rule), the [host](../../routing/routers/#rule), [headers](../../routing/routers/#rule), [and so on](../../routing/routers/#rule) ...).
![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
## Auto Service Discovery
Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves.
Deploying your services, you attach information that tell Traefik the characteristics of the requests the services can handle.
![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
The opposite is true: when you remove a service from your infrastructure, the route will disapear accordingly.
You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
!!! note "Many different rules"
In the example above, we used the request [path](../routing/routers.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers.md#rule).
!!! note "Updating the requests"
In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
!!! question "How does Traefik discover the services?"
Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.

81
docs/content/getting-started/configuration-overview.md Normal file
View file

@ -0,0 +1,81 @@
# Configuration Overview
How the Magic Happens
{: .subtitle }
![Configuration](../assets/img/static-dynamic-configuration.png)
Configuration in Traefik can refer to two different things:
- The fully dynamic routing configuration (referred to as the _dynamic configuration_)
- The startup configuration (referred to as the _static configuration_)
Elements in the _static configuration_ set up connections to [providers](../../providers/overview/) and define the [entrypoints](../../routing/entrypoints/) Traefik will listen to (these elements don't change often).
The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
This configuration can change and is seamlessly hot-reloaded, without any request interuption or connection loss.
## The Dynamic Configuration
Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): wether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
!!! Note
In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
!!! Note
HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance.
## The Static Configuration
There are three different locations where you can define static configuration options in Traefik:
- In a key-value store
- In the command-line arguments
- In a configuration file
If you don't provide a value for a given option, default values apply.
!!! important "Precedence Order"
The following precedence order applies for configuration options: key-value > command-line > configuration file.
It means that arguments override configuration file, and key-value store overrides arguments.
!!! important "Default Values"
Some root options are enablers: they set default values for all their children.
For example, the `--providers.docker` option enables the docker provider.
Once positioned, this option sets (and resets) all the default values under the root `providers.docker`.
If you define child options using a lesser precedence configuration source, they will be overwritten by the default values.
### Configuration File
At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$HOME/.traefik/`, and `.` (_the working directory_).
You can override this using the `configFile` argument.
```bash
traefik --configFile=foo/bar/myconfigfile.toml
```
### Arguments
Use `traefik --help` to get the list of the available arguments.
### Key-Value Stores
Traefik supports several Key-value stores:
- [Consul](https://consul.io)
- [etcd](https://coreos.com/etcd/)
- [ZooKeeper](https://zookeeper.apache.org/)
- [boltdb](https://github.com/boltdb/bolt)
## Available Configuration Options
All the configuration options are documented in their related section.
You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.

109
docs/content/getting-started/quick-start.md Normal file
View file

@ -0,0 +1,109 @@
# Quick Start
A Simple Use Case Using Docker
{: .subtitle }
![quickstart-diagram](../assets/img/quickstart-diagram.png)
!!! tip
To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik).
The quickstart files are located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory.
## Launch Traefik With the Docker Provider
Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
```yaml
version: '3'
services:
reverse-proxy:
image: traefik # The official Traefik docker image
command: --api --docker # Enables the web UI and tells Traefik to listen to docker
ports:
- "80:80" # The HTTP port
- "8080:8080" # The Web UI (enabled by --api)
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
```
**That's it. Now you can launch Traefik!**
Start your `reverse-proxy` with the following command:
```shell
docker-compose up -d reverse-proxy
```
You can open a browser and go to [http://localhost:8080](http://localhost:8080) to see Traefik's dashboard (we'll go back there once we have launched a service in step 2).
## Traefik Detects New Services and Creates the Route for You
Now that we have a Traefik instance up and running, we will deploy new services.
Edit your `docker-compose.yml` file and add the following at the end of your file.
```yaml
# ...
whoami:
image: containous/whoami # A container that exposes an API to show its IP address
labels:
- "traefik.router.rule=Host:whoami.docker.localhost"
```
The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
Start the `whoami` service with the following command:
```shell
docker-compose up -d whoami
```
Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new container and updated its own configuration.
When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_ (Here, we're using curl)
```shell
curl -H Host:whoami.docker.localhost http://127.0.0.1
```
_Shows the following output:_
```yaml
Hostname: a656c8ddca6c
IP: 172.27.0.3
#...
```
## More Instances? Traefik Load Balances Them
Run more instances of your `whoami` service with the following command:
```shell
docker-compose up -d --scale whoami=2
```
Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Traefik has automatically detected the new instance of the container.
Finally, see that Traefik load-balances between the two instances of your services by running twice the following command:
```shell
curl -H Host:whoami.docker.localhost http://127.0.0.1
```
The output will show alternatively one of the followings:
```yaml
Hostname: a656c8ddca6c
IP: 172.27.0.3
#...
```
```yaml
Hostname: s458f154e1f1
IP: 172.27.0.4
# ...
```
!!! question "Where to Go Next?"
Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!

22
docs/content/glossary.md Normal file
View file

@ -0,0 +1,22 @@
# TODO -- Glossary
Where Every Technical Word finds its Definition`
{: .subtitle}
- [ ] Provider
- [ ] Types of providers (KV, annotation based, label based, configuration based)
- [ ] Entrypoint
- [ ] Routers
- [ ] Middleware
- [ ] Service
- [ ] Static Configuration
- [ ] Dynamic Configuration
- [ ] ACME
- [ ] TraefikEE
- [ ] Tracing
- [ ] Metrics
- [ ] Orchestrator
- [ ] Key Value Store
- [ ] Logs
- [ ] Traefiker
- [ ] Traefik (How to pronounce)

4
docs/content/includes/.markdownlint.json Normal file
View file

@ -0,0 +1,4 @@
{
"extends": "../../.markdownlint.json",
"MD041": false
}

1
docs/content/includes/more-on-command-line.md Normal file
View file

@ -0,0 +1 @@
To learn more about configuration options in the command line, refer to the [configuration overview](../getting-started/configuration-overview.md)

1
docs/content/includes/more-on-configuration-file.md Normal file
View file

@ -0,0 +1 @@
To learn more about the configuration file, refer to [configuration overview](../getting-started/configuration-overview.md)

2
docs/content/includes/more-on-entrypoints.md Normal file
View file

@ -0,0 +1,2 @@
!!! info "More On Entrypoints"
Learn more about entrypoints and their configuration options in the dedicated section.

1
docs/content/includes/more-on-key-value-store.md Normal file
View file

@ -0,0 +1 @@
To learn more about configuration in key-value stores, refer to the [configuration overview](../getting-started/configuration-overview.md)

2
docs/content/includes/more-on-routers.md Normal file
View file

@ -0,0 +1,2 @@
!!! info "More On Routers"
Learn more about routers and their configuration options in the [dedicated section](../routing/routers.md).

23
docs/content/index.md Normal file
View file

@ -0,0 +1,23 @@
# Welcome
![Architecture](assets/img/traefik-architecture.png)
Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience.
It receives requests on behalf of your system and finds out which components are responsible for handling them.
What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services.
The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
Developing Traefik, our main goal is to make it simple to use, and we're sure you'll enjoy it.
-- The Traefik Maintainer Team
!!! Note
If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.

33
docs/content/middlewares/addprefix.md Normal file
View file

@ -0,0 +1,33 @@
# Add Prefix
Prefixing the Path
{: .subtitle }
![AddPrefix](../assets/img/middleware/addprefix.png)
The AddPrefix middleware updates the URL Path of the request before forwarding it.
## Configuration Examples
??? example "File -- Prefixing with /foo"
```toml
[Middlewares]
[Middlewares.add-foo.AddPrefix]
prefix = "/foo"
```
??? example "Docker -- Prefixing with /bar"
```yaml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.add-bar.addprefix.prefix=/bar"
```
## Configuration Options
### prefix
`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).

83
docs/content/middlewares/basicauth.md Normal file
View file

@ -0,0 +1,83 @@
# BasicAuth
Adding Basic Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/basicauth.png)
The BasicAuth middleware is a quick way to restrict access to your services to known users.
## Configuration Examples
??? example "File -- Declaring the user list"
```toml
[Middlewares]
[Middlewares.test-auth.basicauth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
```
??? example "Docker -- Using an external file for the authorized users"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.declared-users-only.basicauth.usersFile=path-to-file.ext",
```
## Configuration Options
### General
Passwords must be encoded using MD5, SHA1, or BCrypt.
!!! tip
Use `htpasswd` to generate the passwords.
### users
The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
!!! Note
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### usersFile
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
The file content is a list of `name:encoded-password`.
??? example "A file containing test/test and test2/test2"
```
test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
```
!!! Note
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### realm
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### headerField
You can customize the header field for the authenticated user using the `headerField`option.
??? example "File -- Passing Authenticated Users to Services Via Headers"
```toml
[Middlewares.my-auth.basicauth]
usersFile = "path-to-file.ext"
headerField = "X-WebAuth-User" # header for the authenticated user
```
### removeHeader
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

69
docs/content/middlewares/buffering.md Normal file
View file

@ -0,0 +1,69 @@
# Buffering
How to Read the Request before Forwarding It
{: .subtitle }
![Buffering](../assets/img/middleware/buffering.png)
The Buffering middleware gives you control on how you want to read the requests before sending them to services.
With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
## Configuration Examples
??? example "File -- Sets the maximum request body to 2Mb"
```toml
[Middlewares]
[Middlewares.2Mb-limit.buffering]
maxRequestBodyBytes = 250000
```
??? example "Docker -- Buffers 1Mb of the request in memory, then writes to disk"
```yaml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.1Mb-memory.buffering.memRequestBodyBytes=125000",
```
## Configuration Options
### maxRequestBodyBytes
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
### memRequestBodyBytes
You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
### maxResponseBodyBytes
With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
### memResponseBodyBytes
You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
### retryExpression
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
!!! example "Retries once in case of a network error"
```
retryExpression = "IsNetworkError() && Attempts() < 2"
```
Available functions for the retry expression are:
- `Attempts()` number of attempts (the first one counts)
- `ResponseCode()` response code of the service
- `IsNetworkError()` - if the response code is related to networking error

40
docs/content/middlewares/chain.md Normal file
View file

@ -0,0 +1,40 @@
# Chain
When One Isn't Enougth
{: .subtitle }
![Chain](../assets/img/middleware/chain.png)
The Chain middleware enables you to define reusable combinations of other pieces of middleware.
It makes reusing the same groups easier.
## Configuration Example
??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
```toml
# ...
[Routers]
[Routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host: mydomain"
[Middlewares]
[Middlewares.secured.Chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[Middlewares.auth-users.BasicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[Middlewares.https-only.SchemeRedirect]
scheme = "https"
[Middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
[Services]
[Services.service1]
[Services.service1.LoadBalancer]
[[Services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
Weight = 1
```

146
docs/content/middlewares/circuitbreaker.md Normal file
View file

@ -0,0 +1,146 @@
# CircuitBreaker
Don't Waste Time Calling Unhealthy Services
{: .subtitle }
![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
When your system is healthy, the circuit is close (normal operations).
When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
To assess if your system is healthy, the circuit breaker constantly monitors the services.
!!! Note
- The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
- The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
!!! important
Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
## Configuration Examples
??? example "Latency Check -- Using Toml"
```toml
[middlewares]
[middlewares.latency-check.circuitbreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
```
??? example "Latency Check -- Using Docker Labels"
```yaml
# in a docker compose file
container-definition:
image: image-name
labels:
- "traefik.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
```
## Possible States
There are three possible states for your circuit breaker:
- Close (your service operates normally)
- Open (the fallback mechanism takes over your service)
- Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
### Close
While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change.
### Open
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
### Recovering
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
## Configuration Options
### Configuring the Trigger
You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
The `expression` can check three different metrics:
- The network error ratio (`NetworkErrorRatio`)
- The status code ratio (`ResponseCodeRatio`)
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
#### NetworkErrorRatio
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
#### ResponseCodeRatio
You can trigger the circuit breaker based on the ratio of a given range of status codes.
The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
!!! Note
If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
`from`is inclusive, `to` is exclusive.
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
#### LatencyAtQuantileMS
You can trigger the circuit breaker when a given proportion of your requests become too slow.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
!!! Note
You must provide a float number (with the leading .0) for the quantile value
#### Using multiple metrics
You can combine multiple metrics using operators in your expression.
Supported operators are:
- AND (`&&`)
- OR (`||)
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
#### Operators
Here is the list of supported operators:
- Greater than (`>`)
- Greater or equal than (`>=`)
- Lesser than (`<`)
- Lesser or equal than (`<=`)
- Not (`!`)
- Equal (`==`)
- Not Equal (`!=`)
### Fallback mechanism
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured.
### CheckPeriod
The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
### FallbackDuration
By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
### RecoveringDuration
The duration of the recovering mode (recovering state).
By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.

34
docs/content/middlewares/compress.md Normal file
View file

@ -0,0 +1,34 @@
# Compress
Compressing the Response before Sending it to the Client
{: .subtitle }
![Compress](../assets/img/middleware/compress.png)
The Compress middleware enables the gzip compression.
## Configuration Examples
??? example "File -- enable gzip compression"
```toml
[Middlewares]
[Middlewares.test-compress.Compress]
```
??? example "Docker -- enable gzip compression"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.test-compress.compress=true",
```
## Notes
Responses are compressed when:
* The response body is larger than `512` bytes.
* The `Accept-Encoding` request header contains `gzip`.
* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

78
docs/content/middlewares/digestauth.md Normal file
View file

@ -0,0 +1,78 @@
# DigestAuth
Adding Digest Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/digestauth.png)
The DigestAuth middleware is a quick way to restrict access to your services to known users.
## Configuration Examples
??? example "File -- Declaring the user list"
```toml
[Middlewares]
[Middlewares.test-auth.digestauth]
users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
```
??? example "Docker -- Using an external file for the authorized users"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext",
```
!!! tip
Use `htdigest` to generate passwords.
## Configuration Options
### Users
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
!!! Note
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### UsersFile
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
The file content is a list of `name:realm:encoded-password`.
??? example "A file containing test/test and test2/test2"
```
test:traefik:a2688e031edb4be6a3797f3882655c05
test2:traefik:518845800f9e2bfb1f1f740ec24f074e
```
!!! Note
If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
### Realm
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
### HeaderField
You can customize the header field for the authenticated user using the `headerField`option.
??? example "File -- Passing Authenticated Users to Services Via Headers"
```toml
[Middlewares.my-auth.digestauth]
usersFile = "path-to-file.ext"
headerField = "X-WebAuth-User" # header for the authenticated user
```
### RemoveHeader
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

66
docs/content/middlewares/errorpages.md Normal file
View file

@ -0,0 +1,66 @@
# ErrorPage
It Has Never Been Easier to Say That Something Went Wrong
{: .subtitle }
![ErrorPages](../assets/img/middleware/errorpages.png)
The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
!!! important
The error page itself is _not_ hosted by Traefik.
## Configuration Examples
??? example "File -- Custom Error Page for 5XX"
```toml
[Routers]
[Routers.router1]
Service = "my-service"
Rule = Host(`my-domain`)
[Middlewares]
[Middlewares.5XX-errors.Errors]
status = ["500-599"]
service = "error-handler-service"
query = "/error.html"
[Services]
# ... definition of error-handler-service and my-service
```
??? example "Docker -- Dynamic Custom Error Page for 5XX Status Code"
```yaml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.test-errorpage.errors.status=500-599",
- "traefik.middlewares.test-errorpage.errors.service=serviceError",
- "traefik.middlewares.test-errorpage.errors.query=/{status}.html",
```
!!! note
In this example, the error page URL is based on the status code (`query=/{status}.html)`.
## Configuration Options
### status
The `status` that will trigger the error page.
The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
!!! Note
You can define either a status code like `500` or ranges with a syntax like `500-599`.
### service
The service that will serve the new requested error page.
### query
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.

63
docs/content/middlewares/forwardauth.md Normal file
View file

@ -0,0 +1,63 @@
# ForwardAuth
Using an External Service to Ccheck for Credentials
{: .subtitle }
![AuthForward](../assets/img/middleware/authforward.png)
The ForwardAuth middleware delegate the authentication to an external service.
If the service response code is 2XX, access is granted and the original request is performed.
Otherwise, the response from the authentication server is returned.
## Configuration Examples
??? example "File -- Forward authentication to authserver.com"
```toml
[Middlewares]
[Middlewares.test-auth.forwardauth]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User", "X-Secret"]
[Middlewares.test-auth.forwardauth.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
??? example "Docker -- Forward authentication to authserver.com"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
- "traefik.Middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.Middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
- "traefik.Middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
```
## Configuration Options
### address
The `address` option defines the authentication server address.
### trustForwardHeader
Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
### authResponseHeaders
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
### tls
The `tls` option is the tls configuration from Traefik to the authentication server.

179
docs/content/middlewares/headers.md Normal file
View file

@ -0,0 +1,179 @@
# Headers
Adding Headers to the Request / Response
{: .subtitle }
![Headers](../assets/img/middleware/headers.png)
The Headers middleware can manage the requests/responses headers.
## Configuration Examples
### Adding Headers to the Request and the Response
Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
??? example "File"
```toml
[Middlewares]
[Middlewares.testHeader.headers]
[Middlewares.testHeader.headers.CustomRequestHeaders]
X-Script-Name = "test"
[Middlewares.testHeader.headers.CustomResponseHeaders]
X-Custom-Response-Header = "True"
```
??? example "Docker"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
- "traefik.Middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
```
### Adding and Removing Headers
`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
??? example "File"
```toml
[Middlewares]
[Middlewares.testHeader.headers]
[Middlewares.testHeader.headers.CustomRequestHeaders]
X-Script-Name = "test"
[Middlewares.testHeader.headers.CustomResponseHeaders]
X-Custom-Response-Header = "True"
```
??? example "Docker"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
- "traefik.Middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
```
### Using Security Headers
Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
This functionality allows for some easy security features to quickly be set.
??? example "File"
```toml
[Middlewares]
[Middlewares.testHeader.headers]
FrameDeny = true
SSLRedirect = true
```
??? example "Docker"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.testHeader.Headers.FrameDeny=true",
- "traefik.Middlewares.testHeader.Headers.SSLRedirect=true",
```
## Configuration Options
### General
!!! warning
If the custom header name is the same as one header name of the request or response, it will be replaced.
!!! note
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
### customRequestHeaders
The `customRequestHeaders` option lists the Header names and values to apply to the request.
### allowedHosts
The `allowedHosts` option lists fully qualified domain names that are allowed.
### hostsProxyHeaders
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
### sslRedirect
The `sslRedirect` is set to true, then only allow https requests.
### sslTemporaryRedirect
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
### sslHost
The `SSLHost` option is the host name that is used to redirect http requests to https.
### sslProxyHeaders
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
### sslForceHost
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
### stsSeconds
The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
### stsIncludeSubdomains
The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
### stsPreload
Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
### forceSTSHeader
Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
### frameDeny
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
### customFrameOptionsValue
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
### contentTypeNosniff
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
### browserXssFilter
Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
### customBrowserXSSValue
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
### contentSecurityPolicy
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
### publicKey
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
### referrerPolicy
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
### isDevelopment
Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.

113
docs/content/middlewares/ipwhitelist.md Normal file
View file

@ -0,0 +1,113 @@
# IPWhiteList
Limiting Clients to Specific IPs
{: .subtitle }
![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
IPWhitelist accepts / refuses requests based on the client IP.
## Configuration Examples
??? example "File -- Accepts request from defined IP"
```toml
[Middlewares]
[Middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
??? example "Docker -- Accepts request from defined IP"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
```
## Configuration Options
### sourceRange
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
### ipStrategy
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
#### ipStrategy.depth
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
!!! note "Examples of Depth & X-Forwaded-For"
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
??? note "More examples"
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
```toml
[Middlewares]
[Middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[Middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
depth = 2
```
??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
- "traefik.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
!!! note
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is is lesser than or equal to 0.
#### ipStrategy.excludedIPs
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
!!! note "Examples of ExcludedIPs & X-Forwaded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
!!! important
If `depth` is specified, `excludedIPs` is ignored.
??? example "File -- Exclude from `X-Forwarded-For`"
```toml
[Middlewares]
[Middlewares.test-ipwhitelist.ipWhiteList]
[Middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
??? example "Docker -- Exclude from `X-Forwarded-For`"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
```

44
docs/content/middlewares/maxconnection.md Normal file
View file

@ -0,0 +1,44 @@
# MaxConnection
Limiting the Number of Simultaneous Clients
{: .subtitle }
![MaxConnection](../assets/img/middleware/maxconnection.png)
To proactively prevent services from being overwhelmed with high load, a maximum connection limit can be applied.
## Configuration Examples
??? example "File -- Limiting to 10 simultaneous connections"
```toml
[Middlewares]
[Middlewares.test-maxconn.maxconn]
amount = 10
```
??? example "Docker -- Limiting to 10 simultaneous connections"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.test-maxconn.maxconn.amount=10"
```
## Configuration Options
### amount
The `amount` option defines the maximum amount of allowed simultaneous connections.
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
### extractorfunc
The `extractorfunc` defines the strategy used to categorize requests.
The possible values are:
- `request.host` categorizes requests based on the request host.
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.

106
docs/content/middlewares/overview.md Normal file
View file

@ -0,0 +1,106 @@
# Middlewares
Tweaking the Request
{: .subtitle }
![Overview](../assets/img/middleware/overview.png)
Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services.md) (or before the answer from the services are sent to the clients).
There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
Pieces of middleware can be combined in chains to fit every scenario.
## Configuration Example
??? example "As Toml Configuration File"
```toml
[providers]
[providers.file]
[Routers]
[Routers.router1]
Service = "myService"
Middlewares = ["foo-add-prefix"]
Rule = "Host: example.com"
[Middlewares]
[Middlewares.foo-add-prefix.AddPrefix]
prefix = "/foo"
[Services]
[Services.service1]
[Services.service1.LoadBalancer]
[[Services.service1.LoadBalancer.Servers]]
URL = "http://127.0.0.1:80"
Weight = 1
```
??? example "As a Docker Label"
```yaml
# A container that exposes a simple API
whoami:
image: containous/whoami # A container that exposes an API to show its IP address
labels:
- "traefik.middlewares.foo-add-prefix.addprefix.prefix=/foo",
```
## Advanced Configuration
When you declare a middleware, it lives in its `provider` namespace.
For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker `provider` namespace.
If you use multiple `providers` and wish to reference a middleware declared in another `provider`, then you'll have to prefix the middleware name with the `provider` name.
??? abstract "Referencing a Middleware from Another Provider"
Declaring the add-foo-prefix in the file provider.
```toml
[providers]
[providers.file]
[middlewares]
[middlewares.add-foo-prefix.AddPrefix]
prefix = "/foo"
```
Using the add-foo-prefix middleware from docker.
```yaml
your-container: #
image: your-docker-image
labels:
# Attach file.add-foo-prefix middleware (declared in file)
- "traefik.routers.middlewares=file.add-foo-prefix",
```
## Available Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](circuitbreaker.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [MaxConnection](maxconnection.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | TODO | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |

499
docs/content/middlewares/passtlsclientcert.md Normal file
View file

@ -0,0 +1,499 @@
# TODO - PassTLSClientCert
Adding Client Certificates in a Header
{: .subtitle }
`TODO add schema`
PassTLSClientCert adds in header the selected data from the passed client tls certificate.
## Configuration Examples
??? example "File -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
```toml
[Middlewares]
[Middlewares.test-passtlsclientcert.passtlsclientcert]
pem = true
```
??? example "Docker -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.Middleware11.passtlsclientcert.pem=true"
```
??? example "File -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header"
```toml
[Middlewares]
[Middlewares.test-passtlsclientcert.passtlsclientcert]
[Middlewares.test-passtlsclientcert.passtlsclientcert.info]
notAfter = true
notBefore = true
sans = true
[Middlewares.test-passtlsclientcert.passtlsclientcert.info.subject]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[Middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
```
??? example "Docker -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header"
```yml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- "traefik.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
## Configuration Options
### General
PassTLSClientCert can add two headers to the request:
* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
!!! note
The headers are filled with escaped string so it can be safely placed inside a URL query.
In the following example, you can see a complete certificate. We will use each part of it to explains the middleware options.
??? example "A complete client tls certificate"
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
Validity
Not Before: Dec 6 11:10:16 2018 GMT
Not After : Dec 5 11:10:16 2020 GMT
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
ee:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
X509v3 Authority Key Identifier:
keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
X509v3 Subject Alternative Name:
DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
Signature Algorithm: sha1WithRSAEncryption
76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
c6:98:8a:31
-----BEGIN CERTIFICATE-----
MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
-----END CERTIFICATE-----
```
### pem
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
??? example "The data used by the pem option"
```
-----BEGIN CERTIFICATE-----
MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
-----END CERTIFICATE-----
```
!!! note "Extracted data"
The delimiters and `\n` will be removed.
If there are more than one certificate, they are separated by a "`;`".
### info
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The value of the header will be an escaped concatenation of all the selected certificate details.
The following example shows an unescaped result that uses all the available fields:
```text
Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
```
!!! note "Multiple certificates"
If there are more than one certificate, they are separated by a `;`.
#### info.notafter
Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
The data are taken from the following certificate part:
```text
Validity
Not After : Dec 5 11:10:16 2020 GMT
```
The escape `notafter` info part will be like:
```text
NA=1607166616
```
#### info.notbefore
Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
The data are taken from the following certificate part:
```text
Validity
Not Before: Dec 6 11:10:16 2018 GMT
```
The escape `notafter` info part will be like:
```text
NB=1544094616
```
#### info.sans
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
The data are taken from the following certificate part:
```text
X509v3 Subject Alternative Name:
DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
```
The escape SANs info part will be like:
```text
SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
```
!!! note "multiple values"
All the SANs data are separated by a `,`.
#### info.subject
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The data are taken from the following certificate part :
```text
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
```
##### info.subject.country
Set the `info.subject.country` option to true to add the `country` information into the subject.
The data are taken from the subject part with the `C` key.
The escape country info in the subject part will be like :
```text
C=FR,C=US
```
##### info.subject.province
Set the `info.subject.province` option to true to add the `province` information into the subject.
The data are taken from the subject part with the `ST` key.
The escape province info in the subject part will be like :
```text
ST=Cheese org state,ST=Cheese com state
```
##### info.subject.locality
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
The data are taken from the subject part with the `L` key.
The escape locality info in the subject part will be like :
```text
L=TOULOUSE,L=LYON
```
##### info.subject.organization
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
The data are taken from the subject part with the `O` key.
The escape organization info in the subject part will be like :
```text
O=Cheese,O=Cheese 2
```
##### info.subject.commonname
Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
The data are taken from the subject part with the `CN` key.
The escape commonname info in the subject part will be like :
```text
CN=*.cheese.com
```
##### info.subject.serialnumber
Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
The data are taken from the subject part with the `SN` key.
The escape serialnumber info in the subject part will be like :
```text
SN=1234567890
```
##### info.subject.domaincomponent
Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
The data are taken from the subject part with the `DC` key.
The escape domaincomponent info in the subject part will be like :
```text
DC=org,DC=cheese
```
#### info.issuer
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The data are taken from the following certificate part :
```text
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
```
##### info.issuer.country
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
The data are taken from the issuer part with the `C` key.
The escape country info in the issuer part will be like :
```text
C=FR,C=US
```
##### info.issuer.province
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
The data are taken from the issuer part with the `ST` key.
The escape province info in the issuer part will be like :
```text
ST=Signing State,ST=Signing State 2
```
##### info.issuer.locality
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
The data are taken from the issuer part with the `L` key.
The escape locality info in the issuer part will be like :
```text
L=TOULOUSE,L=LYON
```
##### info.issuer.organization
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
The data are taken from the issuer part with the `O` key.
The escape organization info in the issuer part will be like :
```text
O=Cheese,O=Cheese 2
```
##### info.issuer.commonname
Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
The data are taken from the issuer part with the `CN` key.
The escape commonname info in the issuer part will be like :
```text
CN=Simple Signing CA 2
```
##### info.issuer.serialnumber
Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
The data are taken from the issuer part with the `SN` key.
The escape serialnumber info in the issuer part will be like :
```text
SN=1234567890
```
##### info.issuer.domaincomponent
Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
The data are taken from the issuer part with the `DC` key.
The escape domaincomponent info in the issuer part will be like :
```text
DC=org,DC=cheese
```

68
docs/content/middlewares/ratelimit.md Normal file
View file

@ -0,0 +1,68 @@
# TODO -- RateLimit
Protection from Too Many Calls
{: .subtitle }
![RateLimit](../assets/img/middleware/ratelimit.png)
The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.
## Configuration Example
??? example "Limit to 100 requests every 10 seconds (with a possible burst of 200)"
```toml
[middlewares]
[middlewares.fair-ratelimit.ratelimit]
extractorfunc = "client.ip"
[middlewares.fair-ratelimit.ratelimit.rateset1]
period = "10s"
average = 100
burst = 200
```
??? example "Combine multiple limits"
```toml
[middlewares]
[middlewares.fair-ratelimit.ratelimit]
extractorfunc = "client.ip"
[middlewares.fair-ratelimit.ratelimit.rateset1]
period = "10s"
average = 100
burst = 200
[middlewares.fair-ratelimit.ratelimit.rateset2]
period = "3s"
average = 5
burst = 10
```
Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can "burst" up to 10 and 200 in each period, respectively.
## Configuration Options
### extractorfunc
The `extractorfunc` option defines the strategy used to categorize requests.
The possible values are:
- `request.host` categorizes requests based on the request host.
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
### ratelimit (multiple values)
You can combine multiple ratelimit.
The ratelimit will trigger with the first reached limit.
Each ratelimit has 3 options, `period`, `average`, and `burst`.
The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
!!! note "Period Format"
Period is to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).

52
docs/content/middlewares/redirectregex.md Normal file
View file

@ -0,0 +1,52 @@
# TODO - RedirectRegex
Redirecting the Client to a Different Location
{: .subtitle }
`TODO: add schema`
RegexRedirect redirect a request from an url to another with regex matching and replacement.
## Configuration Examples
??? example "File -- Redirect with domain replacement"
```toml
[Middlewares]
[Middlewares.test-redirectregex.redirectregex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
```
??? example "Docker -- Redirect with domain replacement"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.Middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
```
## Configuration Options
### permanent
Set the `permanent` option to `true` to apply a permanent redirection.
### regex
The `Regex` option is the regular expression to match and capture elements form the request URL.
!!! warning
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
!!! tip
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### replacement
The `replacement` option defines how to modify the URl to have the new target URL.

41
docs/content/middlewares/redirectscheme.md Normal file
View file

@ -0,0 +1,41 @@
# TODO - RedirectScheme
Redirecting the Client to a Different Scheme/Port
{: .subtitle }
`TODO: add schema`
RegexRedirect redirect request from a scheme to another.
## Configuration Examples
??? example "File -- Redirect to https"
```toml
[Middlewares]
[Middlewares.test-redirectscheme.redirectscheme]
scheme = "https"
```
??? example "Docker -- Redirect to https"
```yml
a-container:
image: a-container-image
labels:
- "traefik.Middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
## Configuration Options
### permanent
Set the `permanent` option to `true` to apply a permanent redirection.
### scheme
The `scheme` option defines the scheme of the new url.
### port
The `port` option defines the port of the new url.

40
docs/content/middlewares/replacepath.md Normal file
View file

@ -0,0 +1,40 @@
# TODO -- ReplacePath
Updating the Path Before Forwarding the Request
{: .subtitle }
`TODO: add schema`
Replace the path of the request url.
## Configuration Examples
??? example "File -- Replace the path by /foo"
```toml
[Middlewares]
[Middlewares.test-replacepath.ReplacePath]
path = "/foo"
```
??? example "Docker --Replace the path by /foo"
```yaml
a-container:
image: a-container-image
labels:
- "traefik.middlewares.test-replacepath.replacepath.path=/foo"
```
## Configuration Options
### General
The ReplacePath middleware will:
* replace the actual path by the specified one.
* store the original path in a `X-Replaced-Path` header.
### path
The `path` option defines the path to use as replacement in the request url.

4
docs/content/middlewares/replacepathregex.md Normal file
View file

@ -0,0 +1,4 @@
# TODO -- ReplacePathRegex
Updating the Path Before Forwarding the Request (Using a Regex)
{: .subtitle }

20
docs/content/middlewares/retry.md Normal file
View file

@ -0,0 +1,20 @@
# TODO -- Retry
Retrying until it Succeeds
{: .subtitle }
## Old Content
## Retry Configuration
```toml
# Enable retry sending request if network error
[retry]
# Number of attempts
#
# Optional
# Default: (number servers in backend) -1
#
# attempts = 3
```

13
docs/content/middlewares/stripprefix.md Normal file
View file

@ -0,0 +1,13 @@
# TODO -- StripPrefix
Removing Prefixes From the Path Before Forwarding the Request
{: .subtitle }
## OldContent
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.

13
docs/content/middlewares/stripprefixregex.md Normal file
View file

@ -0,0 +1,13 @@
# TODO -- StripPrefix
Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
{: .subtitle }
## OldContent
Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.

152
docs/content/observability/access-logs.md Normal file
View file

@ -0,0 +1,152 @@
# Access Logs
Who Calls Whom?
{.subtitle}
By default, logs are written to stdout, in text format.
## Configuration Examples
??? example "Enabling Access Logs"
```toml
[accessLog]
```
## Configuration Options
### filePath
By default access logs are written to the standard output.
To write the logs into a log file, use the `filePath` option.
in the Common Log Format (CLF), extended with additional fields.
### format
By default, logs are written using the Common Log Format (CLF).
To write logs in JSON, use `json` in the `format` option.
!!! note "Common Log Format"
#### CLF - Common Log Format
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
```
#### bufferingSize
To write the logs in an asynchronous fashion, specify a `bufferingSize` option.
This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
In some cases, this option can greatly help performances.
??? example "Configuring a buffer of 100 lines"
```toml
[accessLog]
filePath = "/path/to/access.log"
bufferingSize = 100
```
#### Filtering
To filter logs, you can specify a set of filters which are logically "OR-connected".
Thus, specifying multiple filters will keep more access logs than specifying only one.
The available filters are:
- `statusCodes`, to limit the access logs to requests with a status codes in the specified range
- `retryAttempts`, to keep the access logs when at least one retry has happened
- `minDuration`, to keep access logs when requests take longer than the specified duration
??? example "Configuring Multiple Filters"
```toml
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
```
#### Limiting the Fields
You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
Each field can be set to:
- `keep` to keep the value
- `drop` to drop the value
- `redact` to replace the value with "redacted"
??? example "Limiting the Logs to Specific Fields"
```toml
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
```
??? list "Available Fields"
```ini
StartUTC
StartLocal
Duration
FrontendName
BackendName
BackendURL
BackendAddr
ClientAddr
ClientHost
ClientPort
ClientUsername
RequestAddr
RequestHost
RequestPort
RequestMethod
RequestPath
RequestProtocol
RequestLine
RequestContentSize
OriginDuration
OriginContentSize
OriginStatus
OriginStatusLine
DownstreamStatus
DownstreamStatusLine
DownstreamContentSize
RequestCount
GzipRatio
Overhead
RetryAttempts
```
## Log Rotation
Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
This allows the logs to be rotated and processed by an external program, such as `logrotate`.
!!! note
This does not work on Windows due to the lack of USR signals.

50
docs/content/observability/logs.md Normal file
View file

@ -0,0 +1,50 @@
# Logs
Reading What's Happening
{: .subtitle }
By default, logs are written to stdout, in text format.
## Configuration Example
??? example "Writing Logs in a File"
```toml
[log]
filePath = "/path/to/traefik.log"
```
??? example "Writing Logs in a File, in JSON"
```toml
[log]
filePath = "/path/to/log-file.log"
format = "json"
```
## Configuration Options
### General
Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
#### filePath
By default, the logs are written to the standard output.
You can configure a file path instead using the `filePath` option.
#### format
By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
#### logLevel
By default, the `logLevel` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`.
## Log Rotation
Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
This allows the logs to be rotated and processed by an external program, such as `logrotate`.
!!! note
This does not work on Windows due to the lack of USR signals.

219
docs/content/observability/tracing.md Normal file
View file

@ -0,0 +1,219 @@
# Tracing
Visualize the Requests Flow
{: .subtitle }
The tracing system allows developers to visualize call flows in their infrastructure.
Traefik uses OpenTracing, an open standard designed for distributed tracing.
Traefik supports three tracing backends: Jaeger, Zipkin, and DataDog.
## Configuration Reference
??? example "With Jaeger"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "jaeger"
# Service name used in Jaeger backend
#
# Default: "traefik"
#
serviceName = "traefik"
# Span name limit allows for name truncation in case of very long Frontend/Backend names
# This can prevent certain tracing providers to drop traces that exceed their length limits
#
# Default: 0 - no truncation will occur
#
spanNameLimit = 0
[tracing.jaeger]
# Sampling Server URL is the address of jaeger-agent's HTTP sampling server
#
# Default: "http://localhost:5778/sampling"
#
samplingServerURL = "http://localhost:5778/sampling"
# Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting
#
# Default: "const"
#
samplingType = "const"
# Sampling Param is a value passed to the sampler.
# Valid values for Param field are:
# - for "const" sampler, 0 or 1 for always false/true respectively
# - for "probabilistic" sampler, a probability between 0 and 1
# - for "rateLimiting" sampler, the number of spans per second
#
# Default: 1.0
#
samplingParam = 1.0
# Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address
#
# Default: "127.0.0.1:6831"
#
localAgentHostPort = "127.0.0.1:6831"
# Generate 128-bit trace IDs, compatible with OpenCensus
#
# Default: false
gen128Bit = true
# Set the propagation header type. This can be either:
# - "jaeger", jaeger's default trace header.
# - "b3", compatible with OpenZipkin
#
# Default: "jaeger"
propagation = "jaeger"
```
!!! warning
Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
??? example "With Zipkin"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "zipkin"
# Service name used in Zipkin backend
#
# Default: "traefik"
#
serviceName = "traefik"
# Span name limit allows for name truncation in case of very long Frontend/Backend names
# This can prevent certain tracing providers to drop traces that exceed their length limits
#
# Default: 0 - no truncation will occur
#
spanNameLimit = 150
[tracing.zipkin]
# Zipkin HTTP endpoint used to send data
#
# Default: "http://localhost:9411/api/v1/spans"
#
httpEndpoint = "http://localhost:9411/api/v1/spans"
# Enable Zipkin debug
#
# Default: false
#
debug = false
# Use Zipkin SameSpan RPC style traces
#
# Default: false
#
sameSpan = false
# Use Zipkin 128 bit root span IDs
#
# Default: true
#
id128Bit = true
# The rate between 0.0 and 1.0 of requests to trace.
#
# Default: 1.0
#
sampleRate = 0.2
```
??? example "With DataDog"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "datadog"
# Service name used in DataDog backend
#
# Default: "traefik"
#
serviceName = "traefik"
# Span name limit allows for name truncation in case of very long Frontend/Backend names
# This can prevent certain tracing providers to drop traces that exceed their length limits
#
# Default: 0 - no truncation will occur
#
spanNameLimit = 100
[tracing.datadog]
# Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address
#
# Default: "127.0.0.1:8126"
#
localAgentHostPort = "127.0.0.1:8126"
# Enable DataDog debug
#
# Default: false
#
debug = false
# Apply shared tag in a form of Key:Value to all the traces
#
# Default: ""
#
globalTag = ""
```
??? example "With Instana"
```toml
# Tracing definition
[tracing]
# Backend name used to send tracing data
#
# Default: "jaeger"
#
backend = "instana"
# Service name used in Instana backend
#
# Default: "traefik"
#
serviceName = "traefik"
[tracing.instana]
# Local Agent Host instructs reporter to send spans to instana-agent at this address
#
# Default: "127.0.0.1"
#
localAgentHost = "127.0.0.1"
# Local Agent port instructs reporter to send spans to the instana-agent at this port
#
# Default: 42699
#
localAgentPort = 42699
# Set Instana tracer log level
#
# Default: info
# Valid values for logLevel field are:
# - error
# - warn
# - debug
# - info
#
logLevel = "info"
```

62
docs/content/operations/cli.md Normal file
View file

@ -0,0 +1,62 @@
# CLI
The Traefik Command Line
{: .subtitle }
## General
```bash
traefik [command] [--flag=flag_argument]
```
Available commands:
- `version` : Print version
- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the `Store Traefik configuration`(TODO: add doc and link) section to get documentation on it.
- `bug`: The easiest way to submit a pre-filled issue.
- `healthcheck`: Calls Traefik `/ping` to check health.
Each command can have additional flags.
All those flags will be displayed with:
```bash
traefik [command] --help
```
Each command is described at the beginning of the help section:
```bash
traefik --help
# or
docker run traefik[:version] --help
# ex: docker run traefik:1.5 --help
```
## Command: bug
The easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/containous/traefik)! Watch [this demo](https://www.youtube.com/watch?v=Lyz62L8m93I) for more information.
```bash
traefik bug
```
### Command: healthcheck
Checks the health of Traefik.
Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy.
This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
!!! note
The [`ping` endpoint](../ping/) must be enabled to allow the `healthcheck` command to call `/ping`.
```bash
traefik healthcheck
```
```bash
OK: http://:8082/ping
```

62
docs/content/operations/dashboard.md Normal file
View file

@ -0,0 +1,62 @@
# The Dashboard
See What's Going On
{: .subtitle }
The dashboard is the central place that shows you the current active routes handled by Traefik.
<figure>
<img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
<figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
</figure>
<figure>
<img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
<figcaption>The dashboard shows the health of the system.</figcaption>
</figure>
By default, the dashboard is available on `/` on port `:8080`.
!!! tip "Did You Know?"
It is possible to customize the dashboard endpoint.
To learn how, refer to the `Traefik's API documentation`(TODO: add doc and link).
## Enabling the Dashboard
To enable the dashboard, you need to enable Traefik's API.
??? example "Using the Command Line"
Option | Values | Default Value
-- | -- | --:
--api | \[true\|false\] | false
--api.dashboard | \[true\|false\] | true when api is true
{!more-on-command-line.md!}
??? example "Using the Configuration File"
```toml
[api]
# Dashboard
#
# Optional
# Default: true
#
dashboard = true
```
{!more-on-configuration-file.md!}
??? example "Using a Key/Value Store"
Key | Values | Default Value
-- | -- | --:
api | \[true\|false\] | false
api.dashboard | \[true\|false\] | true when api is true
{!more-on-key-value-store.md!}
!!! tip "Did You Know?"
The API provides more features than the Dashboard.
To learn more about it, refer to the `Traefik's API documentation`(TODO: add doc and link).

15
docs/content/operations/debug-mode.md Normal file
View file

@ -0,0 +1,15 @@
# The Debug Mode
Getting More Information (Not For Production)
{: .subtitle }
The debug mode will make Traefik be _extremely_ verbose in its logs, and is NOT intended for production purposes.
## Configuration Example
??? example "TOML -- Enabling the Debug Mode"
```toml
[Global]
debug = true
```

56
docs/content/operations/ping.md Normal file
View file

@ -0,0 +1,56 @@
# Ping
Checking the Health of Your Traefik Instances
{: .subtitle }
## Configuration Examples
??? example "Enabling /ping on the http EntryPoint"
```toml
[entryPoints]
[entrypoints.http]
address = ":80"
[ping]
entryPoint = "http"
```
??? example "Enabling /ping on the https EntryPoint"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[ping]
entryPoint = "https"
```
??? example "Enabling /ping on a dedicated EntryPoint"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.ping]
address = ":8082"
[ping]
entryPoint = "ping"
```
| Path | Method | Description |
|---------|---------------|----------------------------------------------------------------------------------------------------|
| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
## Configuration Options
The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)

247
docs/content/providers/docker.md Normal file
View file

@ -0,0 +1,247 @@
# Traefik & Docker
A Story of Labels & Containers
{: .subtitle }
![Docker](../assets/img/providers/docker.png)
Attach labels to your containers and let Traefik do the rest!
!!! tip "The Quick Start Uses Docker"
If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
## Configuration Examples
??? example "Configuring Docker & Deploying / Exposing Services"
Enabling the docker provider
```toml
[docker]
endpoint = "unix:///var/run/docker.sock"
```
Attaching labels to containers (in your docker compose file)
```yaml
version: "3"
services:
my-container:
# ...
labels:
- traefik.services.my-container.rule=Host(my-domain)
```
??? example "Configuring Docker Swarm & Deploying / Exposing Services"
Enabling the docker provider (Swarm Mode)
```toml
[docker]
endpoint = "tcp://127.0.0.1:2377"
swarmMode = true
```
Attaching labels to containers (in your docker compose file)
```yaml
version: "3"
services:
my-container:
deploy:
labels:
- traefik.services.my-container.rule=Host(my-domain)
```
!!! important "Labels in Docker Swarm Mode"
If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
## Provider Configuration Options
!!! tip "Browse the Reference"
If you're in a hurry, maybe you'd rather go through the [Docker Reference](../reference/providers/docker.md).
### endpoint
Traefik requires access to the docker socket to get its dynamic configuration.
??? warning "Security Notes"
Depending on your context, accessing the Docker API without any restriction can be a security concern: If Traefik is attacked, then the attacker might get access to the Docker (or Swarm Mode) backend.
As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
`[...] only **trusted** users should be allowed to control your Docker daemon [...]`
!!! note "Improved Security"
[TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
??? tip "Resources about Docker's Security"
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
- [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
??? tip "Security Compensation"
Expose the Docker socket over TCP, instead of the default Unix socket file.
It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
- Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
- Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
- Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
- Accounting at container level, by exposing the socket on a another container than Traefik's.
With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
??? tip "Additional Resources"
- [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
!!! note "Traefik & Swarm Mode"
To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes.
??? example "Using the docker.sock"
The docker-compose file shares the docker sock with the Traefik container
```yaml
version: '3'
services:
traefik:
image: traefik
ports:
- "80:80"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
```
We specify the docker.sock in traefik's configuration file.
```toml
# ...
[providers]
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
```
### usebindportip (_Optional_, _Default=false_)
Traefik routes requests to the IP/Port of the matching container.
When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding on port `traefik.port`.
If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label.
??? example "Examples of `usebindportip` in different situations."
| traefik.port label | Container's binding | Routes to |
|--------------------|----------------------------------------------------|----------------|
| - | - | IntIP:IntPort |
| - | ExtPort:IntPort | IntIP:IntPort |
| - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
| LblPort | - | IntIp:LblPort |
| LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
| LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
| LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
!!! note
In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."
### exposedByDefault (_Optional_, _Default=true_)
Expose containers by default through Traefik.
If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
### network (_Optional_)
Defines a default docker network to use for connections to all containers.
This option can be overridden on a container basis with the `traefik.docker.network` label.
### domain (_Optional_, _Default=docker.localhost_)
This is the default base domain used for the router rules.
This option can be overridden on a container basis with the
`traefik.domain` label.
### swarmMode (_Optional_, _Default=false_)
Activates the Swarm Mode.
### swarmModeRefreshSeconds (_Optional_, _Default=15_)
Defines the polling interval (in seconds) in Swarm Mode.
## Routing Configuration Options
### General
Traefik creates, for each container, a corresponding [service](../routing/services.md) and [router](../routing/routers.md).
The Service automatically gets a server per instance of the container, and the router gets a default rule attached to it, based on the container name.
### Routers
To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.routers.my-container.rule=Host(my-domain)`.
Every [Router](../routing/routers.md) parameter can be updated this way.
### Services
To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the load balancer method, you'd add the label `traefik.services.{name-of-your-choice}.loadbalancer.method=drr`.
Every [Service](../routing/services.md) parameter can be updated this way.
### Middleware
You can declare pieces of middleware using labels starting with `traefik.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.middlewares.my-redirect.schemeredirect.scheme: https`.
??? example "Declaring and Referencing a Middleware"
```yaml
services:
my-container:
# ...
labels:
- traefik.middlewares.my-redirect.schemeredirect.scheme=https
- traefik.routers.middlewares=my-redirect
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
### Specific Options
#### traefik.enable
You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
This option overrides the value of `exposedByDefault`.
#### traefik.tags
Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
#### traefik.docker.network
Overrides the default docker network to use for connections to the container.
If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect <container_id>`), otherwise it will randomly pick one (depending on how docker is returning them).
!!! warning
When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.

27
docs/content/providers/file.md Normal file
View file

@ -0,0 +1,27 @@
# TODO -- File
Good Old Configuration File
{: .subtitle }
## Configuration
### Full Example in toml
`TO COMPLETE`
### In same file
`TO COMPLETE`
## In dedicated file
`TO COMPLETE`
### Old Content
Traefik can hot-reload those rules which could be provided by multiple configuration backends.
We only need to enable `watch` option to make Traefik watch configuration backend changes and generate its configuration automatically.
Routes to services will be created and updated instantly at any changes.
Please refer to the configuration backends section to get documentation on it.

93
docs/content/providers/overview.md Normal file
View file

@ -0,0 +1,93 @@
# Overview
Traefik's Many Friends
{: .subtitle }
![Providers](../assets/img/providers.png)
Configuration discovery in Traefik is achieved through _Providers_.
The _providers_ are existing infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores.
The idea is that Traefik will query the providers' API in order to find relevant information about routing, and each time Traefik detects a change, it dynamically updates the routes.
Deploy and forget is Traefik's credo.
## Orchestrators
Even if each provider is different, we can categorize them in four groups:
- Label based (each deployed container has a set of labels attached to it)
- Key-Value based (each deployed container updates a key-value store with relevant information)
- Annotation based (a separate object, with annotations, defines the characteristics of the container)
- File based (the good old configuration file)
## Supported Providers
Below is the list of the currently supported providers in Traefik.
| Provider | Type | Configuration Type |
|-----------------------------|--------------|--------------------|
| [Docker](./docker.md) | Orchestrator | Label |
| [File](./file.md) | Orchestrator | Custom Annotation |
| Kubernetes (not documented) | Orchestrator | Custom Annotation |
| Marathon (not documented) | Orchestrator | Label |
!!! note "More Providers"
The current version of Traefik is in development and doesn't support (yet) every provider. See the previous version (1.7) for more providers.
## Constraints Configuration
If you want to limit the scope of Traefik service discovery, you can set constraints. Doing so, Traefik will create routes for containers that match these constraints only.
??? example "Containers with the api Tag"
```toml
constraints = ["tag==api"]
```
??? example "Containers without the api Tag"
```toml
constraints = ["tag!=api"]
```
??? example "Containers with tags starting with 'us-'"
```toml
constraints = ["tag==us-*"]
```
??? example "Multiple constraints"
```toml
# Multiple constraints
# - "tag==" must match with at least one tag
# - "tag!=" must match with none of tags
constraints = ["tag!=us-*", "tag!=asia-*"]
```
??? note "List of Providers that Support Constraints"
- Docker
- Consul K/V
- BoltDB
- Zookeeper
- ECS
- Etcd
- Consul Catalog
- Rancher
- Marathon
- Kubernetes (using a provider-specific mechanism based on label selectors)
!!! note
The constraint option belongs to the provider configuration itself.
??? example "Setting the Constraint Options for Docker"
```toml
[providers]
[providers.docker]
constraints = ["tag==api"]
```

173
docs/content/reference/acme.md Normal file
View file

@ -0,0 +1,173 @@
# ACME - Reference
Every Options for ACME
{: .subtitle}
## TOML
```toml
# Sample entrypoint configuration when using ACME.
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
# Enable ACME (Let's Encrypt): automatic SSL.
[acme]
# Email address used for registration.
#
# Required
#
email = "test@traefik.io"
# File used for certificates storage.
#
# Optional (Deprecated)
#
#storageFile = "acme.json"
# File or key used for certificates storage.
#
# Required
#
storage = "acme.json"
# or `storage = "traefik/acme/account"` if using KV store.
# Entrypoint to proxy acme apply certificates to.
#
# Required
#
entryPoint = "https"
# Deprecated, replaced by [acme.dnsChallenge].
#
# Optional.
#
# dnsProvider = "digitalocean"
# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
#
# Optional
# Default: 0
#
# delayDontCheckDNS = 0
# If true, display debug log messages from the acme client library.
#
# Optional
# Default: false
#
# acmeLogging = true
# If true, override certificates in key-value store when using storeconfig.
#
# Optional
# Default: false
#
# overrideCertificates = true
# Deprecated. Enable on demand certificate generation.
#
# Optional
# Default: false
#
# onDemand = true
# Enable certificate generation on frontends host rules.
#
# Optional
# Default: false
#
# onHostRule = true
# CA server to use.
# Uncomment the line to use Let's Encrypt's staging server,
# leave commented to go to prod.
#
# Optional
# Default: "https://acme-v02.api.letsencrypt.org/directory"
#
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# KeyType to use.
#
# Optional
# Default: "RSA4096"
#
# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
#
# KeyType = "RSA4096"
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
[acme.tlsChallenge]
# Use a HTTP-01 ACME challenge.
#
# Optional
#
# [acme.httpChallenge]
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
# entryPoint = "http"
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
# [acme.dnsChallenge]
# DNS provider used.
#
# Required
#
# provider = "digitalocean"
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
# delayBeforeCheck = 0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
# resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
#
# NOT RECOMMENDED:
# Increase the risk of reaching Let's Encrypt's rate limits.
#
# Optional
# Default: false
#
# disablePropagationCheck = true
# Domains list.
# Only domains defined here can generate wildcard certificates.
# The certificates for these domains are negotiated at traefik startup only.
#
# [[acme.domains]]
# main = "local1.com"
# sans = ["test1.local1.com", "test2.local1.com"]
# [[acme.domains]]
# main = "local2.com"
# [[acme.domains]]
# main = "*.local3.com"
# sans = ["local3.com", "test1.test1.local3.com"]
```

131
docs/content/reference/entrypoints.md Normal file
View file

@ -0,0 +1,131 @@
# EntryPoints - Reference
Every Options for EntryPoints
{: .subtitle}
## TOML
```toml
defaultEntryPoints = ["http", "https"]
# ...
# ...
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.compress]
[entryPoints.http.clientIPStrategy]
depth = 5
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
[entryPoints.http.whitelist]
sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
[entryPoints.http.whitelist.IPStrategy]
depth = 5
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
[entryPoints.http.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[[entryPoints.http.tls.certificates]]
certFile = "path/to/my.cert"
keyFile = "path/to/my.key"
[[entryPoints.http.tls.certificates]]
certFile = "path/to/other.cert"
keyFile = "path/to/other.key"
# ...
[entryPoints.http.tls.clientCA]
files = ["path/to/ca1.crt", "path/to/ca2.crt"]
optional = false
[entryPoints.http.redirect]
entryPoint = "https"
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/$1"
permanent = true
[entryPoints.http.auth]
headerField = "X-WebAuth-User"
[entryPoints.http.auth.basic]
removeHeader = true
realm = "Your realm"
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
usersFile = "/path/to/.htpasswd"
[entryPoints.http.auth.digest]
removeHeader = true
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
usersFile = "/path/to/.htdigest"
[entryPoints.http.auth.forward]
address = "https://authserver.com/auth"
trustForwardHeader = true
authResponseHeaders = ["X-Auth-User"]
[entryPoints.http.auth.forward.tls]
ca = "path/to/local.crt"
caOptional = true
cert = "path/to/foo.cert"
key = "path/to/foo.key"
insecureSkipVerify = true
[entryPoints.http.proxyProtocol]
insecure = true
trustedIPs = ["10.10.10.1", "10.10.10.2"]
[entryPoints.http.forwardedHeaders]
trustedIPs = ["10.10.10.1", "10.10.10.2"]
insecure = false
[entryPoints.https]
# ...
```
## CLI
```ini
Name:foo
Address::80
TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
TLS
TLS.MinVersion:VersionTLS11
TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
TLS.SniStrict:true
TLS.DefaultCertificate.Cert:path/to/foo.cert
TLS.DefaultCertificate.Key:path/to/foo.key
CA:car
CA.Optional:true
Redirect.EntryPoint:https
Redirect.Regex:http://localhost/(.*)
Redirect.Replacement:http://mydomain/$1
Redirect.Permanent:true
Compress:true
WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
WhiteList.IPStrategy.depth:3
WhiteList.IPStrategy.ExcludedIPs:10.0.0.3/24,20.0.0.3/24
ProxyProtocol.TrustedIPs:192.168.0.1
ProxyProtocol.Insecure:true
ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
Auth.Basic.Removeheader:true
Auth.Basic.Realm:traefik
Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
Auth.Digest.Removeheader:true
Auth.HeaderField:X-WebAuth-User
Auth.Forward.Address:https://authserver.com/auth
Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret
Auth.Forward.TrustForwardHeader:true
Auth.Forward.TLS.CA:path/to/local.crt
Auth.Forward.TLS.CAOptional:true
Auth.Forward.TLS.Cert:path/to/foo.cert
Auth.Forward.TLS.Key:path/to/foo.key
Auth.Forward.TLS.InsecureSkipVerify:true
```

53
docs/content/reference/logs.md Normal file
View file

@ -0,0 +1,53 @@
# Logs - Reference
## TOML
```toml
logLevel = "INFO"
[traefikLog]
filePath = "/path/to/traefik.log"
format = "json"
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
# ...
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
# ...
```
## CLI
For more information about the CLI, see the documentation about [Traefik command](../../operations/cli).
```shell
--logLevel="DEBUG"
--traefikLog.filePath="/path/to/traefik.log"
--traefikLog.format="json"
--accessLog.filePath="/path/to/access.log"
--accessLog.format="json"
--accessLog.filters.statusCodes="200,300-302"
--accessLog.filters.retryAttempts="true"
--accessLog.filters.minDuration="10ms"
--accessLog.fields.defaultMode="keep"
--accessLog.fields.names="Username=drop Hostname=drop"
--accessLog.fields.headers.defaultMode="keep"
--accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep"
```

180
docs/content/reference/providers/docker.md Normal file
View file

@ -0,0 +1,180 @@
# Docker -- Reference
## Docker
```toml
################################################################
# Docker Provider
################################################################
# Enable Docker Provider.
[docker]
# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
#
endpoint = "unix:///var/run/docker.sock"
# Default base domain used for the frontend rules.
# Can be overridden by setting the "traefik.domain" label on a container.
#
# Optional
#
domain = "docker.localhost"
# Enable watch docker changes.
#
# Optional
#
watch = true
# Override default configuration template.
# For advanced users :)
#
# Optional
#
# filename = "docker.tmpl"
# Override template version
# For advanced users :)
#
# Optional
# - "1": previous template version (must be used only with older custom templates, see "filename")
# - "2": current template version (must be used to force template version when "filename" is used)
#
# templateVersion = 2
# Expose containers by default in Traefik.
# If set to false, containers that don't have `traefik.enable=true` will be ignored.
#
# Optional
# Default: true
#
exposedByDefault = true
# Use the IP address from the binded port instead of the inner network one.
#
# In case no IP address is attached to the binded port (or in case
# there is no bind), the inner network one will be used as a fallback.
#
# Optional
# Default: false
#
usebindportip = true
# Use Swarm Mode services as data provider.
#
# Optional
# Default: false
#
swarmMode = false
# Polling interval (in seconds) for Swarm Mode.
#
# Optional
# Default: 15
#
swarmModeRefreshSeconds = 15
# Define a default docker network to use for connections to all containers.
# Can be overridden by the traefik.docker.network label.
#
# Optional
#
network = "web"
# Enable docker TLS connection.
#
# Optional
#
# [docker.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/docker.crt"
# key = "/etc/ssl/docker.key"
# insecureSkipVerify = true
```
## Docker Swarm Mode
```toml
################################################################
# Docker Swarm Mode Provider
################################################################
# Enable Docker Provider.
[docker]
# Docker server endpoint.
# Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
# swarm classic (1.12-)
# endpoint = "tcp://127.0.0.1:2375"
# docker swarm mode (1.12+)
endpoint = "tcp://127.0.0.1:2377"
# Default base domain used for the frontend rules.
# Can be overridden by setting the "traefik.domain" label on a services.
#
# Optional
# Default: ""
#
domain = "docker.localhost"
# Enable watch docker changes.
#
# Optional
# Default: true
#
watch = true
# Use Docker Swarm Mode as data provider.
#
# Optional
# Default: false
#
swarmMode = true
# Define a default docker network to use for connections to all containers.
# Can be overridden by the traefik.docker.network label.
#
# Optional
#
network = "web"
# Override default configuration template.
# For advanced users :)
#
# Optional
#
# filename = "docker.tmpl"
# Override template version
# For advanced users :)
#
# Optional
# - "1": previous template version (must be used only with older custom templates, see "filename")
# - "2": current template version (must be used to force template version when "filename" is used)
#
# templateVersion = 2
# Expose services by default in Traefik.
#
# Optional
# Default: true
#
exposedByDefault = false
# Enable docker TLS connection.
#
# Optional
#
# [docker.tls]
# ca = "/etc/ssl/ca.crt"
# cert = "/etc/ssl/docker.crt"
# key = "/etc/ssl/docker.key"
# insecureSkipVerify = true
```

330
docs/content/routing/acme.md Normal file
View file

@ -0,0 +1,330 @@
# ACME
Automatic HTTPS
{: .subtitle }
Traefik can automatically generate certificates for your domains using an ACME provider (like Let's Encrypt).
!!! warning "Let's Encrypt and Rate Limiting"
Note that Let's Encrypt has [rate limiting](https://letsencrypt.org/docs/rate-limits).
## Configuration Examples
??? example "Configuring ACME on the Https EntryPoint"
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.http-tls]
address = ":443"
[entryPoints.http-tls.tls] # enabling TLS
[acme]
email = "your-email@your-domain.org"
storage = "acme.json"
entryPoint = "http-tls" # acme is enabled on http-tls
onHostRule = true # dynamic generation based on the Host() matcher
[acme.httpChallenge]
entryPoint = "web" # used during the challenge
```
??? example "Configuring Wildcard Certificates"
```toml
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.http-tls]
address = ":443"
[entryPoints.https.tls] # enabling TLS
[acme]
email = "your-email@your-domain.org"
storage = "acme.json"
entryPoint = "http-tls" # acme is enabled on http-tls
[acme.dnsChallenge]
provider = "xxx"
[[acme.domains]]
main = "*.mydomain.com"
sans = ["mydomain.com"]
```
!!! note "Configuration Reference"
There are many available options for ACME. For a quick glance at what's possible, browse the [configuration reference](../reference/acme.md).
## Configuration Options
### The Different ACME Challenges
#### tlsChallenge
Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
??? example "Using an EntryPoint Called https for the `tlsChallenge`"
```toml
[acme]
# ...
entryPoint = "https"
[acme.tlsChallenge]
```
!!! note
As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72), when using the `TLS-ALPN-01` challenge, `acme.entryPoint` must be reachable by Let's Encrypt through port 443.
#### `httpChallenge`
Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
??? example "Using an EntryPoint Called http for the `httpChallenge`"
```toml
[acme]
# ...
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
```
!!! note
As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72), when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
!!! note
Redirection is fully compatible with the `HTTP-01` challenge.
#### `dnsChallenge`
Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
??? example "Configuring a `dnsChallenge` with the digitalocean Provider"
```toml
[acme]
# ...
[acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
# ...
```
!!! important
A `provider` is mandatory.
??? list "Supported Providers"
Here is a list of supported `providers`, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
| Provider Name | Provider Code | Environment Variables | Wildcard & Root Domain Support |
|--------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH` | Not tested yet |
| [Alibaba Cloud](https://www.vultr.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | Not tested yet |
| [Auroradns](https://www.pcextreme.com/aurora/dns) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | Not tested yet |
| [Azure](https://azure.microsoft.com/services/dns/) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | Not tested yet |
| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | Not tested yet |
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key` | YES |
| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | Not tested yet |
| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | YES |
| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | YES |
| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | Not tested yet |
| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | Not tested yet |
| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | Not tested yet |
| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | YES |
| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | No |
| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | Not tested yet |
| External Program | `exec` | `EXEC_PATH` | YES |
| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | YES |
| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | Not tested yet |
| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | Not tested yet |
| [Gandi v5](http://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_API_KEY` | YES |
| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | Not tested yet |
| [GoDaddy](https://godaddy.com/domains) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | Not tested yet |
| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE` | YES |
| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | Not tested yet |
| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1) | YES |
| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | Not tested yet |
| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | YES |
| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | Not tested yet |
| [Linode](https://www.linode.com) | `linode` | `LINODE_API_KEY` | Not tested yet |
| [Linode v4](https://www.linode.com) | `linodev4` | `LINODE_TOKEN` | Not tested yet |
| manual | - | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>. | YES |
| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | YES |
| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | YES |
| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | Not tested yet |
| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | Not tested yet |
| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | Not tested yet |
| [Ns1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | Not tested yet |
| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | Not tested yet |
| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | YES |
| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | Not tested yet |
| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | Not tested yet |
| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | Not tested yet |
| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | YES |
| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | Not tested yet |
| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | YES |
| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | Not tested yet |
| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | YES |
| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | Not tested yet |
| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | YES |
| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | Not tested yet |
- (1): more information about the HTTP message format can be found [here](https://github.com/xenolf/lego/blob/master/providers/dns/httpreq/readme.md)
!!! note "`delayBeforeCheck`"
By default, the `provider` verifies the TXT record _before_ letting ACME verify.
You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
This option is useful when internal networks block external DNS queries.
!!! note "`resolvers`"
Use custom DNS servers to resolve the FQDN authority.
```toml
[acme]
# ...
[acme.dnsChallenge]
# ...
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
```
### Known Domains, SANs, and Wildcards
You can set SANs (alternative domains) for each main domain.
Every domain must have A/AAAA records pointing to Traefik.
Each domain & SAN will lead to a certificate request.
```toml
[acme]
# ...
[[acme.domains]]
main = "local1.com"
sans = ["test1.local1.com", "test2.local1.com"]
[[acme.domains]]
main = "local2.com"
[[acme.domains]]
main = "*.local3.com"
sans = ["local3.com", "test1.test1.local3.com"]
# ...
```
!!! important
The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only.
!!! note
Wildcard certificates can only be verified through a `DNS-01` challenge.
#### Wildcard Domains
[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
```toml
[acme]
# ...
[[acme.domains]]
main = "*.local1.com"
sans = ["local1.com"]
# ...
```
!!! note "Double Wildcard Certificates"
It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
Due to an ACME limitation it is not possible to define wildcards in SANs (alternative domains).
Thus, the wildcard domain has to be defined as a main domain.
Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
In this case the generated DNS TXT record for both domains is the same.
Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
The Traefik ACME client library [LEGO](https://github.com/xenolf/lego) supports some but not all DNS providers to work around this issue.
The [Supported `provider` table](#dnschallenge) indicates if they allow generating certificates for a wildcard domain and its root domain.
### caServer
??? example "Using the Let's Encrypt staging server"
```toml
[acme]
# ...
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ...
```
### onHostRule
Enable certificate generation on [routers](routers.md) `Host` rules (for routers active on the `acme.entryPoint`).
This will request a certificate from Let's Encrypt for each router with a Host rule.
```toml
[acme]
# ...
onHostRule = true
# ...
```
!!! note "Multiple Hosts in a Rule"
The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
!!! warning
`onHostRule` option can not be used to generate wildcard certificates. Refer to [wildcard generation](#wildcard-domains) for further information.
### `storage`
The `storage` option sets the location where your ACME certificates are saved to.
```toml
[acme]
# ...
storage = "acme.json"
# ...
```
The value can refer to two kinds of storage:
- a JSON file
- a KV store entry
#### In a File
ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
In Docker you can mount either the JSON file, or the folder containing it:
```bash
docker run -v "/my/host/acme.json:acme.json" traefik
```
```bash
docker run -v "/my/host/acme:/etc/traefik/acme" traefik
```
!!! warning
For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
#### In a a Key Value Store Entry
ACME certificates can be stored in a key-value store entry.
```toml
storage = "traefik/acme/account"
```
!!! note "Storage Size"
Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved.
For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul.
## Fallbacks
If Let's Encrypt is not reachable, the following certificates will apply:
1. Previously generated ACME certificates (before downtime)
1. Expired ACME certificates
1. Provided certificates
!!! note
For new (sub)domains which need Let's Encrypt authentification, the default Traefik certificate will be used until Traefik is restarted.

301
docs/content/routing/entrypoints.md Normal file
View file

@ -0,0 +1,301 @@
# EntryPoints
Opening Connections for Incomming Requests
{: .subtitle }
![EntryPoints](../assets/img/entrypoints.png)
Entrypoints are the network entry points into Traefik.
They can be defined using:
- a port (80, 443, ...)
- SSL (Certificates, Keys, authentication with a client certificate signed by a trusted CA, ...)
## Configuration Examples
??? example "HTTP only"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
```
We define an `entrypoint` called `http` that will listen on port `80`.
??? example "HTTP & HTTPS"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "tests/traefik.crt"
keyFile = "tests/traefik.key"
```
- Two entrypoints are defined: one called `http`, and the other called `https`.
- `http` listens on port `80`, and `https` on port `443`.
- We enabled SSL on `https` by giving it a certificate and a key.
!!! note
In the example, `http` and `https` are the names for the entrypoints and have nothing to do with the underlying protocol.
We could have written `entryPoints.foo` and `entryPoints.bar` instead.
!!! tip "Automatic HTTPS with ACME"
If you don't have certificate files and wish to automatically enable HTTPS, you should have a look at one of Traefik's most praised feature: [ACME & Let's Encrypt integration](./acme.md)
??? example "Client Certificate Authentication"
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.tls.ClientCA]
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
optional = false
[[entryPoints.https.tls.certificates]]
certFile = "tests/traefik.crt"
keyFile = "tests/traefik.key"
```
- We enabled SSL on `https` by giving it a certificate and a key.
- Files containing Certificate Authorities (PEM format) were added.
!!! note "Multiple CAs"
It is possible to have multiple CA:s in the same file or keep them in separate files.
## Configuration
### General
Entrypoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration). You can define them using a toml file, CLI arguments, or a key-value store. See the [complete reference](../reference/entrypoints.md) for the list of available options.
??? example "Using the CLI"
Here is an example of using the CLI to define `entrypoints`:
```shell
--entryPoints='Name:http Address::80'
--entryPoints='Name:https Address::443 TLS'
```
!!! note
The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists.
The option names are case-insensitive.
!!! warning "Using Docker Compose Files"
The syntax for passing arguments inside a docker compose file is a little different. Here are two examples.
```yaml
traefik:
image: traefik
command:
- --defaultentrypoints=powpow
- "--entryPoints=Name:powpow Address::42 Compress:true"
```
or
```yaml
traefik:
image: traefik
command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
```
## TLS
### Static Certificates
To add SNI support, define `certFile` and `keyFile`.
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
```
!!! note
If you provide an empty TLS configuration, default self-signed certificates will be generated.
### Dynamic Certificates
To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section.
### Mutual Authentication
Traefik supports both optional and non optional (defaut value) mutual authentication.
- When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA.
??? example "Non Optional Mutual Authentication"
In the following example, both `snitest.com` and `snitest.org` will require client certificates.
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.tls.ClientCA]
files = ["tests/clientca1.crt", "tests/clientca2.crt"]
optional = false
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.org.cert"
keyFile = "integration/fixtures/https/snitest.org.key"
```
!!! note "ClientCA.files"
You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format).
`ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.)
### Minimum TLS Version
??? example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)"
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.org.cert"
keyFile = "integration/fixtures/https/snitest.org.key"
```
### Strict SNI Checking
With strict SNI checking, Traefik won't allow connections without a matching certificate.
??? example "Strict SNI"
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
sniStrict = true
[[entryPoints.https.tls.certificates]]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
```
### Default Certificate
Traefik can use a default certificate for connections without an SNI, or without a matching domain.
If no default certificate is provided, Traefik generates a self-signed and use it instead.
??? example "Setting a Default Certificate"
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.https.tls.defaultCertificate]
certFile = "integration/fixtures/https/snitest.com.cert"
keyFile = "integration/fixtures/https/snitest.com.key"
```
!!! note "Only One Default Certificate"
There can only be one `defaultCertificate` per entrypoint.
## ProxyProtocol
Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
??? example "Enabling Proxy Protocol with Trusted IPs"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
IPs in `trustedIPs` only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.
??? example "Insecure Mode -- Testing Environnement Only"
In a test environments, you can configure Traefik to trust every incomming connection. Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.proxyProtocol]
insecure = true
```
!!! warning "Queuing Traefik behind Another Load Balancer"
When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.
Not doing so could introduce a security risk in your system (enabling request forgery).
## Forwarded Header
You can configure Traefik to trust the forwarded headers information (`X-Forwarded-*`)
??? example "Trusting Forwarded Headers from specific IPs"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
??? example "Insecure Mode -- Always Trusting Forwarded Headers"
```toml
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.forwardedHeaders]
insecure = true
```

55
docs/content/routing/overview.md Normal file
View file

@ -0,0 +1,55 @@
# Overview
What's Happening to the Requests?
{: .subtitle }
Let's zoom on Traefik's architecture and talk about the components that enable the routes to be created.
First, when you start Traefik, you define [entrypoints](./entrypoints.md) (in their most basic forms, they are port numbers).
Then, connected to these entrypoints, [routers](./routers.md) analyze the incoming requests to see if they match a set of [rules](../routers#rule).
If they do, the router might transform the request using pieces of [middleware](../middlewares/overview.md) before forwarding them to your [services](./services.md).
![Architecture](../assets/img/architecture-overview.png)
## Clear Responsibilities
- [_Providers_](../providers/overview.md) discover the services that live on your infrastructure (their IP, health, ...)
- [_Entrypoints_](./entrypoints.md) listen for incomming traffic (ports, SSL, ...)
- [_Routers_](./routers.md) analyse the requests (host, path, headers, ...)
- [_Services_](./services.md) forward the request to your services (load balancing, ...)
- [_Middlewares_](../middlewares/overview.md) may update the request or make decisions based on the request (authentication, rate limiting, headers, ...)
## Example with a File Provider
Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`.
In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)).
```toml
[EntryPoints]
[EntryPoints.http]
address = ":8081" # Listen on port 8081 for incoming requests
[Providers]
# Enable the file provider to define routers / middlewares / services in a file
[Providers.file]
[Routers]
[Routers.to-whoami] # Define a connection between requests and services
rule = "Host(domain) && PathPrefix(/whoami/)"
middlewares = ["test-user"] # If the rule matches, applies the middleware
service = "whoami" # If the rule matches, forward to the whoami service (declared below)
[Middlewares]
[Middlewares.test-user.basicauth] # Define an authentication mechanism
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[Services]
[Services.whoami.loadbalancer] # Define how to reach an existing service on our infrastructure
[[Services.whoami.loadbalancer.servers]]
url = "http://private/whoami-service"
```
!!! note "The File Provider"
In this example, we use the [file provider](../providers/file.md).
Even if it is one of the least magical way of configuring Traefik, it explicitly describes every available notion.

134
docs/content/routing/routers.md Normal file
View file

@ -0,0 +1,134 @@
# Routers
Connecting Requests to Services
{: .subtitle }
![Routers](../assets/img/routers.png)
A router is in charge of connecting incoming requests to the services that can handle them.
In the process, routers may use pieces of [middleware](../middlewares/overview.md) to update the request, or act before forwarding the request to the service.
## Configuration Example
??? example "Requests /foo are Handled by service-foo -- Using the [File Provider](../providers/file.md)"
```toml
[Routers]
[Routers.my-router]
rule = "Path(/foo)"
service = "service-foo"
```
??? example "With a [Middleware](../middlewares/overview.md) -- using the [File Provider](../providers/file.md)"
```toml
[Routers]
[Routers.my-router]
rule = "Path(/foo)"
middlewares = ["authentication"] # declared elsewhere
service = "service-foo"
```
## Configuration
### EntryPoints
If not specified, routers will accept requests from all defined entrypoints.
If you want to limit the router scope to a set of entrypoint, set the entrypoints option.
??? example "Listens to Every EntryPoint"
```toml
[EntryPoints]
[EntryPoint.http]
# ...
[EntryPoint.https]
# ...
[EntryPoint.other]
# ...
[Routers]
[Routers.Router-1]
# By default, routers listen to every entrypoints
rule = "Host(traefik.io)"
service = "service-1"
```
??? example "Listens to Specific EntryPoints"
```toml
[EntryPoints]
[EntryPoint.http]
# ...
[EntryPoint.https]
# ...
[EntryPoint.other]
# ...
[Routers]
[Routers.Router-1]
entryPoints = ["https", "other"] # won't listen to entrypoint http
rule = "Host(traefik.io)"
service = "service-1"
```
### Rule
Rules are a set of matchers that determine if a particular request matches specific criteria.
If the rule is verified, then the router becomes active and calls middlewares, then forward the request to the service.
??? example "Host is traefik.io"
```
rule = "Host(`traefik.io`)"
```
??? example "Host is traefik.io OR Host is containo.us AND path is /traefik"
```
rule = "Host(`traefik.io`) || (Host(`containo.us`) && Path(`/traefik`))"
```
The table below lists all the available matchers:
| Rule | Description |
|--------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
| ``Headers(`key`, `value`)`` | Check if there is a key `key`defined in the headers, with the value `value` |
| ``HeadersRegexp(`key`, `regexp`)`` | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
| ``Host(`domain-1`, ...)`` | Check if the request domain targets one of the given `domains`. |
| ``HostRegexp(`traefik.io`, `{subdomain:[a-z]+}.traefik.io`, ...)`` | Check if the request domain matches the given `regexp`. |
| `Method(methods, ...)` | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) |
| ``Path(`path`, `/articles/{category}/{id:[0-9]+}`, ...)`` | Match exact request path. It accepts a sequence of literal and regular expression paths. |
| ``PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)`` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. |
| ``Query(`foo=bar`, `bar=baz`)`` | Match` Query String parameters. It accepts a sequence of key=value pairs. |
!!! important "Regexp Syntax"
In order to use regular expressions with `Host` and `Path` expressions,
you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces.
Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`).
!!! tip "Combining Matchers Using Operators and Parenthesis"
You can combine multiple matchers using the AND (`&&`) and OR (`||) operators. You can also use parenthesis.
!!! important "Rule, Middleware, and Services"
The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service.
!!! tip "Path Vs PathPrefix"
Use `Path` if your service listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`.
Use a `*Prefix*` matcher if your service listens on a particular base path but also serves requests on sub-paths.
For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
Since the path is forwarded as-is, your service is expected to listen on `/products`.
### Middlewares
You can attach a list of [middlewares](../middlewares/overview.md) to the routers.
The middlewares will take effect only if the rule matches, and before forwarding the request to the service.
### Service
You must attach a [service](./services.md) per router.
Services are the target for the router.

190
docs/content/routing/services.md Normal file
View file

@ -0,0 +1,190 @@
# Services
Configuring How to Reach the Services
{: .subtitle }
![Services](../assets/img/services.png)
The `Services` are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
## Configuration Example
??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../providers/file.md)"
```toml
[Services]
[Services.my-service.LoadBalancer]
method = "wrr" # Load Balancing based on weights
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
weight = 30 # 30% of the requests will go to that instance
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-2/"
weight = 70 # 70% of the requests will go to that instance
```
## Configuration
### General
Currently, the `LoadBalancer` service is the only supported kind of `Service` (see below).
However, since Traefik is an ever evolving project, other kind of Services will be available in the future,
reason why you have to specify what kind of service you declare.
### Load Balancer
The `LoadBalancer` service is able to load balance the requests between multiple instances of your programs.
??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../providers/file.md)"
```toml
[Services]
[Services.my-service.LoadBalancer]
method = "wrr" # Load Balancing based on weights
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
weight = 50 # 50% of the requests will go to that instance
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-2/"
weight = 50 # 50% of the requests will go to that instance
```
#### Servers
Servers declare a single instance of your program.
The `url` option point to a specific instance.
The `weight` option defines the weight of the server for the load balancing algorithm.
!!! note
Paths in the servers' `url` have no effet.
If you want the requests to be sent to a specific path on your servers,
configure your [`routers`](./routers.md) to use a corresponding [Middleware](../middlewares/overview.md) (e.g. the [AddPrefix](../middlewares/addprefix.md) or [ReplacePath](../middlewares/replacepath.md)) middlewares.
??? example "A Service with One Server -- Using the [File Provider](../providers/file.md)"
```toml
[Services]
[Services.my-service.LoadBalancer]
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
```
#### Load-balancing
Various methods of load balancing are supported:
- `wrr`: Weighted Round Robin.
- `drr`: Dynamic Round Robin: increases weights on servers that perform better than others (rolls back to original weights when the server list is updated)
??? example "Load Balancing Using DRR -- Using the [File Provider](../providers/file.md)"
```toml
[Services]
[Services.my-service.LoadBalancer]
method = "drr"
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
[[Services.my-service.LoadBalancer.servers]]
url = "http://private-ip-server-1/"
```
#### Sticky sessions
When sticky sessions are enabled, a cookie is set on the initial request to track which server handles the first response.
On subsequent requests, the client is forwarded to the same server.
!!! note "Stickiness & Unhealthy Servers"
If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
!!! note "Cookie Name"
The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
??? example "Adding Stickiness"
```toml
[Services]
[Services.my-service]
[Services.my-service.LoadBalancer.stickiness]
```
??? example "Adding Stickiness with a Custom Cookie Name"
```toml
[Services]
[Services.my-service]
[Services.my-service.LoadBalancer.stickiness]
cookieName = "my_stickiness_cookie_name"
```
#### Health Check
Configure healthcheck to remove unhealthy servers from the load balancing rotation.
Traefik will consider your servers healthy as long as they return status codes between `2XX` and `3XX` to the health check requests (carried out every `interval`).
Below are the available options for the health check mechanism:
- `path` is appended to the server URL to set the healcheck endpoint.
- `scheme`, if defined, will replace the server URL `scheme` for the healthcheck endpoint
- `hostname`, if defined, will replace the server URL `hostname` for the healthcheck endpoint.
- `port`, if defined, will replace the server URL `port` for the healthcheck endpoint.
- `interval` defines the frequency of the healthcheck calls.
- `timeout` defines the maximum duration Traefik will wait for a healthcheck request before considering the server failed (unhealthy).
- `headers` defines custom headers to be sent to the healthcheck endpoint.
!!! note "Interval & Timeout Format"
Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
The interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second.
!!! note "Recovering Servers"
Traefik keeps monitoring the health of unhealthy servers.
If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balacer rotation pool.
??? example "Custom Interval & Timeout -- Using the File Provider"
```toml
[Services]
[Servicess.Service-1]
[Services.Service-1.healthcheck]
path = "/health"
interval = "10s"
timeout = "3s"
```
??? example "Custom Port -- Using the File Provider"
```toml
[Services]
[Services.Service-1]
[Services.Service-1.healthcheck]
path = "/health"
port = 8080
```
??? example "Custom Scheme -- Using the File Provider"
```toml
[Services]
[Services.Service-1]
[Services.Service-1.healthcheck]
path = "/health"
scheme = "http"
```
??? example "Additional HTTP Headers -- Using the File Provider"
```toml
[Services]
[Services.Service-1]
[Servicess.Service-1.healthcheck]
path = "/health"
[Service.Service-1.healthcheck.headers]
My-Custom-Header = "foo"
My-Header = "bar"
```