homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

New Routing Reference Documentation

Browse source
This commit is contained in:
Sheddy 2025-03-10 14:28:06 +00:00 committed by GitHub
parent 3c99135bf9
commit b7170df2c3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
65 changed files with 12109 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

55
docs/content/reference/routing-configuration/tcp/middlewares/inflightconn.md Normal file
View file

@ -0,0 +1,55 @@
---
title: 'Traefik InFlightConn Middleware - TCP'
description: "Limiting the number of simultaneous connections."
---
To proactively prevent Services from being overwhelmed with high load, the number of allowed simultaneous connections by IP can be limited with the `inFlightConn` TCP middleware.
## Configuration Examples
```yaml tab="Structured (YAML)"
# Limiting to 10 simultaneous connections
tcp:
middlewares:
test-inflightconn:
inFlightConn:
amount: 10
```
```toml tab="Structured (TOML)"
# Limiting to 10 simultaneous connections
[tcp.middlewares]
[tcp.middlewares.test-inflightconn.inFlightConn]
amount = 10
```
```yaml tab="Labels"
labels:
- "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
```
```json tab="Tags"
// Limiting to 10 simultaneous connections
{
//..
"Tags" : [
"traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
]
}
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-inflightconn
spec:
inFlightConn:
amount: 10
```
## Configuration Options
| Field | Description | Default | Required |
|:------|:------------|------------------|-------|
| `amount` | The `amount` option defines the maximum amount of allowed simultaneous connections. <br /> The middleware closes the connection if there are already `amount` connections opened. | "" | Yes |

60
docs/content/reference/routing-configuration/tcp/middlewares/ipallowlist.md Normal file
View file

@ -0,0 +1,60 @@
---
title: "Traefik TCP Middlewares IPAllowList"
description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
---
`iPAllowList` limits allowed requests based on the client IP.
## Configuration Examples
```yaml tab="Structured (YAML)"
# Accepts request from defined IP
tcp:
middlewares:
test-ipallowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
```
```toml tab="Structured (TOML)"
# Accepts request from defined IP
[tcp.middlewares]
[tcp.middlewares.test-ipallowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="Labels"
# Accepts connections from defined IP
labels:
- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Tags"
// Accepts request from defined IP
{
//...
"Tags" : [
"traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"s
]
}
```
```yaml tab="Kubernetes"
apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-ipallowlist
spec:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
```
## Configuration Options
| Field | Description | Default | Required |
|:------|:------------|------------------|-------|
| `sourceRange` | The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).| | Yes |

112
docs/content/reference/routing-configuration/tcp/middlewares/overview.md Normal file
View file

@ -0,0 +1,112 @@
---
title: "Traefik Proxy TCP Middleware Overview"
description: "Read the official Traefik Proxy documentation for an overview of the available TCP middleware."
---
# TCP Middleware Overview
Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
There are several available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
Middlewares that use the same protocol can be combined into chains to fit every scenario.
## Configuration Example
```yaml tab="Structured (YAML)"
# As YAML Configuration File
tcp:
routers:
router1:
service: myService
middlewares:
- "foo-ip-allowlist"
rule: "Host(`example.com`)"
middlewares:
foo-ip-allowlist:
ipAllowList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
services:
service1:
loadBalancer:
servers:
- address: "10.0.0.10:4000"
- address: "10.0.0.11:4000"
```
```toml tab="Structured (TOML)"
# As TOML Configuration File
[tcp.routers]
[tcp.routers.router1]
service = "myService"
middlewares = ["foo-ip-allowlist"]
rule = "Host(`example.com`)"
[tcp.middlewares]
[tcp.middlewares.foo-ip-allowlist.ipAllowList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[tcp.services]
[tcp.services.service1]
[tcp.services.service1.loadBalancer]
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.10:4000"
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.11:4000"
```
```yaml tab="Labels"
labels:
# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
```
```json tab="Consul Catalog"
{
//...
"Tags" : [
// Create a middleware named `foo-ip-allowlist`
"traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
// Apply the middleware named `foo-ip-allowlist` to the router named `router1`
"traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
]
}
```
```yaml tab="Kubernetes"
---
apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
name: foo-ip-allowlist
spec:
ipAllowList:
sourcerange:
- 127.0.0.1/32
- 192.168.1.7
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: foo-ip-allowlist
```
## Available TCP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [InFlightConn](inflightconn.md) | Limits the number of simultaneous connections. | Security, Request lifecycle |
| [IPAllowList](ipallowlist.md) | Limit the allowed client IPs. | Security, Request lifecycle |

201
docs/content/reference/routing-configuration/tcp/router/rules-and-priority.md Normal file
View file

@ -0,0 +1,201 @@
---
title: "Traefik TCP Routers Rules & Priority Documentation"
description: "In Traefik Proxy, a router is in charge of connecting incoming requests to the Services that can handle them. Read the technical documentation."
---
## General
!!! note
- The character @ is not authorized in the router name
- If both HTTP routers and TCP routers listen to the same [EntryPoint](../../../install-configuration/entrypoints.md), the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.
## Rules
Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.
The table below lists all the available matchers:
| Rule | Description |
|-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------|
| [```HostSNI(`domain`)```](#hostsni-and-hostsniregexp) | Checks if the connection's Server Name Indication is equal to `domain`.<br /> More information [here](#hostsni-and-hostsniregexp). |
| [```HostSNIRegexp(`regexp`)```](#hostsni-and-hostsniregexp) | Checks if the connection's Server Name Indication matches `regexp`.<br />Use a [Go](https://golang.org/pkg/regexp/) flavored syntax.<br /> More information [here](#hostsni-and-hostsniregexp). |
| [```ClientIP(`ip`)```](#clientip) | Checks if the connection's client IP correspond to `ip`. It accepts IPv4, IPv6 and CIDR formats.<br /> More information [here](#clientip). |
| [```ALPN(`protocol`)```](#alpn) | Checks if the connection's ALPN protocol equals `protocol`.<br /> More information [here](#alpn). |
!!! tip "Backticks or Quotes?"
To set the value of a rule, use [backticks](https://en.wiktionary.org/wiki/backtick) ``` ` ``` or escaped double-quotes `\"`.
Single quotes `'` are not accepted since the values are [Go's String Literals](https://golang.org/ref/spec#String_literals).
### Expressing Complex Rules Using Operators and Parenthesis
The usual AND (`&&`) and OR (`||`) logical operators can be used, with the expected precedence rules,
as well as parentheses.
One can invert a matcher by using the NOT (`!`) operator.
The following rule matches connections where:
- Either Server Name Indication is `example.com` OR,
- Server Name Indication is `example.org` AND ALPN protocol is NOT `h2`
```yaml
HostSNI(`example.com`) || (HostSNI(`example.org`) && !ALPN(`h2`))
```
### HostSNI and HostSNIRegexp
`HostSNI` and `HostSNIRegexp` matchers allow to match connections targeted to a given domain.
These matchers do not support non-ASCII characters, use punycode encoded values ([rfc 3492](https://tools.ietf.org/html/rfc3492)) to match such domains.
!!! note "HostSNI & TLS"
It is important to note that the Server Name Indication is an extension of the TLS protocol.
Hence, only TLS routers will be able to specify a domain name with that rule.
However, there is one special use case for `HostSNI` with non-TLS routers:
when one wants a non-TLS router that matches all (non-TLS) requests,
one should use the specific ```HostSNI(`*`)``` syntax.
#### Examples
Match all connections:
```yaml tab="HostSNI"
HostSNI(`*`)
```
```yaml tab="HostSNIRegexp"
HostSNIRegexp(`^.*$`)
```
Match TCP connections sent to `example.com`:
```yaml
HostSNI(`example.com`)
```
Match TCP connections opened on any subdomain of `example.com`:
```yaml
HostSNIRegexp(`^.+\.example\.com$`)
```
### ClientIP
The `ClientIP` matcher allows matching connections opened by a client with the given IP.
#### Examples
Match connections opened by a given IP:
```yaml tab="IPv4"
ClientIP(`10.76.105.11`)
```
```yaml tab="IPv6"
ClientIP(`::1`)
```
Match connections coming from a given subnet:
```yaml tab="IPv4"
ClientIP(`192.168.1.0/24`)
```
```yaml tab="IPv6"
ClientIP(`fe80::/10`)
```
### ALPN
The `ALPN` matcher allows matching connections the given protocol.
It would be a security issue to let a user-defined router catch the response to
an ACME TLS challenge previously initiated by Traefik.
For this reason, the `ALPN` matcher is not allowed to match the `ACME-TLS/1`
protocol, and Traefik returns an error if this is attempted.
#### Example
Match connections using the ALPN protocol `h2`:
```yaml
ALPN(`h2`)
```
## Priority Calculation
???+ info "How default priorities are computed"
```yaml tab="Structured (YAML)"
tcp:
routers:
Router-1:
rule: "ClientIP(`192.168.0.12`)"
entryPoints:
- "web"
service: service-1
priority: 2
Router-2:
rule: "ClientIP(`192.168.0.0/24`)"
entryPoints:
- "web"
priority: 1
service: service-2
```
```toml tab="Structured (TOML)"
[tcp.routers]
[tcp.routers.Router-1]
rule = "ClientIP(`192.168.0.12`)"
entryPoints = ["web"]
service = "service-1"
priority = 2
[tcp.routers.Router-2]
rule = "ClientIP(`192.168.0.0/24`)"
entryPoints = ["web"]
priority = 1
service = "service-2
```
```yaml tab="Labels"
labels:
- "traefik.tcp.routers.Router-1.rule="ClientIP(`192.168.0.12`)"
- "traefik.tcp.routers.Router-1.entryPoints=web"
- "traefik.tcp.routers.Router-1.service=service-1"
- "traefik.tcp.routers.Router-1.priority=2"
- "traefik.tcp.routers.Router-2.rule="ClientIP(`192.168.0.0/24`)"
- "traefik.tcp.routers.Router-2.entryPoints=web"
- "traefik.tcp.routers.Router-2.service=service-2"
- "traefik.tcp.routers.Router-2.priority=1"
```
```json tab="Tags"
{
//...
"Tags": [
"traefik.tcp.routers.Router-1.rule=ClientIP(`192.168.0.12`)",
"traefik.tcp.routers.Router-1.entryPoints=web",
"traefik.tcp.routers.Router-1.service=service-1",
"traefik.tcp.routers.Router-1.priority=2",
"traefik.tcp.routers.Router-2.rule=ClientIP(`192.168.0.0/24`)",
"traefik.tcp.routers.Router-2.entryPoints=web",
"traefik.tcp.routers.Router-2.service=service-2",
"traefik.tcp.routers.Router-2.priority=1"
]
}
```
In the example above, the priority is configured so that `Router-1` will handle requests from `192.168.0.12`.
To avoid path overlap, routes are sorted, by default, in descending order using rules length.
The priority is directly equal to the length of the rule, and so the longest length has the highest priority.
A value of `0` for the priority is ignored: `priority: 0` means that the default rules length sorting is used.
Traefik reserves a range of priorities for its internal routers, the maximum user-defined router priority value is:
- `(MaxInt32 - 1000)` for 32-bit platforms,
- `(MaxInt64 - 1000)` for 64-bit platforms.

116
docs/content/reference/routing-configuration/tcp/serverstransport.md Normal file
View file

@ -0,0 +1,116 @@
---
title: "ServersTransport TCP"
description: "The ServersTransport allows configuring the connection between Traefik and the TCP servers in Kubernetes."
---
ServersTransport allows to configure the transport between Traefik and your TCP servers.
## Configuration Example
Declare the serversTransport:
```yaml tab="Structured (YAML)"
tcp:
serversTransports:
mytransport:
dialTimeout: "30s"
dialKeepAlive: "20s"
terminationDelay: "200ms"
tls:
serverName: "example.com"
certificates:
- "/path/to/cert1.pem"
- "/path/to/cert2.pem"
insecureSkipVerify: true
rootcas:
- "/path/to/rootca.pem"
peerCertURI: "spiffe://example.org/peer"
spiffe:
ids:
- "spiffe://example.org/id1"
- "spiffe://example.org/id2"
trustDomain: "example.org"
```
```toml tab="Structured (TOML)"
[tcp.serversTransports.mytransport]
dialTimeout = "30s"
dialKeepAlive = "20s"
terminationDelay = "200ms"
[tcp.serversTransports.mytransport.tls]
serverName = "example.com"
certificates = ["/path/to/cert1.pem", "/path/to/cert2.pem"]
insecureSkipVerify = true
rootcas = ["/path/to/rootca.pem"]
peerCertURI = "spiffe://example.org/peer"
[tcp.serversTransports.mytransport.spiffe]
ids = ["spiffe://example.org/id1", "spiffe://example.org/id2"]
trustDomain = "example.org"
```
Attach the serversTransport to a service:
```yaml tab="Structured (YAML)"
tcp:
services:
Service01:
loadBalancer:
serversTransport: mytransport
```
```toml tab="Structured(TOML)"
## Dynamic configuration
[tcp.services]
[tcp.services.Service01]
[tcp.services.Service01.loadBalancer]
serversTransport = "mytransport"
```
```yaml tab="Labels"
labels:
- "traefik.tcp.services.Service01.loadBalancer.serversTransport=mytransport"
```
```json tab="Tags"
{
// ...
"Tags": [
"traefik.tcp.services.Service01.loadBalancer.serversTransport=mytransport"
]
}
```
## Configuration Options
| Field | Description | Default | Required |
|:------|:----------------------------------------------------------|:---------------------|:---------|
| `serverstransport.`<br />`dialTimeout` | Defines the timeout when dialing the backend TCP service. If zero, no timeout exists. | 30s | No |
| `serverstransport.`<br />`dialKeepAlive` | Defines the interval between keep-alive probes for an active network connection. | 15s | No |
| `serverstransport.`<br />`terminationDelay` | Sets the time limit for the proxy to fully terminate connections on both sides after initiating the termination sequence, with a negative value indicating no deadline. More Information [here](#terminationdelay) | 100ms | No |
| `serverstransport.`<br />`tls` | Defines the TLS configuration. An empty `tls` section enables TLS. | | No |
| `serverstransport.`<br />`tls`<br />`.serverName` | Configures the server name that will be used for SNI. | | No |
| `serverstransport.`<br />`tls`<br />`.certificates` | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | | No |
| `serverstransport.`<br />`tls`<br />`.insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false | No |
| `serverstransport.`<br />`tls`<br />`.rootcas` | Defines the root certificate authorities to use when verifying server certificates. (for mTLS connections). | | No |
| `serverstransport.`<br />`tls.`<br />`peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | false | No |
| `serverstransport.`<br />`spiffe`<br />`.ids` | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | | No |
| `serverstransport.`<br />`spiffe`<br />`.trustDomain` | Allow SPIFFE trust domain. | "" | No |
!!! note "SPIFFE"
Please note that SPIFFE must be enabled in the [install configuration](../../install-configuration/tls/spiffe.md) (formerly known as static configuration) before using it to secure the connection between Traefik and the backends.
### `terminationDelay`
As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet).
The proxy needs to propagate that intent to the other side, and so when that happens, it also does the same on its connection with the other side (e.g. backend side).
However, if for some reason (bad implementation, or malicious intent) the other side does not eventually do the same as well,
the connection would stay half-open, which would lock resources for however long.
To that end, as soon as the proxy enters this termination sequence, it sets a deadline on fully terminating the connections on both sides.
The termination delay controls that deadline.
A negative value means an infinite deadline (i.e. the connection is never fully terminated by the proxy itself).

104
docs/content/reference/routing-configuration/tcp/service.md Normal file
View file

@ -0,0 +1,104 @@
---
title: "Traefik TCP Services Documentation"
description: "A service is in charge of connecting incoming requests to the Servers that can handle them. Read the technical documentation."
---
## General
Each of the fields of the service section represents a kind of service. Which means, that for each specified service, one of the fields, and only one, has to be enabled to define what kind of service is created. Currently, the two available kinds are `LoadBalancer`, and `Weighted`.
## Servers Load Balancer
The servers load balancer is in charge of balancing the requests between the servers of the same service.
### Configuration Examples
Declaring a Service with Two Servers -- Using the [File Provider](../../install-configuration/providers/others/file.md)
```yaml tab="Structured (YAML)"
tcp:
services:
my-service:
loadBalancer:
servers:
- address: "xx.xx.xx.xx:xx"
- address: "xx.xx.xx.xx:xx"
```
```toml tab="Structured (TOML)"
[tcp.services]
[tcp.services.my-service.loadBalancer]
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
[[tcp.services.my-service.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
## Configuration Options
| Field | Description | Default |
|----------|------------------------------------------|--------- |
| `servers` | Servers declare a single instance of your program. | "" |
| `servers.address` | The address option (IP:Port) point to a specific instance. | "" |
| `servers.tls` | The `tls` option determines whether to use TLS when dialing with the backend. | false |
| `servers.serversTransport` | `serversTransport` allows to reference a TCP [ServersTransport](./serverstransport.md configuration for the communication between Traefik and your servers. If no serversTransport is specified, the default@internal will be used. | "" |
| `servers.proxyProtocol.version` | Traefik supports PROXY Protocol version 1 and 2 on TCP Services. More Information [here](#serversproxyprotocolversion) | 2 |
### servers.proxyProtocol.version
Traefik supports [PROXY Protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2 on TCP Services. It can be enabled by setting `proxyProtocol` on the load balancer.
The option specifies the version of the protocol to be used. Either 1 or 2.
## Weighted Round Robin
The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the requests between multiple services based on provided weights.
This strategy is only available to load balance between [services](./service.md) and not between servers.
!!! info "Supported Providers"
This strategy can be defined currently with the [File](../../install-configuration/providers/others/file.md) or [IngressRoute](../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers.
```yaml tab="Structured (YAML)"
tcp:
services:
app:
weighted:
services:
- name: appv1
weight: 3
- name: appv2
weight: 1
appv1:
loadBalancer:
servers:
- address: "xxx.xxx.xxx.xxx:8080"
appv2:
loadBalancer:
servers:
- address: "xxx.xxx.xxx.xxx:8080"
```
```toml tab="Structured (TOML)"
[tcp.services]
[tcp.services.app]
[[tcp.services.app.weighted.services]]
name = "appv1"
weight = 3
[[tcp.services.app.weighted.services]]
name = "appv2"
weight = 1
[tcp.services.appv1]
[tcp.services.appv1.loadBalancer]
[[tcp.services.appv1.loadBalancer.servers]]
address = "private-ip-server-1:8080/"
[tcp.services.appv2]
[tcp.services.appv2.loadBalancer]
[[tcp.services.appv2.loadBalancer.servers]]
address = "private-ip-server-2:8080/"
```

104
docs/content/reference/routing-configuration/tcp/tls.md Normal file
View file

@ -0,0 +1,104 @@
---
title: "Traefik TLS Documentation"
description: "Learn how to configure the transport layer security (TLS) connection for TCP services in Traefik Proxy. Read the technical documentation."
---
## General
When a router is configured to handle HTTPS traffic, include a `tls` field in its definition. This field tells Traefik that the router should process only TLS requests and ignore non-TLS traffic.
By default, a router with a TLS field will terminate the TLS connections, meaning that it will send decrypted data to the services.
## Configuration Example
```yaml tab="Structured (YAML)"
tcp:
routers:
my-tls-router:
rule: "HostSNI(`example.com`)"
service: "my-tcp-service"
tls:
passthrough: true
options: "my-tls-options"
domains:
- main: "example.com"
sans:
- "www.example.com"
- "api.example.com"
certResolver: "myresolver"
```
```toml tab="Structured (TOML)"
[tcp.routers.my-tls-router]
rule = "HostSNI(`example.com`)"
service = "my-tcp-service"
[tcp.routers.my-tls-router.tls]
passthrough = true
options = "my-tls-options"
certResolver = "myresolver"
[[tcp.routers.my-tls-router.tls.domains]]
main = "example.com"
sans = ["www.example.com", "api.example.com"]
```
```yaml tab="Labels"
labels:
- "traefik.tcp.routers.my-tls-router.tls=true"
- "traefik.tcp.routers.my-tls-router.rule=HostSNI(`example.com`)"
- "traefik.tcp.routers.my-tls-router.service=my-tcp-service"
- "traefik.tcp.routers.my-tls-router.tls.passthrough=true"
- "traefik.tcp.routers.my-tls-router.tls.options=my-tls-options"
- "traefik.tcp.routers.my-tls-router.tls.certResolver=myresolver"
- "traefik.tcp.routers.my-tls-router.tls.domains[0].main=example.com"
- "traefik.tcp.routers.my-tls-router.tls.domains[0].sans=www.example.com,api.example.com"
```
```json tab="Tags"
{
//...
"Tags": [
"traefik.tcp.routers.my-tls-router.tls=true"
"traefik.tcp.routers.my-tls-router.rule=HostSNI(`example.com`)",
"traefik.tcp.routers.my-tls-router.service=my-tcp-service",
"traefik.tcp.routers.my-tls-router.tls.passthrough=true",
"traefik.tcp.routers.my-tls-router.tls.options=my-tls-options",
"traefik.tcp.routers.my-tls-router.tls.certResolver=myresolver",
"traefik.tcp.routers.my-tls-router.tls.domains[0].main=example.com",
"traefik.tcp.routers.my-tls-router.tls.domains[0].sans=www.example.com,api.example.com"
]
}
```
??? info "Postgres STARTTLS"
Traefik supports the Postgres STARTTLS protocol,
which allows TLS routing for Postgres connections.
To do so, Traefik reads the first bytes sent by a Postgres client,
identifies if they correspond to the message of a STARTTLS negotiation,
and, if so, acknowledges and signals the client that it can start the TLS handshake.
Please note/remember that there are subtleties inherent to STARTTLS in whether the connection ends up being a TLS one or not.
These subtleties depend on the `sslmode` value in the client configuration (and on the server authentication rules).
Therefore, it is recommended to use the `require` value for the `sslmode`.
Afterwards, the TLS handshake, and routing based on TLS, can proceed as expected.
!!! warning "Postgres STARTTLS with TCP TLS PassThrough routers"
As mentioned above, the `sslmode` configuration parameter does have an impact on whether a STARTTLS session will succeed.
In particular in the context of TCP TLS PassThrough, some of the values (such as `allow`) do not even make sense.
Which is why, once more it is recommended to use the `require` value.
## Configuration Options
| Field | Description | Default | Required |
|:------------------|:--------------------|:-----------------------------------------------|:---------|
|`passthrough`| Defines whether the requests should be forwarded "as is", keeping all data encrypted. | false | No |
|`options`| enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../http/tls/tls-certificates.md#tls-options) and will be applied only if a `HostSNI` rule is defined. | "" | No |
|`domains`| Defines a set of SANs (alternative domains) for each main domain. Every domain must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request.| [] | No |
|`certResolver`| If defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules. | "" | No |
{!traefik-for-business-applications.md!}