traefik/docs/configuration/entrypoints.md

# Entry Points Definition

## Reference

### TOML

```toml
[entryPoints]
  [entryPoints.http]
    address = ":80"
    compress = true

    [entryPoints.http.whitelist]
      sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
      useXForwardedFor = true

    [entryPoints.http.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
       ]
      [[entryPoints.http.tls.certificates]]
        certFile = "path/to/my.cert"
        keyFile = "path/to/my.key"
      [[entryPoints.http.tls.certificates]]
        certFile = "path/to/other.cert"
        keyFile = "path/to/other.key"
      # ...
      [entryPoints.http.tls.clientCA]
        files = ["path/to/ca1.crt", "path/to/ca2.crt"]
        optional = false

    [entryPoints.http.redirect]
      entryPoint = "https"
      regex = "^http://localhost/(.*)"
      replacement = "http://mydomain/$1"
      permanent = true

    [entryPoints.http.auth]
      headerField = "X-WebAuth-User"
      [entryPoints.http.auth.basic]
        users = [
          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
        ]
        usersFile = "/path/to/.htpasswd"
      [entryPoints.http.auth.digest]
        users = [
          "test:traefik:a2688e031edb4be6a3797f3882655c05",
          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
        ]
        usersFile = "/path/to/.htdigest"
      [entryPoints.http.auth.forward]
        address = "https://authserver.com/auth"
        trustForwardHeader = true
        [entryPoints.http.auth.forward.tls]
          ca =  [ "path/to/local.crt"]
          caOptional = true
          cert = "path/to/foo.cert"
          key = "path/to/foo.key"
          insecureSkipVerify = true

    [entryPoints.http.proxyProtocol]
      insecure = true
      trustedIPs = ["10.10.10.1", "10.10.10.2"]

    [entryPoints.http.forwardedHeaders]
      trustedIPs = ["10.10.10.1", "10.10.10.2"]

  [entryPoints.https]
    # ...
```

### CLI

For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).

```shell
--entryPoints='Name:http Address::80'
--entryPoints='Name:https Address::443 TLS'
```

!!! note
    Whitespace is used as option separator and `,` is used as value separator for the list.  
    The names of the options are case-insensitive.

In compose file the entrypoint syntax is different:

```yaml
traefik:
    image: traefik
    command:
        - --defaultentrypoints=powpow
        - "--entryPoints=Name:powpow Address::42 Compress:true"
```
or
```yaml
traefik:
    image: traefik
    command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
```

#### All available options:

```ini
Name:foo
Address::80
TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
TLS
TLS.MinVersion:VersionTLS11
TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
CA:car
CA.Optional:true
Redirect.EntryPoint:https
Redirect.Regex:http://localhost/(.*)
Redirect.Replacement:http://mydomain/$1
Redirect.Permanent:true
Compress:true
WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
WhiteList.UseXForwardedFor:true
ProxyProtocol.TrustedIPs:192.168.0.1
ProxyProtocol.Insecure:true
ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
Auth.HeaderField:X-WebAuth-User
Auth.Forward.Address:https://authserver.com/auth
Auth.Forward.TrustForwardHeader:true
Auth.Forward.TLS.CA:path/to/local.crt
Auth.Forward.TLS.CAOptional:true
Auth.Forward.TLS.Cert:path/to/foo.cert
Auth.Forward.TLS.Key:path/to/foo.key
Auth.Forward.TLS.InsecureSkipVerify:true
```

## Basic

```toml
# Entrypoints definition
#
# Default:
# [entryPoints]
#   [entryPoints.http]
#   address = ":80"
#
[entryPoints]
  [entryPoints.http]
  address = ":80"
```

## Redirect HTTP to HTTPS

To redirect an http entrypoint to an https entrypoint (with SNI support).

```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.com.cert"
      keyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.org.cert"
      keyFile = "integration/fixtures/https/snitest.org.key"
```

!!! note
    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case).

## Rewriting URL

To redirect an entrypoint rewriting the URL.

```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    regex = "^http://localhost/(.*)"
    replacement = "http://mydomain/$1"
```

!!! note
    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an `entrypoint` is defined for the redirection (they will not be used in this case).

Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).

## TLS

### Static Certificates

Define an entrypoint with SNI support.

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.com.cert"
      keyFile = "integration/fixtures/https/snitest.com.key"
```

!!! note
    If an empty TLS configuration is done, default self-signed certificates are generated.


### Dynamic Certificates

If you need to add or remove TLS certificates while Traefik is started, Dynamic TLS certificates are supported using the [file provider](/configuration/backends/file).


## TLS Mutual Authentication

TLS Mutual Authentication can be `optional` or not.
If it's `optional`, Træfik will authorize connection with certificates not signed by a specified Certificate Authority (CA).
Otherwise, Træfik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).
`ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
The `CA:s` has to be in PEM format.

By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert.
The requirement will apply to all server certs in the entrypoint.

In the example below both `snitest.com` and `snitest.org` will require client certs

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [entryPoints.https.tls.ClientCA]
    files = ["tests/clientca1.crt", "tests/clientca2.crt"]
    optional = false
    [[entryPoints.https.tls.certificates]]
    certFile = "integration/fixtures/https/snitest.com.cert"
    keyFile = "integration/fixtures/https/snitest.com.key"
    [[entryPoints.https.tls.certificates]]
    certFile = "integration/fixtures/https/snitest.org.cert"
    keyFile = "integration/fixtures/https/snitest.org.key"
```

!!! note
    The deprecated argument `ClientCAFiles` allows adding Client CA files which are mandatory.
    If this parameter exists, the new ones are not checked.

## Authentication

### Basic Authentication

Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate them.

Users can be specified directly in the TOML file, or indirectly by referencing an external file;
 if both are provided, the two are merged, with external file contents having precedence.

```toml
# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.http.auth.basic]
  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
  usersFile = "/path/to/.htpasswd"
```

### Digest Authentication

You can use `htdigest` to generate them.

Users can be specified directly in the TOML file, or indirectly by referencing an external file;
 if both are provided, the two are merged, with external file contents having precedence

```toml
# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.http.auth.digest]
  users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
  usersFile = "/path/to/.htdigest"
```

### Forward Authentication

This configuration will first forward the request to `http://authserver.com/auth`.

If the response code is 2XX, access is granted and the original request is performed.
Otherwise, the response from the authentication server is returned.

```toml
[entryPoints]
  [entryPoints.http]
    # ...
    # To enable forward auth on an entrypoint
    [entryPoints.http.auth.forward]
    address = "https://authserver.com/auth"

    # Trust existing X-Forwarded-* headers.
    # Useful with another reverse proxy in front of Traefik.
    #
    # Optional
    # Default: false
    #
    trustForwardHeader = true

    # Enable forward auth TLS connection.
    #
    # Optional
    #
    [entryPoints.http.auth.forward.tls]
    cert = "authserver.crt"
    key = "authserver.key"
```

## Specify Minimum TLS Version

To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from [crypto/tls](https://godoc.org/crypto/tls#pkg-constants)).

```toml
[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ]
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.com.cert"
      keyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.org.cert"
      keyFile = "integration/fixtures/https/snitest.org.key"
```

## Compression

To enable compression support using gzip format.

```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
```

Responses are compressed when:

* The response body is larger than `512` bytes
* And the `Accept-Encoding` request header contains `gzip`
* And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

## White Listing

To enable IP white listing at the entry point level.

```toml
[entryPoints]
  [entryPoints.http]
    address = ":80"

    [entryPoints.http.whiteList]
      sourceRange = ["127.0.0.1/32", "192.168.1.7"]
      # useXForwardedFor = true
```

## ProxyProtocol

To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`).

!!! danger
    When queuing Træfik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.
    Otherwise, it could introduce a security risk in your system by forging requests.

```toml
[entryPoints]
  [entryPoints.http]
    address = ":80"

    # Enable ProxyProtocol
    [entryPoints.http.proxyProtocol]
      # List of trusted IPs
      #
      # Required
      # Default: []
      #
      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]

      # Insecure mode FOR TESTING ENVIRONNEMENT ONLY
      #
      # Optional
      # Default: false
      #
      # insecure = true
```

## Forwarded Header

Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`).

```toml
[entryPoints]
  [entryPoints.http]
    address = ":80"

    # Enable Forwarded Headers
    [entryPoints.http.forwardedHeaders]
      # List of trusted IPs
      #
      # Required
      # Default: []
      #
      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
Enhance documentation. 2017-09-05 13:58:03 +00:00			`# Entry Points Definition`

Enhance file provider documentation. 2018-01-29 13:36:03 +00:00			`## Reference`

Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`### TOML`

Enhance file provider documentation. 2018-01-29 13:36:03 +00:00			```toml
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			`compress = true`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`[entryPoints.http.whitelist]`
			`sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]`
			`useXForwardedFor = true`

Enhance file provider documentation. 2018-01-29 13:36:03 +00:00			`[entryPoints.http.tls]`
			`minVersion = "VersionTLS12"`
Fix doc cipher suites 2018-02-21 07:00:03 +00:00			`cipherSuites = [`
			`"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",`
			`"TLS_RSA_WITH_AES_256_GCM_SHA384"`
			`]`
Enhance file provider documentation. 2018-01-29 13:36:03 +00:00			`[[entryPoints.http.tls.certificates]]`
			`certFile = "path/to/my.cert"`
			`keyFile = "path/to/my.key"`
			`[[entryPoints.http.tls.certificates]]`
			`certFile = "path/to/other.cert"`
			`keyFile = "path/to/other.key"`
			`# ...`
			`[entryPoints.http.tls.clientCA]`
			`files = ["path/to/ca1.crt", "path/to/ca2.crt"]`
			`optional = false`

			`[entryPoints.http.redirect]`
			`entryPoint = "https"`
			`regex = "^http://localhost/(.*)"`
			`replacement = "http://mydomain/$1"`
			`permanent = true`

			`[entryPoints.http.auth]`
			`headerField = "X-WebAuth-User"`
			`[entryPoints.http.auth.basic]`
			`users = [`
			`"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",`
			`"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",`
			`]`
			`usersFile = "/path/to/.htpasswd"`
			`[entryPoints.http.auth.digest]`
			`users = [`
			`"test:traefik:a2688e031edb4be6a3797f3882655c05",`
			`"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",`
			`]`
			`usersFile = "/path/to/.htdigest"`
			`[entryPoints.http.auth.forward]`
			`address = "https://authserver.com/auth"`
			`trustForwardHeader = true`
			`[entryPoints.http.auth.forward.tls]`
			`ca = [ "path/to/local.crt"]`
			`caOptional = true`
			`cert = "path/to/foo.cert"`
			`key = "path/to/foo.key"`
			`insecureSkipVerify = true`

			`[entryPoints.http.proxyProtocol]`
			`insecure = true`
			`trustedIPs = ["10.10.10.1", "10.10.10.2"]`

			`[entryPoints.http.forwardedHeaders]`
			`trustedIPs = ["10.10.10.1", "10.10.10.2"]`

			`[entryPoints.https]`
			`# ...`
			```

Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`### CLI`

			`For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).`

			```shell
			`--entryPoints='Name:http Address::80'`
			`--entryPoints='Name:https Address::443 TLS'`
			```

			`!!! note`
			Whitespace is used as option separator and `,` is used as value separator for the list.
			`The names of the options are case-insensitive.`

Explain how to write entrypoints definition in a compose file 2018-02-09 17:16:04 +00:00			`In compose file the entrypoint syntax is different:`

			```yaml
			`traefik:`
			`image: traefik`
			`command:`
			`- --defaultentrypoints=powpow`
			`- "--entryPoints=Name:powpow Address::42 Compress:true"`
			```
			`or`
			```yaml
			`traefik:`
			`image: traefik`
			`command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'`
			```

			`#### All available options:`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00
			```ini
			`Name:foo`
			`Address::80`
Enhance entry point TLS CLI reference. 2018-05-13 15:12:03 +00:00			`TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`TLS`
Support TLS MinVersion and CipherSuite as CLI option. 2018-04-04 09:56:04 +00:00			`TLS.MinVersion:VersionTLS11`
			`TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`CA:car`
			`CA.Optional:true`
			`Redirect.EntryPoint:https`
			`Redirect.Regex:http://localhost/(.*)`
			`Redirect.Replacement:http://mydomain/$1`
Add new options to the CLI entrypoint definition. 2018-02-08 08:30:06 +00:00			`Redirect.Permanent:true`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`Compress:true`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16`
			`WhiteList.UseXForwardedFor:true`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`ProxyProtocol.TrustedIPs:192.168.0.1`
Fix typo in documentation 2018-04-23 08:28:04 +00:00			`ProxyProtocol.Insecure:true`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			`ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24`
Add new options to the CLI entrypoint definition. 2018-02-08 08:30:06 +00:00			`Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0`
			`Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e`
			`Auth.HeaderField:X-WebAuth-User`
			`Auth.Forward.Address:https://authserver.com/auth`
			`Auth.Forward.TrustForwardHeader:true`
			`Auth.Forward.TLS.CA:path/to/local.crt`
			`Auth.Forward.TLS.CAOptional:true`
			`Auth.Forward.TLS.Cert:path/to/foo.cert`
			`Auth.Forward.TLS.Key:path/to/foo.key`
			`Auth.Forward.TLS.InsecureSkipVerify:true`
Add documentation about entry points definition with CLI. 2018-02-05 07:54:03 +00:00			```
Enhance file provider documentation. 2018-01-29 13:36:03 +00:00
			`## Basic`

Enhance documentation. 2017-09-05 13:58:03 +00:00			```toml
			`# Entrypoints definition`
			`#`
			`# Default:`
			`# [entryPoints]`
			`# [entryPoints.http]`
			`# address = ":80"`
			`#`
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			```

			`## Redirect HTTP to HTTPS`

			`To redirect an http entrypoint to an https entrypoint (with SNI support).`

			```toml
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			`[entryPoints.http.redirect]`
			`entryPoint = "https"`
			`[entryPoints.https]`
			`address = ":443"`
			`[entryPoints.https.tls]`
			`[[entryPoints.https.tls.certificates]]`
Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00			`certFile = "integration/fixtures/https/snitest.com.cert"`
			`keyFile = "integration/fixtures/https/snitest.com.key"`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`[[entryPoints.https.tls.certificates]]`
Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00			`certFile = "integration/fixtures/https/snitest.org.cert"`
			`keyFile = "integration/fixtures/https/snitest.org.key"`
Enhance documentation. 2017-09-05 13:58:03 +00:00			```

Add a note about redirection rule to precise how regex/replacement work. 2017-10-22 07:44:03 +00:00			`!!! note`
			Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case).

Enhance documentation. 2017-09-05 13:58:03 +00:00			`## Rewriting URL`

			`To redirect an entrypoint rewriting the URL.`

			```toml
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			`[entryPoints.http.redirect]`
			`regex = "^http://localhost/(.*)"`
			`replacement = "http://mydomain/$1"`
			```

Add a note about redirection rule to precise how regex/replacement work. 2017-10-22 07:44:03 +00:00			`!!! note`
Docs: regex+replacement hints for URL rewriting 2018-02-07 12:42:04 +00:00			Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an `entrypoint` is defined for the redirection (they will not be used in this case).

			Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

			`Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).`
Add a note about redirection rule to precise how regex/replacement work. 2017-10-22 07:44:03 +00:00
Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00			`## TLS`

Fix doc dynamic certificates 2018-01-23 08:12:03 +00:00			`### Static Certificates`

Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00			`Define an entrypoint with SNI support.`

			```toml
			`[entryPoints]`
			`[entryPoints.https]`
			`address = ":443"`
			`[entryPoints.https.tls]`
			`[[entryPoints.https.tls.certificates]]`
			`certFile = "integration/fixtures/https/snitest.com.cert"`
			`keyFile = "integration/fixtures/https/snitest.com.key"`
			```

			`!!! note`
			`If an empty TLS configuration is done, default self-signed certificates are generated.`
Enhance file provider documentation. 2018-01-29 13:36:03 +00:00
Fix doc dynamic certificates 2018-01-23 08:12:03 +00:00
			`### Dynamic Certificates`

			`If you need to add or remove TLS certificates while Traefik is started, Dynamic TLS certificates are supported using the [file provider](/configuration/backends/file).`

Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00
Enhance documentation. 2017-09-05 13:58:03 +00:00			`## TLS Mutual Authentication`

Allow adding optional Client CA files 2017-11-10 09:30:04 +00:00			TLS Mutual Authentication can be `optional` or not.
			If it's `optional`, Træfik will authorize connection with certificates not signed by a specified Certificate Authority (CA).
			`Otherwise, Træfik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
			The `CA:s` has to be in PEM format.

Allow adding optional Client CA files 2017-11-10 09:30:04 +00:00			By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert.
Enhance documentation. 2017-09-05 13:58:03 +00:00			`The requirement will apply to all server certs in the entrypoint.`

			In the example below both `snitest.com` and `snitest.org` will require client certs

			```toml
			`[entryPoints]`
			`[entryPoints.https]`
			`address = ":443"`
			`[entryPoints.https.tls]`
Allow adding optional Client CA files 2017-11-10 09:30:04 +00:00			`[entryPoints.https.tls.ClientCA]`
			`files = ["tests/clientca1.crt", "tests/clientca2.crt"]`
			`optional = false`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`[[entryPoints.https.tls.certificates]]`
Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00			`certFile = "integration/fixtures/https/snitest.com.cert"`
			`keyFile = "integration/fixtures/https/snitest.com.key"`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`[[entryPoints.https.tls.certificates]]`
Make the TLS certificates management dynamic. 2017-11-09 11:16:03 +00:00			`certFile = "integration/fixtures/https/snitest.org.cert"`
			`keyFile = "integration/fixtures/https/snitest.org.key"`
Enhance documentation. 2017-09-05 13:58:03 +00:00			```

Allow adding optional Client CA files 2017-11-10 09:30:04 +00:00			`!!! note`
Compress ACME certificates in KV stores. 2018-02-09 09:38:03 +00:00			The deprecated argument `ClientCAFiles` allows adding Client CA files which are mandatory.
			`If this parameter exists, the new ones are not checked.`
Allow adding optional Client CA files 2017-11-10 09:30:04 +00:00
Enhance documentation. 2017-09-05 13:58:03 +00:00			`## Authentication`

			`### Basic Authentication`

Update documentation on onHostRule, ping examples, and web deprecation 2018-02-16 09:32:03 +00:00			Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate them.
Enhance documentation. 2017-09-05 13:58:03 +00:00
Update documentation on onHostRule, ping examples, and web deprecation 2018-02-16 09:32:03 +00:00			`Users can be specified directly in the TOML file, or indirectly by referencing an external file;`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`if both are provided, the two are merged, with external file contents having precedence.`

			```toml
			`# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2`
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			`[entryPoints.http.auth.basic]`
			`users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]`
			`usersFile = "/path/to/.htpasswd"`
			```

			`### Digest Authentication`

Update documentation on onHostRule, ping examples, and web deprecation 2018-02-16 09:32:03 +00:00			You can use `htdigest` to generate them.
Enhance documentation. 2017-09-05 13:58:03 +00:00
Update documentation on onHostRule, ping examples, and web deprecation 2018-02-16 09:32:03 +00:00			`Users can be specified directly in the TOML file, or indirectly by referencing an external file;`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`if both are provided, the two are merged, with external file contents having precedence`

			```toml
			`# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2`
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
Fix redirect problem on dashboard + docs/tests on [web] 2018-01-11 08:46:03 +00:00			`[entryPoints.http.auth.digest]`
Fix concurrent map writes on digest auth 2018-01-12 19:00:06 +00:00			`users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`usersFile = "/path/to/.htdigest"`
			```

Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`### Forward Authentication`

			This configuration will first forward the request to `http://authserver.com/auth`.

			`If the response code is 2XX, access is granted and the original request is performed.`
Update documentation on onHostRule, ping examples, and web deprecation 2018-02-16 09:32:03 +00:00			`Otherwise, the response from the authentication server is returned.`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00
			```toml
			`[entryPoints]`
entrypoints -> entryPoints 2017-10-30 12:20:03 +00:00			`[entryPoints.http]`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`# ...`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`# To enable forward auth on an entrypoint`
entrypoints -> entryPoints 2017-10-30 12:20:03 +00:00			`[entryPoints.http.auth.forward]`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`address = "https://authserver.com/auth"`
Enhance file provider documentation. 2018-01-29 13:36:03 +00:00
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`# Trust existing X-Forwarded-* headers.`
			`# Useful with another reverse proxy in front of Traefik.`
			`#`
			`# Optional`
			`# Default: false`
			`#`
			`trustForwardHeader = true`
Enhance file provider documentation. 2018-01-29 13:36:03 +00:00
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`# Enable forward auth TLS connection.`
			`#`
			`# Optional`
			`#`
entrypoints -> entryPoints 2017-10-30 12:20:03 +00:00			`[entryPoints.http.auth.forward.tls]`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`cert = "authserver.crt"`
			`key = "authserver.key"`
			```

Enhance documentation. 2017-09-05 13:58:03 +00:00			`## Specify Minimum TLS Version`

Add link to crypto/tls godoc. 2017-11-27 14:24:03 +00:00			`To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from [crypto/tls](https://godoc.org/crypto/tls#pkg-constants)).`
Enhance documentation. 2017-09-05 13:58:03 +00:00
			```toml
			`[entryPoints]`
			`[entryPoints.https]`
			`address = ":443"`
			`[entryPoints.https.tls]`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`minVersion = "VersionTLS12"`
Fix doc cipher suites 2018-02-21 07:00:03 +00:00			`cipherSuites = [`
			`"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",`
			`"TLS_RSA_WITH_AES_256_GCM_SHA384"`
			`]`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`[[entryPoints.https.tls.certificates]]`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`certFile = "integration/fixtures/https/snitest.com.cert"`
			`keyFile = "integration/fixtures/https/snitest.com.key"`
Enhance documentation. 2017-09-05 13:58:03 +00:00			`[[entryPoints.https.tls.certificates]]`
Add forward auth documentation. 2017-09-14 19:26:02 +00:00			`certFile = "integration/fixtures/https/snitest.org.cert"`
			`keyFile = "integration/fixtures/https/snitest.org.key"`
Enhance documentation. 2017-09-05 13:58:03 +00:00			```

			`## Compression`

			`To enable compression support using gzip format.`

			```toml
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`
			`compress = true`
			```

Improve compression documentation 2017-09-29 08:34:03 +00:00			`Responses are compressed when:`

			* The response body is larger than `512` bytes
			* And the `Accept-Encoding` request header contains `gzip`
			* And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`## White Listing`
Enhance documentation. 2017-09-05 13:58:03 +00:00
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`To enable IP white listing at the entry point level.`
Enhance documentation. 2017-09-05 13:58:03 +00:00
			```toml
			`[entryPoints]`
			`[entryPoints.http]`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`address = ":80"`

Fix basic documentation 2018-03-27 12:58:03 +00:00			`[entryPoints.http.whiteList]`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 16:40:04 +00:00			`sourceRange = ["127.0.0.1/32", "192.168.1.7"]`
			`# useXForwardedFor = true`
Enhance documentation. 2017-09-05 13:58:03 +00:00			```

Fix Proxy Protocol documentation 2017-10-12 09:10:03 +00:00			`## ProxyProtocol`
Enhance documentation. 2017-09-05 13:58:03 +00:00
			`To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.`
Add TrustForwardHeader options. 2017-10-16 10:46:03 +00:00			Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`).
Add trusted whitelist proxy protocol 2017-10-10 12:50:03 +00:00
Fix Proxy Protocol documentation 2017-10-12 09:10:03 +00:00			`!!! danger`
			`When queuing Træfik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.`
Enhance file provider documentation. 2018-01-29 13:36:03 +00:00			`Otherwise, it could introduce a security risk in your system by forging requests.`
Enhance documentation. 2017-09-05 13:58:03 +00:00
			```toml
			`[entryPoints]`
			`[entryPoints.http]`
Add TrustForwardHeader options. 2017-10-16 10:46:03 +00:00			`address = ":80"`

			`# Enable ProxyProtocol`
			`[entryPoints.http.proxyProtocol]`
			`# List of trusted IPs`
			`#`
			`# Required`
			`# Default: []`
			`#`
			`trustedIPs = ["127.0.0.1/32", "192.168.1.7"]`

			`# Insecure mode FOR TESTING ENVIRONNEMENT ONLY`
			`#`
			`# Optional`
			`# Default: false`
			`#`
			`# insecure = true`
			```

			`## Forwarded Header`

Minor grammar change 2017-11-02 09:38:03 +00:00			Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`).
Add TrustForwardHeader options. 2017-10-16 10:46:03 +00:00
			```toml
			`[entryPoints]`
			`[entryPoints.http]`
			`address = ":80"`

			`# Enable Forwarded Headers`
			`[entryPoints.http.forwardedHeaders]`
			`# List of trusted IPs`
			`#`
			`# Required`
			`# Default: []`
			`#`
			`trustedIPs = ["127.0.0.1/32", "192.168.1.7"]`
Enhance documentation. 2017-09-05 13:58:03 +00:00			```