From bfde17b4d7d981e8c693f87ac25215bf7220016e Mon Sep 17 00:00:00 2001 
From: Ludovic Fernandez Date: Mon, 23 Sep 2019 14:32:04 +0200 Subject: [PATCH] Improve routing documentation --- docs/content/contributing/data-collection.md | 81 ++- docs/content/getting-started/concepts.md | 4 +- .../getting-started/configuration-overview.md | 18 +- .../getting-started/install-traefik.md | 8 +- docs/content/https/acme.md | 8 +- docs/content/https/tls.md | 2 +- docs/content/index.md | 2 +- docs/content/middlewares/basicauth.md | 4 +- docs/content/middlewares/buffering.md | 222 +++++++- docs/content/middlewares/circuitbreaker.md | 21 +- docs/content/middlewares/compress.md | 14 +- docs/content/middlewares/digestauth.md | 4 +- docs/content/middlewares/errorpages.md | 6 +- docs/content/middlewares/forwardauth.md | 4 +- docs/content/middlewares/headers.md | 2 +- docs/content/middlewares/inflightreq.md | 95 +++- docs/content/middlewares/ipwhitelist.md | 53 +- docs/content/middlewares/passtlsclientcert.md | 10 +- docs/content/middlewares/ratelimit.md | 31 +- docs/content/migration/v1-to-v2.md | 5 +- docs/content/observability/access-logs.md | 6 +- docs/content/observability/logs.md | 2 +- docs/content/operations/api.md | 4 +- docs/content/operations/cli.md | 6 +- docs/content/operations/dashboard.md | 4 +- docs/content/providers/docker.md | 131 +---- docs/content/providers/file.md | 19 +- docs/content/providers/kubernetes-crd.md | 201 +------ docs/content/providers/kubernetes-ingress.md | 5 +- docs/content/providers/marathon.md | 93 +--- docs/content/providers/overview.md | 9 +- docs/content/providers/rancher.md | 75 +-- docs/content/routing/entrypoints.md | 452 ++++++++++++---- docs/content/routing/overview.md | 8 +- .../providers/crd_ingress_route.yml | 0 .../providers/crd_middlewares.yml | 0 .../providers/crd_tls_option.yml | 0 docs/content/routing/providers/docker.md | 490 +++++++++++++++++ .../routing/providers/kubernetes-crd.md | 205 +++++++ docs/content/routing/providers/marathon.md | 299 +++++++++++ docs/content/routing/providers/rancher.md | 
280 ++++++++++ docs/content/routing/routers/index.md | 500 +++++++++++------- docs/content/routing/services/index.md | 56 +- docs/mkdocs.yml | 7 +- .../components/_commons/PanelMiddlewares.vue | 2 +- 45 files changed, 2465 insertions(+), 983 deletions(-) rename docs/content/{ => routing}/providers/crd_ingress_route.yml (100%) rename docs/content/{ => routing}/providers/crd_middlewares.yml (100%) rename docs/content/{ => routing}/providers/crd_tls_option.yml (100%) create mode 100644 docs/content/routing/providers/docker.md create mode 100644 docs/content/routing/providers/kubernetes-crd.md create mode 100644 docs/content/routing/providers/marathon.md create mode 100644 docs/content/routing/providers/rancher.md diff --git a/docs/content/contributing/data-collection.md b/docs/content/contributing/data-collection.md index b8950c7cb..67fe211c2 100644 --- a/docs/content/contributing/data-collection.md +++ b/docs/content/contributing/data-collection.md 
@@ -42,54 +42,51 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col - a hash of the configuration - an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed). -!!! note - We do not collect the dynamic configuration information (routers & services). - We do not collect these data to run advertising programs. - We do not sell these data to third-parties. +!!! info + + - We do not collect the dynamic configuration information (routers & services). + - We do not collect this data to run advertising programs. + - We do not sell this data to third-parties. ### Example of Collected Data -??? example "Original configuration" +```toml tab="Original configuration" +[entryPoints] + [entryPoints.web] + address = ":80" - ```toml - [entryPoints] - [entryPoints.web] - address = ":80" - - [api] - - [providers.docker] - endpoint = "tcp://10.10.10.10:2375" - exposedByDefault = true - swarmMode = true - - [providers.docker.TLS] - ca = "dockerCA" - cert = "dockerCert" - key = "dockerKey" - insecureSkipVerify = true - ``` +[api] -??? 
example "Resulting Obfuscated Configuration" +[providers.docker] + endpoint = "tcp://10.10.10.10:2375" + exposedByDefault = true + swarmMode = true - ```toml - [entryPoints] - [entryPoints.web] - address = ":80" - - [api] - - [providers.docker] - endpoint = "xxxx" - exposedByDefault = true - swarmMode = true - - [providers.docker.TLS] - ca = "xxxx" - cert = "xxxx" - key = "xxxx" - insecureSkipVerify = false - ``` + [providers.docker.TLS] + ca = "dockerCA" + cert = "dockerCert" + key = "dockerKey" + insecureSkipVerify = true +``` + +```toml tab="Resulting Obfuscated Configuration" +[entryPoints] + [entryPoints.web] + address = ":80" + +[api] + +[providers.docker] + endpoint = "xxxx" + exposedByDefault = true + swarmMode = true + + [providers.docker.TLS] + ca = "xxxx" + cert = "xxxx" + key = "xxxx" + insecureSkipVerify = false +``` ## The Code for Data Collection diff --git a/docs/content/getting-started/concepts.md b/docs/content/getting-started/concepts.md index 12d860720..6d1f64cf7 100644 --- a/docs/content/getting-started/concepts.md +++ b/docs/content/getting-started/concepts.md @@ -23,11 +23,11 @@ The opposite is true: when you remove a service from your infrastructure, the ro You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules. -!!! note "Many different rules" +!!! info "Many different rules" In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule). -!!! note "Updating the requests" +!!! info "Updating the requests" In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services. diff --git a/docs/content/getting-started/configuration-overview.md b/docs/content/getting-started/configuration-overview.md index a24aa7b7f..8a6b87a4c 100644 
--- a/docs/content/getting-started/configuration-overview.md +++ b/docs/content/getting-started/configuration-overview.md @@ -21,23 +21,25 @@ This configuration can change and is seamlessly hot-reloaded, without any reques ## The Dynamic Configuration -Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md). +Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. -!!! Note +Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../routing/overview.md). + +!!! info "" In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers. -!!! Note +!!! info "HTTPS Certificates also belong to the dynamic configuration." - HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance. + You can add / update / remove them without restarting your Traefik instance. ## The Static Configuration -There are three different, mutually exclusive, ways to define static configuration options in Traefik: +There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik: -- In a configuration file -- In the command-line arguments -- As environment variables +1. In a configuration file +1. In the command-line arguments +1. As environment variables These ways are evaluated in the order listed above. 
diff --git a/docs/content/getting-started/install-traefik.md b/docs/content/getting-started/install-traefik.md index a3d0b3db5..96cf721b1 100644 --- a/docs/content/getting-started/install-traefik.md +++ b/docs/content/getting-started/install-traefik.md @@ -10,7 +10,7 @@ You can install Traefik with the following flavors: Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml): -```shell +```bash docker run -d -p 8080:8080 -p 80:80 \ -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0 ``` @@ -21,14 +21,14 @@ For more details, go to the [Docker provider documentation](../providers/docker. * Prefer a fixed version than the latest that could be an unexpected version. ex: `traefik:v2.0.0` - * Docker images comes in 2 flavors: scratch based or alpine based. + * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine). * All the orchestrator using docker images could fetch the official Traefik docker image. ## Use the Binary Distribution Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page. -??? tip "Check the integrity of the downloaded file" +??? info "Check the integrity of the downloaded file" ```bash tab="Linux" # Compare this value to the one found in traefik-${traefik_version}_checksums.txt @@ -45,7 +45,7 @@ Grab the latest binary from the [releases](https://github.com/containous/traefik Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256 ``` -??? tip "Extract the downloaded archive" +??? info "Extract the downloaded archive" ```bash tab="Linux" tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md index 38c56443c..4d7dae917 100644 --- a/docs/content/https/acme.md +++ b/docs/content/https/acme.md 
@@ -81,7 +81,7 @@ Traefik automatically tracks the expiry date of ACME certificates it generates. If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically. -!!! note +!!! info "" Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing. ## The Different ACME Challenges @@ -162,7 +162,7 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web ``` -!!! note +!!! info "" Redirection is fully compatible with the `HTTP-01` challenge. ### `dnsChallenge` @@ -278,7 +278,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76) [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider. -!!! note "`delayBeforeCheck`" +!!! info "`delayBeforeCheck`" By default, the `provider` verifies the TXT record _before_ letting ACME verify. You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero). This option is useful when internal networks block external DNS queries. @@ -398,5 +398,5 @@ If Let's Encrypt is not reachable, the following certificates will apply: 1. Expired ACME certificates 1. Provided certificates -!!! note +!!! important For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted. diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md index b1ea03216..c6d3d8efa 100644 --- a/docs/content/https/tls.md +++ b/docs/content/https/tls.md 
@@ -40,7 +40,7 @@ tls: In the above example, we've used the [file provider](../providers/file.md) to handle these definitions. It is the only available method to configure the certificates (as well as the options and the stores). - However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../providers/kubernetes-crd.md#tls). + However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). ## Certificates Stores diff --git a/docs/content/index.md b/docs/content/index.md index 8202ba071..58b8aa523 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -18,6 +18,6 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo -- The Traefik Maintainer Team -!!! Note +!!! info If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. diff --git a/docs/content/middlewares/basicauth.md b/docs/content/middlewares/basicauth.md index 2e44eb076..40d7461cd 100644 --- a/docs/content/middlewares/basicauth.md +++ b/docs/content/middlewares/basicauth.md @@ -77,7 +77,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt. The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format. -!!! Note +!!! note "" - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`. - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
@@ -154,7 +154,7 @@ The `usersFile` option is the path to an external file that contains the authori The file content is a list of `name:encoded-password`. -!!! Note +!!! note "" - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`. - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. diff --git a/docs/content/middlewares/buffering.md b/docs/content/middlewares/buffering.md index 28e25489f..d03c78026 100644 --- a/docs/content/middlewares/buffering.md +++ b/docs/content/middlewares/buffering.md @@ -16,7 +16,7 @@ This can help services deal with large data (multipart/form-data for example), a ```yaml tab="Docker" # Sets the maximum request body to 2Mb labels: -- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000" +- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000" ``` ```yaml tab="Kubernetes" @@ -27,26 +27,26 @@ metadata: name: limit spec: buffering: - maxRequestBodyBytes: 250000 + maxRequestBodyBytes: 2000000 ``` ```json tab="Marathon" "labels": { - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "250000" + "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000" } ``` ```yaml tab="Rancher" # Sets the maximum request body to 2Mb labels: -- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000" +- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000" ``` ```toml tab="File (TOML)" # Sets the maximum request body to 2Mb [http.middlewares] [http.middlewares.limit.buffering] - maxRequestBodyBytes = 250000 + maxRequestBodyBytes = 2000000 ``` ```yaml tab="File (YAML)" @@ -55,7 +55,7 @@ http: middlewares: limit: buffering: - maxRequestBodyBytes: 250000 + maxRequestBodyBytes: 2000000 ``` ## Configuration Options 
@@ -64,11 +64,91 @@ http: With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes). -If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response. +If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response. + +```yaml tab="Docker" +labels: +- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000" +``` + +```yaml tab="Kubernetes" +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: limit +spec: + buffering: + maxRequestBodyBytes: 2000000 +``` + +```json tab="Marathon" +"labels": { + "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000" +} +``` + +```yaml tab="Rancher" +labels: +- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000" +``` + +```toml tab="File (TOML)" +[http.middlewares] + [http.middlewares.limit.buffering] + maxRequestBodyBytes = 2000000 +``` + +```yaml tab="File (YAML)" +http: + middlewares: + limit: + buffering: + maxRequestBodyBytes: 2000000 +``` ### `memRequestBodyBytes` -You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. +You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+ +```yaml tab="Docker" +labels: +- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000" +``` + +```yaml tab="Kubernetes" +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: limit +spec: + buffering: + memRequestBodyBytes: 2000000 +``` + +```json tab="Marathon" +"labels": { + "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000" +} +``` + +```yaml tab="Rancher" +labels: +- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000" +``` + +```toml tab="File (TOML)" +[http.middlewares] + [http.middlewares.limit.buffering] + memRequestBodyBytes = 2000000 +``` + +```yaml tab="File (YAML)" +http: + middlewares: + limit: + buffering: + memRequestBodyBytes: 2000000 +``` ### `maxResponseBodyBytes` 
@@ -76,21 +156,137 @@ With the `maxReesponseBodyBytes` option, you can configure the maximum allowed r If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead. +```yaml tab="Docker" +labels: +- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000" +``` + +```yaml tab="Kubernetes" +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: limit +spec: + buffering: + maxResponseBodyBytes: 2000000 +``` + +```json tab="Marathon" +"labels": { + "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000" +} +``` + +```yaml tab="Rancher" +labels: +- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000" +``` + +```toml tab="File (TOML)" +[http.middlewares] + [http.middlewares.limit.buffering] + maxResponseBodyBytes = 2000000 +``` + +```yaml tab="File (YAML)" +http: + middlewares: + limit: + buffering: + maxResponseBodyBytes: 2000000 +``` + ### `memResponseBodyBytes` -You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. +You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+ +```yaml tab="Docker" +labels: +- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000" +``` + +```yaml tab="Kubernetes" +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: limit +spec: + buffering: + memResponseBodyBytes: 2000000 +``` + +```json tab="Marathon" +"labels": { + "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000" +} +``` + +```yaml tab="Rancher" +labels: +- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000" +``` + +```toml tab="File (TOML)" +[http.middlewares] + [http.middlewares.limit.buffering] + memResponseBodyBytes = 2000000 +``` + +```yaml tab="File (YAML)" +http: + middlewares: + limit: + buffering: + memResponseBodyBytes: 2000000 +``` ### `retryExpression` You can have the Buffering middleware replay the request with the help of the `retryExpression` option. -!!! example "Retries once in case of a network error" +??? example "Retries once in case of a network error" - ```toml - retryExpression = "IsNetworkError() && Attempts() < 2" + ```yaml tab="Docker" + labels: + - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2" ``` -Available functions for the retry expression are: + ```yaml tab="Kubernetes" + apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: limit + spec: + buffering: + retryExpression: "IsNetworkError() && Attempts() < 2" + ``` + + ```json tab="Marathon" + "labels": { + "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2" + } + ``` + + ```yaml tab="Rancher" + labels: + - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2" + ``` + + ```toml tab="File (TOML)" + [http.middlewares] + [http.middlewares.limit.buffering] + retryExpression = "IsNetworkError() && Attempts() < 2" + ``` + + ```yaml tab="File (YAML)" + http: + middlewares: + limit: + buffering: + retryExpression: "IsNetworkError() && 
Attempts() < 2" + ``` + +The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required: - `Attempts()` number of attempts (the first one counts) - `ResponseCode()` response code of the service diff --git a/docs/content/middlewares/circuitbreaker.md b/docs/content/middlewares/circuitbreaker.md index 1f4c928ed..cc0a4445e 100644 --- a/docs/content/middlewares/circuitbreaker.md +++ b/docs/content/middlewares/circuitbreaker.md @@ -12,14 +12,19 @@ When your system becomes unhealthy, the circuit becomes open and the requests ar To assess if your system is healthy, the circuit breaker constantly monitors the services. -!!! Note +!!! note "" - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state. - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state. !!! important - Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route. + Each router will eventually gets its own instance of a given circuit breaker. + + If two different routers refer to the same circuit breaker definition, they will get one instance each. + It means that one circuit breaker can be open while the other stays closed: their state is not shared. + + This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route. ## Configuration Examples 
@@ -117,7 +122,7 @@ The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`). -!!! Note +!!! note "" If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0. `from`is inclusive, `to` is exclusive. @@ -130,7 +135,7 @@ You can trigger the circuit breaker when a given proportion of your requests bec For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS. -!!! Note +!!! note "" You must provide a float number (with the trailing .0) for the quantile value @@ -155,14 +160,16 @@ Here is the list of supported operators: - Lesser or equal than (`<=`) - Equal (`==`) - Not Equal (`!=`) - + ### Fallback mechanism -The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. +The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). +This behavior cannot be configured. ### `CheckPeriod` -The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured. +The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. +By default, `CheckPeriod` is 100ms. This value cannot be configured. ### `FallbackDuration` diff --git a/docs/content/middlewares/compress.md b/docs/content/middlewares/compress.md index 8137899f2..b6c0a6680 100644 --- a/docs/content/middlewares/compress.md +++ b/docs/content/middlewares/compress.md 
@@ -51,10 +51,10 @@ http: compress: {} ``` -## Notes - -Responses are compressed when: - -* The response body is larger than `1400` bytes. -* The `Accept-Encoding` request header contains `gzip`. -* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set. +!!! info + + Responses are compressed when: + + * The response body is larger than `1400` bytes. + * The `Accept-Encoding` request header contains `gzip`. + * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set. diff --git a/docs/content/middlewares/digestauth.md b/docs/content/middlewares/digestauth.md index c4d57c2da..6091b5240 100644 --- a/docs/content/middlewares/digestauth.md +++ b/docs/content/middlewares/digestauth.md @@ -69,7 +69,7 @@ http: The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format. -!!! Note +!!! note "" - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`. - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. @@ -136,7 +136,7 @@ The `usersFile` option is the path to an external file that contains the authori The file content is a list of `name:realm:encoded-password`. -!!! Note +!!! note "" - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`. - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. diff --git a/docs/content/middlewares/errorpages.md b/docs/content/middlewares/errorpages.md index f1a56dd2c..276e04c88 100644 --- a/docs/content/middlewares/errorpages.md +++ b/docs/content/middlewares/errorpages.md 
@@ -78,7 +78,7 @@ http: # ... definition of error-handler-service and my-service ``` -!!! note +!!! note "" In this example, the error page URL is based on the status code (`query=/{status}.html`). ## Configuration Options @@ -89,7 +89,7 @@ The `status` that will trigger the error page. The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included). -!!! Note +!!! note "" You can define either a status code like `500` or ranges with a syntax like `500-599`. @@ -97,7 +97,7 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet The service that will serve the new requested error page. -!!! Note +!!! note "" In kubernetes, you need to reference a kubernetes service instead of a traefik service. ### `query` diff --git a/docs/content/middlewares/forwardauth.md b/docs/content/middlewares/forwardauth.md index 39ae2220d..98ac65a79 100644 --- a/docs/content/middlewares/forwardauth.md +++ b/docs/content/middlewares/forwardauth.md @@ -385,7 +385,7 @@ http: key: "path/to/foo.key" ``` -!!! Note +!!! info For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. #### `tls.key` @@ -454,7 +454,7 @@ http: key: "path/to/foo.key" ``` -!!! Note +!!! info For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. #### `tls.insecureSkipVerify` diff --git a/docs/content/middlewares/headers.md b/docs/content/middlewares/headers.md index 9ba57f386..80301e608 100644 --- a/docs/content/middlewares/headers.md +++ b/docs/content/middlewares/headers.md 
@@ -251,7 +251,7 @@ http: !!! warning If the custom header name is the same as one header name of the request or response, it will be replaced. -!!! note +!!! note "" The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options). ### `customRequestHeaders` diff --git a/docs/content/middlewares/inflightreq.md b/docs/content/middlewares/inflightreq.md index 770a3463d..15890907f 100644 --- a/docs/content/middlewares/inflightreq.md +++ b/docs/content/middlewares/inflightreq.md @@ -59,6 +59,49 @@ http: The `amount` option defines the maximum amount of allowed simultaneous in-flight request. The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy). +```yaml tab="Docker" +labels: +- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10" +``` + +```yaml tab="Kubernetes" +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: test-inflightreq +spec: + inFlightReq: + amount: 10 +``` + +```json tab="Marathon" +"labels": { + "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10" +} +``` + +```yaml tab="Rancher" +# Limiting to 10 simultaneous connections +labels: +- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10" +``` + +```toml tab="File (TOML)" +# Limiting to 10 simultaneous connections +[http.middlewares] + [http.middlewares.test-inflightreq.inFlightReq] + amount = 10 +``` + +```yaml tab="File (YAML)" +# Limiting to 10 simultaneous connections +http: + middlewares: + test-inflightreq: + inFlightReq: + amount: 10 +``` + ### `sourceCriterion` SourceCriterion defines what criterion is used to group requests as originating from a common source. 
@@ -76,7 +119,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty. - `depth` is ignored if its value is lesser than or equal to 0. -!!! note "Example of Depth & X-Forwarded-For" +!!! example "Example of Depth & X-Forwarded-For" If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`). 
@@ -86,14 +129,58 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` | | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` | +```yaml tab="Docker" +labels: +- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2" +``` + +```yaml tab="Kubernetes" +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: test-inflightreq +spec: + inFlightReq: + sourceCriterion: + ipStrategy: + depth: 2 +``` + +```yaml tab="Rancher" +labels: +- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2" +``` + +```json tab="Marathon" +"labels": { + "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2" +} +``` + +```toml tab="File (TOML)" +[http.middlewares] + [http.middlewares.test-inflightreq.inflightreq] + [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy] + depth = 2 +``` + +```yaml tab="File (YAML)" +http: + middlewares: + test-inflightreq: + inFlightReq: + sourceCriterion: + ipStrategy: + depth: 2 +``` + ##### `ipStrategy.excludedIPs` `excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list. -!!! important - If `depth` is specified, `excludedIPs` is ignored. +!!! important "If `depth` is specified, `excludedIPs` is ignored." -!!! note "Example of ExcludedIPs & X-Forwarded-For" +!!! example "Example of ExcludedIPs & X-Forwarded-For" | `X-Forwarded-For` | `excludedIPs` | clientIP | |-----------------------------------------|-----------------------|--------------| diff --git a/docs/content/middlewares/ipwhitelist.md b/docs/content/middlewares/ipwhitelist.md index 1594c13cc..7bc4014b6 100644 --- a/docs/content/middlewares/ipwhitelist.md +++ b/docs/content/middlewares/ipwhitelist.md 
@@ -71,18 +71,8 @@ The `ipStrategy` option defines two parameters that sets how Traefik will determ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right). -!!! note "Examples of Depth & X-Forwarded-For" +!!! example "Examples of Depth & X-Forwarded-For" - If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`). - - ??? note "More examples" - - | `X-Forwarded-For` | `depth` | clientIP | - |-----------------------------------------|---------|--------------| - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` | - ```yaml tab="Docker" # Whitelisting Based on `X-Forwarded-For` with `depth=2` labels: 
@@ -140,29 +130,24 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th ipStrategy: depth: 2 ``` + + If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`). + + ??? example "More examples" + + | `X-Forwarded-For` | `depth` | clientIP | + |-----------------------------------------|---------|--------------| + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` | -!!! note +!!! info - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty. - `depth` is ignored if its value is lesser than or equal to 0. #### `ipStrategy.excludedIPs` -`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list. - -!!! note "Examples of ExcludedIPs & X-Forwarded-For" - - | `X-Forwarded-For` | `excludedIPs` | clientIP | - |-----------------------------------------|-----------------------|--------------| - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` | - | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` | - -!!! important - If `depth` is specified, `excludedIPs` is ignored. - ```yaml tab="Docker" # Exclude from `X-Forwarded-For` labels: 
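Review bot: The relocated `depth` paragraph in ipwhitelist.md calls `"10.0.0.1"` the "real" client IP but never says where the trustworthy part of `X-Forwarded-For` ends. Because this value decides whether a request passes the whitelist, add a sentence stating that only the entries appended by proxies the operator runs are reliable, that anything to their left is whatever the client sent, and that `depth` should therefore not exceed the number of those proxies. In the `!!! info` list, "lesser than or equal to 0" should also read "less than or equal to 0".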
@@ -214,3 +199,17 @@ http: - "127.0.0.1/32" - "192.168.1.7" ``` + +`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list. + +!!! important "If `depth` is specified, `excludedIPs` is ignored." + +!!! example "Examples of ExcludedIPs & X-Forwarded-For" + + | `X-Forwarded-For` | `excludedIPs` | clientIP | + |-----------------------------------------|-----------------------|--------------| + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` | + | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` | diff --git a/docs/content/middlewares/passtlsclientcert.md b/docs/content/middlewares/passtlsclientcert.md index ff53b05cc..6bb2ccfb8 100644 --- a/docs/content/middlewares/passtlsclientcert.md +++ b/docs/content/middlewares/passtlsclientcert.md @@ -218,7 +218,7 @@ PassTLSClientCert can add two headers to the request: - `X-Forwarded-Tls-Client-Cert` that contains the escaped pem. - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string. -!!! note +!!! info The headers are filled with escaped string so it can be safely placed inside a URL query. In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options. 
@@ -374,12 +374,12 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E -----END CERTIFICATE----- ``` -!!! note "Extracted data" +!!! info "Extracted data" The delimiters and `\n` will be removed. If there are more than one certificate, they are separated by a "`;`". -!!! note "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit" +!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit" The header size limit of web servers is commonly between 4kb and 8kb. You could change the server configuration to allow bigger header or use the `info` option with the needed field(s). @@ -395,7 +395,7 @@ The following example shows an unescaped result that uses all the available fiel Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2 ``` -!!! note "Multiple certificates" +!!! info "Multiple certificates" If there are more than one certificate, they are separated by a `;`. @@ -450,7 +450,7 @@ The escape SANs info part will be like: SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2 ``` -!!! note "multiple values" +!!! info "multiple values" All the SANs data are separated by a `,`. diff --git a/docs/content/middlewares/ratelimit.md b/docs/content/middlewares/ratelimit.md index fcd0d4eb4..8d37b2104 100644 --- a/docs/content/middlewares/ratelimit.md +++ b/docs/content/middlewares/ratelimit.md 
@@ -173,7 +173,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty. - `depth` is ignored if its value is lesser than or equal to 0. -!!! note "Example of Depth & X-Forwarded-For" +!!! example "Example of Depth & X-Forwarded-For" If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`). @@ -185,21 +185,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th ##### `ipStrategy.excludedIPs` -`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list. - -!!! important - If `depth` is specified, `excludedIPs` is ignored. - -!!! note "Example of ExcludedIPs & X-Forwarded-For" - - | `X-Forwarded-For` | `excludedIPs` | clientIP | - |-----------------------------------------|-----------------------|--------------| - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` | - | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` | - | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` | - ```yaml tab="Docker" labels: - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7" 
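Review bot: In the second ratelimit.md hunk, the `ipStrategy.excludedIPs` heading ends up followed directly by the Docker tab, with no sentence saying what the option does until after all the configuration tabs. The inflightreq.md hunk earlier in this patch still shows "`excludedIPs` tells Traefik to scan ..." immediately under the same heading, so the middleware pages now disagree. Keep the one-line definition under the heading and move only the `!!! important` line and the example table below the tabs.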
@@ -249,6 +234,20 @@ http: - "192.168.1.7" ``` +`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list. + +!!! important "If `depth` is specified, `excludedIPs` is ignored." + +!!! example "Example of ExcludedIPs & X-Forwarded-For" + + | `X-Forwarded-For` | `excludedIPs` | clientIP | + |-----------------------------------------|-----------------------|--------------| + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` | + | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` | + | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` | + #### `sourceCriterion.requestHeaderName` Requests having the same value for the given header are grouped as coming from the same source. diff --git a/docs/content/migration/v1-to-v2.md b/docs/content/migration/v1-to-v2.md index 3ec4686ff..ca37b52c6 100644 --- a/docs/content/migration/v1-to-v2.md +++ b/docs/content/migration/v1-to-v2.md @@ -8,7 +8,7 @@ which require one to update their configuration when they migrate from v1 to v2. The goal of this page is to recapitulate all of these changes, and in particular to give examples, feature by feature, of how the configuration looked like in v1, and how it now looks like in v2. -!!! Note "Migration Helper" +!!! info "Migration Helper" We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool) @@ -16,6 +16,7 @@ feature by feature, of how the configuration looked like in v1, and how it now l - convert `Ingress` to Traefik `IngressRoute` resources. - convert `acme.json` file from v1 to v2 format. + - migrate the static configuration contained in the file `traefik.toml` to a Traefik v2 file. ## Frontends and Backends Are Dead...
... Long Live Routers, Middlewares, and Services @@ -829,7 +830,7 @@ As the dashboard access is now secured by default you can either: * define a [specific router](../operations/api.md#configuration) with the `api@internal` service and one authentication middleware like the following example * or use the [unsecure](../operations/api.md#insecure) option of the API -!!! note "Dashboard with k8s and dedicated router" +!!! info "Dashboard with k8s and dedicated router" As `api@internal` is not a Kubernetes service, you have to use the file provider or the `insecure` API option. diff --git a/docs/content/observability/access-logs.md b/docs/content/observability/access-logs.md index 5e6551a51..50f448f94 100644 --- a/docs/content/observability/access-logs.md +++ b/docs/content/observability/access-logs.md @@ -32,7 +32,7 @@ By default, logs are written using the Common Log Format (CLF). To write logs in JSON, use `json` in the `format` option. If the given format is unsupported, the default (CLF) is used instead. -!!! note "Common Log Format" +!!! info "Common Log Format" ```html - [] " " "" "" "" "" ms @@ -174,7 +174,7 @@ accessLog: --accesslog.fields.headers.names.Content-Type="keep" ``` -??? list "Available Fields" +??? info "Available Fields" | Field | Description | |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -214,5 +214,5 @@ accessLog: Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal. This allows the logs to be rotated and processed by an external program, such as `logrotate`. -!!! note +!!! warning This does not work on Windows due to the lack of USR signals. diff --git a/docs/content/observability/logs.md b/docs/content/observability/logs.md index 712052de9..37e002f4a 100644 --- a/docs/content/observability/logs.md +++ b/docs/content/observability/logs.md 
@@ -80,5 +80,5 @@ log: Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal. This allows the logs to be rotated and processed by an external program, such as `logrotate`. -!!! note +!!! warning This does not work on Windows due to the lack of USR signals. diff --git a/docs/content/operations/api.md b/docs/content/operations/api.md index f960607ed..4508a00a5 100644 --- a/docs/content/operations/api.md +++ b/docs/content/operations/api.md @@ -97,7 +97,7 @@ http: Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`. -!!! Note +!!! info If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080. ```toml tab="File (TOML)" @@ -138,7 +138,7 @@ api: _Optional, Default=false_ -Enable additional endpoints for debugging and profiling, served under `/debug/`. +Enable additional [endpoints](./api.md#endpoints) for debugging and profiling, served under `/debug/`. ```toml tab="File (TOML)" [api] diff --git a/docs/content/operations/cli.md b/docs/content/operations/cli.md index 1a025de4e..35cb3a539 100644 --- a/docs/content/operations/cli.md +++ b/docs/content/operations/cli.md @@ -26,6 +26,8 @@ traefik [--flag=flag_argument] [-f [flag_argument]] traefik [--flag[=true|false| ]] [-f [true|false| ]] ``` +All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md). + !!! info "Flags are case insensitive." ### `healthcheck` 
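Review bot: In api.md (hunk at -97,7), the admonition under the `insecure` option becomes `!!! info`, yet it tells the reader that an entryPoint named `traefik` is created automatically on port 8080, on which the API is then available directly. This patch already uses `!!! warning` for operational caveats such as the USR1 note in logs.md; the automatically created listener deserves the same level so it is not skimmed over.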
@@ -36,8 +38,8 @@ Its exit status is `0` if Traefik is healthy and `1` otherwise. This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism. -!!! note - The [`ping` endpoint](../ping/) must be enabled to allow the `healthcheck` command to call `/ping`. +!!! info + The [`ping` endpoint](../operations/ping.md) must be enabled to allow the `healthcheck` command to call `/ping`. Usage: diff --git a/docs/content/operations/dashboard.md b/docs/content/operations/dashboard.md index 1cfecd275..74dfe5ec6 100644 --- a/docs/content/operations/dashboard.md +++ b/docs/content/operations/dashboard.md @@ -14,7 +14,7 @@ By default, the dashboard is available on `/dashboard` on port `:8080`. There is also a redirect of `/` to `/dashboard`, but one should not rely on that property as it is bound to change, and it might make for confusing routing rules anyway. -!!! note "Did You Know?" +!!! info "Did You Know?" It is possible to customize the dashboard endpoint. To learn how, refer to the [API documentation](./api.md) @@ -57,6 +57,6 @@ api: like authentication ([basicAuth](../middlewares/basicauth.md) , [digestAuth](../middlewares/digestauth.md), [forwardAuth](../middlewares/forwardauth.md)) or [whitelisting](../middlewares/ipwhitelist.md). More information about `api@internal` can be found in the [API documentation](./api.md#configuration) -!!! note "Did You Know?" +!!! info "Did You Know?" The API provides more features than the Dashboard. To learn more about it, refer to the [API documentation](./api.md) diff --git a/docs/content/providers/docker.md b/docs/content/providers/docker.md index 01de7a24e..9e0715175 100644 --- a/docs/content/providers/docker.md +++ b/docs/content/providers/docker.md 
@@ -37,7 +37,7 @@ Attach labels to your containers and let Traefik do the rest! my-container: # ... labels: - - traefik.http.routers.my-container.rule=Host(`my-domain`) + - traefik.http.routers.my-container.rule=Host(`mydomain.com`) ``` ??? example "Configuring Docker Swarm & Deploying / Exposing Services" @@ -76,18 +76,21 @@ Attach labels to your containers and let Traefik do the rest! my-container: deploy: labels: - - traefik.http.routers.my-container.rule=Host(`my-domain`) + - traefik.http.routers.my-container.rule=Host(`mydomain.com`) - traefik.http.services.my-container-service.loadbalancer.server.port=8080 ``` !!! important "Labels in Docker Swarm Mode" - While in Swarm Mode, Traefik uses labels found on services, not on individual containers. Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service. + While in Swarm Mode, Traefik uses labels found on services, not on individual containers. + + Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service. This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)). -## Provider Configuration Options +## Routing Configuration -!!! tip "Browse the Reference" - If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/docker.md) configuration references. +See the dedicated section in [routing](../routing/providers/docker.md). + +## Provider Configuration ### `endpoint` 
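Review bot: `mydomain.com`, introduced in the `Host(...)` rule of both docker.md hunks, is a registrable domain that someone can own. Use a name reserved for documentation, such as `example.com`, so that copied labels never point at a third-party host.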
@@ -118,11 +121,11 @@ Traefik requires access to the docker socket to get its dynamic configuration. `[...] only **trusted** users should be allowed to control your Docker daemon [...]` - !!! note "Improved Security" + !!! tip "Improved Security" [TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests). - ??? tip "Resources about Docker's Security" + ??? info "Resources about Docker's Security" - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY) - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html) @@ -141,14 +144,14 @@ Traefik requires access to the docker socket to get its dynamic configuration. With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes. - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process). - ??? tip "Additional Resources" + ??? info "Additional Resources" - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174) - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/) - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/) - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy) -!!! note "Traefik & Swarm Mode" +!!! info "Traefik & Swarm Mode" To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes. ??? example "Using the docker.sock" 
@@ -159,7 +162,6 @@ Traefik requires access to the docker socket to get its dynamic configuration. version: '3' services: - traefik: image: traefik:v2.0 # The official v2.0 Traefik docker image ports: @@ -213,10 +215,10 @@ providers: Traefik routes requests to the IP/Port of the matching container. When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port. -When used in conjunction with the `traefik.http.services.XXX.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port), -Traefik tries to find a binding on port `traefik.http.services.XXX.loadbalancer.server.port`. +When used in conjunction with the `traefik.http.services..loadbalancer.server.port` label (that tells Traefik to route requests to a specific port), +Traefik tries to find a binding on port `traefik.http.services..loadbalancer.server.port`. If it can't find such a binding, Traefik falls back on the internal network IP of the container, -but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is set in the label. +but still uses the `traefik.http.services..loadbalancer.server.port` that is set in the label. ??? example "Examples of `usebindportip` in different situations." 
@@ -230,8 +232,13 @@ but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is | LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort | | LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort | - !!! note - In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port." + !!! info "" + In the above table: + + - `ExtIp` stands for "external IP found in the binding" + - `IntIp` stands for "internal network container's IP", + - `ExtPort` stands for "external Port found in the binding" + - `IntPort` stands for "internal network container's port." ### `exposedByDefault` 
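Review bot: The rewritten legend under the `usebindportip` table defines `ExtIp`, `IntIp`, `ExtPort` and `IntPort`, but the table rows shown in this hunk also use `LblPort` and `OtherPort`, which stay undefined. Add entries for them, and make the list punctuation uniform: the `IntIp` item ends with a comma and the `IntPort` item carries a period inside the quotes, while the other two items have neither.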
@@ -538,95 +545,3 @@ providers: ```bash tab="CLI" --providers.docker.tls.insecureSkipVerify=true ``` - -## Routing Configuration Options - -!!! note "Labels" - - - Labels are case insensitive. - - The complete list of labels can be found [the reference page](../reference/dynamic-configuration/docker.md) - -### General - -Traefik creates, for each container, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md). - -The Service automatically gets a server per instance of the container, -and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels). - -### Routers - -To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.http.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`. - -Every [Router](../routing/routers/index.md) parameter can be updated this way. - -### Services - -To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the passhostheader behavior, you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`. - -Every [Service](../routing/services/index.md) parameter can be updated this way. - -### Middleware - -You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`. - -??? example "Declaring and Referencing a Middleware" - - ```yaml - services: - my-container: - # ... 
- labels: - - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https - - traefik.http.routers.my-container.middlewares=my-redirect - ``` - -!!! warning "Conflicts in Declaration" - - If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared. - -More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md). - -### TCP - -You can declare TCP Routers and/or Services using labels. - -??? example "Declaring TCP Routers and Services" - - ```yaml - services: - my-container: - # ... - labels: - - traefik.tcp.routers.my-router.rule="HostSNI(`my-host.com`)" - - traefik.tcp.routers.my-router.tls="true" - - traefik.tcp.services.my-service.loadbalancer.server.port="4123" - ``` - -!!! warning "TCP and HTTP" - - If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). - You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually). - -### Specific Options - -#### `traefik.enable` - -You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false. - -This option overrides the value of `exposedByDefault`. - -#### `traefik.docker.network` - -Overrides the default docker network to use for connections to the container. - -If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect `), otherwise it will randomly pick one (depending on how docker is returning them). - -!!! warning - When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`. - -#### `traefik.docker.lbswarm` - -Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode). 
- -If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs. -Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm. diff --git a/docs/content/providers/file.md b/docs/content/providers/file.md index 78e471a1c..ca99369ba 100644 --- a/docs/content/providers/file.md +++ b/docs/content/providers/file.md @@ -9,7 +9,7 @@ You can write these configuration elements: * In [a dedicated file](#filename) * In [several dedicated files](#directory) -!!! note +!!! info The file provider is the default format used throughout the documentation to show samples of the configuration for many features. !!! tip @@ -96,15 +96,12 @@ You can write these configuration elements: passHostHeader: false ``` -## Provider Configuration Options +## Provider Configuration + +If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md). -!!! tip "Browse the Reference" - If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/file.md) configuration references. - ### `filename` -_Optional_ - Defines the path of the configuration file. ```toml tab="File (TOML)" @@ -125,8 +122,6 @@ providers: ### `directory` -_Optional_ - Defines the directory that contains the configuration files. ```toml tab="File (TOML)" @@ -147,8 +142,6 @@ providers: ### `watch` -_Optional_ - Set the `watch` option to `true` to allow Traefik to automatically watch for file changes. It works with both the `filename` and the `directory` options. 
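Review bot: With the `_Optional_` markers under `filename`, `directory` and `watch` deleted and nothing put in their place, file.md no longer says whether each option is required. api.md, also touched by this patch, still shows `_Optional, Default=false_`; either keep the markers here or state the requirement and default in the first sentence of each option.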
@@ -174,8 +167,8 @@ providers: ### Go Templating !!! warning - Go Templating only works along with dedicated configuration files. - Templating does not work in the Traefik main configuration file. + Go Templating only works along with dedicated dynamic configuration files. + Templating does not work in the Traefik main static configuration file. Traefik allows using Go templating. Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` : diff --git a/docs/content/providers/kubernetes-crd.md b/docs/content/providers/kubernetes-crd.md index 24c95b4e7..5be3c8cff 100644 --- a/docs/content/providers/kubernetes-crd.md +++ b/docs/content/providers/kubernetes-crd.md @@ -8,6 +8,10 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations, we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster. +## Resource Configuration + +See the dedicated section in [routing](../routing/providers/kubernetes-crd.md). + ## Provider Configuration ### `endpoint` 
@@ -189,203 +193,6 @@ providers: --providers.kubernetescrd.throttleDuration="10s" ``` -## Resource Configuration - -If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/dynamic-configuration/kubernetes-crd.md) configuration reference. - -### Traefik IngressRoute definition - -```yaml ---8<-- "content/providers/crd_ingress_route.yml" -``` - -That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in: - -```yaml -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroutefoo - -spec: - entryPoints: - - web - routes: - # Match is the rule corresponding to an underlying router. - # Later on, match could be the simple form of a path prefix, e.g. just "/bar", - # but for now we only support a traefik style matching rule. - - match: Host(`foo.com`) && PathPrefix(`/bar`) - # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", - # "Parameter", etc, to support simpler forms of rule matching, but for now we - # only support "Rule". - kind: Rule - # (optional) Priority disambiguates rules of the same length, for route matching. - priority: 12 - services: - - name: whoami - port: 80 - # (default 1) A weight used by the weighted round-robin strategy (WRR). - weight: 1 - # (default true) PassHostHeader controls whether to leave the request's Host - # Header as it was before it reached the proxy, or whether to let the proxy set it - # to the destination (backend) host. - passHostHeader: true - responseForwarding: - # (default 100ms) Interval between flushes of the buffered response body to the client. - flushInterval: 100ms - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: ingressroutetcpfoo.crd - -spec: - entryPoints: - - footcp - routes: - # Match is the rule corresponding to an underlying router. 
- - match: HostSNI(`*`) - services: - - name: whoamitcp - port: 8080 -``` - -### Middleware - -Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind. - -```yaml ---8<-- "content/providers/crd_middlewares.yml" -``` - -Once the `Middleware` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions, such as: - -```yaml -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: stripprefix - namespace: foo - -spec: - stripPrefix: - prefixes: - - /stripit - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroutebar - -spec: - entryPoints: - - web - routes: - - match: Host(`bar.com`) && PathPrefix(`/stripit`) - kind: Rule - services: - - name: whoami - port: 80 - middlewares: - - name: stripprefix - namespace: foo -``` - -!!! important "Cross-provider namespace" - - As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource -(in the reference to the middleware) with the [provider namespace](../middlewares/overview.md#provider-namespace), -when the definition of the middleware is from another provider. -In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. - -More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md). - -### TLS Option - -Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind. -More information about TLS Options is available in the dedicated [TLS Configuration Options](../../https/tls/#tls-options). 
- -```yaml ---8<-- "content/providers/crd_tls_option.yml" -``` - -Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as: - -```yaml -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: mytlsoption - namespace: default - -spec: - minVersion: VersionTLS12 - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroutebar - -spec: - entryPoints: - - web - routes: - - match: Host(`bar.com`) && PathPrefix(`/stripit`) - kind: Rule - services: - - name: whoami - port: 80 - tls: - options: - name: mytlsoption - namespace: default -``` - -!!! important "References and namespaces" - - If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute. - - Additionally, when the definition of the TLS option is from another provider, -the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option, -just as in the [middleware case](../middlewares/overview.md#provider-namespace). -Specifying a namespace attribute in this case would not make any sense, and will be ignored. 
- -### TLS - -To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`: - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: supersecret - -data: - tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= - tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0= - ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: ingressroutetls - -spec: - entryPoints: - - web - routes: - - match: Host(`foo.com`) && PathPrefix(`/bar`) - kind: Rule - services: - - name: whoami - port: 443 - tls: - secretName: supersecret -``` - ## Further Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt. diff --git a/docs/content/providers/kubernetes-ingress.md b/docs/content/providers/kubernetes-ingress.md index a8819ae98..17c7da7a2 100644 --- a/docs/content/providers/kubernetes-ingress.md +++ b/docs/content/providers/kubernetes-ingress.md @@ -47,10 +47,7 @@ spec: servicePort: 80 ``` -## Provider Configuration Options - -!!! tip "Browse the Reference" - If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) configuration reference. +## Provider Configuration ### `endpoint` diff --git a/docs/content/providers/marathon.md b/docs/content/providers/marathon.md index 3b2da761a..fe288fbd8 100644 --- a/docs/content/providers/marathon.md +++ b/docs/content/providers/marathon.md 
@@ -49,10 +49,11 @@ See also [Marathon user guide](../user-guides/marathon.md). } ``` -## Provider Configuration Options +## Routing Configuration -!!! tip "Browse the Reference" - If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/marathon.md) configuration references. +See the dedicated section in [routing](../routing/providers/marathon.md). + +## Provider Configuration ### `basic` 
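Review bot: in docs/content/providers/marathon.md, deleting the "Browse the Reference" tip drops the link to the static configuration reference (`../reference/static-configuration/overview.md`), and nothing replaces it under the new `## Provider Configuration` heading. The routing page added later in this patch still links the dynamic reference for labels, so only the static link is lost. Consider keeping a one-line pointer to the static reference under `## Provider Configuration`, since that is where the provider options are documented.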
@@ -589,89 +590,3 @@ providers: ``` Enables watching for Marathon changes. - -## Routing Configuration Options - -!!! note "Labels" - - - Labels are case insensitive. - - The complete list of labels can be found [the reference page](../reference/dynamic-configuration/marathon.md) - -### General - -Traefik creates, for each Marathon application, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md). - -The Service automatically gets a server per instance of the application, -and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels). - -### Routers - -To update the configuration of the Router automatically attached to the application, -add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change. -For example, to change the routing rule, you could add the label ```traefik.http.routers.routername.rule=Host(`my-domain`)```. - -Every [Router](../routing/routers/index.md) parameter can be updated this way. - -### Services - -To update the configuration of the Service automatically attached to the container, -add labels starting with `traefik.http.services.{service-name-of-your-choice}.`, followed by the option you want to change. -For example, to change the passHostHeader behavior, you'd add the label `traefik.http.services.servicename.loadbalancer.passhostheader=false`. - -Every [Service](../routing/services/index.md) parameter can be updated this way. - -### Middleware - -You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options. -For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`. - -??? example "Declaring and Referencing a Middleware" - - ```json - { - ... 
- "labels": { - "traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https", - "traefik.http.routers.my-container.middlewares": "my-redirect" - } - } - ``` - -!!! warning "Conflicts in Declaration" - - If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared. - -More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md). - -### TCP - -You can declare TCP Routers and/or Services using labels. - -??? example "Declaring TCP Routers and Services" - - ```json - { - ... - "labels": { - "traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)", - "traefik.tcp.routers.my-router.tls": "true", - "traefik.tcp.services.my-service.loadbalancer.server.port": "4123" - } - } - ``` - -!!! warning "TCP and HTTP" - - If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (as it would by default if no TCP Router/Service is defined). - Both a TCP Router/Service and an HTTP Router/Service can be created for the same application, but it has to be done explicitly in the config. - -### Specific Options - -#### `traefik.enable` - -Setting this option controls whether Traefik exposes the application. -It overrides the value of `exposedByDefault`. - -#### `traefik.marathon.ipadressidx` - -If a task has several IP addresses, this option specifies which one, in the list of available addresses, to select. diff --git a/docs/content/providers/overview.md b/docs/content/providers/overview.md index 796d45d5c..bb1280510 100644 --- a/docs/content/providers/overview.md +++ b/docs/content/providers/overview.md 
@@ -32,12 +32,12 @@ Below is the list of the currently supported providers in Traefik. | [Kubernetes](./kubernetes-crd.md) | Orchestrator | Custom Resource | | [Marathon](./marathon.md) | Orchestrator | Label | | [Rancher](./rancher.md) | Orchestrator | Label | -| [File](./file.md) | Manual | TOML format | +| [File](./file.md) | Manual | TOML/YAML format | -!!! note "More Providers" +!!! info "More Providers" - The current version of Traefik is in development and doesn't support (yet) every provider. - See the previous version (1.7) for more providers. + The current version of Traefik doesn't support (yet) every provider. + See the [previous version (v1.7)](https://docs.traefik.io/v1.7/) for more providers. + + ```yaml + - "traefik.http.routers.myrouter.priority=42" + ``` + +### Services + +To update the configuration of the Service automatically attached to the container, +add labels starting with `traefik.http.services..`, followed by the option you want to change. + +For example, to change the `passHostHeader` behavior, +you'd add the label `traefik.http.services..loadbalancer.passhostheader=false`. + +??? info "`traefik.http.services..loadbalancer.server.port`" + + Registers a port. + Useful when the container exposes multiples ports. + + Mandatory for Docker Swarm. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.server.port=8080" + ``` + +??? info "`traefik.http.services..loadbalancer.server.scheme`" + + Overrides the default scheme. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.server.scheme=http" + ``` + +??? info "`traefik.http.services..loadbalancer.passhostheader`" + + + ```yaml + - "traefik.http.services.myservice.loadbalancer.passhostheader=true" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.headers.`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar" + ``` + +??? 
info "`traefik.http.services..loadbalancer.healthcheck.hostname`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.interval`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.path`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.port`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.port=42" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.scheme`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.timeout`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky=true" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.httponly`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true" + ``` + +??? 
info "`traefik.http.services..loadbalancer.sticky.cookie.name`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.secure`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true" + ``` + +??? info "`traefik.http.services..loadbalancer.responseforwarding.flushinterval`" + + + FlushInterval specifies the flush interval to flush to the client while copying the response body. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10" + ``` + +### Middleware + +You can declare pieces of middleware using labels starting with `traefik.http.middlewares..`, +followed by the middleware type/options. + +For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, +you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme=https`. + +More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md). + +??? example "Declaring and Referencing a Middleware" + + ```yaml + services: + my-container: + # ... + labels: + # Declaring a middleware + - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https + # Referencing a middleware + - traefik.http.routers.my-container.middlewares=my-redirect + ``` + +!!! warning "Conflicts in Declaration" + + If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared. + +### TCP + +You can declare TCP Routers and/or Services using labels. + +??? example "Declaring TCP Routers and Services" + + ```yaml + services: + my-container: + # ... 
+ labels: + - "traefik.tcp.routers.my-router.rule=HostSNI(`my-host.com`)" + - "traefik.tcp.routers.my-router.tls=true" + - "traefik.tcp.services.my-service.loadbalancer.server.port=4123" + ``` + +!!! warning "TCP and HTTP" + + If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). + You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually). + +#### TCP Routers + +??? info "`traefik.tcp.routers..entrypoints`" + + See [entry points](../routers/index.md#entrypoints_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2" + ``` + +??? info "`traefik.tcp.routers..rule`" + + See [rule](../routers/index.md#rule_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`myhost.com`)" + ``` + +??? info "`traefik.tcp.routers..service`" + + See [service](../routers/index.md#services) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.service=myservice" + ``` + +??? info "`traefik.tcp.routers..tls`" + + See [TLS](../routers/index.md#tls_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.tls=true" + ``` + +??? info "`traefik.tcp.routers..tls.certresolver`" + + See [certResolver](../routers/index.md#certresolver_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver" + ``` + +??? info "`traefik.tcp.routers..tls.domains[n].main`" + + See [domains](../routers/index.md#domains_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=foobar.com" + ``` + +??? info "`traefik.tcp.routers..tls.domains[n].sans`" + + See [domains](../routers/index.md#domains_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com" + ``` + +??? 
info "`traefik.tcp.routers..tls.options`" + + See [options](../routers/index.md#options_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.tls.options=mysoptions" + ``` + +??? info "`traefik.tcp.routers..tls.passthrough`" + + See [TLS](../routers/index.md#tls_1) for more information. + + ```yaml + - "traefik.tcp.routers.mytcprouter.tls.passthrough=true" + ``` + +#### TCP Services + +??? info "`traefik.tcp.services..loadbalancer.server.port`" + + Registers a port of the application. + + ```yaml + - "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423" + ``` + +??? info "`traefik.tcp.services..loadbalancer.terminationdelay`" + + + ```yaml + - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100" + ``` + +### Specific Provider Options + +#### `traefik.enable` + +```yaml +- "traefik.enable=true" +``` + +You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false. + +This option overrides the value of `exposedByDefault`. + +#### `traefik.docker.network` + +```yaml +- "traefik.docker.network=mynetwork" +``` + +Overrides the default docker network to use for connections to the container. + +If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect `), +otherwise it will randomly pick one (depending on how docker is returning them). + +!!! warning + When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`. + +#### `traefik.docker.lbswarm` + +```yaml +- "traefik.docker.lbswarm=true" +``` + +Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode). + +If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs. +Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm. 
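Review bot: in docs/content/routing/providers/docker.md, the info blocks for `loadbalancer.passhostheader` (HTTP services) and `loadbalancer.terminationdelay` (TCP services) contain only an example line and no description or link, unlike the neighbouring entries. Add a sentence or a "See ... for more information" link to each. The duration-like examples `healthcheck.interval=10`, `healthcheck.timeout=10`, `responseforwarding.flushinterval=10` and `terminationdelay=100` also carry no unit; say which unit each value is read in, or give the example with an explicit unit. Minor wording: "exposes multiples ports" should be "multiple ports", and `tls.options=mysoptions` looks like a typo for `myoptions`.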
diff --git a/docs/content/routing/providers/kubernetes-crd.md b/docs/content/routing/providers/kubernetes-crd.md new file mode 100644 index 000000000..96b192daf --- /dev/null +++ b/docs/content/routing/providers/kubernetes-crd.md 
@@ -0,0 +1,205 @@ +# Traefik & Kubernetes + +The Kubernetes Ingress Controller, The Custom Resource Way. +{: .subtitle } + +## Resource Configuration + +If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../../reference/dynamic-configuration/kubernetes-crd.md) reference. + +### Traefik IngressRoute definition + +```yaml +--8<-- "content/routing/providers/crd_ingress_route.yml" +``` + +That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in: + +```yaml +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroutefoo + +spec: + entryPoints: + - web + routes: + # Match is the rule corresponding to an underlying router. + # Later on, match could be the simple form of a path prefix, e.g. just "/bar", + # but for now we only support a traefik style matching rule. + - match: Host(`foo.com`) && PathPrefix(`/bar`) + # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", + # "Parameter", etc, to support simpler forms of rule matching, but for now we + # only support "Rule". + kind: Rule + # (optional) Priority disambiguates rules of the same length, for route matching. + priority: 12 + services: + - name: whoami + port: 80 + # (default 1) A weight used by the weighted round-robin strategy (WRR). + weight: 1 + # (default true) PassHostHeader controls whether to leave the request's Host + # Header as it was before it reached the proxy, or whether to let the proxy set it + # to the destination (backend) host. + passHostHeader: true + responseForwarding: + # (default 100ms) Interval between flushes of the buffered response body to the client. + flushInterval: 100ms + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: ingressroutetcpfoo.crd + +spec: + entryPoints: + - footcp + routes: + # Match is the rule corresponding to an underlying router. 
+ - match: HostSNI(`*`) + services: + - name: whoamitcp + port: 8080 +``` + +### Middleware + +Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind. + +```yaml +--8<-- "content/routing/providers/crd_middlewares.yml" +``` + +Once the `Middleware` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions, such as: + +```yaml +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: stripprefix + namespace: foo + +spec: + stripPrefix: + prefixes: + - /stripit + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroutebar + +spec: + entryPoints: + - web + routes: + - match: Host(`bar.com`) && PathPrefix(`/stripit`) + kind: Rule + services: + - name: whoami + port: 80 + middlewares: + - name: stripprefix + namespace: foo +``` + +!!! important "Cross-provider namespace" + + As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource +(in the reference to the middleware) with the [provider namespace](../../middlewares/overview.md#provider-namespace), +when the definition of the middleware is from another provider. +In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. + +More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md). + +### TLS Option + +Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind. +More information about TLS Options is available in the dedicated [TLS Configuration Options](../../../https/tls/#tls-options). 
+ +```yaml +--8<-- "content/routing/providers/crd_tls_option.yml" +``` + +Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as: + +```yaml +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: mytlsoption + namespace: default + +spec: + minVersion: VersionTLS12 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroutebar + +spec: + entryPoints: + - web + routes: + - match: Host(`bar.com`) && PathPrefix(`/stripit`) + kind: Rule + services: + - name: whoami + port: 80 + tls: + options: + name: mytlsoption + namespace: default +``` + +!!! important "References and namespaces" + + If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute. + + Additionally, when the definition of the TLS option is from another provider, +the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option, +just as in the [middleware case](../../middlewares/overview.md#provider-namespace). +Specifying a namespace attribute in this case would not make any sense, and will be ignored. 
+ +### TLS + +To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: supersecret + +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0= + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ingressroutetls + +spec: + entryPoints: + - web + routes: + - match: Host(`foo.com`) && PathPrefix(`/bar`) + kind: Rule + services: + - name: whoami + port: 443 + tls: + secretName: supersecret +``` + +## Further + +Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt. diff --git a/docs/content/routing/providers/marathon.md b/docs/content/routing/providers/marathon.md new file mode 100644 index 000000000..c3a30418d --- /dev/null +++ b/docs/content/routing/providers/marathon.md 
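Review bot: in docs/content/routing/providers/kubernetes-crd.md, the "References and namespaces" admonition under TLS Option gives the cross-provider syntax as `middlewarename@provider` although the sentence is about referring to a TLS option, so the page never shows what should go in `tls.options.name` in that case. Use a TLS-option placeholder there and show the cross-provider form once in the YAML example. In both admonitions the continuation lines (`+(in the reference to the middleware) with ...` and `+the cross-provider syntax ...`) are not indented like their first line, so they will likely render outside the admonition block; indent them to match.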
@@ -0,0 +1,299 @@ +# Traefik & Marathon + +Traefik can be configured to use Marathon as a provider. +{: .subtitle } + +See also [Marathon user guide](../../user-guides/marathon.md). + +## Routing Configuration + +!!! info "Labels" + + - Labels are case insensitive. + - The complete list of labels can be found [the reference page](../../reference/dynamic-configuration/marathon.md) + +### General + +Traefik creates, for each Marathon application, a corresponding [service](../services/index.md) and [router](../routers/index.md). + +The Service automatically gets a server per instance of the application, +and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels). + +### Routers + +To update the configuration of the Router automatically attached to the application, +add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change. + +For example, to change the routing rule, you could add the label ```"traefik.http.routers.routername.rule": "Host(`mydomain.com`)"```. + +??? info "`traefik.http.routers..rule`" + + See [rule](../routers/index.md#rule) for more information. + + ```json + "traefik.http.routers.myrouter.rule": "Host(`mydomain.com`)" + ``` + +??? info "`traefik.http.routers..entrypoints`" + + See [entry points](../routers/index.md#entrypoints) for more information. + + ```json + "traefik.http.routers.myrouter.entrypoints": "web,websecure" + ``` + +??? info "`traefik.http.routers..middlewares`" + + See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information. + + ```json + "traefik.http.routers.myrouter.middlewares": "auth,prefix,cb" + ``` + +??? info "`traefik.http.routers..service`" + + See [rule](../routers/index.md#service) for more information. + + ```json + "traefik.http.routers.myrouter.service": "myservice" + ``` + +??? 
info "`traefik.http.routers..tls`" + + See [tls](../routers/index.md#tls) for more information. + + ```json + "traefik.http.routers.myrouter>.tls": "true" + ``` + +??? info "`traefik.http.routers..tls.certresolver`" + + See [certResolver](../routers/index.md#certresolver) for more information. + + ```json + "traefik.http.routers.myrouter.tls.certresolver": "myresolver" + ``` + +??? info "`traefik.http.routers..tls.domains[n].main`" + + See [domains](../routers/index.md#domains) for more information. + + ```json + "traefik.http.routers.myrouter.tls.domains[0].main": "foobar.com" + ``` + +??? info "`traefik.http.routers..tls.domains[n].sans`" + + See [domains](../routers/index.md#domains) for more information. + + ```json + "traefik.http.routers.myrouter.tls.domains[0].sans": "test.foobar.com,dev.foobar.com" + ``` + +??? info "`traefik.http.routers..tls.options`" + + See [options](../routers/index.md#options) for more information. + + ```json + "traefik.http.routers.myrouter.tls.options": "foobar" + ``` + +??? info "`traefik.http.routers..priority`" + + + ```json + "traefik.http.routers.myrouter.priority": "42" + ``` + +### Services + +To update the configuration of the Service automatically attached to the container, +add labels starting with `traefik.http.services.{service-name-of-your-choice}.`, followed by the option you want to change. + +For example, to change the passHostHeader behavior, you'd add the label `"traefik.http.services.servicename.loadbalancer.passhostheader": "false"`. + +??? info "`traefik.http.services..loadbalancer.server.port`" + + Registers a port. + Useful when the container exposes multiples ports. + + ```json + "traefik.http.services.myservice.loadbalancer.server.port": "8080" + ``` + +??? info "`traefik.http.services..loadbalancer.server.scheme`" + + Overrides the default scheme. + + ```json + "traefik.http.services.myservice.loadbalancer.server.scheme": "http" + ``` + +??? 
info "`traefik.http.services..loadbalancer.passhostheader`" + + + ```json + "traefik.http.services.myservice.loadbalancer.passhostheader": "true" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.headers.`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo": "foobar" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.hostname`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.hostname": "foobar.com" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.interval`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.interval": "10" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.path`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.path": "/foo" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.port`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.port": "42" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.scheme`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.scheme": "http" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.timeout`" + + See [health check](../services/index.md#health-check) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.healthcheck.timeout": "10" + ``` + +??? 
info "`traefik.http.services..loadbalancer.sticky`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.sticky": "true" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.httponly`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly": "true" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.name`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.sticky.cookie.name": "foobar" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.secure`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```json + "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure": "true" + ``` + +??? info "`traefik.http.services..loadbalancer.responseforwarding.flushinterval`" + + + FlushInterval specifies the flush interval to flush to the client while copying the response body. + + ```json + "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval": "10" + ``` + +### Middleware + +You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options. + +For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `"traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https"`. + +More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md). + +??? example "Declaring and Referencing a Middleware" + + ```json + { + ... 
+ "labels": { + "traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https", + "traefik.http.routers.my-container.middlewares": "my-redirect" + } + } + ``` + +!!! warning "Conflicts in Declaration" + + If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared. + +### TCP + +You can declare TCP Routers and/or Services using labels. + +??? example "Declaring TCP Routers and Services" + + ```json + { + ... + "labels": { + "traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)", + "traefik.tcp.routers.my-router.tls": "true", + "traefik.tcp.services.my-service.loadbalancer.server.port": "4123" + } + } + ``` + +!!! warning "TCP and HTTP" + + If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (as it would by default if no TCP Router/Service is defined). + Both a TCP Router/Service and an HTTP Router/Service can be created for the same application, but it has to be done explicitly in the config. + +### Specific Provider Options + +#### `traefik.enable` + +```json +"traefik.enable": "true" +``` + +Setting this option controls whether Traefik exposes the application. +It overrides the value of `exposedByDefault`. + +#### `traefik.marathon.ipadressidx` + +```json +"traefik.marathon.ipadressidx": "1" +``` + +If a task has several IP addresses, this option specifies which one, in the list of available addresses, to select. diff --git a/docs/content/routing/providers/rancher.md b/docs/content/routing/providers/rancher.md new file mode 100644 index 000000000..6beef3b30 --- /dev/null +++ b/docs/content/routing/providers/rancher.md 
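Review bot: in docs/content/routing/providers/marathon.md, the example under the router `tls` entry reads `"traefik.http.routers.myrouter>.tls": "true"`; the stray `>` means a label copied from here names a router `myrouter>` rather than the `myrouter` used in every other example. Drop the `>`. Two smaller points in the same file: the `service` entry's link text is "See [rule](../routers/index.md#service)" and should say "service", and the Services intro says "automatically attached to the container" where the rest of the page speaks of the Marathon application.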
@@ -0,0 +1,280 @@ +# Traefik & Rancher + +A Story of Labels, Services & Containers +{: .subtitle } + +![Rancher](../../assets/img/providers/rancher.png) + +Attach labels to your services and let Traefik do the rest! + +!!! important "This provider is specific to Rancher 1.x." + + Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query. + As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes-crd.md) directly. + +## Routing Configuration + +!!! info "Labels" + + - Labels are case insensitive. + - The complete list of labels can be found [the reference page](../../reference/dynamic-configuration/rancher.md) + +### General + +Traefik creates, for each rancher service, a corresponding [service](../services/index.md) and [router](../routers/index.md). + +The Service automatically gets a server per container in this rancher service, and the router gets a default rule attached to it, based on the service name. + +### Routers + +To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change. + +For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`mydomain.com`)```. + +??? info "`traefik.http.routers..rule`" + + See [rule](../routers/index.md#rule) for more information. + + ```yaml + - "traefik.http.routers.myrouter.rule=Host(`mydomain.com`)" + ``` + +??? info "`traefik.http.routers..entrypoints`" + + See [entry points](../routers/index.md#entrypoints) for more information. + + ```yaml + - "traefik.http.routers.myrouter.entrypoints=web,websecure" + ``` + +??? info "`traefik.http.routers..middlewares`" + + See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information. + + ```yaml + - "traefik.http.routers.myrouter.middlewares=auth,prefix,cb" + ``` + +??? 
info "`traefik.http.routers..service`" + + See [rule](../routers/index.md#service) for more information. + + ```yaml + - "traefik.http.routers.myrouter.service=myservice" + ``` + +??? info "`traefik.http.routers..tls`" + + See [tls](../routers/index.md#tls) for more information. + + ```yaml + - "traefik.http.routers.myrouter>.tls=true" + ``` + +??? info "`traefik.http.routers..tls.certresolver`" + + See [certResolver](../routers/index.md#certresolver) for more information. + + ```yaml + - "traefik.http.routers.myrouter.tls.certresolver=myresolver" + ``` + +??? info "`traefik.http.routers..tls.domains[n].main`" + + See [domains](../routers/index.md#domains) for more information. + + ```yaml + - "traefik.http.routers.myrouter.tls.domains[0].main=foobar.com" + ``` + +??? info "`traefik.http.routers..tls.domains[n].sans`" + + See [domains](../routers/index.md#domains) for more information. + + ```yaml + - "traefik.http.routers.myrouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com" + ``` + +??? info "`traefik.http.routers..tls.options`" + + See [options](../routers/index.md#options) for more information. + + ```yaml + - "traefik.http.routers.myrouter.tls.options=foobar" + ``` + +??? info "`traefik.http.routers..priority`" + + + ```yaml + - "traefik.http.routers.myrouter.priority=42" + ``` + +### Services + +To update the configuration of the Service automatically attached to the container, +add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change. + +For example, to change the `passHostHeader` behavior, +you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`. + +??? info "`traefik.http.services..loadbalancer.server.port`" + + Registers a port. + Useful when the container exposes multiples ports. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.server.port=8080" + ``` + +??? 
info "`traefik.http.services..loadbalancer.server.scheme`" + + Overrides the default scheme. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.server.scheme=http" + ``` + +??? info "`traefik.http.services..loadbalancer.passhostheader`" + + + ```yaml + - "traefik.http.services.myservice.loadbalancer.passhostheader=true" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.headers.`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.hostname`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.interval`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.path`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.port`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.port=42" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.scheme`" + + See [health check](../services/index.md#health-check) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http" + ``` + +??? info "`traefik.http.services..loadbalancer.healthcheck.timeout`" + + See [health check](../services/index.md#health-check) for more information. 
+ + ```yaml + - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky=true" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.httponly`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.name`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar" + ``` + +??? info "`traefik.http.services..loadbalancer.sticky.cookie.secure`" + + See [sticky sessions](../services/index.md#sticky-sessions) for more information. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true" + ``` + +??? info "`traefik.http.services..loadbalancer.responseforwarding.flushinterval`" + + + FlushInterval specifies the flush interval to flush to the client while copying the response body. + + ```yaml + - "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10" + ``` + +### Middleware + +You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. + +For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`. + +More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md). + +??? example "Declaring and Referencing a Middleware" + + ```yaml + # ... 
+ labels: + # Declaring a middleware + - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https + # Referencing a middleware + - traefik.http.routers.my-container.middlewares=my-redirect + ``` + +!!! warning "Conflicts in Declaration" + + If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared. + +### Specific Provider Options + +#### `traefik.enable` + +```yaml +- "traefik.enable=true" +``` + +You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false. + +This option overrides the value of `exposedByDefault`. + +#### Port Lookup + +Traefik is capable of detecting the port to use, by following the default rancher flow. +That means, if you just expose lets say port `:1337` on the rancher ui, traefik will pick up this port and use it. diff --git a/docs/content/routing/routers/index.md b/docs/content/routing/routers/index.md index c9067a1af..3ddc440b6 100644 --- a/docs/content/routing/routers/index.md +++ b/docs/content/routing/routers/index.md 
@@ -13,84 +13,74 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie ??? example "Requests /foo are Handled by service-foo -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" - [http.routers] - [http.routers.my-router] - rule = "Path(`/foo`)" - service = "service-foo" + ## Dynamic configuration + [http.routers] + [http.routers.my-router] + rule = "Path(`/foo`)" + service = "service-foo" ``` ```yaml tab="YAML" - http: - routers: - my-router: - rule: "Path(`/foo`)" - service: service-foo - ``` - -??? example "With a [middleware](../../middlewares/overview.md) -- using the [File Provider](../../providers/file.md)" - - ```toml tab="TOML" - [http.routers] - [http.routers.my-router] - rule = "Path(`/foo`)" - # declared elsewhere - middlewares = ["authentication"] - service = "service-foo" - ``` - - ```yaml tab="YAML" - http: - routers: - my-router: - rule: "Path(`/foo`)" - # declared elsewhere - middlewares: - - authentication - service: service-foo + ## Dynamic configuration + http: + routers: + my-router: + rule: "Path(`/foo`)" + service: service-foo ``` ??? example "Forwarding all (non-tls) requests on port 3306 to a database service" - ```toml tab="TOML" - ## Static configuration ## - - [entryPoints] - [entryPoints.web] - address = ":80" - [entryPoints.mysql-default] - address = ":3306" - - ## Dynamic configuration ## + **Dynamic Configuration** + ```toml tab="File (TOML)" + ## Dynamic configuration [tcp] [tcp.routers] [tcp.routers.to-database] - entryPoints = ["mysql-default"] + entryPoints = ["mysql"] # Catch every request (only available rule for non-tls routers. See below.) 
rule = "HostSNI(`*`)" service = "database" ``` - ```yaml tab="YAML" - ## Static configuration ## - - entryPoints: - web: - address: ":80" - mysql-default: - address: ":3306" - - ## Dynamic configuration ## - + ```yaml tab="File (YAML)" + ## Dynamic configuration tcp: routers: to-database: entryPoints: - - "mysql-default" + - "mysql" # Catch every request (only available rule for non-tls routers. See below.) rule: "HostSNI(`*`)" service: database ``` + + **Static Configuration** + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + [entryPoints.mysql] + address = ":3306" + ``` + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + mysql: + address: ":3306" + ``` + + ```bash tab="CLI" + ## Static configuration + --entryPoints.web.address=":80" + --entryPoints.mysql.address=":3306" + ``` ## Configuring HTTP Routers @@ -101,20 +91,10 @@ If you want to limit the router scope to a set of entry points, set the `entryPo ??? example "Listens to Every EntryPoint" - ```toml tab="TOML" - ## Static configuration ## + **Dynamic Configuration** - [entryPoints] - [entryPoints.web] - # ... - [entryPoints.web-secure] - # ... - [entryPoints.other] - # ... - - - ## Dynamic configuration ## - + ```toml tab="File (TOML)" + ## Dynamic configuration [http.routers] [http.routers.Router-1] # By default, routers listen to every entry points @@ -122,19 +102,8 @@ If you want to limit the router scope to a set of entry points, set the `entryPo service = "service-1" ``` - ```yaml tab="YAML" - ## Static configuration ## - - entryPoints: - web: - # ... - web-secure: - # ... - other: - # ... - - ## Dynamic configuration ## - + ```yaml tab="File (YAML)" + ## Dynamic configuration http: routers: Router-1: 
@@ -142,66 +111,108 @@ If you want to limit the router scope to a set of entry points, set the `entryPo rule: "Host(`traefik.io`)" service: "service-1" ``` + + **Static Configuration** + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + [entryPoints.websecure] + address = ":443" + [entryPoints.other] + address = ":9090" + ``` + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + websecure: + address: ":443" + other: + address: ":9090" + ``` + + ```bash tab="CLI" + ## Static configuration + --entrypoints.web.address=":80" + --entrypoints.websecure.address=":443" + --entrypoints.other.address=":9090" + ``` ??? example "Listens to Specific EntryPoints" - ```toml tab="TOML" - ## Static configuration ## - - [entryPoints] - [entryPoints.web] - # ... - [entryPoints.web-secure] - # ... - [entryPoints.other] - # ... - - ## Dynamic configuration ## + **Dynamic Configuration** + ```toml tab="File (TOML)" + ## Dynamic configuration [http.routers] [http.routers.Router-1] # won't listen to entry point web - entryPoints = ["web-secure", "other"] + entryPoints = ["websecure", "other"] rule = "Host(`traefik.io`)" service = "service-1" ``` - ```yaml tab="YAML" - ## Static configuration ## - - entryPoints: - web: - # ... - web-secure: - # ... - other: - # ... 
- - ## Dynamic configuration ## - + ```yaml tab="File (YAML)" + ## Dynamic configuration http: routers: Router-1: # won't listen to entry point web entryPoints: - - "web-secure" + - "websecure" - "other" rule: "Host(`traefik.io`)" service: "service-1" ``` + **Static Configuration** + + ```toml tab="File (TOML)" + ## Static configuration + [entryPoints] + [entryPoints.web] + address = ":80" + [entryPoints.websecure] + address = ":443" + [entryPoints.other] + address = ":9090" + ``` + + ```yaml tab="File (YAML)" + ## Static configuration + entryPoints: + web: + address: ":80" + websecure: + address: ":443" + other: + address: ":9090" + ``` + + ```bash tab="CLI" + ## Static configuration + --entrypoints.web.address=":80" + --entrypoints.websecure.address=":443" + --entrypoints.other.address=":9090" + ``` + ### Rule Rules are a set of matchers that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. -??? example "Host is traefik.io" +!!! example "Host is traefik.io" ```toml rule = "Host(`traefik.io`)" ``` -??? example "Host is traefik.io OR Host is containo.us AND path is /traefik" +!!! example "Host is traefik.io OR Host is containo.us AND path is /traefik" ```toml rule = "Host(`traefik.io`) || (Host(`containo.us`) && Path(`/traefik`))" @@ -226,7 +237,7 @@ The table below lists all the available matchers: you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`). -!!! tip "Combining Matchers Using Operators and Parenthesis" +!!! info "Combining Matchers Using Operators and Parenthesis" You can combine multiple matchers using the AND (`&&`) and OR (`||`) operators. You can also use parenthesis. 
@@ -234,7 +245,7 @@ The table below lists all the available matchers: The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service. -!!! tip "Path Vs PathPrefix" +!!! info "Path Vs PathPrefix" Use `Path` if your service listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`. @@ -247,14 +258,40 @@ The table below lists all the available matchers: You can attach a list of [middlewares](../../middlewares/overview.md) to each HTTP router. The middlewares will take effect only if the rule matches, and before forwarding the request to the service. +!!! tip "Middlewares order" + + Middlewares are applied in the same order as their declaration in **router**. + +??? example "With a [middleware](../../middlewares/overview.md) -- using the [File Provider](../../providers/file.md)" + + ```toml tab="TOML" + ## Dynamic configuration + [http.routers] + [http.routers.my-router] + rule = "Path(`/foo`)" + # declared elsewhere + middlewares = ["authentication"] + service = "service-foo" + ``` + + ```yaml tab="YAML" + ## Dynamic configuration + http: + routers: + my-router: + rule: "Path(`/foo`)" + # declared elsewhere + middlewares: + - authentication + service: service-foo + ``` + ### Service You must attach a [service](../services/index.md) per router. Services are the target for the router. -!!! note "HTTP Only" - - HTTP routers can only target HTTP services (not TCP services). +!!! important "HTTP routers can only target HTTP services (not TCP services)." ### TLS @@ -265,7 +302,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted ??? example "Configuring the router to accept HTTPS requests only" - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [http.routers] [http.routers.Router-1] rule = "Host(`foo-domain`) && Path(`/foo-path/`)" 
@@ -274,7 +312,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted [http.routers.Router-1.tls] ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration http: routers: Router-1: @@ -284,17 +323,19 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted tls: {} ``` -!!! note "HTTPS & ACME" +!!! info "HTTPS & ACME" In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section. !!! important "Routers for HTTP & HTTPS" - If you need to define the same route for both HTTP and HTTPS requests, you will need to define two different routers: one with the tls section, one without. + If you need to define the same route for both HTTP and HTTPS requests, you will need to define two different routers: + one with the tls section, one without. ??? example "HTTP & HTTPS routes" - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [http.routers] [http.routers.my-https-router] rule = "Host(`foo-domain`) && Path(`/foo-path/`)" @@ -307,7 +348,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted service = "service-id" ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration http: routers: my-https-router: 
@@ -326,15 +368,20 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted The `options` field enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined. -!!! note "Server Name Association" +!!! info "Server Name Association" - Even though one might get the impression that a TLS options reference is mapped to a router, or a router rule, one should realize that it is actually mapped only to the host name found in the `Host` part of the rule. Of course, there could also be several `Host` parts in a rule, in which case the TLS options reference would be mapped to as many host names. + Even though one might get the impression that a TLS options reference is mapped to a router, or a router rule, + one should realize that it is actually mapped only to the host name found in the `Host` part of the rule. + Of course, there could also be several `Host` parts in a rule, in which case the TLS options reference would be mapped to as many host names. - Another thing to keep in mind is: the TLS option is picked from the mapping mentioned above and based on the server name provided during the TLS handshake, and it all happens before routing actually occurs. + Another thing to keep in mind is: + the TLS option is picked from the mapping mentioned above and based on the server name provided during the TLS handshake, + and it all happens before routing actually occurs. ??? example "Configuring the TLS options" - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [http.routers] [http.routers.Router-1] rule = "Host(`foo-domain`) && Path(`/foo-path/`)" @@ -352,7 +399,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied ] ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration http: routers: Router-1: 
@@ -373,9 +421,12 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied !!! important "Conflicting TLS Options" - Since a TLS options reference is mapped to a host name, if a configuration introduces a situation where the same host name (from a `Host` rule) gets matched with two TLS options references, a conflict occurs, such as in the example below: + Since a TLS options reference is mapped to a host name, + if a configuration introduces a situation where the same host name (from a `Host` rule) gets matched with two TLS options references, + a conflict occurs, such as in the example below: - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [http.routers] [http.routers.routerfoo] rule = "Host(`snitest.com`) && Path(`/foo`)" @@ -389,7 +440,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied options = "bar" ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration http: routers: routerfoo: @@ -409,7 +461,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied If `certResolver` is defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules. -```toml tab="TOML" +```toml tab="File (TOML)" +## Dynamic configuration [http.routers] [http.routers.routerfoo] rule = "Host(`snitest.com`) && Path(`/foo`)" @@ -417,7 +470,8 @@ If `certResolver` is defined, Traefik will try to generate certificates based on certResolver = "foo" ``` -```yaml tab="YAML" +```yaml tab="File (YAML)" +## Dynamic configuration http: routers: routerfoo: 
@@ -426,8 +480,8 @@ http: certResolver: foo ``` -!!! note "Multiple Hosts in a Rule" - The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`. +!!! info "Multiple Hosts in a Rule" + The rule ```Host(`test1.traefik.io`,`test2.traefik.io`)``` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`. #### `domains` @@ -435,7 +489,8 @@ You can set SANs (alternative domains) for each main domain. Every domain must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request. -```toml tab="TOML" +```toml tab="File (TOML)" +## Dynamic configuration [http.routers] [http.routers.routerbar] rule = "Host(`snitest.com`) && Path(`/bar`)" @@ -443,10 +498,11 @@ Each domain & SAN will lead to a certificate request. certResolver = "bar" [[http.routers.routerbar.tls.domains]] main = "snitest.com" - sans = "*.snitest.com" + sans = ["*.snitest.com"] ``` -```yaml tab="YAML" +```yaml tab="File (YAML)" +## Dynamic configuration http: routers: routerbar: 
@@ -466,13 +522,12 @@ In this case the generated DNS TXT record for both domains is the same. Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail. -The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue. -The [Supported `provider` table](../../https/acme.md#providers) indicates if they allow generating certificates for a wildcard domain and its root domain. +The Traefik ACME client library [lego](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue. +The [supported `provider` table](../../https/acme.md#providers) indicates if they allow generating certificates for a wildcard domain and its root domain. -!!! note - Wildcard certificates can only be verified through a [`DNS-01` challenge](../../https/acme.md#dnschallenge). +!!! important "Wildcard certificates can only be verified through a [`DNS-01` challenge](../../https/acme.md#dnschallenge)." -!!! note "Double Wildcard Certificates" +!!! warning "Double Wildcard Certificates" It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`). ## Configuring TCP Routers 
@@ -488,19 +543,11 @@ If not specified, TCP routers will accept requests from all defined entry points If you want to limit the router scope to a set of entry points, set the entry points option. ??? example "Listens to Every Entry Point" + + **Dynamic Configuration** - ```toml tab="TOML" - ## Static configuration ## - - [entryPoints] - [entryPoints.web] - # ... - [entryPoints.web-secure] - # ... - [entryPoints.other] - # ... - - ## Dynamic configuration ## + ```toml tab="File (TOML)" + ## Dynamic configuration [tcp.routers] [tcp.routers.Router-1] @@ -511,18 +558,8 @@ If you want to limit the router scope to a set of entry points, set the entry po [tcp.routers.Router-1.tls] ``` - ```yaml tab="YAML" - ## Static configuration ## - - entryPoints: - web: - # ... - web-secure: - # ... - other: - # ... - - ## Dynamic configuration ## + ```yaml tab="File (YAML)" + ## Dynamic configuration tcp: routers: 
@@ -534,50 +571,63 @@ If you want to limit the router scope to a set of entry points, set the entry po tls: {} ``` -??? example "Listens to Specific Entry Points" + **Static Configuration** - ```toml tab="TOML" - ## Static configuration ## + ```toml tab="File (TOML)" + ## Static configuration [entryPoints] [entryPoints.web] - # ... - [entryPoints.web-secure] - # ... + address = ":80" + [entryPoints.websecure] + address = ":443" [entryPoints.other] - # ... - - ## Dynamic configuration ## + address = ":9090" + ``` + ```yaml tab="File (YAML)" + ## Static configuration + + entryPoints: + web: + address: ":80" + websecure: + address: ":443" + other: + address: ":9090" + ``` + + ```bash tab="CLI" + ## Static configuration + --entrypoints.web.address=":80" + --entrypoints.websecure.address=":443" + --entrypoints.other.address=":9090" + ``` + +??? example "Listens to Specific Entry Points" + + **Dynamic Configuration** + + ```toml tab="File (TOML)" + ## Dynamic configuration [tcp.routers] [tcp.routers.Router-1] # won't listen to entry point web - entryPoints = ["web-secure", "other"] + entryPoints = ["websecure", "other"] rule = "HostSNI(`traefik.io`)" service = "service-1" # will route TLS requests (and ignore non tls requests) [tcp.routers.Router-1.tls] ``` - ```yaml tab="YAML" - ## Static configuration ## - - entryPoints: - web: - # ... - web-secure: - # ... - other: - # ... - - ## Dynamic configuration ## - + ```yaml tab="File (YAML)" + ## Dynamic configuration tcp: routers: Router-1: # won't listen to entry point web entryPoints: - - "web-secure" + - "websecure" - "other" rule: "HostSNI(`traefik.io`)" service: "service-1" 
@@ -585,6 +635,39 @@ If you want to limit the router scope to a set of entry points, set the entry po tls: {} ``` + **Static Configuration** + + ```toml tab="File (TOML)" + ## Static configuration + + [entryPoints] + [entryPoints.web] + address = ":80" + [entryPoints.websecure] + address = ":443" + [entryPoints.other] + address = ":9090" + ``` + + ```yaml tab="File (YAML)" + ## Static configuration + + entryPoints: + web: + address: ":80" + websecure: + address: ":443" + other: + address: ":9090" + ``` + + ```bash tab="CLI" + ## Static configuration + --entrypoints.web.address=":80" + --entrypoints.websecure.address=":443" + --entrypoints.other.address=":9090" + ``` + ### Rule | Rule | Description | @@ -602,20 +685,20 @@ If you want to limit the router scope to a set of entry points, set the entry po You must attach a TCP [service](../services/index.md) per TCP router. Services are the target for the router. -!!! note "TCP Only" - - TCP routers can only target TCP services (not HTTP services). +!!! important "TCP routers can only target TCP services (not HTTP services)." ### TLS #### General When a TLS section is specified, it instructs Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-TLS requests). + By default, Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services), but Traefik can be configured in order to let the requests pass through (keeping the data encrypted), and be forwarded to the service "as is". ??? example "Configuring TLS Termination" - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [tcp.routers] [tcp.routers.Router-1] rule = "HostSNI(`foo-domain`)" @@ -624,7 +707,8 @@ Services are the target for the router. [tcp.routers.Router-1.tls] ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration tcp: routers: Router-1: 
@@ -636,7 +720,8 @@ Services are the target for the router. ??? example "Configuring passthrough" - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [tcp.routers] [tcp.routers.Router-1] rule = "HostSNI(`foo-domain`)" @@ -645,7 +730,8 @@ Services are the target for the router. passthrough = true ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration tcp: routers: Router-1: @@ -655,7 +741,7 @@ Services are the target for the router. passthrough: true ``` -!!! note "TLS & ACME" +!!! info "TLS & ACME" In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section. @@ -664,9 +750,10 @@ Services are the target for the router. The `options` field enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined. -??? example "Configuring the tls options" +!!! example "Configuring the tls options" - ```toml tab="TOML" + ```toml tab="File (TOML)" + ## Dynamic configuration [tcp.routers] [tcp.routers.Router-1] rule = "HostSNI(`foo-domain`)" @@ -684,7 +771,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied ] ``` - ```yaml tab="YAML" + ```yaml tab="File (YAML)" + ## Dynamic configuration tcp: routers: Router-1: @@ -707,7 +795,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied See [`certResolver` for HTTP router](./index.md#certresolver) for more information. -```toml tab="TOML" +```toml tab="File (TOML)" +## Dynamic configuration [tcp.routers] [tcp.routers.routerfoo] rule = "HostSNI(`snitest.com`)" @@ -715,7 +804,8 @@ See [`certResolver` for HTTP router](./index.md#certresolver) for more informati certResolver = "foo" ``` -```yaml tab="YAML" +```yaml tab="File (YAML)" +## Dynamic configuration tcp: routers: routerfoo: 
@@ -728,7 +818,8 @@ tcp: See [`domains` for HTTP router](./index.md#domains) for more information. -```toml tab="TOML" +```toml tab="File (TOML)" +## Dynamic configuration [tcp.routers] [tcp.routers.routerbar] rule = "HostSNI(`snitest.com`)" @@ -736,10 +827,11 @@ See [`domains` for HTTP router](./index.md#domains) for more information. certResolver = "bar" [[tcp.routers.routerbar.tls.domains]] main = "snitest.com" - sans = "*.snitest.com" + sans = ["*.snitest.com"] ``` -```yaml tab="YAML" +```yaml tab="File (YAML)" +## Dynamic configuration tcp: routers: routerbar: diff --git a/docs/content/routing/services/index.md b/docs/content/routing/services/index.md index fb71898eb..95c79c57f 100644 --- a/docs/content/routing/services/index.md +++ b/docs/content/routing/services/index.md @@ -12,6 +12,7 @@ The `Services` are responsible for configuring how to reach the actual services ??? example "Declaring an HTTP Service with Two Servers -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.my-service.loadBalancer] @@ -22,6 +23,7 @@ The `Services` are responsible for configuring how to reach the actual services ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: my-service: @@ -34,6 +36,7 @@ The `Services` are responsible for configuring how to reach the actual services ??? example "Declaring a TCP Service with Two Servers -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [tcp.services] [tcp.services.my-service.loadBalancer] [[tcp.services.my-service.loadBalancer.servers]] @@ -61,6 +64,7 @@ The load balancers are able to load balance the requests between multiple instan ??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.my-service.loadBalancer] 
@@ -85,14 +89,15 @@ The load balancers are able to load balance the requests between multiple instan Servers declare a single instance of your program. The `url` option point to a specific instance. -!!! note - Paths in the servers' `url` have no effet. +!!! info "" + Paths in the servers' `url` have no effect. If you want the requests to be sent to a specific path on your servers, configure your [`routers`](../routers/index.md) to use a corresponding [middleware](../../middlewares/overview.md) (e.g. the [AddPrefix](../../middlewares/addprefix.md) or [ReplacePath](../../middlewares/replacepath.md)) middlewares. ??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.my-service.loadBalancer] [[http.services.my-service.loadBalancer.servers]] @@ -100,6 +105,7 @@ The `url` option point to a specific instance. ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: my-service: @@ -115,6 +121,7 @@ For now, only round robin load balancing is supported: ??? example "Load Balancing -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.my-service.loadBalancer] [[http.services.my-service.loadBalancer.servers]] @@ -124,6 +131,7 @@ For now, only round robin load balancing is supported: ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: my-service: 
@@ -138,27 +146,29 @@ For now, only round robin load balancing is supported: When sticky sessions are enabled, a cookie is set on the initial request to track which server handles the first response. On subsequent requests, the client is forwarded to the same server. -!!! note "Stickiness & Unhealthy Servers" +!!! info "Stickiness & Unhealthy Servers" If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server). -!!! note "Cookie Name" +!!! info "Cookie Name" The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`). -!!! note "Secure & HTTPOnly flags" +!!! info "Secure & HTTPOnly flags" By default, the affinity cookie is created without those flags. One however can change that through configuration. -??? example "Adding Stickiness" +??? example "Adding Stickiness -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.my-service] [http.services.my-service.loadBalancer.sticky.cookie] ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: my-service: @@ -167,9 +177,10 @@ On subsequent requests, the client is forwarded to the same server. cookie: {} ``` -??? example "Adding Stickiness with custom Options" +??? example "Adding Stickiness with custom Options -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.my-service] [http.services.my-service.loadBalancer.sticky.cookie] @@ -179,6 +190,7 @@ On subsequent requests, the client is forwarded to the same server. ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: my-service: 
@@ -205,12 +217,12 @@ Below are the available options for the health check mechanism: - `timeout` defines the maximum duration Traefik will wait for a health check request before considering the server failed (unhealthy). - `headers` defines custom headers to be sent to the health check endpoint. -!!! note "Interval & Timeout Format" +!!! info "Interval & Timeout Format" Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). The interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second. -!!! note "Recovering Servers" +!!! info "Recovering Servers" Traefik keeps monitoring the health of unhealthy servers. If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balacer rotation pool. @@ -218,6 +230,7 @@ Below are the available options for the health check mechanism: ??? example "Custom Interval & Timeout -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.servicess.Service-1] [http.services.Service-1.loadBalancer.healthCheck] @@ -227,6 +240,7 @@ Below are the available options for the health check mechanism: ``` ```yaml tab="YAML" + ## Dynamic configuration http: servicess: Service-1: @@ -240,6 +254,7 @@ Below are the available options for the health check mechanism: ??? example "Custom Port -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.Service-1] [http.services.Service-1.loadBalancer.healthCheck] @@ -248,6 +263,7 @@ Below are the available options for the health check mechanism: ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: Service-1: 
@@ -260,6 +276,7 @@ Below are the available options for the health check mechanism: ??? example "Custom Scheme -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.Service-1] [http.services.Service-1.loadBalancer.healthCheck] @@ -268,6 +285,7 @@ Below are the available options for the health check mechanism: ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: Service-1: @@ -280,6 +298,7 @@ Below are the available options for the health check mechanism: ??? example "Additional HTTP Headers -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [http.services] [http.services.Service-1] [http.services.Service-1.loadBalancer.healthCheck] @@ -291,6 +310,7 @@ Below are the available options for the health check mechanism: ``` ```yaml tab="YAML" + ## Dynamic configuration http: services: Service-1: @@ -308,9 +328,10 @@ The WRR is able to load balance the requests between multiple services based on This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers). -This strategy can be defined only with [File](../../providers/file.md). +!!! info "This strategy can be defined only with [File](../../providers/file.md)." ```toml tab="TOML" +## Dynamic configuration [http.services] [http.services.app] [[http.services.app.weighted.services]] @@ -332,6 +353,7 @@ This strategy can be defined only with [File](../../providers/file.md). ``` ```yaml tab="YAML" +## Dynamic configuration http: services: app: @@ -357,9 +379,10 @@ http: The mirroring is able to mirror requests sent to a service to other services. -This strategy can be defined only with [File](../../providers/file.md). +!!! info "This strategy can be defined only with [File](../../providers/file.md)." ```toml tab="TOML" +## Dynamic configuration [http.services] [http.services.mirrored-api] [http.services.mirrored-api.mirroring] 
@@ -380,6 +403,7 @@ This strategy can be defined only with [File](../../providers/file.md). ``` ```yaml tab="YAML" +## Dynamic configuration http: services: mirrored-api: @@ -416,6 +440,7 @@ The servers load balancer is in charge of balancing the requests between the ser ??? example "Declaring a Service with Two Servers -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [tcp.services] [tcp.services.my-service.loadBalancer] [[tcp.services.my-service.loadBalancer.servers]] @@ -425,6 +450,7 @@ The servers load balancer is in charge of balancing the requests between the ser ``` ```yaml tab="YAML" + ## Dynamic configuration tcp: services: my-service: @@ -442,6 +468,7 @@ The `address` option (IP:Port) point to a specific instance. ??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [tcp.services] [tcp.services.my-service.loadBalancer] [[tcp.services.my-service.loadBalancer.servers]] @@ -449,6 +476,7 @@ The `address` option (IP:Port) point to a specific instance. ``` ```yaml tab="YAML" + ## Dynamic configuration tcp: services: my-service: @@ -474,6 +502,7 @@ A negative value means an infinite deadline (i.e. the connection is never fully ??? example "A Service with a termination delay -- Using the [File Provider](../../providers/file.md)" ```toml tab="TOML" + ## Dynamic configuration [tcp.services] [tcp.services.my-service.loadBalancer] [[tcp.services.my-service.loadBalancer]] @@ -481,6 +510,7 @@ A negative value means an infinite deadline (i.e. the connection is never fully ``` ```yaml tab="YAML" + ## Dynamic configuration tcp: services: my-service: 
@@ -488,7 +518,7 @@ A negative value means an infinite deadline (i.e. the connection is never fully terminationDelay: 200 ``` -### Weighted +### Weighted Round Robin The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the requests between multiple services based on provided weights. @@ -497,6 +527,7 @@ This strategy is only available to load balance between [services](./index.md) a This strategy can only be defined with [File](../../providers/file.md). ```toml tab="TOML" +## Dynamic configuration [tcp.services] [tcp.services.app] [[tcp.services.app.weighted.services]] @@ -518,6 +549,7 @@ This strategy can only be defined with [File](../../providers/file.md). ``` ```yaml tab="YAML" +## Dynamic configuration tcp: services: app: diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 6af5e4126..968158389 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -82,9 +82,14 @@ nav: - 'Marathon': 'providers/marathon.md' - 'Routing & Load Balancing': - 'Overview': 'routing/overview.md' - - 'Entrypoints': 'routing/entrypoints.md' + - 'EntryPoints': 'routing/entrypoints.md' - 'Routers': 'routing/routers/index.md' - 'Services': 'routing/services/index.md' + - 'Providers': + - 'Docker': 'routing/providers/docker.md' + - 'Rancher': 'routing/providers/rancher.md' + - 'Marathon': 'routing/providers/marathon.md' + - 'Kubernetes IngressRoute': 'routing/providers/kubernetes-crd.md' - 'HTTPS & TLS': - 'Overview': 'https/overview.md' - 'TLS': 'https/tls.md' diff --git a/webui/src/components/_commons/PanelMiddlewares.vue b/webui/src/components/_commons/PanelMiddlewares.vue index a961e2871..a516496c2 100644 --- a/webui/src/components/_commons/PanelMiddlewares.vue +++ b/webui/src/components/_commons/PanelMiddlewares.vue @@ -3,7 +3,7 @@
-
{{ middleware.name }}
+
{{ middleware.name }}
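Review bot: The tab labels are inconsistent across this patch. In the routers hunks at `@@ -728,7 +818,8 @@` and `@@ -736,10 +827,11 @@` the tabs are renamed to `tab="File (TOML)"` and `tab="File (YAML)"`, while every hunk in docs/content/routing/services/index.md keeps `tab="TOML"` and `tab="YAML"` and only adds the `## Dynamic configuration` comment. Pick one label and apply it in both files so the rendered tabs read the same. The change of `sans` from a string to `["*.snitest.com"]` looks right for a list-valued option; please confirm the YAML tab of the same example, which is not visible in this hunk, also uses a list.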
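Review bot: In the sticky-session hunk of services/index.md (`@@ -138,27 +146,29 @@`), the "Secure & HTTPOnly flags" admonition is restyled from `note` to `info`, but it still only says "One however can change that through configuration" without naming the options. Because the affinity cookie is created without those flags by default, a reader serving over HTTPS has to know exactly what to set. Suggest pointing this admonition at the "Adding Stickiness with custom Options" example directly below it, and spelling the flag as `HttpOnly` to match the cookie attribute name.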
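Review bot: The "Custom Interval & Timeout" health check example touched by `@@ -218,6 +230,7 @@` and `@@ -227,6 +240,7 @@` in services/index.md still carries a typo in its unchanged lines: the TOML reads `[http.servicess.Service-1]` and the YAML reads `servicess:`. Anyone copying the example ends up with the health check under a key that does not match `http.services`, so the check they think they configured is not the one on the service. Since the patch already edits both blocks, fix the key to `services` here. In the hunk just above (`@@ -205,12 +217,12 @@`), the "Recovering Servers" text also keeps "load balacer" and the odd "`2xx` -> `3xx`" range notation, which are worth correcting while the admonition is being changed.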
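Review bot: In the HTTP Weighted Round Robin and Mirroring hunks of services/index.md (`@@ -308,9 +328,10 @@` and `@@ -357,9 +379,10 @@`), the whole sentence, Markdown link included, is moved into the admonition title: `!!! info "This strategy can be defined only with [File](../../providers/file.md)."`. Please check that the link still renders inside a title; if not, keep a short title and put the sentence in the admonition body. The TCP Weighted Round Robin section (`@@ -497,6 +527,7 @@`) keeps the plain sentence "This strategy can only be defined with [File](../../providers/file.md)." with different wording, so the two sections should be aligned either way.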
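Review bot: The TOML block of "A Service with a termination delay" in services/index.md (`@@ -474,6 +502,7 @@`) is not valid TOML as shown in the unchanged lines: `[tcp.services.my-service.loadBalancer]` is followed immediately by `[[tcp.services.my-service.loadBalancer]]`, which declares the same key once as a table and once as an array of tables. The YAML tab sets `terminationDelay: 200` under the load balancer, so the TOML most likely needs only the single-bracket table header. Since this hunk already adds the `## Dynamic configuration` line to the block, drop the double-bracket line in the same change. Separately, the sentences "The `url` option point to a specific instance." (`@@ -85,14 +89,15 @@`) and "The `address` option (IP:Port) point to a specific instance." (`@@ -442,6 +468,7 @@`) should read "points".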