Entry Points Definition

Reference

TOML

  1. defaultEntryPoints = ["http", "https"]
  2. # ...
  3. # ...
  4. [entryPoints]
  5. [entryPoints.http]
  6. address = ":80"
  7. compress = true
  8. [entryPoints.http.whitelist]
  9. sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
  10. useXForwardedFor = true
  11. [entryPoints.http.tls]
  12. minVersion = "VersionTLS12"
  13. cipherSuites = [
  14. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  15. "TLS_RSA_WITH_AES_256_GCM_SHA384"
  16. ]
  17. [[entryPoints.http.tls.certificates]]
  18. certFile = "path/to/my.cert"
  19. keyFile = "path/to/my.key"
  20. [[entryPoints.http.tls.certificates]]
  21. certFile = "path/to/other.cert"
  22. keyFile = "path/to/other.key"
  23. # ...
  24. [entryPoints.http.tls.clientCA]
  25. files = ["path/to/ca1.crt", "path/to/ca2.crt"]
  26. optional = false
  27. [entryPoints.http.redirect]
  28. entryPoint = "https"
  29. regex = "^http://localhost/(.*)"
  30. replacement = "http://mydomain/$1"
  31. permanent = true
  32. [entryPoints.http.auth]
  33. headerField = "X-WebAuth-User"
  34. [entryPoints.http.auth.basic]
  35. removeHeader = true
  36. users = [
  37. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  38. "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  39. ]
  40. usersFile = "/path/to/.htpasswd"
  41. [entryPoints.http.auth.digest]
  42. removeHeader = true
  43. users = [
  44. "test:traefik:a2688e031edb4be6a3797f3882655c05",
  45. "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
  46. ]
  47. usersFile = "/path/to/.htdigest"
  48. [entryPoints.http.auth.forward]
  49. address = "https://authserver.com/auth"
  50. trustForwardHeader = true
  51. authResponseHeaders = ["X-Auth-User"]
  52. [entryPoints.http.auth.forward.tls]
  53. ca = "path/to/local.crt"
  54. caOptional = true
  55. cert = "path/to/foo.cert"
  56. key = "path/to/foo.key"
  57. insecureSkipVerify = true
  58. [entryPoints.http.proxyProtocol]
  59. insecure = true
  60. trustedIPs = ["10.10.10.1", "10.10.10.2"]
  61. [entryPoints.http.forwardedHeaders]
  62. trustedIPs = ["10.10.10.1", "10.10.10.2"]
  63. [entryPoints.https]
  64. # ...

CLI

For more information about the CLI, see the documentation about Traefik command.

  1. --entryPoints='Name:http Address::80'
  2. --entryPoints='Name:https Address::443 TLS'

Note

Whitespace is used as option separator and , is used as value separator for the list.

The names of the options are case-insensitive.

In compose file the entrypoint syntax is different. Notice how quotes are used:

  1. traefik:
  2. image: traefik:v1.7
  3. command:
  4. - --defaultentrypoints=powpow
  5. - "--entryPoints=Name:powpow Address::42 Compress:true"

or

  1. traefik:
  2. image: traefik:v1.7
  3. command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'

All available options:

  1. Name:foo
  2. Address::80
  3. TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
  4. TLS
  5. TLS.MinVersion:VersionTLS11
  6. TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
  7. TLS.SniStrict:true
  8. TLS.DefaultCertificate.Cert:path/to/foo.cert
  9. TLS.DefaultCertificate.Key:path/to/foo.key
  10. CA:car
  11. CA.Optional:true
  12. Redirect.EntryPoint:https
  13. Redirect.Regex:http://localhost/(.*)
  14. Redirect.Replacement:http://mydomain/$1
  15. Redirect.Permanent:true
  16. Compress:true
  17. WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
  18. WhiteList.UseXForwardedFor:true
  19. ProxyProtocol.TrustedIPs:192.168.0.1
  20. ProxyProtocol.Insecure:true
  21. ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
  22. Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
  23. Auth.Basic.Removeheader:true
  24. Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
  25. Auth.Digest.Removeheader:true
  26. Auth.HeaderField:X-WebAuth-User
  27. Auth.Forward.Address:https://authserver.com/auth
  28. Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret
  29. Auth.Forward.TrustForwardHeader:true
  30. Auth.Forward.TLS.CA:path/to/local.crt
  31. Auth.Forward.TLS.CAOptional:true
  32. Auth.Forward.TLS.Cert:path/to/foo.cert
  33. Auth.Forward.TLS.Key:path/to/foo.key
  34. Auth.Forward.TLS.InsecureSkipVerify:true

Basic

  1. # Entrypoints definition
  2. #
  3. # Default:
  4. # [entryPoints]
  5. # [entryPoints.http]
  6. # address = ":80"
  7. #
  8. [entryPoints]
  9. [entryPoints.http]
  10. address = ":80"

Redirect HTTP to HTTPS

To redirect an http entrypoint to an https entrypoint (with SNI support).

  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.redirect]
  5. entryPoint = "https"
  6. [entryPoints.https]
  7. address = ":443"
  8. [entryPoints.https.tls]
  9. [[entryPoints.https.tls.certificates]]
  10. certFile = "integration/fixtures/https/snitest.com.cert"
  11. keyFile = "integration/fixtures/https/snitest.com.key"
  12. [[entryPoints.https.tls.certificates]]
  13. certFile = "integration/fixtures/https/snitest.org.cert"
  14. keyFile = "integration/fixtures/https/snitest.org.key"

Note

Please note that regex and replacement do not have to be set in the redirect structure if an entrypoint is defined for the redirection (they will not be used in this case).

Rewriting URL

To redirect an entrypoint rewriting the URL.

  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.redirect]
  5. regex = "^http://localhost/(.*)"
  6. replacement = "http://mydomain/$1"

Note

Please note that regex and replacement do not have to be set in the redirect structure if an entrypoint is defined for the redirection (they will not be used in this case).

Care should be taken when defining replacement expand variables: $1x is equivalent to ${1x}, not ${1}x (see Regexp.Expand), so use ${1} syntax.

Regular expressions and replacements can be tested using online tools such as Go Playground or the Regex101.

TLS

Static Certificates

Define an entrypoint with SNI support.

  1. [entryPoints]
  2. [entryPoints.https]
  3. address = ":443"
  4. [entryPoints.https.tls]
  5. [[entryPoints.https.tls.certificates]]
  6. certFile = "integration/fixtures/https/snitest.com.cert"
  7. keyFile = "integration/fixtures/https/snitest.com.key"

Note

If an empty TLS configuration is provided, default self-signed certificates are generated.

Dynamic Certificates

If you need to add or remove TLS certificates while Traefik is started, Dynamic TLS certificates are supported using the file provider.

TLS Mutual Authentication

TLS Mutual Authentication can be optional or not.

  • If optional = true, if a certificate is provided, verifies if it is signed by a specified Certificate Authority (CA). Otherwise proceeds without any certificate.
  • If optional = false, Traefik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).

Warning

While the TLS 1.1 and 1.2 RFCs specify that clients should proceed with handshaking by sending an empty list should they have no certs for the CAs specified by the server, not all do so in practice. Use this feature with caution should you require maximum compatibility with a wide variety of client user agents which may not strictly implement these specs.

ClientCAFiles can be configured with multiple CA:s in the same file or use multiple files containing one or several CA:s. The CA:s has to be in PEM format.

By default, ClientCAFiles is not optional, all clients will be required to present a valid cert. The requirement will apply to all server certs in the entrypoint.

In the example below both snitest.com and snitest.org will require client certs

  1. [entryPoints]
  2. [entryPoints.https]
  3. address = ":443"
  4. [entryPoints.https.tls]
  5. [entryPoints.https.tls.ClientCA]
  6. files = ["tests/clientca1.crt", "tests/clientca2.crt"]
  7. optional = false
  8. [[entryPoints.https.tls.certificates]]
  9. certFile = "integration/fixtures/https/snitest.com.cert"
  10. keyFile = "integration/fixtures/https/snitest.com.key"
  11. [[entryPoints.https.tls.certificates]]
  12. certFile = "integration/fixtures/https/snitest.org.cert"
  13. keyFile = "integration/fixtures/https/snitest.org.key"

Note

The deprecated argument ClientCAFiles allows adding Client CA files which are mandatory. If this parameter exists, the new ones are not checked.

Authentication

Basic Authentication

Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate them.

Users can be specified directly in the TOML file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence.

  1. # To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2
  2. [entryPoints]
  3. [entryPoints.http]
  4. address = ":80"
  5. [entryPoints.http.auth.basic]
  6. users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
  7. usersFile = "/path/to/.htpasswd"

Optionally, you can:

  • pass authenticated user to application via headers
  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.auth]
  5. headerField = "X-WebAuth-User" # <-- header for the authenticated user
  6. [entryPoints.http.auth.basic]
  7. users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
  • remove the Authorization header
  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.auth]
  5. [entryPoints.http.auth.basic]
  6. removeHeader = true # <-- remove the Authorization header
  7. users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]

Digest Authentication

You can use htdigest to generate them.

Users can be specified directly in the TOML file, or indirectly by referencing an external file; if both are provided, the two are merged, with external file contents having precedence

  1. # To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
  2. [entryPoints]
  3. [entryPoints.http]
  4. address = ":80"
  5. [entryPoints.http.auth.digest]
  6. users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
  7. usersFile = "/path/to/.htdigest"

Optionally, you can!

  • pass authenticated user to application via headers.
  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.auth]
  5. headerField = "X-WebAuth-User" # <-- header for the authenticated user
  6. [entryPoints.http.auth.digest]
  7. users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
  • remove the Authorization header.
  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.auth]
  5. [entryPoints.http.auth.digest]
  6. removeHeader = true # <-- remove the Authorization header
  7. users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]

Forward Authentication

This configuration will first forward the request to http://authserver.com/auth.

If the response code is 2XX, access is granted and the original request is performed. Otherwise, the response from the authentication server is returned.

  1. [entryPoints]
  2. [entryPoints.http]
  3. # ...
  4. # To enable forward auth on an entrypoint
  5. [entryPoints.http.auth.forward]
  6. address = "https://authserver.com/auth"
  7. # Trust existing X-Forwarded-* headers.
  8. # Useful with another reverse proxy in front of Traefik.
  9. #
  10. # Optional
  11. # Default: false
  12. #
  13. trustForwardHeader = true
  14. # Copy headers from the authentication server to the request.
  15. #
  16. # Optional
  17. #
  18. authResponseHeaders = ["X-Auth-User", "X-Secret"]
  19. # Enable forward auth TLS connection.
  20. #
  21. # Optional
  22. #
  23. [entryPoints.http.auth.forward.tls]
  24. ca = "path/to/local.crt"
  25. caOptional = true
  26. cert = "path/to/foo.cert"
  27. key = "path/to/foo.key"

Specify Minimum TLS Version

To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls).

  1. [entryPoints]
  2. [entryPoints.https]
  3. address = ":443"
  4. [entryPoints.https.tls]
  5. minVersion = "VersionTLS12"
  6. cipherSuites = [
  7. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  8. "TLS_RSA_WITH_AES_256_GCM_SHA384"
  9. ]
  10. [[entryPoints.https.tls.certificates]]
  11. certFile = "integration/fixtures/https/snitest.com.cert"
  12. keyFile = "integration/fixtures/https/snitest.com.key"
  13. [[entryPoints.https.tls.certificates]]
  14. certFile = "integration/fixtures/https/snitest.org.cert"
  15. keyFile = "integration/fixtures/https/snitest.org.key"

Strict SNI Checking

To enable strict SNI checking, so that connections cannot be made if a matching certificate does not exist.

  1. [entryPoints]
  2. [entryPoints.https]
  3. address = ":443"
  4. [entryPoints.https.tls]
  5. sniStrict = true
  6. [[entryPoints.https.tls.certificates]]
  7. certFile = "integration/fixtures/https/snitest.com.cert"
  8. keyFile = "integration/fixtures/https/snitest.com.key"

Default Certificate

To enable a default certificate to serve, so that connections without SNI or without a matching domain will be served this certificate.

  1. [entryPoints]
  2. [entryPoints.https]
  3. address = ":443"
  4. [entryPoints.https.tls]
  5. [entryPoints.https.tls.defaultCertificate]
  6. certFile = "integration/fixtures/https/snitest.com.cert"
  7. keyFile = "integration/fixtures/https/snitest.com.key"

Note

There can only be one defaultCertificate set per entrypoint. Use a single set of square brackets [ ], instead of the two needed for normal certificates. If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.

Compression

To enable compression support using gzip format.

  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. compress = true

Responses are compressed when:

  • The response body is larger than 512 bytes
  • And the Accept-Encoding request header contains gzip
  • And the response is not already compressed, i.e. the Content-Encoding response header is not already set.

White Listing

To enable IP white listing at the entry point level.

  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. [entryPoints.http.whiteList]
  5. sourceRange = ["127.0.0.1/32", "192.168.1.7"]
  6. # useXForwardedFor = true

ProxyProtocol

To enable ProxyProtocol support. Only IPs in trustedIPs will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using insecure = true).

Danger

When queuing Traefik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides. Otherwise, it could introduce a security risk in your system by forging requests.

  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. # Enable ProxyProtocol
  5. [entryPoints.http.proxyProtocol]
  6. # List of trusted IPs
  7. #
  8. # Required
  9. # Default: []
  10. #
  11. trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
  12. # Insecure mode FOR TESTING ENVIRONNEMENT ONLY
  13. #
  14. # Optional
  15. # Default: false
  16. #
  17. # insecure = true

Forwarded Header

Only IPs in trustedIPs will be authorized to trust the client forwarded headers (X-Forwarded-*).

  1. [entryPoints]
  2. [entryPoints.http]
  3. address = ":80"
  4. # Enable Forwarded Headers
  5. [entryPoints.http.forwardedHeaders]
  6. # List of trusted IPs
  7. #
  8. # Required
  9. # Default: []
  10. #
  11. trustedIPs = ["127.0.0.1/32", "192.168.1.7"]