- Migration Guide: From v1 to v2
- Frontends and Backends Are Dead… … Long Live Routers, Middlewares, and Services
- TLS Configuration is Now Dynamic, per Router.
- HTTP to HTTPS Redirection is Now Configured on Routers
- Strip and Rewrite Path Prefixes
- ACME (LetsEncrypt)
- Traefik Logs
- Access Logs
- Tracing
- Metrics
- No More Root Level Key/Values
- Dashboard
- Providers
- Some Tips You Should Know
Migration Guide: From v1 to v2
How to Migrate from Traefik v1 to Traefik v2.
The version 2 of Traefik introduces a number of breaking changes, which require one to update their configuration when they migrate from v1 to v2. The goal of this page is to recapitulate all of these changes, and in particular to give examples, feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.
Migration Helper
We created a tool to help during the migration: traefik-migration-tool
This tool allows to:
- convert
Ingress
to TraefikIngressRoute
resources. - convert
acme.json
file from v1 to v2 format. - migrate the static configuration contained in the file
traefik.toml
to a Traefik v2 file.
Frontends and Backends Are Dead… … Long Live Routers, Middlewares, and Services
During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized. As such, the combination of core notions such as frontends and backends has been replaced with the combination of routers, services, and middlewares.
Typically, a router replaces a frontend, and a service assumes the role of a backend, with each router referring to a service. However, even though a backend was in charge of applying any desired modification on the fly to the incoming request, the router defers that responsibility to another component. Instead, a dedicated middleware is now defined for each kind of such modification. Then any router can refer to an instance of the wanted middleware.
One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware.
v1
labels:
- "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
- "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: traefik
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/rule-type: PathPrefix
spec:
rules:
- host: test.localhost
http:
paths:
- path: /test
backend:
serviceName: server0
servicePort: 80
- path: /test
backend:
serviceName: server1
servicePort: 80
[frontends]
[frontends.frontend1]
entryPoints = ["http"]
backend = "backend1"
[frontends.frontend1.routes]
[frontends.frontend1.routes.route0]
rule = "Host:test.localhost"
[frontends.frontend1.routes.route0]
rule = "PathPrefix:/test"
[frontends.frontend1.auth]
[frontends.frontend1.auth.basic]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
[backends]
[backends.backend1]
[backends.backend1.servers.server0]
url = "http://10.10.10.1:80"
[backends.backend1.servers.server1]
url = "http://10.10.10.2:80"
[backends.backend1.loadBalancer]
method = "wrr"
v2
labels:
- "traefik.http.routers.router0.rule=Host(`example.com`) && PathPrefix(`/test`)"
- "traefik.http.routers.router0.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# The definitions below require the definitions for the Middleware and IngressRoute kinds.
# https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basicauth
namespace: foo
spec:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- http
routes:
- match: Host(`test.localhost`) && PathPrefix(`/test`)
kind: Rule
services:
- name: server0
port: 80
- name: server1
port: 80
middlewares:
- name: basicauth
namespace: foo
[http.routers]
[http.routers.router0]
rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
middlewares = ["auth"]
service = "my-service"
[http.services]
[[http.services.my-service.loadBalancer.servers]]
url = "http://10.10.10.1:80"
[[http.services.my-service.loadBalancer.servers]]
url = "http://10.10.10.2:80"
[http.middlewares]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
http:
routers:
router0:
rule: "Host(`test.localhost`) && PathPrefix(`/test`)"
service: my-service
middlewares:
- auth
services:
my-service:
loadBalancer:
servers:
- url: http://10.10.10.1:80
- url: http://10.10.10.2:80
middlewares:
auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
TLS Configuration is Now Dynamic, per Router.
TLS parameters used to be specified in the static configuration, as an entryPoint field. With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations. Then, a router's TLS field can refer to one of the TLS configurations defined at the root, hence defining the TLS configuration for that router.
TLS on websecure entryPoint becomes TLS option on Router-1
v1
# static configuration
[entryPoints]
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[[entryPoints.websecure.tls.certificates]]
certFile = "path/to/my.cert"
keyFile = "path/to/my.key"
--entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
v2
# dynamic configuration
[http.routers]
[http.routers.Router-1]
rule = "Host(`example.com`)"
service = "service-id"
# will terminate the TLS request
[http.routers.Router-1.tls]
options = "myTLSOptions"
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[tls.options]
[tls.options.myTLSOptions]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
http:
routers:
Router-1:
rule: "Host(`example.com`)"
service: service-id
# will terminate the TLS request
tls:
options: myTLSOptions
tls:
certificates:
- certFile: /path/to/domain.cert
keyFile: /path/to/domain.key
options:
myTLSOptions:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# The definitions below require the definitions for the TLSOption and IngressRoute kinds.
# https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: mytlsoption
namespace: default
spec:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`)
kind: Rule
services:
- name: whoami
port: 80
tls:
options:
name: mytlsoption
namespace: default
labels:
# myTLSOptions must be defined by another provider, in this instance in the File Provider.
# see the cross provider section
- "[email protected]"
HTTP to HTTPS Redirection is Now Configured on Routers
Previously on Traefik v1, the redirection was applied on an entry point or on a frontend. With Traefik v2 it is applied on an entry point or a Router.
To apply a redirection:
- on an entry point, the HTTP redirection has to be configured.
- on a router, one of the redirect middlewares, RedirectRegex or RedirectScheme, has to be configured and added to the router middlewares list.
Global HTTP to HTTPS redirection
v1
# static configuration
defaultEntryPoints = ["web", "websecure"]
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.redirect]
entryPoint = "websecure"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
--entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
--entryPoints='Name:websecure Address::443 TLS'
v2
## static configuration
--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entrypoint.to=websecure
--entrypoints.web.http.redirections.entrypoint.scheme=https
--entrypoints.websecure.address=:443
--providers.docker=true
# traefik.toml
## static configuration
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
# traefik.yaml
## static configuration
entryPoints:
web:
address: 80
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: 443
HTTP to HTTPS redirection per domain
v1
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
[file]
[frontends]
[frontends.frontend1]
entryPoints = ["web", "websecure"]
[frontends.frontend1.routes]
[frontends.frontend1.routes.route0]
rule = "Host:example.net"
[frontends.frontend1.redirect]
entryPoint = "websecure"
v2
labels:
traefik.http.routers.app.rule: Host(`example.net`)
traefik.http.routers.app.entrypoints: web
traefik.http.routers.app.middlewares: https_redirect
traefik.http.routers.appsecured.rule: Host(`example.net`)
traefik.http.routers.appsecured.entrypoints: websecure
traefik.http.routers.appsecured.tls: true
traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: http-redirect-ingressRoute
spec:
entryPoints:
- web
routes:
- match: Host(`example.net`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: https_redirect
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: https-ingressRoute
spec:
entryPoints:
- websecure
routes:
- match: Host(`foo`)
kind: Rule
services:
- name: whoami
port: 80
tls: {}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https_redirect
spec:
redirectScheme:
scheme: https
permanent: true
## dynamic configuration
# dynamic-conf.toml
[http.routers]
[http.routers.router0]
rule = "Host(`example.net`)"
service = "my-service"
entrypoints = ["web"]
middlewares = ["https_redirect"]
[http.routers.router1]
rule = "Host(`example.net`)"
service = "my-service"
entrypoints = ["websecure"]
[http.routers.router1.tls]
[http.middlewares]
[http.middlewares.https_redirect.redirectScheme]
scheme = "https"
permanent = true
## dynamic configuration
# dynamic-conf.yml
http:
routers:
router0:
rule: "Host(`example.net`)"
entryPoints:
- web
middlewares:
- https_redirect
service: my-service
router1:
rule: "Host(`example.net`)"
entryPoints:
- websecure
service: my-service
tls: {}
middlewares:
https_redirect:
redirectScheme:
scheme: https
permanent: true
Strip and Rewrite Path Prefixes
With the new core notions of v2 (introduced earlier in the section "Frontends and Backends Are Dead… Long Live Routers, Middlewares, and Services"), transforming the URL path prefix of incoming requests is configured with middlewares, after the routing step with router rule PathPrefix
.
Use Case: Incoming requests to http://example.org/admin
are forwarded to the webapplication "admin", with the path /admin
stripped, e.g. to http://
. In this case, you must:
- First, configure a router named
admin
with a rule matching at least the path prefix with thePathPrefix
keyword, - Then, define a middleware of type
stripprefix
, which removes the prefix/admin
, associated to the routeradmin
.
Strip Path Prefix When Forwarding to Backend
v1
labels:
- "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: traefik
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
spec:
rules:
- host: example.org
http:
paths:
- path: /admin
backend:
serviceName: admin-svc
servicePort: admin
[frontends.admin]
[frontends.admin.routes.admin_1]
rule = "Host:example.org;PathPrefixStrip:/admin"
v2
labels:
- "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"
- "traefik.http.routers.admin.middlewares=admin-stripprefix"
- "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: http-redirect-ingressRoute
namespace: admin-web
spec:
entryPoints:
- web
routes:
- match: Host(`example.org`) && PathPrefix(`/admin`)
kind: Rule
services:
- name: admin-svc
port: admin
middlewares:
- name: admin-stripprefix
---
kind: Middleware
metadata:
name: admin-stripprefix
spec:
stripPrefix:
prefixes:
- /admin
## Dynamic configuration
# dynamic-conf.toml
[http.routers.router1]
rule = "Host(`example.org`) && PathPrefix(`/admin`)"
service = "admin-svc"
entrypoints = ["web"]
middlewares = ["admin-stripprefix"]
[http.middlewares]
[http.middlewares.admin-stripprefix.stripPrefix]
prefixes = ["/admin"]
# ...
## Dynamic Configuration
# dynamic-conf.yml
# As YAML Configuration File
http:
routers:
admin:
service: admin-svc
middlewares:
- "admin-stripprefix"
rule: "Host(`example.org`) && PathPrefix(`/admin`)"
middlewares:
admin-stripprefix:
stripPrefix:
prefixes:
- "/admin"
# ...
What About Other Path Transformations?
Instead of removing the path prefix with the stripprefix
middleware, you can also:
- Add a path prefix with the
addprefix
middleware - Replace the complete path of the request with the
replacepath
middleware - ReplaceRewrite path using Regexp with the
replacepathregex
middleware - And a lot more on the
middlewares
page
ACME (LetsEncrypt)
ACME is now a certificate resolver (under a certificatesResolvers section) but remains in the static configuration.
ACME from provider to a specific Certificate Resolver
v1
# static configuration
defaultEntryPoints = ["websecure","web"]
[entryPoints.web]
address = ":80"
[entryPoints.web.redirect]
entryPoint = "webs"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "websecure"
onHostRule = true
[acme.tlsChallenge]
--defaultentrypoints=websecure,web
--entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
--entryPoints=Name:websecure Address::443 TLS
[email protected]
--acme.storage=acme.json
--acme.entryPoint=websecure
--acme.onHostRule=true
--acme.tlschallenge=true
v2
# static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[certificatesResolvers.myresolver.acme]
email = "[email protected]"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.tlsChallenge]
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
http:
tls:
certResolver: myresolver
certificatesResolvers:
myresolver:
acme:
email: [email protected]
storage: acme.json
tlsChallenge: {}
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
[email protected].com
--certificatesresolvers.myresolver.acme.storage=acme.json
--certificatesresolvers.myresolver.acme.tlschallenge=true
Traefik Logs
In the v2, all the log configuration remains in the static part but are unified under a log
section. There is no more log configuration at the root level.
Simple log configuration
v1
# static configuration
logLevel = "DEBUG"
[traefikLog]
filePath = "/path/to/traefik.log"
format = "json"
--logLevel=DEBUG
--traefikLog.filePath=/path/to/traefik.log
--traefikLog.format=json
v2
# static configuration
[log]
level = "DEBUG"
filePath = "/path/to/log-file.log"
format = "json"
# static configuration
log:
level: DEBUG
filePath: /path/to/log-file.log
format: json
--log.level=DEBUG
--log.filePath=/path/to/traefik.log
--log.format=json
Access Logs
Access Logs are configured in the same way as before.
But all request headers are now filtered out by default in Traefik v2. So during migration, you might want to consider enabling some needed fields (see access log configuration).
Tracing
Traefik v2 retains OpenTracing support. The backend
root option from the v1 is gone, you just have to set your tracing configuration.
Simple Jaeger tracing configuration
v1
# static configuration
[tracing]
backend = "jaeger"
servicename = "tracing"
[tracing.jaeger]
samplingParam = 1.0
samplingServerURL = "http://12.0.0.1:5778/sampling"
samplingType = "const"
localAgentHostPort = "12.0.0.1:6831"
--tracing.backend=jaeger
--tracing.servicename=tracing
--tracing.jaeger.localagenthostport=12.0.0.1:6831
--tracing.jaeger.samplingparam=1.0
--tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
--tracing.jaeger.samplingtype=const
v2
# static configuration
[tracing]
servicename = "tracing"
[tracing.jaeger]
samplingParam = 1.0
samplingServerURL = "http://12.0.0.1:5778/sampling"
samplingType = "const"
localAgentHostPort = "12.0.0.1:6831"
# static configuration
tracing:
servicename: tracing
jaeger:
samplingParam: 1
samplingServerURL: 'http://12.0.0.1:5778/sampling'
samplingType: const
localAgentHostPort: '12.0.0.1:6831'
--tracing.servicename=tracing
--tracing.jaeger.localagenthostport=12.0.0.1:6831
--tracing.jaeger.samplingparam=1.0
--tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
--tracing.jaeger.samplingtype=const
Metrics
The v2 retains metrics tools and allows metrics to be configured for the entrypoints and/or services. For a basic configuration, the metrics configuration remains the same.
Simple Prometheus metrics configuration
v1
# static configuration
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
entryPoint = "traefik"
--metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
--metrics.prometheus.entrypoint=traefik
v2
# static configuration
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
entryPoint = "metrics"
# static configuration
metrics:
prometheus:
buckets:
- 0.1
- 0.3
- 1.2
- 5
entryPoint: metrics
--metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
--metrics.prometheus.entrypoint=metrics
No More Root Level Key/Values
To avoid any source of confusion, there are no more configuration at the root level. Each root item has been moved to a related section or removed.
From root to dedicated section
v1
# static configuration
checkNewVersion = false
sendAnonymousUsage = true
logLevel = "DEBUG"
insecureSkipVerify = true
rootCAs = [ "/mycert.cert" ]
maxIdleConnsPerHost = 200
providersThrottleDuration = "2s"
AllowMinWeightZero = true
debug = true
defaultEntryPoints = ["web", "websecure"]
keepTrailingSlash = false
--checknewversion=false
--sendanonymoususage=true
--loglevel=DEBUG
--insecureskipverify=true
--rootcas=/mycert.cert
--maxidleconnsperhost=200
--providersthrottleduration=2s
--allowminweightzero=true
--debug=true
--defaultentrypoints=web,websecure
--keeptrailingslash=true
v2
# static configuration
[global]
checkNewVersion = true
sendAnonymousUsage = true
[log]
level = "DEBUG"
[serversTransport]
insecureSkipVerify = true
rootCAs = [ "/mycert.cert" ]
maxIdleConnsPerHost = 42
[providers]
providersThrottleDuration = 42
# static configuration
global:
checkNewVersion: true
sendAnonymousUsage: true
log:
level: DEBUG
serversTransport:
insecureSkipVerify: true
rootCAs:
- /mycert.cert
maxIdleConnsPerHost: 42
providers:
providersThrottleDuration: 42
--global.checknewversion=true
--global.sendanonymoususage=true
--log.level=DEBUG
--serverstransport.insecureskipverify=true
--serverstransport.rootcas=/mycert.cert
--serverstransport.maxidleconnsperhost=42
--providers.providersthrottleduration=42
Dashboard
You need to activate the API to access the dashboard.
To activate the dashboard, you can either:
- use the secure mode with the
[email protected]
service like in the following examples - or use the insecure mode
Activate and access the dashboard
v1
## static configuration
# traefik.toml
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
[entryPoints.websecure.auth]
[entryPoints.websecure.auth.basic]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
]
[api]
entryPoint = "websecure"
--entryPoints='Name:websecure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
--api
v2
# dynamic configuration
labels:
- "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
- "traefik.http.routers.api.entrypoints=websecure"
- "[email protected]"
- "traefik.http.routers.api.middlewares=myAuth"
- "traefik.http.routers.api.tls"
- "traefik.http.middlewares.myAuth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
## static configuration
# traefik.toml
[entryPoints.websecure]
address = ":443"
[api]
[providers.file]
directory = "/path/to/dynamic/config"
##---------------------##
## dynamic configuration
# /path/to/dynamic/config/dynamic-conf.toml
[http.routers.api]
rule = "Host(`traefik.docker.localhost`)"
entrypoints = ["websecure"]
service = "[email protected]al"
middlewares = ["myAuth"]
[http.routers.api.tls]
[http.middlewares.myAuth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
]
## static configuration
# traefik.yaml
entryPoints:
websecure:
address: ':443'
api: {}
providers:
file:
directory: /path/to/dynamic/config
##---------------------##
## dynamic configuration
# /path/to/dynamic/config/dynamic-conf.yaml
http:
routers:
api:
rule: Host(`traefik.docker.localhost`)
entrypoints:
- websecure
service: [email protected]
middlewares:
- myAuth
tls: {}
middlewares:
myAuth:
basicAuth:
users:
- 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
Providers
Supported providers, for now:
- Azure Service Fabric
- Consul
- Consul Catalog
- Docker
- DynamoDB
- ECS
- Etcd
- Eureka
- File
- Kubernetes Ingress
- Kubernetes IngressRoute
- Marathon
- Mesos
- Rancher
- Redis
- Rest
- Zookeeper
Some Tips You Should Know
- Different sources of static configuration (file, CLI flags, …) cannot be mixed.
- Now, configuration elements can be referenced between different providers by using the provider namespace notation:
@
. For instance, a router namedmyrouter
in a File Provider can refer to a service namedmyservice
defined in Docker Provider with the following notation:[email protected]
. - Middlewares are applied in the same order as their declaration in router.
- If you have any questions feel free to join our community forum.