EntryPoints
Opening Connections for Incoming Requests
EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
Configuration Examples
Port 80 only
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
## Static configuration
entryPoints:
web:
address: ":80"
## Static configuration
--entryPoints.web.address=:80
We define an entrypoint
called web
that will listen on port 80
.
Port 80 & 443
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
## Static configuration
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.websecure.address=:443
- Two entrypoints are defined: one called
web
, and the other calledwebsecure
. web
listens on port80
, andwebsecure
on port443
.
UDP on port 1704
## Static configuration
[entryPoints]
[entryPoints.streaming]
address = ":1704/udp"
## Static configuration
entryPoints:
streaming:
address: ":1704/udp"
## Static configuration
--entryPoints.streaming.address=:1704/udp
Configuration
General
EntryPoints are part of the static configuration. They can be defined by using a file (TOML or YAML) or CLI arguments.
See the complete reference for the list of available options
## Static configuration
[entryPoints]
[entryPoints.name]
address = ":8888" # same as ":8888/tcp"
[entryPoints.name.transport]
[entryPoints.name.transport.lifeCycle]
requestAcceptGraceTimeout = 42
graceTimeOut = 42
[entryPoints.name.transport.respondingTimeouts]
readTimeout = 42
writeTimeout = 42
idleTimeout = 42
[entryPoints.name.proxyProtocol]
insecure = true
trustedIPs = ["127.0.0.1", "192.168.0.1"]
[entryPoints.name.forwardedHeaders]
insecure = true
trustedIPs = ["127.0.0.1", "192.168.0.1"]
## Static configuration
entryPoints:
name:
address: ":8888" # same as ":8888/tcp"
transport:
lifeCycle:
requestAcceptGraceTimeout: 42
graceTimeOut: 42
respondingTimeouts:
readTimeout: 42
writeTimeout: 42
idleTimeout: 42
proxyProtocol:
insecure: true
trustedIPs:
- "127.0.0.1"
- "192.168.0.1"
forwardedHeaders:
insecure: true
trustedIPs:
- "127.0.0.1"
- "192.168.0.1"
## Static configuration
--entryPoints.name.address=:8888 # same as :8888/tcp
--entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
--entryPoints.name.transport.lifeCycle.graceTimeOut=42
--entryPoints.name.transport.respondingTimeouts.readTimeout=42
--entryPoints.name.transport.respondingTimeouts.writeTimeout=42
--entryPoints.name.transport.respondingTimeouts.idleTimeout=42
--entryPoints.name.proxyProtocol.insecure=true
--entryPoints.name.proxyProtocol.trustedIPs=127.0.0.1,192.168.0.1
--entryPoints.name.forwardedHeaders.insecure=true
--entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
Address
The address defines the port, and optionally the hostname, on which to listen for incoming connections and packets. It also defines the protocol to use (TCP or UDP). If no protocol is specified, the default is TCP. The format is:
[host]:port[/tcp|/udp]
If both TCP and UDP are wanted for the same port, two entryPoints definitions are needed, such as in the example below.
Both TCP and UDP on port 3179
## Static configuration
[entryPoints]
[entryPoints.tcpep]
address = ":3179"
[entryPoints.udpep]
address = ":3179/udp"
## Static configuration
entryPoints:
tcpep:
address: ":3179"
udpep:
address: ":3179/udp"
## Static configuration
--entryPoints.tcpep.address=:3179
--entryPoints.udpep.address=:3179/udp
Forwarded Headers
You can configure Traefik to trust the forwarded headers information (X-Forwarded-*
).
forwardedHeaders.trustedIPs
Trusting Forwarded Headers from specific IPs.
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
## Static configuration
entryPoints:
web:
address: ":80"
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
forwardedHeaders.insecure
Insecure Mode (Always Trusting Forwarded Headers).
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
insecure = true
## Static configuration
entryPoints:
web:
address: ":80"
forwardedHeaders:
insecure: true
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.insecure
Transport
respondingTimeouts
respondingTimeouts
are timeouts for incoming requests to the Traefik instance. Setting them has no effect for UDP entryPoints.
transport.respondingTimeouts.readTimeout
Optional, Default=0s
readTimeout
is the maximum duration for reading the entire request, including the body.
If zero, no timeout exists.
Can be provided in a format supported by time.ParseDuration or as raw values (digits). If no units are provided, the value is parsed assuming seconds.
## Static configuration
[entryPoints]
[entryPoints.name]
address = ":8888"
[entryPoints.name.transport]
[entryPoints.name.transport.respondingTimeouts]
readTimeout = 42
## Static configuration
entryPoints:
name:
address: ":8888"
transport:
respondingTimeouts:
readTimeout: 42
## Static configuration
--entryPoints.name.address=:8888
--entryPoints.name.transport.respondingTimeouts.readTimeout=42
transport.respondingTimeouts.writeTimeout
Optional, Default=0s
writeTimeout
is the maximum duration before timing out writes of the response.
It covers the time from the end of the request header read to the end of the response write. If zero, no timeout exists.
Can be provided in a format supported by time.ParseDuration or as raw values (digits). If no units are provided, the value is parsed assuming seconds.
## Static configuration
[entryPoints]
[entryPoints.name]
address = ":8888"
[entryPoints.name.transport]
[entryPoints.name.transport.respondingTimeouts]
writeTimeout = 42
## Static configuration
entryPoints:
name:
address: ":8888"
transport:
respondingTimeouts:
writeTimeout: 42
## Static configuration
--entryPoints.name.address=:8888
--entryPoints.name.transport.respondingTimeouts.writeTimeout=42
transport.respondingTimeouts.idleTimeout
Optional, Default=180s
idleTimeout
is the maximum duration an idle (keep-alive) connection will remain idle before closing itself.
If zero, no timeout exists.
Can be provided in a format supported by time.ParseDuration or as raw values (digits). If no units are provided, the value is parsed assuming seconds.
## Static configuration
[entryPoints]
[entryPoints.name]
address = ":8888"
[entryPoints.name.transport]
[entryPoints.name.transport.respondingTimeouts]
idleTimeout = 42
## Static configuration
entryPoints:
name:
address: ":8888"
transport:
respondingTimeouts:
idleTimeout: 42
## Static configuration
--entryPoints.name.address=:8888
--entryPoints.name.transport.respondingTimeouts.idleTimeout=42
lifeCycle
Controls the behavior of Traefik during the shutdown phase.
lifeCycle.requestAcceptGraceTimeout
Optional, Default=0s
Duration to keep accepting requests prior to initiating the graceful termination period (as defined by the graceTimeOut
option). This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation.
Can be provided in a format supported by time.ParseDuration or as raw values (digits).
If no units are provided, the value is parsed assuming seconds. The zero duration disables the request accepting grace period, i.e., Traefik will immediately proceed to the grace period.
## Static configuration
[entryPoints]
[entryPoints.name]
address = ":8888"
[entryPoints.name.transport]
[entryPoints.name.transport.lifeCycle]
requestAcceptGraceTimeout = 42
## Static configuration
entryPoints:
name:
address: ":8888"
transport:
lifeCycle:
requestAcceptGraceTimeout: 42
## Static configuration
--entryPoints.name.address=:8888
--entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
lifeCycle.graceTimeOut
Optional, Default=10s
Duration to give active requests a chance to finish before Traefik stops.
Can be provided in a format supported by time.ParseDuration or as raw values (digits).
If no units are provided, the value is parsed assuming seconds.
In this time frame no new requests are accepted.
## Static configuration
[entryPoints]
[entryPoints.name]
address = ":8888"
[entryPoints.name.transport]
[entryPoints.name.transport.lifeCycle]
graceTimeOut = 42
## Static configuration
entryPoints:
name:
address: ":8888"
transport:
lifeCycle:
graceTimeOut: 42
## Static configuration
--entryPoints.name.address=:8888
--entryPoints.name.transport.lifeCycle.graceTimeOut=42
ProxyProtocol
Traefik supports ProxyProtocol version 1 and 2.
If Proxy Protocol header parsing is enabled for the entry point, this entry point can accept connections with or without Proxy Protocol headers.
If the Proxy Protocol header is passed, then the version is determined automatically.
proxyProtocol.trustedIPs
Enabling Proxy Protocol with Trusted IPs.
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
## Static configuration
entryPoints:
web:
address: ":80"
proxyProtocol:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
--entryPoints.web.address=:80
--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.1.7
IPs in trustedIPs
only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.
proxyProtocol.insecure
Insecure Mode (Testing Environment Only).
In a test environments, you can configure Traefik to trust every incoming connection. Doing so, every remote client address will be replaced (trustedIPs
won't have any effect)
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.proxyProtocol]
insecure = true
## Static configuration
entryPoints:
web:
address: ":80"
proxyProtocol:
insecure: true
--entryPoints.web.address=:80
--entryPoints.web.proxyProtocol.insecure
Queuing Traefik behind Another Load Balancer
When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides. Not doing so could introduce a security risk in your system (enabling request forgery).
HTTP Options
This whole section is dedicated to options, keyed by entry point, that will apply only to HTTP routing.
Redirection
HTTPS redirection (80 to 443)
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entryPoint.to=websecure
--entrypoints.web.http.redirections.entryPoint.scheme=https
--entrypoints.websecure.address=:443
entryPoint
This section is a convenience to enable (permanent) redirecting of all incoming requests on an entry point (e.g. port 80
) to another entry point (e.g. port 443
) or an explicit port (:443
).
entryPoint.to
Required
The target element, it can be:
- an entry point name (ex:
websecure
) - a port (
:443
)
[entryPoints.foo]
# ...
[entryPoints.foo.http.redirections]
[entryPoints.foo.http.redirections.entryPoint]
to = "websecure"
entryPoints:
foo:
# ...
http:
redirections:
entryPoint:
to: websecure
--entrypoints.foo.http.redirections.entryPoint.to=websecure
entryPoint.scheme
Optional, Default="https"
The redirection target scheme.
[entryPoints.foo]
# ...
[entryPoints.foo.http.redirections]
[entryPoints.foo.http.redirections.entryPoint]
# ...
scheme = "https"
entryPoints:
foo:
# ...
http:
redirections:
entryPoint:
# ...
scheme: https
--entrypoints.foo.http.redirections.entryPoint.scheme=https
entryPoint.permanent
Optional, Default=true
To apply a permanent redirection.
[entryPoints.foo]
# ...
[entryPoints.foo.http.redirections]
[entryPoints.foo.http.redirections.entryPoint]
# ...
permanent = true
entryPoints:
foo:
# ...
http:
redirections:
entryPoint:
# ...
permanent: true
--entrypoints.foo.http.redirections.entrypoint.permanent=true
entryPoint.priority
Optional, Default=1
Priority of the generated router.
[entryPoints.foo]
# ...
[entryPoints.foo.http.redirections]
[entryPoints.foo.http.redirections.entryPoint]
# ...
priority = 10
entryPoints:
foo:
# ...
http:
redirections:
entryPoint:
# ...
priority: 10
--entrypoints.foo.http.redirections.entrypoint.priority=10
Middlewares
The list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point.
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http]
middlewares = ["[email protected]", "[email protected]"]
entryPoints:
websecure:
address: ':443'
http:
middlewares:
- [email protected]
- [email protected]
entrypoints.websecure.address=:443
[email protected],[email protected]
TLS
This section is about the default TLS configuration applied to all routers associated with the named entry point.
If a TLS section (i.e. any of its fields) is user-defined, then the default configuration does not apply at all.
The TLS section is the same as the TLS section on HTTP routers.
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
options = "foobar"
certResolver = "leresolver"
[[entryPoints.websecure.http.tls.domains]]
main = "example.com"
sans = ["foo.example.com", "bar.example.com"]
[[entryPoints.websecure.http.tls.domains]]
main = "test.com"
sans = ["foo.test.com", "bar.test.com"]
entryPoints:
websecure:
address: ':443'
http:
tls:
options: foobar
certResolver: leresolver
domains:
- main: example.com
sans:
- foo.example.com
- bar.example.com
- main: test.com
sans:
- foo.test.com
- bar.test.com
entrypoints.websecure.address=:443
entrypoints.websecure.http.tls.options=foobar
entrypoints.websecure.http.tls.certResolver=leresolver
entrypoints.websecure.http.tls.domains[0].main=example.com
entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
entrypoints.websecure.http.tls.domains[1].main=test.com
entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
Let's Encrypt
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "leresolver"
entryPoints:
websecure:
address: ':443'
http:
tls:
certResolver: leresolver
entrypoints.websecure.address=:443
entrypoints.websecure.http.tls.certResolver=leresolver