Migration Guide: From v1 to v2

How to Migrate from Traefik v1 to Traefik v2.

The version 2 of Traefik introduces a number of breaking changes, which require one to update their configuration when they migrate from v1 to v2. The goal of this page is to recapitulate all of these changes, and in particular to give examples, feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.

Migration Helper

We created a tool to help during the migration: traefik-migration-tool

This tool allows to:

  • convert Ingress to Traefik IngressRoute resources.
  • convert acme.json file from v1 to v2 format.
  • migrate the static configuration contained in the file traefik.toml to a Traefik v2 file.

Frontends and Backends Are Dead…

… Long Live Routers, Middlewares, and Services

During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized. As such, the combination of core notions such as frontends and backends has been replaced with the combination of routers, services, and middlewares.

Typically, a router replaces a frontend, and a service assumes the role of a backend, with each router referring to a service. However, even though a backend was in charge of applying any desired modification on the fly to the incoming request, the router defers that responsibility to another component. Instead, a dedicated middleware is now defined for each kind of such modification. Then any router can refer to an instance of the wanted middleware.

One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware.

v1

Docker

  1. labels:
  2. - "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
  3. - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

K8s Ingress

  1. apiVersion: networking.k8s.io/v1beta1
  2. kind: Ingress
  3. metadata:
  4. name: traefik
  5. namespace: kube-system
  6. annotations:
  7. kubernetes.io/ingress.class: traefik
  8. traefik.ingress.kubernetes.io/rule-type: PathPrefix
  9. spec:
  10. rules:
  11. - host: test.localhost
  12. http:
  13. paths:
  14. - path: /test
  15. backend:
  16. serviceName: server0
  17. servicePort: 80
  18. - path: /test
  19. backend:
  20. serviceName: server1
  21. servicePort: 80

File (TOML)

  1. [frontends]
  2. [frontends.frontend1]
  3. entryPoints = ["http"]
  4. backend = "backend1"
  5. [frontends.frontend1.routes]
  6. [frontends.frontend1.routes.route0]
  7. rule = "Host:test.localhost"
  8. [frontends.frontend1.routes.route0]
  9. rule = "PathPrefix:/test"
  10. [frontends.frontend1.auth]
  11. [frontends.frontend1.auth.basic]
  12. users = [
  13. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  14. "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  15. ]
  16. [backends]
  17. [backends.backend1]
  18. [backends.backend1.servers.server0]
  19. url = "http://10.10.10.1:80"
  20. [backends.backend1.servers.server1]
  21. url = "http://10.10.10.2:80"
  22. [backends.backend1.loadBalancer]
  23. method = "wrr"

v2

Docker

  1. labels:
  2. - "traefik.http.routers.router0.rule=Host(`test.localhost`) && PathPrefix(`/test`)"
  3. - "traefik.http.routers.router0.middlewares=auth"
  4. - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

K8s IngressRoute

  1. # The definitions below require the definitions for the Middleware and IngressRoute kinds.
  2. # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
  3. apiVersion: traefik.containo.us/v1alpha1
  4. kind: Middleware
  5. metadata:
  6. name: basicauth
  7. namespace: foo
  8. spec:
  9. basicAuth:
  10. users:
  11. - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
  12. - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
  13. ---
  14. apiVersion: traefik.containo.us/v1alpha1
  15. kind: IngressRoute
  16. metadata:
  17. name: ingressroutebar
  18. spec:
  19. entryPoints:
  20. - http
  21. routes:
  22. - match: Host(`test.localhost`) && PathPrefix(`/test`)
  23. kind: Rule
  24. services:
  25. - name: server0
  26. port: 80
  27. - name: server1
  28. port: 80
  29. middlewares:
  30. - name: basicauth
  31. namespace: foo

File (YAML)

  1. http:
  2. routers:
  3. router0:
  4. rule: "Host(`test.localhost`) && PathPrefix(`/test`)"
  5. service: my-service
  6. middlewares:
  7. - auth
  8. services:
  9. my-service:
  10. loadBalancer:
  11. servers:
  12. - url: http://10.10.10.1:80
  13. - url: http://10.10.10.2:80
  14. middlewares:
  15. auth:
  16. basicAuth:
  17. users:
  18. - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  19. - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

File (TOML)

  1. [http.routers]
  2. [http.routers.router0]
  3. rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
  4. middlewares = ["auth"]
  5. service = "my-service"
  6. [http.services]
  7. [[http.services.my-service.loadBalancer.servers]]
  8. url = "http://10.10.10.1:80"
  9. [[http.services.my-service.loadBalancer.servers]]
  10. url = "http://10.10.10.2:80"
  11. [http.middlewares]
  12. [http.middlewares.auth.basicAuth]
  13. users = [
  14. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  15. "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  16. ]

TLS Configuration is Now Dynamic, per Router.

TLS parameters used to be specified in the static configuration, as an entryPoint field. With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations. Then, a router’s TLS field can refer to one of the TLS configurations defined at the root, hence defining the TLS configuration for that router.

TLS on websecure entryPoint becomes TLS option on Router-1

v1

File (TOML)

  1. # static configuration
  2. [entryPoints]
  3. [entryPoints.websecure]
  4. address = ":443"
  5. [entryPoints.websecure.tls]
  6. minVersion = "VersionTLS12"
  7. cipherSuites = [
  8. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  9. "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  10. "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  11. "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  12. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  13. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  14. ]
  15. [[entryPoints.websecure.tls.certificates]]
  16. certFile = "path/to/my.cert"
  17. keyFile = "path/to/my.key"

CLI

  1. --entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

v2

File (YAML)

  1. http:
  2. routers:
  3. Router-1:
  4. rule: "Host(`example.com`)"
  5. service: service-id
  6. # will terminate the TLS request
  7. tls:
  8. options: myTLSOptions
  9. tls:
  10. certificates:
  11. - certFile: /path/to/domain.cert
  12. keyFile: /path/to/domain.key
  13. options:
  14. myTLSOptions:
  15. minVersion: VersionTLS12
  16. cipherSuites:
  17. - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  18. - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  19. - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  20. - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  21. - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

File (TOML)

  1. # dynamic configuration
  2. [http.routers]
  3. [http.routers.Router-1]
  4. rule = "Host(`example.com`)"
  5. service = "service-id"
  6. # will terminate the TLS request
  7. [http.routers.Router-1.tls]
  8. options = "myTLSOptions"
  9. [[tls.certificates]]
  10. certFile = "/path/to/domain.cert"
  11. keyFile = "/path/to/domain.key"
  12. [tls.options]
  13. [tls.options.myTLSOptions]
  14. minVersion = "VersionTLS12"
  15. cipherSuites = [
  16. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  17. "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  18. "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  19. "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  20. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  21. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  22. ]

K8s IngressRoute

  1. # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
  2. # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
  3. apiVersion: traefik.containo.us/v1alpha1
  4. kind: TLSOption
  5. metadata:
  6. name: mytlsoption
  7. namespace: default
  8. spec:
  9. minVersion: VersionTLS12
  10. cipherSuites:
  11. - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  12. - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  13. - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  14. - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  15. - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  16. ---
  17. apiVersion: traefik.containo.us/v1alpha1
  18. kind: IngressRoute
  19. metadata:
  20. name: ingressroutebar
  21. spec:
  22. entryPoints:
  23. - web
  24. routes:
  25. - match: Host(`example.com`)
  26. kind: Rule
  27. services:
  28. - name: whoami
  29. port: 80
  30. tls:
  31. options:
  32. name: mytlsoption
  33. namespace: default

Docker

  1. labels:
  2. # myTLSOptions must be defined by another provider, in this instance in the File Provider.
  3. # see the cross provider section
  4. - "[email protected]"

HTTP to HTTPS Redirection is Now Configured on Routers

Previously on Traefik v1, the redirection was applied on an entry point or on a frontend. With Traefik v2 it is applied on an entry point or a Router.

To apply a redirection:

Global HTTP to HTTPS redirection

v1

File (TOML)

  1. # static configuration
  2. defaultEntryPoints = ["web", "websecure"]
  3. [entryPoints]
  4. [entryPoints.web]
  5. address = ":80"
  6. [entryPoints.web.redirect]
  7. entryPoint = "websecure"
  8. [entryPoints.websecure]
  9. address = ":443"
  10. [entryPoints.websecure.tls]

CLI

  1. --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
  2. --entryPoints='Name:websecure Address::443 TLS'

v2

File (YAML)

  1. # traefik.yml
  2. ## static configuration
  3. entryPoints:
  4. web:
  5. address: ":80"
  6. http:
  7. redirections:
  8. entrypoint:
  9. to: websecure
  10. scheme: https
  11. websecure:
  12. address: ":443"

File (TOML)

  1. # traefik.toml
  2. ## static configuration
  3. [entryPoints.web]
  4. address = ":80"
  5. [entryPoints.web.http.redirections.entryPoint]
  6. to = "websecure"
  7. scheme = "https"
  8. [entryPoints.websecure]
  9. address = ":443"

CLI

  1. ## static configuration
  2. --entrypoints.web.address=:80
  3. --entrypoints.web.http.redirections.entrypoint.to=websecure
  4. --entrypoints.web.http.redirections.entrypoint.scheme=https
  5. --entrypoints.websecure.address=:443
  6. --providers.docker=true

HTTP to HTTPS redirection per domain

v1

File (TOML)

  1. [entryPoints]
  2. [entryPoints.web]
  3. address = ":80"
  4. [entryPoints.websecure]
  5. address = ":443"
  6. [entryPoints.websecure.tls]
  7. [file]
  8. [frontends]
  9. [frontends.frontend1]
  10. entryPoints = ["web", "websecure"]
  11. [frontends.frontend1.routes]
  12. [frontends.frontend1.routes.route0]
  13. rule = "Host:example.net"
  14. [frontends.frontend1.redirect]
  15. entryPoint = "websecure"

v2

Docker

  1. labels:
  2. traefik.http.routers.app.rule: Host(`example.net`)
  3. traefik.http.routers.app.entrypoints: web
  4. traefik.http.routers.app.middlewares: https_redirect
  5. traefik.http.routers.appsecured.rule: Host(`example.net`)
  6. traefik.http.routers.appsecured.entrypoints: websecure
  7. traefik.http.routers.appsecured.tls: true
  8. traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
  9. traefik.http.middlewares.https_redirect.redirectscheme.permanent: true

K8s IngressRoute

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: IngressRoute
  3. metadata:
  4. name: http-redirect-ingressroute
  5. spec:
  6. entryPoints:
  7. - web
  8. routes:
  9. - match: Host(`example.net`)
  10. kind: Rule
  11. services:
  12. - name: whoami
  13. port: 80
  14. middlewares:
  15. - name: https-redirect
  16. ---
  17. apiVersion: traefik.containo.us/v1alpha1
  18. kind: IngressRoute
  19. metadata:
  20. name: https-ingressroute
  21. spec:
  22. entryPoints:
  23. - websecure
  24. routes:
  25. - match: Host(`foo`)
  26. kind: Rule
  27. services:
  28. - name: whoami
  29. port: 80
  30. tls: {}
  31. ---
  32. apiVersion: traefik.containo.us/v1alpha1
  33. kind: Middleware
  34. metadata:
  35. name: https-redirect
  36. spec:
  37. redirectScheme:
  38. scheme: https
  39. permanent: true

File (YAML)

  1. ## dynamic configuration
  2. # dynamic-conf.yml
  3. http:
  4. routers:
  5. router0:
  6. rule: "Host(`example.net`)"
  7. entryPoints:
  8. - web
  9. middlewares:
  10. - https_redirect
  11. service: my-service
  12. router1:
  13. rule: "Host(`example.net`)"
  14. entryPoints:
  15. - websecure
  16. service: my-service
  17. tls: {}
  18. middlewares:
  19. https-redirect:
  20. redirectScheme:
  21. scheme: https
  22. permanent: true

File (TOML)

  1. ## dynamic configuration
  2. # dynamic-conf.toml
  3. [http.routers]
  4. [http.routers.router0]
  5. rule = "Host(`example.net`)"
  6. service = "my-service"
  7. entrypoints = ["web"]
  8. middlewares = ["https_redirect"]
  9. [http.routers.router1]
  10. rule = "Host(`example.net`)"
  11. service = "my-service"
  12. entrypoints = ["websecure"]
  13. [http.routers.router1.tls]
  14. [http.middlewares]
  15. [http.middlewares.https_redirect.redirectScheme]
  16. scheme = "https"
  17. permanent = true

Strip and Rewrite Path Prefixes

With the new core notions of v2 (introduced earlier in the section “Frontends and Backends Are Dead… Long Live Routers, Middlewares, and Services”), transforming the URL path prefix of incoming requests is configured with middlewares, after the routing step with router rule PathPrefix.

Use Case: Incoming requests to http://example.org/admin are forwarded to the webapplication “admin”, with the path /admin stripped, e.g. to http://<IP>:<port>/. In this case, you must:

  • First, configure a router named admin with a rule matching at least the path prefix with the PathPrefix keyword,
  • Then, define a middleware of type stripprefix, which removes the prefix /admin, associated to the router admin.

Strip Path Prefix When Forwarding to Backend

v1

Docker

  1. labels:
  2. - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"

Kubernetes Ingress

  1. apiVersion: networking.k8s.io/v1beta1
  2. kind: Ingress
  3. metadata:
  4. name: traefik
  5. annotations:
  6. kubernetes.io/ingress.class: traefik
  7. traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
  8. spec:
  9. rules:
  10. - host: example.org
  11. http:
  12. paths:
  13. - path: /admin
  14. backend:
  15. serviceName: admin-svc
  16. servicePort: admin

File (TOML)

  1. [frontends.admin]
  2. [frontends.admin.routes.admin_1]
  3. rule = "Host:example.org;PathPrefixStrip:/admin"

v2

Docker

  1. labels:
  2. - "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"
  3. - "traefik.http.routers.admin.middlewares=admin-stripprefix"
  4. - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"

Kubernetes IngressRoute

  1. ---
  2. apiVersion: traefik.containo.us/v1alpha1
  3. kind: IngressRoute
  4. metadata:
  5. name: http-redirect-ingressroute
  6. namespace: admin-web
  7. spec:
  8. entryPoints:
  9. - web
  10. routes:
  11. - match: Host(`example.org`) && PathPrefix(`/admin`)
  12. kind: Rule
  13. services:
  14. - name: admin-svc
  15. port: admin
  16. middlewares:
  17. - name: admin-stripprefix
  18. ---
  19. apiVersion: traefik.containo.us/v1alpha1
  20. kind: Middleware
  21. metadata:
  22. name: admin-stripprefix
  23. spec:
  24. stripPrefix:
  25. prefixes:
  26. - /admin

File (YAML)

  1. ## Dynamic Configuration
  2. # dynamic-conf.yml
  3. # As YAML Configuration File
  4. http:
  5. routers:
  6. admin:
  7. service: admin-svc
  8. middlewares:
  9. - "admin-stripprefix"
  10. rule: "Host(`example.org`) && PathPrefix(`/admin`)"
  11. middlewares:
  12. admin-stripprefix:
  13. stripPrefix:
  14. prefixes:
  15. - "/admin"
  16. # ...

File (TOML)

  1. ## Dynamic configuration
  2. # dynamic-conf.toml
  3. [http.routers.router1]
  4. rule = "Host(`example.org`) && PathPrefix(`/admin`)"
  5. service = "admin-svc"
  6. entrypoints = ["web"]
  7. middlewares = ["admin-stripprefix"]
  8. [http.middlewares]
  9. [http.middlewares.admin-stripprefix.stripPrefix]
  10. prefixes = ["/admin"]
  11. # ...

What About Other Path Transformations?

Instead of removing the path prefix with the stripprefix middleware, you can also:

ACME (LetsEncrypt)

ACME is now a certificate resolver (under a certificatesResolvers section) but remains in the static configuration.

ACME from provider to a specific Certificate Resolver

v1

File (TOML)

  1. # static configuration
  2. defaultEntryPoints = ["websecure","web"]
  3. [entryPoints.web]
  4. address = ":80"
  5. [entryPoints.web.redirect]
  6. entryPoint = "webs"
  7. [entryPoints.websecure]
  8. address = ":443"
  9. [entryPoints.websecure.tls]
  10. [acme]
  11. email = "[email protected]"
  12. storage = "acme.json"
  13. entryPoint = "websecure"
  14. onHostRule = true
  15. [acme.tlsChallenge]

CLI

  1. --defaultentrypoints=websecure,web
  2. --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
  3. --entryPoints=Name:websecure Address::443 TLS
  4. [email protected]
  5. --acme.storage=acme.json
  6. --acme.entryPoint=websecure
  7. --acme.onHostRule=true
  8. --acme.tlschallenge=true

v2

File (YAML)

  1. entryPoints:
  2. web:
  3. address: ":80"
  4. websecure:
  5. address: ":443"
  6. http:
  7. tls:
  8. certResolver: myresolver
  9. certificatesResolvers:
  10. myresolver:
  11. acme:
  12. email: [email protected]
  13. storage: acme.json
  14. tlsChallenge: {}

File (TOML)

  1. # static configuration
  2. [entryPoints]
  3. [entryPoints.web]
  4. address = ":80"
  5. [entryPoints.websecure]
  6. address = ":443"
  7. [entryPoints.websecure.http.tls]
  8. certResolver = "myresolver"
  9. [certificatesResolvers.myresolver.acme]
  10. email = "[email protected]"
  11. storage = "acme.json"
  12. [certificatesResolvers.myresolver.acme.tlsChallenge]

CLI

  1. --entrypoints.web.address=:80
  2. --entrypoints.websecure.address=:443
  3. [email protected].com
  4. --certificatesresolvers.myresolver.acme.storage=acme.json
  5. --certificatesresolvers.myresolver.acme.tlschallenge=true

Traefik Logs

In the v2, all the log configuration remains in the static part but are unified under a log section. There is no more log configuration at the root level.

Simple log configuration

v1

File (TOML)

  1. # static configuration
  2. logLevel = "DEBUG"
  3. [traefikLog]
  4. filePath = "/path/to/traefik.log"
  5. format = "json"

CLI

  1. --logLevel=DEBUG
  2. --traefikLog.filePath=/path/to/traefik.log
  3. --traefikLog.format=json

v2

File (YAML)

  1. # static configuration
  2. log:
  3. level: DEBUG
  4. filePath: /path/to/log-file.log
  5. format: json

File (TOML)

  1. # static configuration
  2. [log]
  3. level = "DEBUG"
  4. filePath = "/path/to/log-file.log"
  5. format = "json"

CLI

  1. --log.level=DEBUG
  2. --log.filePath=/path/to/traefik.log
  3. --log.format=json

Access Logs

Access Logs are configured in the same way as before.

But all request headers are now filtered out by default in Traefik v2. So during migration, you might want to consider enabling some needed fields (see access log configuration).

Tracing

Traefik v2 retains OpenTracing support. The backend root option from the v1 is gone, you just have to set your tracing configuration.

Simple Jaeger tracing configuration

v1

File (TOML)

  1. # static configuration
  2. [tracing]
  3. backend = "jaeger"
  4. servicename = "tracing"
  5. [tracing.jaeger]
  6. samplingParam = 1.0
  7. samplingServerURL = "http://12.0.0.1:5778/sampling"
  8. samplingType = "const"
  9. localAgentHostPort = "12.0.0.1:6831"

CLI

  1. --tracing.backend=jaeger
  2. --tracing.servicename=tracing
  3. --tracing.jaeger.localagenthostport=12.0.0.1:6831
  4. --tracing.jaeger.samplingparam=1.0
  5. --tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
  6. --tracing.jaeger.samplingtype=const

v2

File (YAML)

  1. # static configuration
  2. tracing:
  3. servicename: tracing
  4. jaeger:
  5. samplingParam: 1
  6. samplingServerURL: 'http://12.0.0.1:5778/sampling'
  7. samplingType: const
  8. localAgentHostPort: '12.0.0.1:6831'

File (TOML)

  1. # static configuration
  2. [tracing]
  3. servicename = "tracing"
  4. [tracing.jaeger]
  5. samplingParam = 1.0
  6. samplingServerURL = "http://12.0.0.1:5778/sampling"
  7. samplingType = "const"
  8. localAgentHostPort = "12.0.0.1:6831"

CLI

  1. --tracing.servicename=tracing
  2. --tracing.jaeger.localagenthostport=12.0.0.1:6831
  3. --tracing.jaeger.samplingparam=1.0
  4. --tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
  5. --tracing.jaeger.samplingtype=const

Metrics

The v2 retains metrics tools and allows metrics to be configured for the entrypoints and/or services. For a basic configuration, the metrics configuration remains the same.

Simple Prometheus metrics configuration

v1

File (TOML)

  1. # static configuration
  2. [metrics.prometheus]
  3. buckets = [0.1,0.3,1.2,5.0]
  4. entryPoint = "traefik"

CLI

  1. --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
  2. --metrics.prometheus.entrypoint=traefik

v2

File (YAML)

  1. # static configuration
  2. metrics:
  3. prometheus:
  4. buckets:
  5. - 0.1
  6. - 0.3
  7. - 1.2
  8. - 5
  9. entryPoint: metrics

File (TOML)

  1. # static configuration
  2. [metrics.prometheus]
  3. buckets = [0.1,0.3,1.2,5.0]
  4. entryPoint = "metrics"

CLI

  1. --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
  2. --metrics.prometheus.entrypoint=metrics

No More Root Level Key/Values

To avoid any source of confusion, there are no more configuration at the root level. Each root item has been moved to a related section or removed.

From root to dedicated section

v1

File (TOML)

  1. # static configuration
  2. checkNewVersion = false
  3. sendAnonymousUsage = true
  4. logLevel = "DEBUG"
  5. insecureSkipVerify = true
  6. rootCAs = [ "/mycert.cert" ]
  7. maxIdleConnsPerHost = 200
  8. providersThrottleDuration = "2s"
  9. AllowMinWeightZero = true
  10. debug = true
  11. defaultEntryPoints = ["web", "websecure"]
  12. keepTrailingSlash = false

CLI

  1. --checknewversion=false
  2. --sendanonymoususage=true
  3. --loglevel=DEBUG
  4. --insecureskipverify=true
  5. --rootcas=/mycert.cert
  6. --maxidleconnsperhost=200
  7. --providersthrottleduration=2s
  8. --allowminweightzero=true
  9. --debug=true
  10. --defaultentrypoints=web,websecure
  11. --keeptrailingslash=true

v2

File (YAML)

  1. # static configuration
  2. global:
  3. checkNewVersion: true
  4. sendAnonymousUsage: true
  5. log:
  6. level: DEBUG
  7. serversTransport:
  8. insecureSkipVerify: true
  9. rootCAs:
  10. - /mycert.cert
  11. maxIdleConnsPerHost: 42
  12. providers:
  13. providersThrottleDuration: 42

File (TOML)

  1. # static configuration
  2. [global]
  3. checkNewVersion = true
  4. sendAnonymousUsage = true
  5. [log]
  6. level = "DEBUG"
  7. [serversTransport]
  8. insecureSkipVerify = true
  9. rootCAs = [ "/mycert.cert" ]
  10. maxIdleConnsPerHost = 42
  11. [providers]
  12. providersThrottleDuration = 42

CLI

  1. --global.checknewversion=true
  2. --global.sendanonymoususage=true
  3. --log.level=DEBUG
  4. --serverstransport.insecureskipverify=true
  5. --serverstransport.rootcas=/mycert.cert
  6. --serverstransport.maxidleconnsperhost=42
  7. --providers.providersthrottleduration=42

Dashboard

You need to activate the API to access the dashboard.

To activate the dashboard, you can either:

  • use the secure mode with the [[email protected]](https://doc.traefik.io/cdn-cgi/l/email-protection) service like in the following examples
  • or use the insecure mode

Activate and access the dashboard

v1

File (TOML)

  1. ## static configuration
  2. # traefik.toml
  3. [entryPoints.websecure]
  4. address = ":443"
  5. [entryPoints.websecure.tls]
  6. [entryPoints.websecure.auth]
  7. [entryPoints.websecure.auth.basic]
  8. users = [
  9. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  10. ]
  11. [api]
  12. entryPoint = "websecure"

CLI

  1. --entryPoints='Name:websecure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
  2. --api

v2

Docker

  1. # dynamic configuration
  2. labels:
  3. - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
  4. - "traefik.http.routers.api.entrypoints=websecure"
  5. - "[email protected]"
  6. - "traefik.http.routers.api.middlewares=myAuth"
  7. - "traefik.http.routers.api.tls"
  8. - "traefik.http.middlewares.myAuth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"

File (YAML)

  1. ## static configuration
  2. # traefik.yml
  3. entryPoints:
  4. websecure:
  5. address: ':443'
  6. api: {}
  7. providers:
  8. file:
  9. directory: /path/to/dynamic/config
  10. ##---------------------##
  11. ## dynamic configuration
  12. # /path/to/dynamic/config/dynamic-conf.yml
  13. http:
  14. routers:
  15. api:
  16. rule: Host(`traefik.docker.localhost`)
  17. entrypoints:
  18. - websecure
  19. service: [email protected]
  20. middlewares:
  21. - myAuth
  22. tls: {}
  23. middlewares:
  24. myAuth:
  25. basicAuth:
  26. users:
  27. - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'

File (TOML)

  1. ## static configuration
  2. # traefik.toml
  3. [entryPoints.websecure]
  4. address = ":443"
  5. [api]
  6. [providers.file]
  7. directory = "/path/to/dynamic/config"
  8. ##---------------------##
  9. ## dynamic configuration
  10. # /path/to/dynamic/config/dynamic-conf.toml
  11. [http.routers.api]
  12. rule = "Host(`traefik.docker.localhost`)"
  13. entrypoints = ["websecure"]
  14. service = "[email protected]"
  15. middlewares = ["myAuth"]
  16. [http.routers.api.tls]
  17. [http.middlewares.myAuth.basicAuth]
  18. users = [
  19. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  20. ]

Providers

Supported providers, for now:

  • Azure Service Fabric
  • Consul
  • Consul Catalog
  • Docker
  • DynamoDB
  • ECS
  • Etcd
  • Eureka
  • File
  • Kubernetes Ingress
  • Kubernetes IngressRoute
  • Marathon
  • Mesos
  • Rancher
  • Redis
  • Rest
  • Zookeeper

Some Tips You Should Know

  • Different sources of static configuration (file, CLI flags, …) cannot be mixed.
  • Now, configuration elements can be referenced between different providers by using the provider namespace notation: @<provider>. For instance, a router named myrouter in a File Provider can refer to a service named myservice defined in Docker Provider with the following notation: [[email protected]](https://doc.traefik.io/cdn-cgi/l/email-protection).
  • Middlewares are applied in the same order as their declaration in router.
  • If you have any questions feel free to join our community forum.