EntryPoints

Opening Connections for Incoming Requests

entryPoints

EntryPoints are the network entry points into Traefik.They define the port which will receive the requests (whether HTTP or TCP).

Configuration Examples

Port 80 only

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  1. entryPoints:
  2.   web:
  3.    address: ":80"
  1. --entryPoints.web.address=:80

We define an entrypoint called web that will listen on port 80.Port 80 & 443

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.   [entryPoints.web-secure]
  6.     address = ":443"
  1. entryPoints:
  2.   web:
  3.     address: ":80"
  5.   web-secure:
  6.     address: ":443"
  1. --entryPoints.web.address=:80
  2. --entryPoints.web-secure.address=:443
  • Two entrypoints are defined: one called web, and the other called web-secure.
  • web listens on port 80, and web-secure on port 443.

Configuration

General

EntryPoints are part of the static configuration.You can define them using a toml file, CLI arguments, or a key-value store.

See the complete reference for the list of available options:

  1. [entryPoints]
  3.   [entryPoints.EntryPoint0]
  4.     address = ":8888"
  5.     [entryPoints.EntryPoint0.transport]
  6.       [entryPoints.EntryPoint0.transport.lifeCycle]
  7.         requestAcceptGraceTimeout = 42
  8.         graceTimeOut = 42
  9.       [entryPoints.EntryPoint0.transport.respondingTimeouts]
  10.         readTimeout = 42
  11.         writeTimeout = 42
  12.         idleTimeout = 42
  13.     [entryPoints.EntryPoint0.proxyProtocol]
  14.       insecure = true
  15.       trustedIPs = ["foobar", "foobar"]
  16.     [entryPoints.EntryPoint0.forwardedHeaders]
  17.       insecure = true
  18.       trustedIPs = ["foobar", "foobar"]
  1. entryPoints:
  3.   EntryPoint0:
  4.     address: ":8888"
  5.     transport:
  6.       lifeCycle:
  7.         requestAcceptGraceTimeout: 42
  8.         graceTimeOut: 42
  9.       respondingTimeouts:
  10.         readTimeout: 42
  11.         writeTimeout: 42
  12.         idleTimeout: 42
  13.     proxyProtocol:
  14.       insecure: true
  15.       trustedIPs:
  16.       - "foobar"
  17.       - "foobar"
  18.     forwardedHeaders:
  19.       insecure: true
  20.       trustedIPs:
  21.       - "foobar"
  22.       - "foobar"
  1. --entryPoints.EntryPoint0.address=:8888
  2. --entryPoints.EntryPoint0.transport.lifeCycle.requestAcceptGraceTimeout=42
  3. --entryPoints.EntryPoint0.transport.lifeCycle.graceTimeOut=42
  4. --entryPoints.EntryPoint0.transport.respondingTimeouts.readTimeout=42
  5. --entryPoints.EntryPoint0.transport.respondingTimeouts.writeTimeout=42
  6. --entryPoints.EntryPoint0.transport.respondingTimeouts.idleTimeout=42
  7. --entryPoints.EntryPoint0.proxyProtocol.insecure=true
  8. --entryPoints.EntryPoint0.proxyProtocol.trustedIPs=foobar,foobar
  9. --entryPoints.EntryPoint0.forwardedHeaders.insecure=true
  10. --entryPoints.EntryPoint0.forwardedHeaders.trustedIPs=foobar,foobar

ProxyProtocol

Traefik supports ProxyProtocol version 1 and 2.

If proxyprotocol header parsing is enabled for the entry point, this entry point can accept connections with or without proxyprotocol headers.

If the proxyprotocol header is passed, then the version is determined automatically.Enabling Proxy Protocol with Trusted IPs

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.     [entryPoints.web.proxyProtocol]
  6.       trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
  1. entryPoints:
  2.   web:
  3.     address: ":80"
  4.     proxyProtocol:
  5.       trustedIPs:
  6.       - "127.0.0.1/32"
  7.       - "192.168.1.7"
  1. --entryPoints.web.address=:80
  2. --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.1.7

IPs in trustedIPs only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.Insecure Mode — Testing Environment OnlyIn a test environments, you can configure Traefik to trust every incoming connection.Doing so, every remote client address will be replaced (trustedIPs won't have any effect)

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.     [entryPoints.web.proxyProtocol]
  6.       insecure = true
  1. entryPoints:
  2.   web:
  3.     address: ":80"
  4.     proxyProtocol:
  5.       insecure: true
  1. --entryPoints.web.address=:80
  2. --entryPoints.web.proxyProtocol.insecure

Queuing Traefik behind Another Load Balancer

When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.Not doing so could introduce a security risk in your system (enabling request forgery).

Forwarded Header

You can configure Traefik to trust the forwarded headers information (X-Forwarded-*)Trusting Forwarded Headers from specific IPs

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.     [entryPoints.web.forwardedHeaders]
  6.       trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
  1. entryPoints:
  2.   web:
  3.     address: ":80"
  4.     forwardedHeaders:
  5.       trustedIPs:
  6.       - "127.0.0.1/32"
  7.       - "192.168.1.7"
  1. --entryPoints.web.address=:80
  2. --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7

Insecure Mode — Always Trusting Forwarded Headers

  1. [entryPoints]
  2.   [entryPoints.web]
  3.     address = ":80"
  5.     [entryPoints.web.forwardedHeaders]
  6.       insecure = true
  1. entryPoints:
  2.   web:
  3.     address: ":80"
  4.     forwardedHeaders:
  5.       insecure: true
  1. --entryPoints.web.address=:80
  2. --entryPoints.web.forwardedHeaders.insecure