EntryPoints
Opening Connections for Incoming Requests
EntryPoints are the network entry points into Traefik.They define the port which will receive the requests (whether HTTP or TCP).
Configuration Examples
Port 80 only
[entryPoints]
[entryPoints.web]
address = ":80"
entryPoints:
web:
address: ":80"
--entryPoints.web.address=:80
We define an entrypoint
called web
that will listen on port 80
.Port 80 & 443
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web-secure]
address = ":443"
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
--entryPoints.web.address=:80
--entryPoints.web-secure.address=:443
- Two entrypoints are defined: one called
web
, and the other calledweb-secure
. web
listens on port80
, andweb-secure
on port443
.
Configuration
General
EntryPoints are part of the static configuration.You can define them using a toml file, CLI arguments, or a key-value store.
See the complete reference for the list of available options:
[entryPoints]
[entryPoints.EntryPoint0]
address = ":8888"
[entryPoints.EntryPoint0.transport]
[entryPoints.EntryPoint0.transport.lifeCycle]
requestAcceptGraceTimeout = 42
graceTimeOut = 42
[entryPoints.EntryPoint0.transport.respondingTimeouts]
readTimeout = 42
writeTimeout = 42
idleTimeout = 42
[entryPoints.EntryPoint0.proxyProtocol]
insecure = true
trustedIPs = ["foobar", "foobar"]
[entryPoints.EntryPoint0.forwardedHeaders]
insecure = true
trustedIPs = ["foobar", "foobar"]
entryPoints:
EntryPoint0:
address: ":8888"
transport:
lifeCycle:
requestAcceptGraceTimeout: 42
graceTimeOut: 42
respondingTimeouts:
readTimeout: 42
writeTimeout: 42
idleTimeout: 42
proxyProtocol:
insecure: true
trustedIPs:
- "foobar"
- "foobar"
forwardedHeaders:
insecure: true
trustedIPs:
- "foobar"
- "foobar"
--entryPoints.EntryPoint0.address=:8888
--entryPoints.EntryPoint0.transport.lifeCycle.requestAcceptGraceTimeout=42
--entryPoints.EntryPoint0.transport.lifeCycle.graceTimeOut=42
--entryPoints.EntryPoint0.transport.respondingTimeouts.readTimeout=42
--entryPoints.EntryPoint0.transport.respondingTimeouts.writeTimeout=42
--entryPoints.EntryPoint0.transport.respondingTimeouts.idleTimeout=42
--entryPoints.EntryPoint0.proxyProtocol.insecure=true
--entryPoints.EntryPoint0.proxyProtocol.trustedIPs=foobar,foobar
--entryPoints.EntryPoint0.forwardedHeaders.insecure=true
--entryPoints.EntryPoint0.forwardedHeaders.trustedIPs=foobar,foobar
ProxyProtocol
Traefik supports ProxyProtocol version 1 and 2.
If proxyprotocol header parsing is enabled for the entry point, this entry point can accept connections with or without proxyprotocol headers.
If the proxyprotocol header is passed, then the version is determined automatically.Enabling Proxy Protocol with Trusted IPs
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
entryPoints:
web:
address: ":80"
proxyProtocol:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
--entryPoints.web.address=:80
--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.1.7
IPs in trustedIPs
only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.Insecure Mode — Testing Environment OnlyIn a test environments, you can configure Traefik to trust every incoming connection.Doing so, every remote client address will be replaced (trustedIPs
won't have any effect)
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.proxyProtocol]
insecure = true
entryPoints:
web:
address: ":80"
proxyProtocol:
insecure: true
--entryPoints.web.address=:80
--entryPoints.web.proxyProtocol.insecure
Queuing Traefik behind Another Load Balancer
When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.Not doing so could introduce a security risk in your system (enabling request forgery).
Forwarded Header
You can configure Traefik to trust the forwarded headers information (X-Forwarded-*
)Trusting Forwarded Headers from specific IPs
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
entryPoints:
web:
address: ":80"
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
Insecure Mode — Always Trusting Forwarded Headers
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
insecure = true
entryPoints:
web:
address: ":80"
forwardedHeaders:
insecure: true
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.insecure