24 KiB
| obj | website | repo |
|---|---|---|
| application | https://traefik.io | https://github.com/traefik/traefik |
traefik
Traefik is an open-source Edge Router (Reverse Proxy) that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.
Traefik is based on the concept of EntryPoints, Routers, Middlewares and Services.
- EntryPoints: EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
- Routers: A router is in charge of connecting incoming requests to the services that can handle them.
- Middlewares: Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
- Services: Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
Docker Compose
version: "3"
services:
traefik:
image: traefik:v2.10.4
ports:
- 80:80
- 443:443
- 28080:8080
volumes:
- ./conf:/etc/traefik
- ./logs:/var/log/traefik/
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
Configuration
Configuration is done via the file traefik.yaml.
Entrypoints
You need to define some entrypoints which accept incoming traffik.
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
Routers
A router is in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of middleware to update the request, or act before forwarding the request to the service.
Routers can handle HTTP, TCP and UDP traffik.
Example:
http:
routers:
my-router:
rule: "Path(`/foo`)"
service: service-foo
Entrypoints
If not specified, HTTP routers will accept requests from all defined entry points. If you want to limit the router scope to a set of entry points, set the entryPoints option.
Listen only to specific entrypoints:
http:
routers:
Router-1:
# won't listen to entry point web
entryPoints:
- "websecure"
- "other"
rule: "Host(`example.com`)"
service: "service-1"
Rules
Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.
http:
routers:
Router:
rule: "Host(`example.com`)"
The table below lists all the available matchers:
| Rule | Description |
|---|---|
| Headers(`key`, `value`) | Check if there is a key key defined in the headers, with the value value |
| HeadersRegexp(`key`, `regexp`) | Check if there is a key key defined in the headers, with a value that matches the regular expression regexp |
| Host(`example.com`, ...) | Check if the request domain (host header value) targets one of the given domains. |
| HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...) | Match the request domain |
| Method(`GET`, ...) | Check if the request method is one of the given methods (GET, POST, PUT, DELETE, PATCH, HEAD) |
| Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, ...) | Match exact request path |
PathPrefix(/products/, /articles/{cat:[a-z]+}/{id:[0-9]+}) |
Match request prefix path |
| Query(`foo=bar`, `bar=baz`) | Match Query String parameters. It accepts a sequence of key=value pairs. |
| ClientIP(`10.0.0.0/16`, `::1`) | Match if the request client IP is one of the given IP/CIDR. It accepts IPv4, IPv6 and CIDR formats. |
Middlewares
You can attach a list of middlewares to each HTTP router. The middlewares will take effect only if the rule matches, and before forwarding the request to the service.
http:
routers:
my-router:
rule: "Path(`/foo`)"
middlewares:
- authentication
service: service-foo
Service
Each request must eventually be handled by a service, which is why each router definition should include a service target, which is basically where the request will be passed along to.
In general, a service assigned to a router should have been defined, but there are exceptions for label-based providers.
TLS
When a TLS section is specified, it instructs Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore HTTP (non TLS) requests). Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services).
http:
routers:
Router-1:
rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
service: service-id
# will terminate the TLS request
tls: {}
certResolver
IfcertResolveris defined, Traefik will try to generate certificates based on routersHost&HostSNIrules.http: routers: routerfoo: rule: "Host(`snitest.com`) && Path(`/foo`)" tls: certResolver: foodomains
You can set SANs (alternative domains) for each main domain. Every domain must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request.http: routers: routerbar: rule: "Host(`snitest.com`) && Path(`/bar`)" tls: certResolver: "bar" domains: - main: "snitest.com" sans: - "*.snitest.com"
Services
The Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
Example:
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://<private-ip-server-1>:<private-port-server-1>/"
- url: "http://<private-ip-server-2>:<private-port-server-2>/"
tcp:
services:
my-service:
loadBalancer:
servers:
- address: "<private-ip-server-1>:<private-port-server-1>"
- address: "<private-ip-server-2>:<private-port-server-2>"
Load Balancing
Traefik can load balance across multiple servers with the loadBalancer.servers list.
http:
services:
my-service:
loadBalancer:
servers:
- url: "http://server1:8080"
- url: "http://server2:8080
Servers Transport
serversTransport allows to reference a ServersTransport configuration for the communication between Traefik and your servers.
http:
services:
Service01:
loadBalancer:
serversTransport: mytransport
Define a serverTransport configuration:
http:
serversTransports:
mytransport:
You can define root CAs used for verifying SSL between traefik and your servers:
http:
serversTransports:
mytransport:
rootCAs:
- foo.crt
- bar.crt
Or skip SSL verification:
http:
serversTransports:
mytransport:
insecureSkipVerify: true
TLS
Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection (and its underlying certificates).
Traefik requires you to define "Certificate Resolvers" in the static configuration, which are responsible for retrieving certificates from an ACME server.
certificatesResolvers:
myresolver:
# Enable ACME (Let's Encrypt): automatic SSL.
acme:
email: "test@example.com"
# File or key used for certificates storage.
storage: "acme.json"
# The certificates' duration in hours.
# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
#
# Optional
# Default: 2160
#
certificatesDuration: 2160
# Use a TLS-ALPN-01 ACME challenge.
#
# Optional (but recommended)
#
tlsChallenge:
# Use a HTTP-01 ACME challenge.
#
# Optional
#
httpChallenge:
# EntryPoint to use for the HTTP-01 challenges.
#
# Required
#
entryPoint: web
# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
# Note: mandatory for wildcard certificate generation.
#
# Optional
#
dnsChallenge:
# DNS provider used.
#
# Required
#
provider: digitalocean
# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
# Useful if internal networks block external DNS queries.
#
# Optional
# Default: 0
#
delayBeforeCheck: 0
# Use following DNS servers to resolve the FQDN authority.
#
# Optional
# Default: empty
#
resolvers
- "1.1.1.1:53"
- "8.8.8.8:53"
Middlewares
Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
http:
routers:
router1:
service: myService
middlewares:
- "foo-add-prefix"
rule: "Host(`example.com`)"
middlewares:
foo-add-prefix:
addPrefix:
prefix: "/foo"
services:
service1:
loadBalancer:
servers:
- url: "http://127.0.0.1:80"
HTTP Middlewares
Add Prefix
The AddPrefix middleware updates the path of a request before forwarding it. So http://domain/path would be http://domain/prefix/path if used.
http:
middlewares:
add-foo:
addPrefix:
prefix: "/prefix"
BasicAuth
The BasicAuth middleware grants access to services to authorized users only.
users
Theusersoption is an array of authorized users. Each user must be declared using the name:hashed-password format.http: middlewares: test-auth: basicAuth: users: - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"usersFile
TheusersFileoption is the path to an external file that contains the authorized users for the middleware.http: middlewares: test-auth: basicAuth: usersFile: "/path/to/my/usersfile"headerField
You can define a header field to store the authenticated user using theheaderFieldoption.http: middlewares: my-auth: basicAuth: # ... headerField: "X-WebAuth-User"removeHeader
Set theremoveHeaderoption totrueto remove the authorization header before forwarding the request to your service. (Default value isfalse.)
Compress
Compress Responses before Sending them to the Client. The Compress middleware uses gzip compression.
excludedContentTypesspecifies a list of content types to compare the Content-Type header of the incoming requests and responses before compressing. The responses with content types defined inexcludedContentTypesare not compressed.minResponseBodyBytesspecifies the minimum amount of bytes a response body must have to be compressed. The default value is 1024, which should be a reasonable value for most cases.
http:
middlewares:
test-compress:
compress:
excludedContentTypes:
- text/event-stream
minResponseBodyBytes: 1200
ContentType
The Content-Type middleware - or rather its autoDetect option - specifies whether to let the Content-Type header, if it has not been defined by the backend, be automatically set to a value derived from the contents of the response.
http:
middlewares:
autodetect:
contentType:
autoDetect: true
DigestAuth
Adding Digest Authentication. The configuration options are the same as BasicAuth middleware.
http:
middlewares:
test-auth:
digestAuth:
users:
- "test:traefik:a2688e031edb4be6a3797f3882655c05"
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
Errors
The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
http:
middlewares:
test-errors:
errors:
status:
- "500"
- "501"
- "503"
- "505-599"
service: serviceError
query: "/{status}.html"
status
The status option defines which status or range of statuses should result in an error page.
The status code ranges are inclusive (505-599will trigger with every code between505and599,505and599included).service
The service that will serve the new requested error page.query
The URL for the error page (hosted byservice).
There are multiple variables that can be placed in the query option to insert values in the URL.
The table below lists all the available variables and their associated values.
| Variable | Value |
|---|---|
{status} |
The response status code. |
{url} |
The escaped request URL. |
ForwardAuth
The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed. Otherwise, the response from the authentication server is returned.
http:
middlewares:
test-auth:
forwardAuth:
address: "https://example.com/auth"
Forward-Request Headers
The following request properties are provided to the forward-auth target endpoint as X-Forwarded- headers:
| Property | Forward-Request Header |
|---|---|
| HTTP Method | X-Forwarded-Method |
| Protocol | X-Forwarded-Proto |
| Host | X-Forwarded-Host |
| Request URI | X-Forwarded-Uri |
| Source IP-Address | X-Forwarded-For |
address:
Theaddressoption defines the authentication server address.http: middlewares: test-auth: forwardAuth: address: "https://example.com/auth"trustForwardHeader
Set thetrustForwardHeaderoption totrueto trust allX-Forwarded-*headers.http: middlewares: test-auth: forwardAuth: address: "https://example.com/auth" trustForwardHeader: trueauthResponseHeaders
TheauthResponseHeadersoption is the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.http: middlewares: test-auth: forwardAuth: address: "https://example.com/auth" authResponseHeaders: - "X-Auth-User" - "X-Secret"authResponseHeadersRegex
TheauthResponseHeadersRegexoption is the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.http: middlewares: test-auth: forwardAuth: address: "https://example.com/auth" authResponseHeadersRegex: "^X-"authRequestHeaders
TheauthRequestHeadersoption is the list of the headers to copy from the request to the authentication server. It allows filtering headers that should not be passed to the authentication server. If not set or empty then all request headers are passed.http: middlewares: test-auth: forwardAuth: address: "https://example.com/auth" authRequestHeaders: - "Accept" - "X-CustomHeader"tls
Defines the TLS configuration used for the secure connection to the authentication server.http: middlewares: test-auth: forwardAuth: address: "https://example.com/auth" tls: # CA used for SSL ca: "path/to/local.crt" # Skip SSL insecureSkipVerify: true
Headers
Managing Request/Response headers
http:
middlewares:
testHeader:
headers:
customRequestHeaders:
X-Script-Name: "test"
customResponseHeaders:
X-Custom-Response-Header: "value"
- Add/Remove Headers
http: middlewares: testHeader: headers: customRequestHeaders: X-Script-Name: "test" # Adds X-Custom-Request-Header: "" # Removes customResponseHeaders: X-Custom-Response-Header: "" # Removes - CORS Headers
http: middlewares: testHeader: headers: accessControlAllowMethods: - GET - OPTIONS - PUT accessControlAllowHeaders: "*" accessControlAllowOriginList: - https://foo.bar.org - https://example.org accessControlMaxAge: 100 addVaryHeader: true
IPWhiteList
Limiting Clients to Specific IPs
IPWhitelist accepts / refuses requests based on the client IP.
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
Ratelimit
The RateLimit middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
It is based on a token bucket implementation. In this analogy, the average parameter (defined below) is the rate at which the bucket refills, and the burst is the size (volume) of the bucket.
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
burst: 50
average
averageis the maximum rate, by default in requests per second, allowed from a given source.
It defaults to0, which means no rate limiting.
The rate is actually defined by dividingaveragebyperiod.period
period, in combination withaverage, defines the actual maximum rate.
It defaults to1second.burst
burstis the maximum number of requests allowed to go through in the same arbitrarily small period of time. It defaults to1.
You can exclude IPs from rate limiting:
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
RedirectScheme
The RedirectScheme middleware redirects the request if the request scheme is different from the configured scheme.
http:
middlewares:
test-redirectscheme:
redirectScheme:
scheme: https
permanent: true
RedirectRegex
The RedirectRegex redirects a request using regex matching and replacement.
http:
middlewares:
test-redirectregex:
redirectRegex:
regex: "^http://localhost/(.*)"
replacement: "http://mydomain/${1}"
ReplacePath
The ReplacePath middleware will:
- replace the actual path with the specified one.
- store the original path in a
X-Replaced-Pathheader.
http:
middlewares:
test-replacepath:
replacePath:
path: "/foo"
ReplacePathRegex
The ReplacePathRegex middleware will:
- replace the matching path with the specified one.
- store the original path in a
X-Replaced-Pathheader.
http:
middlewares:
test-replacepathregex:
replacePathRegex:
regex: "^/foo/(.*)"
replacement: "/bar/$1"
Retry
The Retry middleware reissues requests a given number of times to a backend server if that server does not reply. As soon as the server answers, the middleware stops retrying, regardless of the response status. The Retry middleware has an optional configuration to enable an exponential backoff.
http:
middlewares:
test-retry:
retry:
attempts: 4
initialInterval: 100ms
StripPrefix
Remove the specified prefixes from the URL path.
http:
middlewares:
test-stripprefix:
stripPrefix:
prefixes:
- "/foobar"
- "/fiibar"
StripPrefixRegex
Remove the matching prefixes from the URL path.
http:
middlewares:
test-stripprefixregex:
stripPrefixRegex:
regex:
- "/foo/[a-z0-9]+/[0-9]+/"
Access log
Access logs allow you to keep track of what request are made to your server.
To enable the access logs:
accessLog: {}
-
filePath:
By default access logs are written to the standard output. To write the logs into a log file, use thefilePathoption.accessLog: filePath: "/path/to/access.log" -
format:
By default, logs are written using the Common Log Format (CLF). To write logs in JSON, usejsonin theformatoption. If the given format is unsupported, the default (CLF) is used instead.Common Log Format
<remote_IP_address> - <client_user_name_if_available> [] "<request_method> <request_path> <request_protocol>" <HTTP_status> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>m
bufferingSize
To write the logs in an asynchronous fashion, specify abufferingSizeoption. This option represents the number of log lines Traefik will keep in memory before writing them to the selected output. In some cases, this option can greatly help performances.# Configuring a buffer of 100 lines accessLog: filePath: "/path/to/access.log" bufferingSize: 100
Filtering
To filter logs, you can specify a set of filters which are logically "OR-connected". Thus, specifying multiple filters will keep more access logs than specifying only one.
The available filters are:
statusCodes, to limit the access logs to requests with a status codes in the specified rangeretryAttempts, to keep the access logs when at least one retry has happenedminDuration, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format)
# Configuring Multiple Filters
accessLog:
filePath: "/path/to/access.log"
format: json
filters:
statusCodes:
- "200"
- "300-302"
retryAttempts: true
minDuration: "10ms"
Limiting the Fields/Including Headers
You can decide to limit the logged fields/headers to a given list with the fields.names and fields.headers options.
Each field can be set to:
keepto keep the valuedropto drop the valueredactto replace the value with "redacted"
The defaultMode for fields.names is keep.
The defaultMode for fields.headers is drop.
# Limiting the Logs to Specific Fields
accessLog:
filePath: "/path/to/access.log"
format: json
fields:
defaultMode: keep
names:
ClientUsername: drop
headers:
defaultMode: keep
names:
User-Agent: redact
Authorization: drop
Content-Type: keep