API¶
Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.
As with all features of Traefik, this handler can be enabled with the static configuration.
Security¶
Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data.
In production, it should be at least secured by authentication and authorizations.
Info
It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks (as in the principle of least privilege, applied to networks).
Configuration¶
If you enable the API, a new special service
named api@internal
is created and can then be referenced in a router.
To enable the API handler, use the following option on the static configuration:
# Static Configuration
api: {}
# Static Configuration
[api]
--api=true
And then define a routing configuration on Traefik itself with the dynamic configuration:
# Dynamic Configuration
labels:
- "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# Dynamic Configuration
deploy:
labels:
- "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# Dummy service for Swarm port detection. The port can be any valid integer value.
- "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
spec:
routes:
- match: Host(`traefik.example.com`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: auth
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: auth
spec:
basicAuth:
secret: secretName # Kubernetes secret named "secretName"
# Dynamic Configuration
- "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
# Dynamic Configuration
http:
routers:
api:
rule: Host(`traefik.example.com`)
service: api@internal
middlewares:
- auth
middlewares:
auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`)"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
The router's rule must catch requests for the URI path /api
Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API. However, you can also use "path prefix" rule or any combination or rules.
# Matches http://traefik.example.com, http://traefik.example.com/api
# or http://traefik.example.com/hello
rule = "Host(`traefik.example.com`)"
# Matches http://api.traefik.example.com/api or http://example.com/api
# but does not match http://api.traefik.example.com/hello
rule = "PathPrefix(`/api`)"
# Matches http://traefik.example.com/api or http://traefik.example.com/dashboard
# but does not match http://traefik.example.com/hello
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
insecure
¶
Enable the API in insecure
mode, which means that the API will be available directly on the entryPoint named traefik
, on path /api
.
Info
If the entryPoint named traefik
is not configured, it will be automatically created on port 8080.
api:
insecure: true
[api]
insecure = true
--api.insecure=true
dashboard
¶
Optional, Default=true
Enable the dashboard. More about the dashboard features here.
api:
dashboard: true
[api]
dashboard = true
--api.dashboard=true
With Dashboard enabled, the router rule must catch requests for both /api
and /dashboard
Please check the Dashboard documentation to learn more about this and to get examples.
debug
¶
Optional, Default=false
Enable additional endpoints for debugging and profiling, served under /debug/
.
api:
debug: true
[api]
debug = true
--api.debug=true
Endpoints¶
All the following endpoints must be accessed with a GET
HTTP request.
Pagination
By default, up to 100 results are returned per page, and the next page can be checked using the X-Next-Page
HTTP Header.
To control pagination, use the page
and per_page
query parameters.
curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
Path | Description |
---|---|
/api/http/routers |
Lists all the HTTP routers information. |
/api/http/routers/{name} |
Returns the information of the HTTP router specified by name . |
/api/http/services |
Lists all the HTTP services information. |
/api/http/services/{name} |
Returns the information of the HTTP service specified by name . |
/api/http/middlewares |
Lists all the HTTP middlewares information. |
/api/http/middlewares/{name} |
Returns the information of the HTTP middleware specified by name . |
/api/tcp/routers |
Lists all the TCP routers information. |
/api/tcp/routers/{name} |
Returns the information of the TCP router specified by name . |
/api/tcp/services |
Lists all the TCP services information. |
/api/tcp/services/{name} |
Returns the information of the TCP service specified by name . |
/api/tcp/middlewares |
Lists all the TCP middlewares information. |
/api/tcp/middlewares/{name} |
Returns the information of the TCP middleware specified by name . |
/api/udp/routers |
Lists all the UDP routers information. |
/api/udp/routers/{name} |
Returns the information of the UDP router specified by name . |
/api/udp/services |
Lists all the UDP services information. |
/api/udp/services/{name} |
Returns the information of the UDP service specified by name . |
/api/entrypoints |
Lists all the entry points information. |
/api/entrypoints/{name} |
Returns the information of the entry point specified by name . |
/api/overview |
Returns statistic information about http and tcp as well as enabled features and providers. |
/api/rawdata |
Returns information about dynamic configurations, errors, status and dependency relations. |
/api/version |
Returns information about Traefik version. |
/debug/vars |
See the expvar Go documentation. |
/debug/pprof/ |
See the pprof Index Go documentation. |
/debug/pprof/cmdline |
See the pprof Cmdline Go documentation. |
/debug/pprof/profile |
See the pprof Profile Go documentation. |
/debug/pprof/symbol |
See the pprof Symbol Go documentation. |
/debug/pprof/trace |
See the pprof Trace Go documentation. |
Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via this short video.