| accesslog |
Access log settings. |
false |
| accesslog.addinternals |
Enables access log for internal services (ping, dashboard, etc...). |
false |
| accesslog.bufferingsize |
Number of access log lines to process in a buffered way. |
0 |
| accesslog.fields.defaultmode |
Default mode for fields: keep |
drop |
|
Default mode for fields: keep |
drop |
|
Override mode for headers |
|
| accesslog.fields.names.name |
Override mode for fields |
|
| accesslog.filepath |
Access log file path. Stdout is used when omitted or empty. |
|
| accesslog.filters.minduration |
Keep access logs when request took longer than the specified duration. |
0 |
| accesslog.filters.retryattempts |
Keep access logs when at least one retry happened. |
false |
| accesslog.filters.statuscodes |
Keep access logs with status codes in the specified range. |
|
| accesslog.format |
Access log format: json, common, or genericCLF |
common |
| accesslog.otlp |
Settings for OpenTelemetry. |
false |
| accesslog.otlp.grpc |
gRPC configuration for the OpenTelemetry collector. |
false |
| accesslog.otlp.grpc.endpoint |
Sets the gRPC endpoint (host:port) of the collector. |
localhost:4317 |
|
Headers sent with payload. |
|
| accesslog.otlp.grpc.insecure |
Disables client transport security for the exporter. |
false |
| accesslog.otlp.grpc.tls.ca |
TLS CA |
|
| accesslog.otlp.grpc.tls.cert |
TLS cert |
|
| accesslog.otlp.grpc.tls.insecureskipverify |
TLS insecure skip verify |
false |
| accesslog.otlp.grpc.tls.key |
TLS key |
|
| accesslog.otlp.http |
HTTP configuration for the OpenTelemetry collector. |
false |
| accesslog.otlp.http.endpoint |
Sets the HTTP endpoint (scheme://host:port/path) of the collector. |
https://localhost:4318 |
|
Headers sent with payload. |
|
| accesslog.otlp.http.tls.ca |
TLS CA |
|
| accesslog.otlp.http.tls.cert |
TLS cert |
|
| accesslog.otlp.http.tls.insecureskipverify |
TLS insecure skip verify |
false |
| accesslog.otlp.http.tls.key |
TLS key |
|
| accesslog.otlp.resourceattributes.name |
Defines additional resource attributes (key:value). |
|
| accesslog.otlp.servicename |
Defines the service name resource attribute. |
traefik |
| api |
Enable api/dashboard. |
false |
| api.basepath |
Defines the base path where the API and Dashboard will be exposed. |
/ |
| api.dashboard |
Activate dashboard. |
true |
| api.debug |
Enable additional endpoints for debugging and profiling. |
false |
| api.disabledashboardad |
Disable ad in the dashboard. |
false |
| api.insecure |
Activate API directly on the entryPoint named traefik. |
false |
| certificatesresolvers.name |
Certificates resolvers configuration. |
false |
| certificatesresolvers.name.acme.cacertificates |
Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. |
|
| certificatesresolvers.name.acme.caserver |
CA server to use. |
https://acme-v02.api.letsencrypt.org/directory |
| certificatesresolvers.name.acme.caservername |
Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. |
|
| certificatesresolvers.name.acme.casystemcertpool |
Define if the certificates pool must use a copy of the system cert pool. |
false |
| certificatesresolvers.name.acme.certificatesduration |
Certificates' duration in hours. |
2160 |
|
Timeout for receiving the response headers when communicating with the ACME server. |
30 |
| certificatesresolvers.name.acme.clienttimeout |
Timeout for a complete HTTP transaction with the ACME server. |
120 |
| certificatesresolvers.name.acme.dnschallenge |
Activate DNS-01 Challenge. |
false |
| certificatesresolvers.name.acme.dnschallenge.delaybeforecheck |
(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. |
0 |
| certificatesresolvers.name.acme.dnschallenge.disablepropagationcheck |
(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] |
false |
| certificatesresolvers.name.acme.dnschallenge.propagation |
DNS propagation checks configuration |
false |
| certificatesresolvers.name.acme.dnschallenge.propagation.delaybeforechecks |
Defines the delay before checking the challenge TXT record propagation. |
0 |
| certificatesresolvers.name.acme.dnschallenge.propagation.disableanschecks |
Disables the challenge TXT record propagation checks against authoritative nameservers. |
false |
| certificatesresolvers.name.acme.dnschallenge.propagation.disablechecks |
Disables the challenge TXT record propagation checks (not recommended). |
false |
| certificatesresolvers.name.acme.dnschallenge.propagation.requireallrns |
Requires the challenge TXT record to be propagated to all recursive nameservers. |
false |
| certificatesresolvers.name.acme.dnschallenge.provider |
Use a DNS-01 based challenge provider rather than HTTPS. |
|
| certificatesresolvers.name.acme.dnschallenge.resolvers |
Use following DNS servers to resolve the FQDN authority. |
|
| certificatesresolvers.name.acme.eab.hmacencoded |
Base64 encoded HMAC key from External CA. |
|
| certificatesresolvers.name.acme.eab.kid |
Key identifier from External CA. |
|
| certificatesresolvers.name.acme.email |
Email address used for registration. |
|
| certificatesresolvers.name.acme.emailaddresses |
CSR email addresses to use. |
|
| certificatesresolvers.name.acme.httpchallenge |
Activate HTTP-01 Challenge. |
false |
| certificatesresolvers.name.acme.httpchallenge.delay |
Delay between the creation of the challenge and the validation. |
0 |
| certificatesresolvers.name.acme.httpchallenge.entrypoint |
HTTP challenge EntryPoint |
|
| certificatesresolvers.name.acme.keytype |
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. |
RSA4096 |
| certificatesresolvers.name.acme.preferredchain |
Preferred chain to use. |
|
| certificatesresolvers.name.acme.profile |
Certificate profile to use. |
|
| certificatesresolvers.name.acme.storage |
Storage to use. |
acme.json |
| certificatesresolvers.name.acme.tlschallenge |
Activate TLS-ALPN-01 Challenge. |
true |
| certificatesresolvers.name.tailscale |
Enables Tailscale certificate resolution. |
true |
| core.defaultrulesyntax |
Defines the rule parser default syntax (v2 or v3) |
v3 |
| entrypoints.name |
Entry points definition. |
false |
| entrypoints.name.address |
Entry point address. |
|
| entrypoints.name.allowacmebypass |
Enables handling of ACME TLS and HTTP challenges with custom routers. |
false |
| entrypoints.name.asdefault |
Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. |
false |
|
List of Connection headers that are allowed to pass through the middleware chain before being removed. |
|
|
Trust all forwarded headers. |
false |
|
Trust only forwarded headers from selected IPs. |
|
| entrypoints.name.http |
HTTP configuration. |
|
| entrypoints.name.http.encodequerysemicolons |
Defines whether request query semicolons should be URLEncoded. |
false |
|
Maximum size of request headers in bytes. |
1048576 |
| entrypoints.name.http.middlewares |
Default middlewares for the routers linked to the entry point. |
|
| entrypoints.name.http.redirections.entrypoint.permanent |
Applies a permanent redirection. |
true |
| entrypoints.name.http.redirections.entrypoint.priority |
Priority of the generated router. |
9223372036854775806 |
| entrypoints.name.http.redirections.entrypoint.scheme |
Scheme used for the redirection. |
https |
| entrypoints.name.http.redirections.entrypoint.to |
Targeted entry point of the redirection. |
|
| entrypoints.name.http.sanitizepath |
Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences). |
true |
| entrypoints.name.http.tls |
Default TLS configuration for the routers linked to the entry point. |
false |
| entrypoints.name.http.tls.certresolver |
Default certificate resolver for the routers linked to the entry point. |
|
| entrypoints.name.http.tls.domains |
Default TLS domains for the routers linked to the entry point. |
|
| entrypoints.name.http.tls.domains[0].main |
Default subject name. |
|
| entrypoints.name.http.tls.domains[0].sans |
Subject alternative names. |
|
| entrypoints.name.http.tls.options |
Default TLS options for the routers linked to the entry point. |
|
| entrypoints.name.http2.maxconcurrentstreams |
Specifies the number of concurrent streams per connection that each client is allowed to initiate. |
250 |
| entrypoints.name.http3 |
HTTP/3 configuration. |
false |
| entrypoints.name.http3.advertisedport |
UDP port to advertise, on which HTTP/3 is available. |
0 |
| entrypoints.name.observability.accesslogs |
Enables access-logs for this entryPoint. |
true |
| entrypoints.name.observability.metrics |
Enables metrics for this entryPoint. |
true |
| entrypoints.name.observability.traceverbosity |
Defines the tracing verbosity level for this entryPoint. |
minimal |
| entrypoints.name.observability.tracing |
Enables tracing for this entryPoint. |
true |
| entrypoints.name.proxyprotocol |
Proxy-Protocol configuration. |
false |
| entrypoints.name.proxyprotocol.insecure |
Trust all. |
false |
| entrypoints.name.proxyprotocol.trustedips |
Trust only selected IPs. |
|
| entrypoints.name.reuseport |
Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. |
false |
| entrypoints.name.transport.keepalivemaxrequests |
Maximum number of requests before closing a keep-alive connection. |
0 |
| entrypoints.name.transport.keepalivemaxtime |
Maximum duration before closing a keep-alive connection. |
0 |
| entrypoints.name.transport.lifecycle.gracetimeout |
Duration to give active requests a chance to finish before Traefik stops. |
10 |
| entrypoints.name.transport.lifecycle.requestacceptgracetimeout |
Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. |
0 |
| entrypoints.name.transport.respondingtimeouts.idletimeout |
IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. |
180 |
| entrypoints.name.transport.respondingtimeouts.readtimeout |
ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. |
60 |
| entrypoints.name.transport.respondingtimeouts.writetimeout |
WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. |
0 |
| entrypoints.name.udp.timeout |
Timeout defines how long to wait on an idle session before releasing the related resources. |
3 |
| experimental.abortonpluginfailure |
Defines whether all plugins must be loaded successfully for Traefik to start. |
false |
| experimental.fastproxy |
Enables the FastProxy implementation. |
false |
| experimental.fastproxy.debug |
Enable debug mode for the FastProxy implementation. |
false |
| experimental.kubernetesgateway |
(Deprecated) Allow the Kubernetes gateway api provider usage. |
false |
| experimental.kubernetesingressnginx |
Allow the Kubernetes Ingress NGINX provider usage. |
false |
| experimental.localplugins.name |
Local plugins configuration. |
false |
| experimental.localplugins.name.modulename |
Plugin's module name. |
|
| experimental.localplugins.name.settings |
Plugin's settings (works only for wasm plugins). |
|
| experimental.localplugins.name.settings.envs |
Environment variables to forward to the wasm guest. |
|
| experimental.localplugins.name.settings.mounts |
Directory to mount to the wasm guest. |
|
| experimental.localplugins.name.settings.useunsafe |
Allow the plugin to use unsafe package. |
false |
| experimental.otlplogs |
Enables the OpenTelemetry logs integration. |
false |
| experimental.plugins.name.hash |
plugin's hash to validate' |
|
| experimental.plugins.name.modulename |
plugin's module name. |
|
| experimental.plugins.name.settings |
Plugin's settings (works only for wasm plugins). |
|
| experimental.plugins.name.settings.envs |
Environment variables to forward to the wasm guest. |
|
| experimental.plugins.name.settings.mounts |
Directory to mount to the wasm guest. |
|
| experimental.plugins.name.settings.useunsafe |
Allow the plugin to use unsafe package. |
false |
| experimental.plugins.name.version |
plugin's version. |
|
| global.checknewversion |
Periodically check if a new version has been released. |
true |
| global.sendanonymoususage |
Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. |
false |
| hostresolver |
Enable CNAME Flattening. |
false |
| hostresolver.cnameflattening |
A flag to enable/disable CNAME flattening |
false |
| hostresolver.resolvconfig |
resolv.conf used for DNS resolving |
/etc/resolv.conf |
| hostresolver.resolvdepth |
The maximal depth of DNS recursive resolving |
5 |
| log |
Traefik log settings. |
false |
| log.compress |
Determines if the rotated log files should be compressed using gzip. |
false |
| log.filepath |
Traefik log file path. Stdout is used when omitted or empty. |
|
| log.format |
Traefik log format: json |
common |
| log.level |
Log level set to traefik logs. |
ERROR |
| log.maxage |
Maximum number of days to retain old log files based on the timestamp encoded in their filename. |
0 |
| log.maxbackups |
Maximum number of old log files to retain. |
0 |
| log.maxsize |
Maximum size in megabytes of the log file before it gets rotated. |
0 |
| log.nocolor |
When using the 'common' format, disables the colorized output. |
false |
| log.otlp |
Settings for OpenTelemetry. |
false |
| log.otlp.grpc |
gRPC configuration for the OpenTelemetry collector. |
false |
| log.otlp.grpc.endpoint |
Sets the gRPC endpoint (host:port) of the collector. |
localhost:4317 |
|
Headers sent with payload. |
|
| log.otlp.grpc.insecure |
Disables client transport security for the exporter. |
false |
| log.otlp.grpc.tls.ca |
TLS CA |
|
| log.otlp.grpc.tls.cert |
TLS cert |
|
| log.otlp.grpc.tls.insecureskipverify |
TLS insecure skip verify |
false |
| log.otlp.grpc.tls.key |
TLS key |
|
| log.otlp.http |
HTTP configuration for the OpenTelemetry collector. |
false |
| log.otlp.http.endpoint |
Sets the HTTP endpoint (scheme://host:port/path) of the collector. |
https://localhost:4318 |
|
Headers sent with payload. |
|
| log.otlp.http.tls.ca |
TLS CA |
|
| log.otlp.http.tls.cert |
TLS cert |
|
| log.otlp.http.tls.insecureskipverify |
TLS insecure skip verify |
false |
| log.otlp.http.tls.key |
TLS key |
|
| log.otlp.resourceattributes.name |
Defines additional resource attributes (key:value). |
|
| log.otlp.servicename |
Defines the service name resource attribute. |
traefik |
| metrics.addinternals |
Enables metrics for internal services (ping, dashboard, etc...). |
false |
| metrics.datadog |
Datadog metrics exporter type. |
false |
| metrics.datadog.addentrypointslabels |
Enable metrics on entry points. |
true |
| metrics.datadog.address |
Datadog's address. |
localhost:8125 |
| metrics.datadog.addrouterslabels |
Enable metrics on routers. |
false |
| metrics.datadog.addserviceslabels |
Enable metrics on services. |
true |
| metrics.datadog.prefix |
Prefix to use for metrics collection. |
traefik |
| metrics.datadog.pushinterval |
Datadog push interval. |
10 |
| metrics.influxdb2 |
InfluxDB v2 metrics exporter type. |
false |
| metrics.influxdb2.addentrypointslabels |
Enable metrics on entry points. |
true |
| metrics.influxdb2.additionallabels.name |
Additional labels (influxdb tags) on all metrics |
|
| metrics.influxdb2.address |
InfluxDB v2 address. |
http://localhost:8086 |
| metrics.influxdb2.addrouterslabels |
Enable metrics on routers. |
false |
| metrics.influxdb2.addserviceslabels |
Enable metrics on services. |
true |
| metrics.influxdb2.bucket |
InfluxDB v2 bucket ID. |
|
| metrics.influxdb2.org |
InfluxDB v2 org ID. |
|
| metrics.influxdb2.pushinterval |
InfluxDB v2 push interval. |
10 |
| metrics.influxdb2.token |
InfluxDB v2 access token. |
|
| metrics.otlp |
OpenTelemetry metrics exporter type. |
false |
| metrics.otlp.addentrypointslabels |
Enable metrics on entry points. |
true |
| metrics.otlp.addrouterslabels |
Enable metrics on routers. |
false |
| metrics.otlp.addserviceslabels |
Enable metrics on services. |
true |
| metrics.otlp.explicitboundaries |
Boundaries for latency metrics. |
0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000 |
| metrics.otlp.grpc |
gRPC configuration for the OpenTelemetry collector. |
false |
| metrics.otlp.grpc.endpoint |
Sets the gRPC endpoint (host:port) of the collector. |
localhost:4317 |
|
Headers sent with payload. |
|
| metrics.otlp.grpc.insecure |
Disables client transport security for the exporter. |
false |
| metrics.otlp.grpc.tls.ca |
TLS CA |
|
| metrics.otlp.grpc.tls.cert |
TLS cert |
|
| metrics.otlp.grpc.tls.insecureskipverify |
TLS insecure skip verify |
false |
| metrics.otlp.grpc.tls.key |
TLS key |
|
| metrics.otlp.http |
HTTP configuration for the OpenTelemetry collector. |
false |
| metrics.otlp.http.endpoint |
Sets the HTTP endpoint (scheme://host:port/path) of the collector. |
https://localhost:4318 |
|
Headers sent with payload. |
|
| metrics.otlp.http.tls.ca |
TLS CA |
|
| metrics.otlp.http.tls.cert |
TLS cert |
|
| metrics.otlp.http.tls.insecureskipverify |
TLS insecure skip verify |
false |
| metrics.otlp.http.tls.key |
TLS key |
|
| metrics.otlp.pushinterval |
Period between calls to collect a checkpoint. |
10 |
| metrics.otlp.resourceattributes.name |
Defines additional resource attributes (key:value). |
|
| metrics.otlp.servicename |
Defines the service name resource attribute. |
traefik |
| metrics.prometheus |
Prometheus metrics exporter type. |
false |
| metrics.prometheus.addentrypointslabels |
Enable metrics on entry points. |
true |
| metrics.prometheus.addrouterslabels |
Enable metrics on routers. |
false |
| metrics.prometheus.addserviceslabels |
Enable metrics on services. |
true |
| metrics.prometheus.buckets |
Buckets for latency metrics. |
0.100000, 0.300000, 1.200000, 5.000000 |
| metrics.prometheus.entrypoint |
EntryPoint |
traefik |
|
Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label. |
|
| metrics.prometheus.manualrouting |
Manual routing |
false |
| metrics.statsd |
StatsD metrics exporter type. |
false |
| metrics.statsd.addentrypointslabels |
Enable metrics on entry points. |
true |
| metrics.statsd.address |
StatsD address. |
localhost:8125 |
| metrics.statsd.addrouterslabels |
Enable metrics on routers. |
false |
| metrics.statsd.addserviceslabels |
Enable metrics on services. |
true |
| metrics.statsd.prefix |
Prefix to use for metrics collection. |
traefik |
| metrics.statsd.pushinterval |
StatsD push interval. |
10 |
| ocsp |
OCSP configuration. |
false |
| ocsp.responderoverrides.name |
Defines a map of OCSP responders to replace for querying OCSP servers. |
|
| ping |
Enable ping. |
false |
| ping.entrypoint |
EntryPoint |
traefik |
| ping.manualrouting |
Manual routing |
false |
| ping.terminatingstatuscode |
Terminating status code |
503 |
| providers.consul |
Enable Consul backend with default settings. |
false |
| providers.consul.endpoints |
KV store endpoints. |
127.0.0.1:8500 |
| providers.consul.namespaces |
Sets the namespaces used to discover the configuration (Consul Enterprise only). |
|
| providers.consul.rootkey |
Root key used for KV store. |
traefik |
| providers.consul.tls.ca |
TLS CA |
|
| providers.consul.tls.cert |
TLS cert |
|
| providers.consul.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.consul.tls.key |
TLS key |
|
| providers.consul.token |
Per-request ACL token. |
|
| providers.consulcatalog |
Enable ConsulCatalog backend with default settings. |
false |
| providers.consulcatalog.cache |
Use local agent caching for catalog reads. |
false |
| providers.consulcatalog.connectaware |
Enable Consul Connect support. |
false |
| providers.consulcatalog.connectbydefault |
Consider every service as Connect capable by default. |
false |
| providers.consulcatalog.constraints |
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. |
|
| providers.consulcatalog.defaultrule |
Default rule. |
Host({{ normalize .Name }}) |
| providers.consulcatalog.endpoint.address |
The address of the Consul server |
|
| providers.consulcatalog.endpoint.datacenter |
Data center to use. If not provided, the default agent data center is used |
|
| providers.consulcatalog.endpoint.endpointwaittime |
WaitTime limits how long a Watch will block. If not provided, the agent default values will be used |
0 |
| providers.consulcatalog.endpoint.httpauth.password |
Basic Auth password |
|
| providers.consulcatalog.endpoint.httpauth.username |
Basic Auth username |
|
| providers.consulcatalog.endpoint.scheme |
The URI scheme for the Consul server |
|
| providers.consulcatalog.endpoint.tls.ca |
TLS CA |
|
| providers.consulcatalog.endpoint.tls.cert |
TLS cert |
|
| providers.consulcatalog.endpoint.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.consulcatalog.endpoint.tls.key |
TLS key |
|
| providers.consulcatalog.endpoint.token |
Token is used to provide a per-request ACL token which overrides the agent's default token |
|
| providers.consulcatalog.exposedbydefault |
Expose containers by default. |
true |
| providers.consulcatalog.namespaces |
Sets the namespaces used to discover services (Consul Enterprise only). |
|
| providers.consulcatalog.prefix |
Prefix for consul service tags. |
traefik |
| providers.consulcatalog.refreshinterval |
Interval for check Consul API. |
15 |
| providers.consulcatalog.requireconsistent |
Forces the read to be fully consistent. |
false |
| providers.consulcatalog.servicename |
Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). |
traefik |
| providers.consulcatalog.stale |
Use stale consistency for catalog reads. |
false |
| providers.consulcatalog.strictchecks |
A list of service health statuses to allow taking traffic. |
passing, warning |
| providers.consulcatalog.watch |
Watch Consul API events. |
false |
| providers.docker |
Enable Docker backend with default settings. |
false |
| providers.docker.allowemptyservices |
Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. |
false |
| providers.docker.constraints |
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. |
|
| providers.docker.defaultrule |
Default rule. |
Host({{ normalize .Name }}) |
| providers.docker.endpoint |
Docker server endpoint. Can be a TCP or a Unix socket endpoint. |
unix:///var/run/docker.sock |
| providers.docker.exposedbydefault |
Expose containers by default. |
true |
| providers.docker.httpclienttimeout |
Client timeout for HTTP connections. |
0 |
| providers.docker.network |
Default Docker network used. |
|
| providers.docker.password |
Password for Basic HTTP authentication. |
|
| providers.docker.tls.ca |
TLS CA |
|
| providers.docker.tls.cert |
TLS cert |
|
| providers.docker.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.docker.tls.key |
TLS key |
|
| providers.docker.usebindportip |
Use the ip address from the bound port, rather than from the inner network. |
false |
| providers.docker.username |
Username for Basic HTTP authentication. |
|
| providers.docker.watch |
Watch Docker events. |
true |
| providers.ecs |
Enable AWS ECS backend with default settings. |
false |
| providers.ecs.accesskeyid |
AWS credentials access key ID to use for making requests. |
|
| providers.ecs.autodiscoverclusters |
Auto discover cluster. |
false |
| providers.ecs.clusters |
ECS Cluster names. |
default |
| providers.ecs.constraints |
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. |
|
| providers.ecs.defaultrule |
Default rule. |
Host({{ normalize .Name }}) |
| providers.ecs.ecsanywhere |
Enable ECS Anywhere support. |
false |
| providers.ecs.exposedbydefault |
Expose services by default. |
true |
| providers.ecs.healthytasksonly |
Determines whether to discover only healthy tasks. |
false |
| providers.ecs.refreshseconds |
Polling interval (in seconds). |
15 |
| providers.ecs.region |
AWS region to use for requests. |
|
| providers.ecs.secretaccesskey |
AWS credentials access key to use for making requests. |
|
| providers.etcd |
Enable Etcd backend with default settings. |
false |
| providers.etcd.endpoints |
KV store endpoints. |
127.0.0.1:2379 |
| providers.etcd.password |
Password for authentication. |
|
| providers.etcd.rootkey |
Root key used for KV store. |
traefik |
| providers.etcd.tls.ca |
TLS CA |
|
| providers.etcd.tls.cert |
TLS cert |
|
| providers.etcd.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.etcd.tls.key |
TLS key |
|
| providers.etcd.username |
Username for authentication. |
|
| providers.file.debugloggeneratedtemplate |
Enable debug logging of generated configuration template. |
false |
| providers.file.directory |
Load dynamic configuration from one or more .yml or .toml files in a directory. |
|
| providers.file.filename |
Load dynamic configuration from a file. |
|
| providers.file.watch |
Watch provider. |
true |
| providers.http |
Enable HTTP backend with default settings. |
false |
| providers.http.endpoint |
Load configuration from this endpoint. |
|
|
Define custom headers to be sent to the endpoint. |
|
| providers.http.pollinterval |
Polling interval for endpoint. |
5 |
| providers.http.polltimeout |
Polling timeout for endpoint. |
5 |
| providers.http.tls.ca |
TLS CA |
|
| providers.http.tls.cert |
TLS cert |
|
| providers.http.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.http.tls.key |
TLS key |
|
| providers.kubernetescrd |
Enable Kubernetes backend with default settings. |
false |
| providers.kubernetescrd.allowcrossnamespace |
Allow cross namespace resource reference. |
false |
| providers.kubernetescrd.allowemptyservices |
Allow the creation of services without endpoints. |
false |
| providers.kubernetescrd.allowexternalnameservices |
Allow ExternalName services. |
false |
| providers.kubernetescrd.certauthfilepath |
Kubernetes certificate authority file path (not needed for in-cluster client). |
|
| providers.kubernetescrd.disableclusterscoperesources |
Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). |
false |
| providers.kubernetescrd.endpoint |
Kubernetes server endpoint (required for external cluster client). |
|
| providers.kubernetescrd.ingressclass |
Value of kubernetes.io/ingress.class annotation to watch for. |
|
| providers.kubernetescrd.labelselector |
Kubernetes label selector to use. |
|
| providers.kubernetescrd.namespaces |
Kubernetes namespaces. |
|
| providers.kubernetescrd.nativelbbydefault |
Defines whether to use Native Kubernetes load-balancing mode by default. |
false |
| providers.kubernetescrd.throttleduration |
Ingress refresh throttle duration |
0 |
| providers.kubernetescrd.token |
Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. |
|
| providers.kubernetesgateway |
Enable Kubernetes gateway api provider with default settings. |
false |
| providers.kubernetesgateway.certauthfilepath |
Kubernetes certificate authority file path (not needed for in-cluster client). |
|
| providers.kubernetesgateway.endpoint |
Kubernetes server endpoint (required for external cluster client). |
|
| providers.kubernetesgateway.experimentalchannel |
Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). |
false |
| providers.kubernetesgateway.labelselector |
Kubernetes label selector to select specific GatewayClasses. |
|
| providers.kubernetesgateway.namespaces |
Kubernetes namespaces. |
|
| providers.kubernetesgateway.nativelbbydefault |
Defines whether to use Native Kubernetes load-balancing by default. |
false |
| providers.kubernetesgateway.statusaddress.hostname |
Hostname used for Kubernetes Gateway status address. |
|
| providers.kubernetesgateway.statusaddress.ip |
IP used to set Kubernetes Gateway status address. |
|
| providers.kubernetesgateway.statusaddress.service |
Published Kubernetes Service to copy status addresses from. |
|
| providers.kubernetesgateway.statusaddress.service.name |
Name of the Kubernetes service. |
|
| providers.kubernetesgateway.statusaddress.service.namespace |
Namespace of the Kubernetes service. |
|
| providers.kubernetesgateway.throttleduration |
Kubernetes refresh throttle duration |
0 |
| providers.kubernetesgateway.token |
Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. |
|
| providers.kubernetesingress |
Enable Kubernetes backend with default settings. |
false |
| providers.kubernetesingress.allowemptyservices |
Allow creation of services without endpoints. |
false |
| providers.kubernetesingress.allowexternalnameservices |
Allow ExternalName services. |
false |
| providers.kubernetesingress.certauthfilepath |
Kubernetes certificate authority file path (not needed for in-cluster client). |
|
| providers.kubernetesingress.disableclusterscoperesources |
Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). |
false |
| providers.kubernetesingress.disableingressclasslookup |
Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). |
false |
| providers.kubernetesingress.endpoint |
Kubernetes server endpoint (required for external cluster client). |
|
| providers.kubernetesingress.ingressclass |
Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for. |
|
| providers.kubernetesingress.ingressendpoint.hostname |
Hostname used for Kubernetes Ingress endpoints. |
|
| providers.kubernetesingress.ingressendpoint.ip |
IP used for Kubernetes Ingress endpoints. |
|
| providers.kubernetesingress.ingressendpoint.publishedservice |
Published Kubernetes Service to copy status from. |
|
| providers.kubernetesingress.labelselector |
Kubernetes Ingress label selector to use. |
|
| providers.kubernetesingress.namespaces |
Kubernetes namespaces. |
|
| providers.kubernetesingress.nativelbbydefault |
Defines whether to use Native Kubernetes load-balancing mode by default. |
false |
| providers.kubernetesingress.strictprefixmatching |
Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). |
false |
| providers.kubernetesingress.throttleduration |
Ingress refresh throttle duration |
0 |
| providers.kubernetesingress.token |
Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. |
|
| providers.kubernetesingressnginx |
Enable Kubernetes Ingress NGINX provider. |
false |
| providers.kubernetesingressnginx.certauthfilepath |
Kubernetes certificate authority file path (not needed for in-cluster client). |
|
| providers.kubernetesingressnginx.controllerclass |
Ingress Class Controller value this controller satisfies. |
k8s.io/ingress-nginx |
| providers.kubernetesingressnginx.defaultbackendservice |
Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. |
|
| providers.kubernetesingressnginx.disablesvcexternalname |
Disable support for Services of type ExternalName. |
false |
| providers.kubernetesingressnginx.endpoint |
Kubernetes server endpoint (required for external cluster client). |
|
| providers.kubernetesingressnginx.ingressclass |
Name of the ingress class this controller satisfies. |
nginx |
| providers.kubernetesingressnginx.ingressclassbyname |
Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. |
false |
| providers.kubernetesingressnginx.publishservice |
Service fronting the Ingress controller. Takes the form 'namespace/name'. |
|
| providers.kubernetesingressnginx.publishstatusaddress |
Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. |
|
| providers.kubernetesingressnginx.throttleduration |
Ingress refresh throttle duration. |
0 |
| providers.kubernetesingressnginx.token |
Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. |
|
| providers.kubernetesingressnginx.watchingresswithoutclass |
Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. |
false |
| providers.kubernetesingressnginx.watchnamespace |
Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. |
|
| providers.kubernetesingressnginx.watchnamespaceselector |
Selector selects namespaces the controller watches for updates to Kubernetes objects. |
|
| providers.nomad |
Enable Nomad backend with default settings. |
false |
| providers.nomad.allowemptyservices |
Allow the creation of services without endpoints. |
false |
| providers.nomad.constraints |
Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service. |
|
| providers.nomad.defaultrule |
Default rule. |
Host({{ normalize .Name }}) |
| providers.nomad.endpoint.address |
The address of the Nomad server, including scheme and port. |
http://127.0.0.1:4646 |
| providers.nomad.endpoint.endpointwaittime |
WaitTime limits how long a Watch will block. If not provided, the agent default values will be used |
0 |
| providers.nomad.endpoint.region |
Nomad region to use. If not provided, the local agent region is used. |
|
| providers.nomad.endpoint.tls.ca |
TLS CA |
|
| providers.nomad.endpoint.tls.cert |
TLS cert |
|
| providers.nomad.endpoint.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.nomad.endpoint.tls.key |
TLS key |
|
| providers.nomad.endpoint.token |
Token is used to provide a per-request ACL token. |
|
| providers.nomad.exposedbydefault |
Expose Nomad services by default. |
true |
| providers.nomad.namespaces |
Sets the Nomad namespaces used to discover services. |
|
| providers.nomad.prefix |
Prefix for nomad service tags. |
traefik |
| providers.nomad.refreshinterval |
Interval for polling Nomad API. |
15 |
| providers.nomad.stale |
Use stale consistency for catalog reads. |
false |
| providers.nomad.throttleduration |
Watch throttle duration. |
0 |
| providers.nomad.watch |
Watch Nomad Service events. |
false |
| providers.plugin.name |
Plugins configuration. |
|
| providers.providersthrottleduration |
Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. |
2 |
| providers.redis |
Enable Redis backend with default settings. |
false |
| providers.redis.db |
Database to be selected after connecting to the server. |
0 |
| providers.redis.endpoints |
KV store endpoints. |
127.0.0.1:6379 |
| providers.redis.password |
Password for authentication. |
|
| providers.redis.rootkey |
Root key used for KV store. |
traefik |
| providers.redis.sentinel.latencystrategy |
Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). |
false |
| providers.redis.sentinel.mastername |
Name of the master. |
|
| providers.redis.sentinel.password |
Password for Sentinel authentication. |
|
| providers.redis.sentinel.randomstrategy |
Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). |
false |
| providers.redis.sentinel.replicastrategy |
Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). |
false |
| providers.redis.sentinel.usedisconnectedreplicas |
Use replicas disconnected with master when cannot get connected replicas. |
false |
| providers.redis.sentinel.username |
Username for Sentinel authentication. |
|
| providers.redis.tls.ca |
TLS CA |
|
| providers.redis.tls.cert |
TLS cert |
|
| providers.redis.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.redis.tls.key |
TLS key |
|
| providers.redis.username |
Username for authentication. |
|
| providers.rest |
Enable Rest backend with default settings. |
false |
| providers.rest.insecure |
Activate REST Provider directly on the entryPoint named traefik. |
false |
| providers.swarm |
Enable Docker Swarm backend with default settings. |
false |
| providers.swarm.allowemptyservices |
Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. |
false |
| providers.swarm.constraints |
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. |
|
| providers.swarm.defaultrule |
Default rule. |
Host({{ normalize .Name }}) |
| providers.swarm.endpoint |
Docker server endpoint. Can be a TCP or a Unix socket endpoint. |
unix:///var/run/docker.sock |
| providers.swarm.exposedbydefault |
Expose containers by default. |
true |
| providers.swarm.httpclienttimeout |
Client timeout for HTTP connections. |
0 |
| providers.swarm.network |
Default Docker network used. |
|
| providers.swarm.password |
Password for Basic HTTP authentication. |
|
| providers.swarm.refreshseconds |
Polling interval for swarm mode. |
15 |
| providers.swarm.tls.ca |
TLS CA |
|
| providers.swarm.tls.cert |
TLS cert |
|
| providers.swarm.tls.insecureskipverify |
TLS insecure skip verify |
false |
| providers.swarm.tls.key |
TLS key |
|
| providers.swarm.usebindportip |
Use the ip address from the bound port, rather than from the inner network. |
false |
| providers.swarm.username |
Username for Basic HTTP authentication. |
|
| providers.swarm.watch |
Watch Docker events. |
true |
| providers.zookeeper |
Enable ZooKeeper backend with default settings. |
false |
| providers.zookeeper.endpoints |
KV store endpoints. |
127.0.0.1:2181 |
| providers.zookeeper.password |
Password for authentication. |
|
| providers.zookeeper.rootkey |
Root key used for KV store. |
traefik |
| providers.zookeeper.username |
Username for authentication. |
|
| serverstransport.forwardingtimeouts.dialtimeout |
The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. |
30 |
| serverstransport.forwardingtimeouts.idleconntimeout |
The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself |
90 |
|
The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
0 |
| serverstransport.insecureskipverify |
Disable SSL certificate verification. |
false |
| serverstransport.maxidleconnsperhost |
If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. If negative, disables connection reuse. |
200 |
| serverstransport.rootcas |
Add cert file for self-signed certificate. |
|
| serverstransport.spiffe |
Defines the SPIFFE configuration. |
false |
| serverstransport.spiffe.ids |
Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
|
| serverstransport.spiffe.trustdomain |
Defines the allowed SPIFFE trust domain. |
|
| spiffe.workloadapiaddr |
Defines the workload API address. |
|
| tcpserverstransport.dialkeepalive |
Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled |
15 |
| tcpserverstransport.dialtimeout |
Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. |
30 |
| tcpserverstransport.terminationdelay |
Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. |
0 |
| tcpserverstransport.tls |
Defines the TLS configuration. |
false |
| tcpserverstransport.tls.insecureskipverify |
Disables SSL certificate verification. |
false |
| tcpserverstransport.tls.rootcas |
Defines a list of CA secret used to validate self-signed certificate |
|
| tcpserverstransport.tls.spiffe |
Defines the SPIFFE TLS configuration. |
false |
| tcpserverstransport.tls.spiffe.ids |
Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
|
| tcpserverstransport.tls.spiffe.trustdomain |
Defines the allowed SPIFFE trust domain. |
|
| tracing |
Tracing configuration. |
false |
| tracing.addinternals |
Enables tracing for internal services (ping, dashboard, etc...). |
false |
|
Request headers to add as attributes for server and client spans. |
|
|
Response headers to add as attributes for server and client spans. |
|
| tracing.globalattributes.name |
(Deprecated) Defines additional resource attributes (key:value). |
|
| tracing.otlp |
Settings for OpenTelemetry. |
false |
| tracing.otlp.grpc |
gRPC configuration for the OpenTelemetry collector. |
false |
| tracing.otlp.grpc.endpoint |
Sets the gRPC endpoint (host:port) of the collector. |
localhost:4317 |
|
Headers sent with payload. |
|
| tracing.otlp.grpc.insecure |
Disables client transport security for the exporter. |
false |
| tracing.otlp.grpc.tls.ca |
TLS CA |
|
| tracing.otlp.grpc.tls.cert |
TLS cert |
|
| tracing.otlp.grpc.tls.insecureskipverify |
TLS insecure skip verify |
false |
| tracing.otlp.grpc.tls.key |
TLS key |
|
| tracing.otlp.http |
HTTP configuration for the OpenTelemetry collector. |
false |
| tracing.otlp.http.endpoint |
Sets the HTTP endpoint (scheme://host:port/path) of the collector. |
https://localhost:4318 |
|
Headers sent with payload. |
|
| tracing.otlp.http.tls.ca |
TLS CA |
|
| tracing.otlp.http.tls.cert |
TLS cert |
|
| tracing.otlp.http.tls.insecureskipverify |
TLS insecure skip verify |
false |
| tracing.otlp.http.tls.key |
TLS key |
|
| tracing.resourceattributes.name |
Defines additional resource attributes (key:value). |
|
| tracing.safequeryparams |
Query params to not redact. |
|
| tracing.samplerate |
Sets the rate between 0.0 and 1.0 of requests to trace. |
1.000000 |
| tracing.servicename |
Defines the service name resource attribute. |
traefik |