hub.token | Token to use for Hub platform API calls. | "" |
hub.apiManagement | Enable Hub API Management | |
hub.apiManagement.admission.listenAddr | WebHook admission server listen address | "0.0.0.0:9943" |
hub.apiManagement.admission.secretName | Certificate of the WebHook admission server. | "" |
hub.sendLogs | Enable export of errors logs to the platform. | true |
hub.rateLimit.redis.endpoints | Endpoints of the Redis instances to connect to | "" |
hub.rateLimit.redis.username | The username Traefik Hub will use to connect to Redis | "" |
hub.rateLimit.redis.password | The password Traefik Hub will use to connect to Redis | "" |
hub.rateLimit.redis.database | The database Traefik Hub will use to sore information | 0 |
hub.rateLimit.redis.cluster | Enable Redis Cluster | "" |
hub.rateLimit.redis.tls.caBundle | Custom CA bundle | "" |
hub.rateLimit.redis.tls.cert | TLS certificate | "" |
hub.rateLimit.redis.tls.key | TLS key | "" |
hub.rateLimit.redis.tls.insecureSkipVerify | Allow skipping the TLS verification | "" |
hub.rateLimit.redis.sentinel.masterSet | Name of the set of main nodes to use for main selection. Required when using Sentinel. | "" |
hub.rateLimit.redis.sentinel.username | Username to use for sentinel authentication (can be different from username ) | "" |
hub.rateLimit.redis.sentinel.password | Password to use for sentinel authentication (can be different from password ) | "" |
hub.platformURL | URL at which to reach the Hub platform API. | "" |
accesslog | Access log settings. | false |
accesslog.addinternals | Enables access log for internal services (ping, dashboard, etc...). | false |
accesslog.bufferingsize | Number of access log lines to process in a buffered way. | 0 |
accesslog.fields.defaultmode | Default mode for fields: keep | drop | keep |
accesslog.fields.headers.defaultmode | Default mode for fields: keep | drop | redact | drop |
accesslog.fields.headers.names.<name> | Override mode for headers | |
accesslog.fields.names.<name> | Override mode for fields | |
accesslog.filepath | Access log file path. Stdout is used when omitted or empty. | |
accesslog.filters.minduration | Keep access logs when request took longer than the specified duration. | 0 |
accesslog.filters.retryattempts | Keep access logs when at least one retry happened. | false |
accesslog.filters.statuscodes | Keep access logs with status codes in the specified range. | |
accesslog.format | Access log format: json | common | common |
api | Enable api/dashboard. | false |
api.dashboard | Activate dashboard. | true |
api.debug | Enable additional endpoints for debugging and profiling. | false |
api.disabledashboardad | Disable ad in the dashboard. | false |
api.insecure | Activate API directly on the entryPoint named traefik. | false |
certificatesresolvers.<name> | Certificates resolvers configuration. | false |
certificatesresolvers.<name>.acme.cacertificates | Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
certificatesresolvers.<name>.acme.caserver | CA server to use. | https://acme-v02.api.letsencrypt.org/directory |
certificatesresolvers.<name>.acme.caservername | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
certificatesresolvers.<name>.acme.casystemcertpool | Define if the certificates pool must use a copy of the system cert pool. | false |
certificatesresolvers.<name>.acme.certificatesduration | Certificates' duration in hours. | 2160 |
certificatesresolvers.<name>.acme.dnschallenge | Activate DNS-01 Challenge. | false |
certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck | Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. | 0 |
certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck | Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] | false |
certificatesresolvers.<name>.acme.dnschallenge.provider | Use a DNS-01 based challenge provider rather than HTTPS. | |
certificatesresolvers.<name>.acme.dnschallenge.resolvers | Use following DNS servers to resolve the FQDN authority. | |
certificatesresolvers.<name>.acme.eab.hmacencoded | Base64 encoded HMAC key from External CA. | |
certificatesresolvers.<name>.acme.eab.kid | Key identifier from External CA. | |
certificatesresolvers.<name>.acme.email | Email address used for registration. | |
certificatesresolvers.<name>.acme.httpchallenge | Activate HTTP-01 Challenge. | false |
certificatesresolvers.<name>.acme.httpchallenge.entrypoint | HTTP challenge EntryPoint | |
certificatesresolvers.<name>.acme.keytype | KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. | RSA4096 |
certificatesresolvers.<name>.acme.preferredchain | Preferred chain to use. | |
certificatesresolvers.<name>.acme.storage | Storage to use. | acme.json |
certificatesresolvers.<name>.acme.tlschallenge | Activate TLS-ALPN-01 Challenge. | true |
certificatesresolvers.<name>.tailscale | Enables Tailscale certificate resolution. | true |
core.defaultrulesyntax | Defines the rule parser default syntax (v2 or v3) | v3 |
entrypoints.<name> | Entry points definition. | false |
entrypoints.<name>.address | Entry point address. | |
entrypoints.<name>.allowacmebypass | Enables handling of ACME TLS and HTTP challenges with custom routers. | false |
entrypoints.<name>.asdefault | Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. | false |
entrypoints.<name>.forwardedheaders.connection | List of Connection headers that are allowed to pass through the middleware chain before being removed. | |
entrypoints.<name>.forwardedheaders.insecure | Trust all forwarded headers. | false |
entrypoints.<name>.forwardedheaders.trustedips | Trust only forwarded headers from selected IPs. | |
entrypoints.<name>.http | HTTP configuration. | |
entrypoints.<name>.http.encodequerysemicolons | Defines whether request query semicolons should be URLEncoded. | false |
entrypoints.<name>.http.maxheaderbytes | Maximum size of request headers in bytes. | 1048576 |
entrypoints.<name>.http.middlewares | Default middlewares for the routers linked to the entry point. | |
entrypoints.<name>.http.redirections.entrypoint.permanent | Applies a permanent redirection. | true |
entrypoints.<name>.http.redirections.entrypoint.priority | Priority of the generated router. | 9223372036854775806 |
entrypoints.<name>.http.redirections.entrypoint.scheme | Scheme used for the redirection. | https |
entrypoints.<name>.http.redirections.entrypoint.to | Targeted entry point of the redirection. | |
entrypoints.<name>.http.tls | Default TLS configuration for the routers linked to the entry point. | false |
entrypoints.<name>.http.tls.certresolver | Default certificate resolver for the routers linked to the entry point. | |
entrypoints.<name>.http.tls.domains | Default TLS domains for the routers linked to the entry point. | |
entrypoints.<name>.http.tls.domains[n].main | Default subject name. | |
entrypoints.<name>.http.tls.domains[n].sans | Subject alternative names. | |
entrypoints.<name>.http.tls.options | Default TLS options for the routers linked to the entry point. | |
entrypoints.<name>.http2.maxconcurrentstreams | Specifies the number of concurrent streams per connection that each client is allowed to initiate. | 250 |
entrypoints.<name>.http3 | HTTP/3 configuration. | false |
entrypoints.<name>.http3.advertisedport | UDP port to advertise, on which HTTP/3 is available. | 0 |
entrypoints.<name>.proxyprotocol | Proxy-Protocol configuration. | false |
entrypoints.<name>.proxyprotocol.insecure | Trust all. | false |
entrypoints.<name>.proxyprotocol.trustedips | Trust only selected IPs. | |
entrypoints.<name>.reuseport | Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. | false |
entrypoints.<name>.transport.keepalivemaxrequests | Maximum number of requests before closing a keep-alive connection. | 0 |
entrypoints.<name>.transport.keepalivemaxtime | Maximum duration before closing a keep-alive connection. | 0 |
entrypoints.<name>.transport.lifecycle.gracetimeout | Duration to give active requests a chance to finish before Traefik stops. | 10 |
entrypoints.<name>.transport.lifecycle.requestacceptgracetimeout | Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. | 0 |
entrypoints.<name>.transport.respondingtimeouts.idletimeout | IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. | 180 |
entrypoints.<name>.transport.respondingtimeouts.readtimeout | ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. | 60 |
entrypoints.<name>.transport.respondingtimeouts.writetimeout | WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. | 0 |
entrypoints.<name>.udp.timeout | Timeout defines how long to wait on an idle session before releasing the related resources. | 3 |
experimental.abortonpluginfailure | Defines whether all plugins must be loaded successfully for Traefik to start. | false |
experimental.fastproxy | Enable the FastProxy implementation. | false |
experimental.fastproxy.debug | Enable debug mode for the FastProxy implementation. | false |
experimental.kubernetesgateway | (Deprecated) Allow the Kubernetes gateway api provider usage. | false |
experimental.localplugins.<name> | Local plugins configuration. | false |
experimental.localplugins.<name>.modulename | Plugin's module name. | |
experimental.localplugins.<name>.settings | Plugin's settings (works only for wasm plugins). | |
experimental.localplugins.<name>.settings.envs | Environment variables to forward to the wasm guest. | |
experimental.localplugins.<name>.settings.mounts | Directory to mount to the wasm guest. | |
experimental.plugins.<name>.modulename | plugin's module name. | |
experimental.plugins.<name>.settings | Plugin's settings (works only for wasm plugins). | |
experimental.plugins.<name>.settings.envs | Environment variables to forward to the wasm guest. | |
experimental.plugins.<name>.settings.mounts | Directory to mount to the wasm guest. | |
experimental.plugins.<name>.version | plugin's version. | |
global.checknewversion | Periodically check if a new version has been released. | true |
global.sendanonymoususage | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
hostresolver | Enable CNAME Flattening. | false |
hostresolver.cnameflattening | A flag to enable/disable CNAME flattening | false |
hostresolver.resolvconfig | resolv.conf used for DNS resolving | /etc/resolv.conf |
hostresolver.resolvdepth | The maximal depth of DNS recursive resolving | 5 |
log | Traefik log settings. | false |
log.compress | Determines if the rotated log files should be compressed using gzip. | false |
log.filepath | Traefik log file path. Stdout is used when omitted or empty. | |
log.format | Traefik log format: json | common | common |
log.level | Log level set to traefik logs. | ERROR |
log.maxage | Maximum number of days to retain old log files based on the timestamp encoded in their filename. | 0 |
log.maxbackups | Maximum number of old log files to retain. | 0 |
log.maxsize | Maximum size in megabytes of the log file before it gets rotated. | 0 |
log.nocolor | When using the 'common' format, disables the colorized output. | false |
metrics.addinternals | Enables metrics for internal services (ping, dashboard, etc...). | false |
metrics.datadog | Datadog metrics exporter type. | false |
metrics.datadog.addentrypointslabels | Enable metrics on entry points. | true |
metrics.datadog.address | Datadog's address. | localhost:8125 |
metrics.datadog.addrouterslabels | Enable metrics on routers. | false |
metrics.datadog.addserviceslabels | Enable metrics on services. | true |
metrics.datadog.prefix | Prefix to use for metrics collection. | traefik |
metrics.datadog.pushinterval | Datadog push interval. | 10 |
metrics.influxdb2 | InfluxDB v2 metrics exporter type. | false |
metrics.influxdb2.addentrypointslabels | Enable metrics on entry points. | true |
metrics.influxdb2.additionallabels.<name> | Additional labels (influxdb tags) on all metrics | |
metrics.influxdb2.address | InfluxDB v2 address. | http://localhost:8086 |
metrics.influxdb2.addrouterslabels | Enable metrics on routers. | false |
metrics.influxdb2.addserviceslabels | Enable metrics on services. | true |
metrics.influxdb2.bucket | InfluxDB v2 bucket ID. | |
metrics.influxdb2.org | InfluxDB v2 org ID. | |
metrics.influxdb2.pushinterval | InfluxDB v2 push interval. | 10 |
metrics.influxdb2.token | InfluxDB v2 access token. | |
metrics.otlp | OpenTelemetry metrics exporter type. | false |
metrics.otlp.addentrypointslabels | Enable metrics on entry points. | true |
metrics.otlp.addrouterslabels | Enable metrics on routers. | false |
metrics.otlp.addserviceslabels | Enable metrics on services. | true |
metrics.otlp.explicitboundaries | Boundaries for latency metrics. | 0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000 |
metrics.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
metrics.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
metrics.otlp.grpc.headers.<name> | Headers sent with payload. | |
metrics.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
metrics.otlp.grpc.tls.ca | TLS CA | |
metrics.otlp.grpc.tls.cert | TLS cert | |
metrics.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
metrics.otlp.grpc.tls.key | TLS key | |
metrics.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
metrics.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
metrics.otlp.http.headers.<name> | Headers sent with payload. | |
metrics.otlp.http.tls.ca | TLS CA | |
metrics.otlp.http.tls.cert | TLS cert | |
metrics.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
metrics.otlp.http.tls.key | TLS key | |
metrics.otlp.pushinterval | Period between calls to collect a checkpoint. | 10 |
metrics.otlp.servicename | OTEL service name to use. | traefik |
metrics.prometheus | Prometheus metrics exporter type. | false |
metrics.prometheus.addentrypointslabels | Enable metrics on entry points. | true |
metrics.prometheus.addrouterslabels | Enable metrics on routers. | false |
metrics.prometheus.addserviceslabels | Enable metrics on services. | true |
metrics.prometheus.buckets | Buckets for latency metrics. | 0.100000, 0.300000, 1.200000, 5.000000 |
metrics.prometheus.entrypoint | EntryPoint | traefik |
metrics.prometheus.headerlabels.<name> | Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label. | |
metrics.prometheus.manualrouting | Manual routing | false |
metrics.statsd | StatsD metrics exporter type. | false |
metrics.statsd.addentrypointslabels | Enable metrics on entry points. | true |
metrics.statsd.address | StatsD address. | localhost:8125 |
metrics.statsd.addrouterslabels | Enable metrics on routers. | false |
metrics.statsd.addserviceslabels | Enable metrics on services. | true |
metrics.statsd.prefix | Prefix to use for metrics collection. | traefik |
metrics.statsd.pushinterval | StatsD push interval. | 10 |
ping | Enable ping. | false |
ping.entrypoint | EntryPoint | traefik |
ping.manualrouting | Manual routing | false |
ping.terminatingstatuscode | Terminating status code | 503 |
providers.consul | Enable Consul backend with default settings. | false |
providers.consul.endpoints | KV store endpoints. | 127.0.0.1:8500 |
providers.consul.namespaces | Sets the namespaces used to discover the configuration (Consul Enterprise only). | |
providers.consul.rootkey | Root key used for KV store. | traefik |
providers.consul.tls.ca | TLS CA | |
providers.consul.tls.cert | TLS cert | |
providers.consul.tls.insecureskipverify | TLS insecure skip verify | false |
providers.consul.tls.key | TLS key | |
providers.consul.token | Per-request ACL token. | |
providers.consulcatalog | Enable ConsulCatalog backend with default settings. | false |
providers.consulcatalog.cache | Use local agent caching for catalog reads. | false |
providers.consulcatalog.connectaware | Enable Consul Connect support. | false |
providers.consulcatalog.connectbydefault | Consider every service as Connect capable by default. | false |
providers.consulcatalog.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
providers.consulcatalog.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
providers.consulcatalog.endpoint.address | The address of the Consul server | |
providers.consulcatalog.endpoint.datacenter | Data center to use. If not provided, the default agent data center is used | |
providers.consulcatalog.endpoint.endpointwaittime | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
providers.consulcatalog.endpoint.httpauth.password | Basic Auth password | |
providers.consulcatalog.endpoint.httpauth.username | Basic Auth username | |
providers.consulcatalog.endpoint.scheme | The URI scheme for the Consul server | |
providers.consulcatalog.endpoint.tls.ca | TLS CA | |
providers.consulcatalog.endpoint.tls.cert | TLS cert | |
providers.consulcatalog.endpoint.tls.insecureskipverify | TLS insecure skip verify | false |
providers.consulcatalog.endpoint.tls.key | TLS key | |
providers.consulcatalog.endpoint.token | Token is used to provide a per-request ACL token which overrides the agent's default token | |
providers.consulcatalog.exposedbydefault | Expose containers by default. | true |
providers.consulcatalog.namespaces | Sets the namespaces used to discover services (Consul Enterprise only). | |
providers.consulcatalog.prefix | Prefix for consul service tags. | traefik |
providers.consulcatalog.refreshinterval | Interval for check Consul API. | 15 |
providers.consulcatalog.requireconsistent | Forces the read to be fully consistent. | false |
providers.consulcatalog.servicename | Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). | traefik |
providers.consulcatalog.stale | Use stale consistency for catalog reads. | false |
providers.consulcatalog.strictchecks | A list of service health statuses to allow taking traffic. | passing, warning |
providers.consulcatalog.watch | Watch Consul API events. | false |
providers.docker | Enable Docker backend with default settings. | false |
providers.docker.allowemptyservices | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
providers.docker.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
providers.docker.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
providers.docker.endpoint | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
providers.docker.exposedbydefault | Expose containers by default. | true |
providers.docker.httpclienttimeout | Client timeout for HTTP connections. | 0 |
providers.docker.network | Default Docker network used. | |
providers.docker.password | Password for Basic HTTP authentication. | |
providers.docker.tls.ca | TLS CA | |
providers.docker.tls.cert | TLS cert | |
providers.docker.tls.insecureskipverify | TLS insecure skip verify | false |
providers.docker.tls.key | TLS key | |
providers.docker.usebindportip | Use the ip address from the bound port, rather than from the inner network. | false |
providers.docker.username | Username for Basic HTTP authentication. | |
providers.docker.watch | Watch Docker events. | true |
providers.ecs | Enable AWS ECS backend with default settings. | false |
providers.ecs.accesskeyid | AWS credentials access key ID to use for making requests. | |
providers.ecs.autodiscoverclusters | Auto discover cluster. | false |
providers.ecs.clusters | ECS Cluster names. | default |
providers.ecs.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
providers.ecs.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
providers.ecs.ecsanywhere | Enable ECS Anywhere support. | false |
providers.ecs.exposedbydefault | Expose services by default. | true |
providers.ecs.healthytasksonly | Determines whether to discover only healthy tasks. | false |
providers.ecs.refreshseconds | Polling interval (in seconds). | 15 |
providers.ecs.region | AWS region to use for requests. | |
providers.ecs.secretaccesskey | AWS credentials access key to use for making requests. | |
providers.etcd | Enable Etcd backend with default settings. | false |
providers.etcd.endpoints | KV store endpoints. | 127.0.0.1:2379 |
providers.etcd.password | Password for authentication. | |
providers.etcd.rootkey | Root key used for KV store. | traefik |
providers.etcd.tls.ca | TLS CA | |
providers.etcd.tls.cert | TLS cert | |
providers.etcd.tls.insecureskipverify | TLS insecure skip verify | false |
providers.etcd.tls.key | TLS key | |
providers.etcd.username | Username for authentication. | |
providers.file.debugloggeneratedtemplate | Enable debug logging of generated configuration template. | false |
providers.file.directory | Load dynamic configuration from one or more .yml or .toml files in a directory. | |
providers.file.filename | Load dynamic configuration from a file. | |
providers.file.watch | Watch provider. | true |
providers.http | Enable HTTP backend with default settings. | false |
providers.http.endpoint | Load configuration from this endpoint. | |
providers.http.headers.<name> | Define custom headers to be sent to the endpoint. | |
providers.http.pollinterval | Polling interval for endpoint. | 5 |
providers.http.polltimeout | Polling timeout for endpoint. | 5 |
providers.http.tls.ca | TLS CA | |
providers.http.tls.cert | TLS cert | |
providers.http.tls.insecureskipverify | TLS insecure skip verify | false |
providers.http.tls.key | TLS key | |
providers.kubernetescrd | Enable Kubernetes backend with default settings. | false |
providers.kubernetescrd.allowcrossnamespace | Allow cross namespace resource reference. | false |
providers.kubernetescrd.allowemptyservices | Allow the creation of services without endpoints. | false |
providers.kubernetescrd.allowexternalnameservices | Allow ExternalName services. | false |
providers.kubernetescrd.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
providers.kubernetescrd.disableclusterscoperesources | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
providers.kubernetescrd.endpoint | Kubernetes server endpoint (required for external cluster client). | |
providers.kubernetescrd.ingressclass | Value of kubernetes.io/ingress.class annotation to watch for. | |
providers.kubernetescrd.labelselector | Kubernetes label selector to use. | |
providers.kubernetescrd.namespaces | Kubernetes namespaces. | |
providers.kubernetescrd.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
providers.kubernetescrd.throttleduration | Ingress refresh throttle duration | 0 |
providers.kubernetescrd.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
providers.kubernetesgateway | Enable Kubernetes gateway api provider with default settings. | false |
providers.kubernetesgateway.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
providers.kubernetesgateway.endpoint | Kubernetes server endpoint (required for external cluster client). | |
providers.kubernetesgateway.experimentalchannel | Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). | false |
providers.kubernetesgateway.labelselector | Kubernetes label selector to select specific GatewayClasses. | |
providers.kubernetesgateway.namespaces | Kubernetes namespaces. | |
providers.kubernetesgateway.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing by default. | false |
providers.kubernetesgateway.statusaddress.hostname | Hostname used for Kubernetes Gateway status address. | |
providers.kubernetesgateway.statusaddress.ip | IP used to set Kubernetes Gateway status address. | |
providers.kubernetesgateway.statusaddress.service | Published Kubernetes Service to copy status addresses from. | |
providers.kubernetesgateway.statusaddress.service.name | Name of the Kubernetes service. | |
providers.kubernetesgateway.statusaddress.service.namespace | Namespace of the Kubernetes service. | |
providers.kubernetesgateway.throttleduration | Kubernetes refresh throttle duration | 0 |
providers.kubernetesgateway.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
providers.kubernetesingress | Enable Kubernetes backend with default settings. | false |
providers.kubernetesingress.allowemptyservices | Allow creation of services without endpoints. | false |
providers.kubernetesingress.allowexternalnameservices | Allow ExternalName services. | false |
providers.kubernetesingress.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
providers.kubernetesingress.disableclusterscoperesources | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
providers.kubernetesingress.disableingressclasslookup | Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). | false |
providers.kubernetesingress.endpoint | Kubernetes server endpoint (required for external cluster client). | |
providers.kubernetesingress.ingressclass | Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for. | |
providers.kubernetesingress.ingressendpoint.hostname | Hostname used for Kubernetes Ingress endpoints. | |
providers.kubernetesingress.ingressendpoint.ip | IP used for Kubernetes Ingress endpoints. | |
providers.kubernetesingress.ingressendpoint.publishedservice | Published Kubernetes Service to copy status from. | |
providers.kubernetesingress.labelselector | Kubernetes Ingress label selector to use. | |
providers.kubernetesingress.namespaces | Kubernetes namespaces. | |
providers.kubernetesingress.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
providers.kubernetesingress.throttleduration | Ingress refresh throttle duration | 0 |
providers.kubernetesingress.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
providers.nomad | Enable Nomad backend with default settings. | false |
providers.nomad.allowemptyservices | Allow the creation of services without endpoints. | false |
providers.nomad.constraints | Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service. | |
providers.nomad.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
providers.nomad.endpoint.address | The address of the Nomad server, including scheme and port. | http://127.0.0.1:4646 |
providers.nomad.endpoint.endpointwaittime | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
providers.nomad.endpoint.region | Nomad region to use. If not provided, the local agent region is used. | |
providers.nomad.endpoint.tls.ca | TLS CA | |
providers.nomad.endpoint.tls.cert | TLS cert | |
providers.nomad.endpoint.tls.insecureskipverify | TLS insecure skip verify | false |
providers.nomad.endpoint.tls.key | TLS key | |
providers.nomad.endpoint.token | Token is used to provide a per-request ACL token. | |
providers.nomad.exposedbydefault | Expose Nomad services by default. | true |
providers.nomad.namespaces | Sets the Nomad namespaces used to discover services. | |
providers.nomad.prefix | Prefix for nomad service tags. | traefik |
providers.nomad.refreshinterval | Interval for polling Nomad API. | 15 |
providers.nomad.stale | Use stale consistency for catalog reads. | false |
providers.nomad.throttleduration | Watch throttle duration. | 0 |
providers.nomad.watch | Watch Nomad Service events. | false |
providers.plugin.<name> | Plugins configuration. | |
providers.providersthrottleduration | Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. | 2 |
providers.redis | Enable Redis backend with default settings. | false |
providers.redis.db | Database to be selected after connecting to the server. | 0 |
providers.redis.endpoints | KV store endpoints. | 127.0.0.1:6379 |
providers.redis.password | Password for authentication. | |
providers.redis.rootkey | Root key used for KV store. | traefik |
providers.redis.sentinel.latencystrategy | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false |
providers.redis.sentinel.mastername | Name of the master. | |
providers.redis.sentinel.password | Password for Sentinel authentication. | |
providers.redis.sentinel.randomstrategy | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false |
providers.redis.sentinel.replicastrategy | Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). | false |
providers.redis.sentinel.usedisconnectedreplicas | Use replicas disconnected with master when cannot get connected replicas. | false |
providers.redis.sentinel.username | Username for Sentinel authentication. | |
providers.redis.tls.ca | TLS CA | |
providers.redis.tls.cert | TLS cert | |
providers.redis.tls.insecureskipverify | TLS insecure skip verify | false |
providers.redis.tls.key | TLS key | |
providers.redis.username | Username for authentication. | |
providers.rest | Enable Rest backend with default settings. | false |
providers.rest.insecure | Activate REST Provider directly on the entryPoint named traefik. | false |
providers.swarm | Enable Docker Swarm backend with default settings. | false |
providers.swarm.allowemptyservices | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
providers.swarm.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
providers.swarm.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
providers.swarm.endpoint | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
providers.swarm.exposedbydefault | Expose containers by default. | true |
providers.swarm.httpclienttimeout | Client timeout for HTTP connections. | 0 |
providers.swarm.network | Default Docker network used. | |
providers.swarm.password | Password for Basic HTTP authentication. | |
providers.swarm.refreshseconds | Polling interval for swarm mode. | 15 |
providers.swarm.tls.ca | TLS CA | |
providers.swarm.tls.cert | TLS cert | |
providers.swarm.tls.insecureskipverify | TLS insecure skip verify | false |
providers.swarm.tls.key | TLS key | |
providers.swarm.usebindportip | Use the ip address from the bound port, rather than from the inner network. | false |
providers.swarm.username | Username for Basic HTTP authentication. | |
providers.swarm.watch | Watch Docker events. | true |
providers.zookeeper | Enable ZooKeeper backend with default settings. | false |
providers.zookeeper.endpoints | KV store endpoints. | 127.0.0.1:2181 |
providers.zookeeper.password | Password for authentication. | |
providers.zookeeper.rootkey | Root key used for KV store. | traefik |
providers.zookeeper.username | Username for authentication. | |
serverstransport.forwardingtimeouts.dialtimeout | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
serverstransport.forwardingtimeouts.idleconntimeout | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself | 90 |
serverstransport.forwardingtimeouts.responseheadertimeout | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. | 0 |
serverstransport.insecureskipverify | Disable SSL certificate verification. | false |
serverstransport.maxidleconnsperhost | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used | 200 |
serverstransport.rootcas | Add cert file for self-signed certificate. | |
serverstransport.spiffe | Defines the SPIFFE configuration. | false |
serverstransport.spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
serverstransport.spiffe.trustdomain | Defines the allowed SPIFFE trust domain. | |
spiffe.workloadapiaddr | Defines the workload API address. | |
tcpserverstransport.dialkeepalive | Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled | 15 |
tcpserverstransport.dialtimeout | Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
tcpserverstransport.terminationdelay | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 0 |
tcpserverstransport.tls | Defines the TLS configuration. | false |
tcpserverstransport.tls.insecureskipverify | Disables SSL certificate verification. | false |
tcpserverstransport.tls.rootcas | Defines a list of CA secret used to validate self-signed certificate | |
tcpserverstransport.tls.spiffe | Defines the SPIFFE TLS configuration. | false |
tcpserverstransport.tls.spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
tcpserverstransport.tls.spiffe.trustdomain | Defines the allowed SPIFFE trust domain. | |
tracing | OpenTracing configuration. | false |
tracing.addinternals | Enables tracing for internal services (ping, dashboard, etc...). | false |
tracing.capturedrequestheaders | Request headers to add as attributes for server and client spans. | |
tracing.capturedresponseheaders | Response headers to add as attributes for server and client spans. | |
tracing.globalattributes.<name> | Defines additional attributes (key:value) on all spans. | |
tracing.otlp | Settings for OpenTelemetry. | false |
tracing.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
tracing.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
tracing.otlp.grpc.headers.<name> | Headers sent with payload. | |
tracing.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
tracing.otlp.grpc.tls.ca | TLS CA | |
tracing.otlp.grpc.tls.cert | TLS cert | |
tracing.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
tracing.otlp.grpc.tls.key | TLS key | |
tracing.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
tracing.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
tracing.otlp.http.headers.<name> | Headers sent with payload. | |
tracing.otlp.http.tls.ca | TLS CA | |
tracing.otlp.http.tls.cert | TLS cert | |
tracing.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
tracing.otlp.http.tls.key | TLS key | |
tracing.safequeryparams | Query params to not redact. | |
tracing.samplerate | Sets the rate between 0.0 and 1.0 of requests to trace. | 1.000000 |
tracing.servicename | Set the name for this service. | traefik |