Skip to main content

Static Configuration Options

Configuration Options

FieldDescriptionDefault
hub.tokenToken to use for Hub platform API calls.""
hub.apiManagementEnable Hub API Management
hub.apiManagement.admission.listenAddrWebHook admission server listen address"0.0.0.0:9943"
hub.apiManagement.admission.secretNameCertificate of the WebHook admission server.""
hub.sendLogsEnable export of errors logs to the platform.true
hub.rateLimit.redis.endpoints Endpoints of the Redis instances to connect to""
hub.rateLimit.redis.username The username Traefik Hub will use to connect to Redis""
hub.rateLimit.redis.password The password Traefik Hub will use to connect to Redis""
hub.rateLimit.redis.database The database Traefik Hub will use to sore information0
hub.rateLimit.redis.cluster Enable Redis Cluster""
hub.rateLimit.redis.tls.caBundle Custom CA bundle""
hub.rateLimit.redis.tls.cert TLS certificate""
hub.rateLimit.redis.tls.key TLS key""
hub.rateLimit.redis.tls.insecureSkipVerify Allow skipping the TLS verification""
hub.rateLimit.redis.sentinel.masterSet Name of the set of main nodes to use for main selection. Required when using Sentinel.""
hub.rateLimit.redis.sentinel.username Username to use for sentinel authentication (can be different from username)""
hub.rateLimit.redis.sentinel.password Password to use for sentinel authentication (can be different from password)""
hub.platformURLURL at which to reach the Hub platform API.""
accesslogAccess log settings.false
accesslog.addinternalsEnables access log for internal services (ping, dashboard, etc...).false
accesslog.bufferingsizeNumber of access log lines to process in a buffered way.0
accesslog.fields.defaultmodeDefault mode for fields: keep | dropkeep
accesslog.fields.headers.defaultmodeDefault mode for fields: keep | drop | redactdrop
accesslog.fields.headers.names.<name>Override mode for headers
accesslog.fields.names.<name>Override mode for fields
accesslog.filepathAccess log file path. Stdout is used when omitted or empty.
accesslog.filters.mindurationKeep access logs when request took longer than the specified duration.0
accesslog.filters.retryattemptsKeep access logs when at least one retry happened.false
accesslog.filters.statuscodesKeep access logs with status codes in the specified range.
accesslog.formatAccess log format: json | commoncommon
apiEnable api/dashboard.false
api.basepathDefines the base path where the API and Dashboard will be exposed./
api.dashboardActivate dashboard.true
api.debugEnable additional endpoints for debugging and profiling.false
api.disabledashboardadDisable ad in the dashboard.false
api.insecureActivate API directly on the entryPoint named traefik.false
certificatesresolvers.<name>Certificates resolvers configuration.false
certificatesresolvers.<name>.acme.cacertificatesSpecify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
certificatesresolvers.<name>.acme.caserverCA server to use.https://acme-v02.api.letsencrypt.org/directory
certificatesresolvers.<name>.acme.caservernameSpecify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
certificatesresolvers.<name>.acme.casystemcertpoolDefine if the certificates pool must use a copy of the system cert pool.false
certificatesresolvers.<name>.acme.certificatesdurationCertificates' duration in hours.2160
certificatesresolvers.<name>.acme.dnschallengeActivate DNS-01 Challenge.false
certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers.0
certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended]false
certificatesresolvers.<name>.acme.dnschallenge.propagationDNS propagation checks configurationfalse
certificatesresolvers.<name>.acme.dnschallenge.propagation.delaybeforechecksDefines the delay before checking the challenge TXT record propagation.0
certificatesresolvers.<name>.acme.dnschallenge.propagation.disableanschecksDisables the challenge TXT record propagation checks against authoritative nameservers.false
certificatesresolvers.<name>.acme.dnschallenge.propagation.disablechecksDisables the challenge TXT record propagation checks (not recommended).false
certificatesresolvers.<name>.acme.dnschallenge.propagation.requireallrnsRequires the challenge TXT record to be propagated to all recursive nameservers.false
certificatesresolvers.<name>.acme.dnschallenge.providerUse a DNS-01 based challenge provider rather than HTTPS.
certificatesresolvers.<name>.acme.dnschallenge.resolversUse following DNS servers to resolve the FQDN authority.
certificatesresolvers.<name>.acme.eab.hmacencodedBase64 encoded HMAC key from External CA.
certificatesresolvers.<name>.acme.eab.kidKey identifier from External CA.
certificatesresolvers.<name>.acme.emailEmail address used for registration.
certificatesresolvers.<name>.acme.httpchallengeActivate HTTP-01 Challenge.false
certificatesresolvers.<name>.acme.httpchallenge.entrypointHTTP challenge EntryPoint
certificatesresolvers.<name>.acme.keytypeKeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.RSA4096
certificatesresolvers.<name>.acme.preferredchainPreferred chain to use.
certificatesresolvers.<name>.acme.storageStorage to use.acme.json
certificatesresolvers.<name>.acme.tlschallengeActivate TLS-ALPN-01 Challenge.true
certificatesresolvers.<name>.tailscaleEnables Tailscale certificate resolution.true
core.defaultrulesyntaxDefines the rule parser default syntax (v2 or v3)v3
entrypoints.<name>Entry points definition.false
entrypoints.<name>.addressEntry point address.
entrypoints.<name>.allowacmebypassEnables handling of ACME TLS and HTTP challenges with custom routers.false
entrypoints.<name>.asdefaultAdds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined.false
entrypoints.<name>.forwardedheaders.connectionList of Connection headers that are allowed to pass through the middleware chain before being removed.
entrypoints.<name>.forwardedheaders.insecureTrust all forwarded headers.false
entrypoints.<name>.forwardedheaders.trustedipsTrust only forwarded headers from selected IPs.
entrypoints.<name>.httpHTTP configuration.
entrypoints.<name>.http.encodequerysemicolonsDefines whether request query semicolons should be URLEncoded.false
entrypoints.<name>.http.maxheaderbytesMaximum size of request headers in bytes.1048576
entrypoints.<name>.http.middlewaresDefault middlewares for the routers linked to the entry point.
entrypoints.<name>.http.redirections.entrypoint.permanentApplies a permanent redirection.true
entrypoints.<name>.http.redirections.entrypoint.priorityPriority of the generated router.9223372036854775806
entrypoints.<name>.http.redirections.entrypoint.schemeScheme used for the redirection.https
entrypoints.<name>.http.redirections.entrypoint.toTargeted entry point of the redirection.
entrypoints.<name>.http.tlsDefault TLS configuration for the routers linked to the entry point.false
entrypoints.<name>.http.tls.certresolverDefault certificate resolver for the routers linked to the entry point.
entrypoints.<name>.http.tls.domainsDefault TLS domains for the routers linked to the entry point.
entrypoints.<name>.http.tls.domains[n].mainDefault subject name.
entrypoints.<name>.http.tls.domains[n].sansSubject alternative names.
entrypoints.<name>.http.tls.optionsDefault TLS options for the routers linked to the entry point.
entrypoints.<name>.http2.maxconcurrentstreamsSpecifies the number of concurrent streams per connection that each client is allowed to initiate.250
entrypoints.<name>.http3HTTP/3 configuration.false
entrypoints.<name>.http3.advertisedportUDP port to advertise, on which HTTP/3 is available.0
entrypoints.<name>.proxyprotocolProxy-Protocol configuration.false
entrypoints.<name>.proxyprotocol.insecureTrust all.false
entrypoints.<name>.proxyprotocol.trustedipsTrust only selected IPs.
entrypoints.<name>.reuseportEnables EntryPoints from the same or different processes listening on the same TCP/UDP port.false
entrypoints.<name>.transport.keepalivemaxrequestsMaximum number of requests before closing a keep-alive connection.0
entrypoints.<name>.transport.keepalivemaxtimeMaximum duration before closing a keep-alive connection.0
entrypoints.<name>.transport.lifecycle.gracetimeoutDuration to give active requests a chance to finish before Traefik stops.10
entrypoints.<name>.transport.lifecycle.requestacceptgracetimeoutDuration to keep accepting requests before Traefik initiates the graceful shutdown procedure.0
entrypoints.<name>.transport.respondingtimeouts.idletimeoutIdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set.180
entrypoints.<name>.transport.respondingtimeouts.readtimeoutReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set.60
entrypoints.<name>.transport.respondingtimeouts.writetimeoutWriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set.0
entrypoints.<name>.udp.timeoutTimeout defines how long to wait on an idle session before releasing the related resources.3
experimental.abortonpluginfailureDefines whether all plugins must be loaded successfully for Traefik to start.false
experimental.fastproxyEnable the FastProxy implementation.false
experimental.fastproxy.debugEnable debug mode for the FastProxy implementation.false
experimental.kubernetesgateway(Deprecated) Allow the Kubernetes gateway api provider usage.false
experimental.localplugins.<name>Local plugins configuration.false
experimental.localplugins.<name>.modulenamePlugin's module name.
experimental.localplugins.<name>.settingsPlugin's settings (works only for wasm plugins).
experimental.localplugins.<name>.settings.envsEnvironment variables to forward to the wasm guest.
experimental.localplugins.<name>.settings.mountsDirectory to mount to the wasm guest.
experimental.plugins.<name>.modulenameplugin's module name.
experimental.plugins.<name>.settingsPlugin's settings (works only for wasm plugins).
experimental.plugins.<name>.settings.envsEnvironment variables to forward to the wasm guest.
experimental.plugins.<name>.settings.mountsDirectory to mount to the wasm guest.
experimental.plugins.<name>.versionplugin's version.
global.checknewversionPeriodically check if a new version has been released.true
global.sendanonymoususagePeriodically send anonymous usage statistics. If the option is not specified, it will be disabled by default.false
hostresolverEnable CNAME Flattening.false
hostresolver.cnameflatteningA flag to enable/disable CNAME flatteningfalse
hostresolver.resolvconfigresolv.conf used for DNS resolving/etc/resolv.conf
hostresolver.resolvdepthThe maximal depth of DNS recursive resolving5
logTraefik log settings.false
log.compressDetermines if the rotated log files should be compressed using gzip.false
log.filepathTraefik log file path. Stdout is used when omitted or empty.
log.formatTraefik log format: json | commoncommon
log.levelLog level set to traefik logs.ERROR
log.maxageMaximum number of days to retain old log files based on the timestamp encoded in their filename.0
log.maxbackupsMaximum number of old log files to retain.0
log.maxsizeMaximum size in megabytes of the log file before it gets rotated.0
log.nocolorWhen using the 'common' format, disables the colorized output.false
metrics.addinternalsEnables metrics for internal services (ping, dashboard, etc...).false
metrics.datadogDatadog metrics exporter type.false
metrics.datadog.addentrypointslabelsEnable metrics on entry points.true
metrics.datadog.addressDatadog's address.localhost:8125
metrics.datadog.addrouterslabelsEnable metrics on routers.false
metrics.datadog.addserviceslabelsEnable metrics on services.true
metrics.datadog.prefixPrefix to use for metrics collection.traefik
metrics.datadog.pushintervalDatadog push interval.10
metrics.influxdb2InfluxDB v2 metrics exporter type.false
metrics.influxdb2.addentrypointslabelsEnable metrics on entry points.true
metrics.influxdb2.additionallabels.<name>Additional labels (influxdb tags) on all metrics
metrics.influxdb2.addressInfluxDB v2 address.http://localhost:8086
metrics.influxdb2.addrouterslabelsEnable metrics on routers.false
metrics.influxdb2.addserviceslabelsEnable metrics on services.true
metrics.influxdb2.bucketInfluxDB v2 bucket ID.
metrics.influxdb2.orgInfluxDB v2 org ID.
metrics.influxdb2.pushintervalInfluxDB v2 push interval.10
metrics.influxdb2.tokenInfluxDB v2 access token.
metrics.otlpOpenTelemetry metrics exporter type.false
metrics.otlp.addentrypointslabelsEnable metrics on entry points.true
metrics.otlp.addrouterslabelsEnable metrics on routers.false
metrics.otlp.addserviceslabelsEnable metrics on services.true
metrics.otlp.explicitboundariesBoundaries for latency metrics.0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000
metrics.otlp.grpcgRPC configuration for the OpenTelemetry collector.false
metrics.otlp.grpc.endpointSets the gRPC endpoint (host:port) of the collector.localhost:4317
metrics.otlp.grpc.headers.<name>Headers sent with payload.
metrics.otlp.grpc.insecureDisables client transport security for the exporter.false
metrics.otlp.grpc.tls.caTLS CA
metrics.otlp.grpc.tls.certTLS cert
metrics.otlp.grpc.tls.insecureskipverifyTLS insecure skip verifyfalse
metrics.otlp.grpc.tls.keyTLS key
metrics.otlp.httpHTTP configuration for the OpenTelemetry collector.false
metrics.otlp.http.endpointSets the HTTP endpoint (scheme://host:port/path) of the collector.https://localhost:4318
metrics.otlp.http.headers.<name>Headers sent with payload.
metrics.otlp.http.tls.caTLS CA
metrics.otlp.http.tls.certTLS cert
metrics.otlp.http.tls.insecureskipverifyTLS insecure skip verifyfalse
metrics.otlp.http.tls.keyTLS key
metrics.otlp.pushintervalPeriod between calls to collect a checkpoint.10
metrics.otlp.servicenameOTEL service name to use.traefik
metrics.prometheusPrometheus metrics exporter type.false
metrics.prometheus.addentrypointslabelsEnable metrics on entry points.true
metrics.prometheus.addrouterslabelsEnable metrics on routers.false
metrics.prometheus.addserviceslabelsEnable metrics on services.true
metrics.prometheus.bucketsBuckets for latency metrics.0.100000, 0.300000, 1.200000, 5.000000
metrics.prometheus.entrypointEntryPointtraefik
metrics.prometheus.headerlabels.<name>Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label.
metrics.prometheus.manualroutingManual routingfalse
metrics.statsdStatsD metrics exporter type.false
metrics.statsd.addentrypointslabelsEnable metrics on entry points.true
metrics.statsd.addressStatsD address.localhost:8125
metrics.statsd.addrouterslabelsEnable metrics on routers.false
metrics.statsd.addserviceslabelsEnable metrics on services.true
metrics.statsd.prefixPrefix to use for metrics collection.traefik
metrics.statsd.pushintervalStatsD push interval.10
pingEnable ping.false
ping.entrypointEntryPointtraefik
ping.manualroutingManual routingfalse
ping.terminatingstatuscodeTerminating status code503
providers.consulEnable Consul backend with default settings.false
providers.consul.endpointsKV store endpoints.127.0.0.1:8500
providers.consul.namespacesSets the namespaces used to discover the configuration (Consul Enterprise only).
providers.consul.rootkeyRoot key used for KV store.traefik
providers.consul.tls.caTLS CA
providers.consul.tls.certTLS cert
providers.consul.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.consul.tls.keyTLS key
providers.consul.tokenPer-request ACL token.
providers.consulcatalogEnable ConsulCatalog backend with default settings.false
providers.consulcatalog.cacheUse local agent caching for catalog reads.false
providers.consulcatalog.connectawareEnable Consul Connect support.false
providers.consulcatalog.connectbydefaultConsider every service as Connect capable by default.false
providers.consulcatalog.constraintsConstraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
providers.consulcatalog.defaultruleDefault rule.Host(`{{ normalize .Name }}`)
providers.consulcatalog.endpoint.addressThe address of the Consul server
providers.consulcatalog.endpoint.datacenterData center to use. If not provided, the default agent data center is used
providers.consulcatalog.endpoint.endpointwaittimeWaitTime limits how long a Watch will block. If not provided, the agent default values will be used0
providers.consulcatalog.endpoint.httpauth.passwordBasic Auth password
providers.consulcatalog.endpoint.httpauth.usernameBasic Auth username
providers.consulcatalog.endpoint.schemeThe URI scheme for the Consul server
providers.consulcatalog.endpoint.tls.caTLS CA
providers.consulcatalog.endpoint.tls.certTLS cert
providers.consulcatalog.endpoint.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.consulcatalog.endpoint.tls.keyTLS key
providers.consulcatalog.endpoint.tokenToken is used to provide a per-request ACL token which overrides the agent's default token
providers.consulcatalog.exposedbydefaultExpose containers by default.true
providers.consulcatalog.namespacesSets the namespaces used to discover services (Consul Enterprise only).
providers.consulcatalog.prefixPrefix for consul service tags.traefik
providers.consulcatalog.refreshintervalInterval for check Consul API.15
providers.consulcatalog.requireconsistentForces the read to be fully consistent.false
providers.consulcatalog.servicenameName of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually).traefik
providers.consulcatalog.staleUse stale consistency for catalog reads.false
providers.consulcatalog.strictchecksA list of service health statuses to allow taking traffic.passing, warning
providers.consulcatalog.watchWatch Consul API events.false
providers.dockerEnable Docker backend with default settings.false
providers.docker.allowemptyservicesDisregards the Docker containers health checks with respect to the creation or removal of the corresponding services.false
providers.docker.constraintsConstraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
providers.docker.defaultruleDefault rule.Host(`{{ normalize .Name }}`)
providers.docker.endpointDocker server endpoint. Can be a TCP or a Unix socket endpoint.unix:///var/run/docker.sock
providers.docker.exposedbydefaultExpose containers by default.true
providers.docker.httpclienttimeoutClient timeout for HTTP connections.0
providers.docker.networkDefault Docker network used.
providers.docker.passwordPassword for Basic HTTP authentication.
providers.docker.tls.caTLS CA
providers.docker.tls.certTLS cert
providers.docker.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.docker.tls.keyTLS key
providers.docker.usebindportipUse the ip address from the bound port, rather than from the inner network.false
providers.docker.usernameUsername for Basic HTTP authentication.
providers.docker.watchWatch Docker events.true
providers.ecsEnable AWS ECS backend with default settings.false
providers.ecs.accesskeyidAWS credentials access key ID to use for making requests.
providers.ecs.autodiscoverclustersAuto discover cluster.false
providers.ecs.clustersECS Cluster names.default
providers.ecs.constraintsConstraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
providers.ecs.defaultruleDefault rule.Host(`{{ normalize .Name }}`)
providers.ecs.ecsanywhereEnable ECS Anywhere support.false
providers.ecs.exposedbydefaultExpose services by default.true
providers.ecs.healthytasksonlyDetermines whether to discover only healthy tasks.false
providers.ecs.refreshsecondsPolling interval (in seconds).15
providers.ecs.regionAWS region to use for requests.
providers.ecs.secretaccesskeyAWS credentials access key to use for making requests.
providers.etcdEnable Etcd backend with default settings.false
providers.etcd.endpointsKV store endpoints.127.0.0.1:2379
providers.etcd.passwordPassword for authentication.
providers.etcd.rootkeyRoot key used for KV store.traefik
providers.etcd.tls.caTLS CA
providers.etcd.tls.certTLS cert
providers.etcd.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.etcd.tls.keyTLS key
providers.etcd.usernameUsername for authentication.
providers.file.debugloggeneratedtemplateEnable debug logging of generated configuration template.false
providers.file.directoryLoad dynamic configuration from one or more .yml or .toml files in a directory.
providers.file.filenameLoad dynamic configuration from a file.
providers.file.watchWatch provider.true
providers.httpEnable HTTP backend with default settings.false
providers.http.endpointLoad configuration from this endpoint.
providers.http.headers.<name>Define custom headers to be sent to the endpoint.
providers.http.pollintervalPolling interval for endpoint.5
providers.http.polltimeoutPolling timeout for endpoint.5
providers.http.tls.caTLS CA
providers.http.tls.certTLS cert
providers.http.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.http.tls.keyTLS key
providers.kubernetescrdEnable Kubernetes backend with default settings.false
providers.kubernetescrd.allowcrossnamespaceAllow cross namespace resource reference.false
providers.kubernetescrd.allowemptyservicesAllow the creation of services without endpoints.false
providers.kubernetescrd.allowexternalnameservicesAllow ExternalName services.false
providers.kubernetescrd.certauthfilepathKubernetes certificate authority file path (not needed for in-cluster client).
providers.kubernetescrd.disableclusterscoperesourcesDisables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services).false
providers.kubernetescrd.endpointKubernetes server endpoint (required for external cluster client).
providers.kubernetescrd.ingressclassValue of kubernetes.io/ingress.class annotation to watch for.
providers.kubernetescrd.labelselectorKubernetes label selector to use.
providers.kubernetescrd.namespacesKubernetes namespaces.
providers.kubernetescrd.nativelbbydefaultDefines whether to use Native Kubernetes load-balancing mode by default.false
providers.kubernetescrd.throttledurationIngress refresh throttle duration0
providers.kubernetescrd.tokenKubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
providers.kubernetesgatewayEnable Kubernetes gateway api provider with default settings.false
providers.kubernetesgateway.certauthfilepathKubernetes certificate authority file path (not needed for in-cluster client).
providers.kubernetesgateway.endpointKubernetes server endpoint (required for external cluster client).
providers.kubernetesgateway.experimentalchannelToggles Experimental Channel resources support (TCPRoute, TLSRoute...).false
providers.kubernetesgateway.labelselectorKubernetes label selector to select specific GatewayClasses.
providers.kubernetesgateway.namespacesKubernetes namespaces.
providers.kubernetesgateway.nativelbbydefaultDefines whether to use Native Kubernetes load-balancing by default.false
providers.kubernetesgateway.statusaddress.hostnameHostname used for Kubernetes Gateway status address.
providers.kubernetesgateway.statusaddress.ipIP used to set Kubernetes Gateway status address.
providers.kubernetesgateway.statusaddress.servicePublished Kubernetes Service to copy status addresses from.
providers.kubernetesgateway.statusaddress.service.nameName of the Kubernetes service.
providers.kubernetesgateway.statusaddress.service.namespaceNamespace of the Kubernetes service.
providers.kubernetesgateway.throttledurationKubernetes refresh throttle duration0
providers.kubernetesgateway.tokenKubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
providers.kubernetesingressEnable Kubernetes backend with default settings.false
providers.kubernetesingress.allowemptyservicesAllow creation of services without endpoints.false
providers.kubernetesingress.allowexternalnameservicesAllow ExternalName services.false
providers.kubernetesingress.certauthfilepathKubernetes certificate authority file path (not needed for in-cluster client).
providers.kubernetesingress.disableclusterscoperesourcesDisables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services).false
providers.kubernetesingress.disableingressclasslookupDisables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources).false
providers.kubernetesingress.endpointKubernetes server endpoint (required for external cluster client).
providers.kubernetesingress.ingressclassValue of kubernetes.io/ingress.class annotation or IngressClass name to watch for.
providers.kubernetesingress.ingressendpoint.hostnameHostname used for Kubernetes Ingress endpoints.
providers.kubernetesingress.ingressendpoint.ipIP used for Kubernetes Ingress endpoints.
providers.kubernetesingress.ingressendpoint.publishedservicePublished Kubernetes Service to copy status from.
providers.kubernetesingress.labelselectorKubernetes Ingress label selector to use.
providers.kubernetesingress.namespacesKubernetes namespaces.
providers.kubernetesingress.nativelbbydefaultDefines whether to use Native Kubernetes load-balancing mode by default.false
providers.kubernetesingress.throttledurationIngress refresh throttle duration0
providers.kubernetesingress.tokenKubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
providers.nomadEnable Nomad backend with default settings.false
providers.nomad.allowemptyservicesAllow the creation of services without endpoints.false
providers.nomad.constraintsConstraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service.
providers.nomad.defaultruleDefault rule.Host(`{{ normalize .Name }}`)
providers.nomad.endpoint.addressThe address of the Nomad server, including scheme and port.http://127.0.0.1:4646
providers.nomad.endpoint.endpointwaittimeWaitTime limits how long a Watch will block. If not provided, the agent default values will be used0
providers.nomad.endpoint.regionNomad region to use. If not provided, the local agent region is used.
providers.nomad.endpoint.tls.caTLS CA
providers.nomad.endpoint.tls.certTLS cert
providers.nomad.endpoint.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.nomad.endpoint.tls.keyTLS key
providers.nomad.endpoint.tokenToken is used to provide a per-request ACL token.
providers.nomad.exposedbydefaultExpose Nomad services by default.true
providers.nomad.namespacesSets the Nomad namespaces used to discover services.
providers.nomad.prefixPrefix for nomad service tags.traefik
providers.nomad.refreshintervalInterval for polling Nomad API.15
providers.nomad.staleUse stale consistency for catalog reads.false
providers.nomad.throttledurationWatch throttle duration.0
providers.nomad.watchWatch Nomad Service events.false
providers.plugin.<name>Plugins configuration.
providers.providersthrottledurationBackends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time.2
providers.redisEnable Redis backend with default settings.false
providers.redis.dbDatabase to be selected after connecting to the server.0
providers.redis.endpointsKV store endpoints.127.0.0.1:6379
providers.redis.passwordPassword for authentication.
providers.redis.rootkeyRoot key used for KV store.traefik
providers.redis.sentinel.latencystrategyDefines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy).false
providers.redis.sentinel.masternameName of the master.
providers.redis.sentinel.passwordPassword for Sentinel authentication.
providers.redis.sentinel.randomstrategyDefines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy).false
providers.redis.sentinel.replicastrategyDefines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy).false
providers.redis.sentinel.usedisconnectedreplicasUse replicas disconnected with master when cannot get connected replicas.false
providers.redis.sentinel.usernameUsername for Sentinel authentication.
providers.redis.tls.caTLS CA
providers.redis.tls.certTLS cert
providers.redis.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.redis.tls.keyTLS key
providers.redis.usernameUsername for authentication.
providers.restEnable Rest backend with default settings.false
providers.rest.insecureActivate REST Provider directly on the entryPoint named traefik.false
providers.swarmEnable Docker Swarm backend with default settings.false
providers.swarm.allowemptyservicesDisregards the Docker containers health checks with respect to the creation or removal of the corresponding services.false
providers.swarm.constraintsConstraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
providers.swarm.defaultruleDefault rule.Host(`{{ normalize .Name }}`)
providers.swarm.endpointDocker server endpoint. Can be a TCP or a Unix socket endpoint.unix:///var/run/docker.sock
providers.swarm.exposedbydefaultExpose containers by default.true
providers.swarm.httpclienttimeoutClient timeout for HTTP connections.0
providers.swarm.networkDefault Docker network used.
providers.swarm.passwordPassword for Basic HTTP authentication.
providers.swarm.refreshsecondsPolling interval for swarm mode.15
providers.swarm.tls.caTLS CA
providers.swarm.tls.certTLS cert
providers.swarm.tls.insecureskipverifyTLS insecure skip verifyfalse
providers.swarm.tls.keyTLS key
providers.swarm.usebindportipUse the ip address from the bound port, rather than from the inner network.false
providers.swarm.usernameUsername for Basic HTTP authentication.
providers.swarm.watchWatch Docker events.true
providers.zookeeperEnable ZooKeeper backend with default settings.false
providers.zookeeper.endpointsKV store endpoints.127.0.0.1:2181
providers.zookeeper.passwordPassword for authentication.
providers.zookeeper.rootkeyRoot key used for KV store.traefik
providers.zookeeper.usernameUsername for authentication.
serverstransport.forwardingtimeouts.dialtimeoutThe amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.30
serverstransport.forwardingtimeouts.idleconntimeoutThe maximum period for which an idle HTTP keep-alive connection will remain open before closing itself90
serverstransport.forwardingtimeouts.responseheadertimeoutThe amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists.0
serverstransport.insecureskipverifyDisable SSL certificate verification.false
serverstransport.maxidleconnsperhostIf non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used200
serverstransport.rootcasAdd cert file for self-signed certificate.
serverstransport.spiffeDefines the SPIFFE configuration.false
serverstransport.spiffe.idsDefines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
serverstransport.spiffe.trustdomainDefines the allowed SPIFFE trust domain.
spiffe.workloadapiaddrDefines the workload API address.
tcpserverstransport.dialkeepaliveDefines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled15
tcpserverstransport.dialtimeoutDefines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.30
tcpserverstransport.terminationdelayDefines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability.0
tcpserverstransport.tlsDefines the TLS configuration.false
tcpserverstransport.tls.insecureskipverifyDisables SSL certificate verification.false
tcpserverstransport.tls.rootcasDefines a list of CA secret used to validate self-signed certificate
tcpserverstransport.tls.spiffeDefines the SPIFFE TLS configuration.false
tcpserverstransport.tls.spiffe.idsDefines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
tcpserverstransport.tls.spiffe.trustdomainDefines the allowed SPIFFE trust domain.
tracingOpenTracing configuration.false
tracing.addinternalsEnables tracing for internal services (ping, dashboard, etc...).false
tracing.capturedrequestheadersRequest headers to add as attributes for server and client spans.
tracing.capturedresponseheadersResponse headers to add as attributes for server and client spans.
tracing.globalattributes.<name>Defines additional attributes (key:value) on all spans.
tracing.otlpSettings for OpenTelemetry.false
tracing.otlp.grpcgRPC configuration for the OpenTelemetry collector.false
tracing.otlp.grpc.endpointSets the gRPC endpoint (host:port) of the collector.localhost:4317
tracing.otlp.grpc.headers.<name>Headers sent with payload.
tracing.otlp.grpc.insecureDisables client transport security for the exporter.false
tracing.otlp.grpc.tls.caTLS CA
tracing.otlp.grpc.tls.certTLS cert
tracing.otlp.grpc.tls.insecureskipverifyTLS insecure skip verifyfalse
tracing.otlp.grpc.tls.keyTLS key
tracing.otlp.httpHTTP configuration for the OpenTelemetry collector.false
tracing.otlp.http.endpointSets the HTTP endpoint (scheme://host:port/path) of the collector.https://localhost:4318
tracing.otlp.http.headers.<name>Headers sent with payload.
tracing.otlp.http.tls.caTLS CA
tracing.otlp.http.tls.certTLS cert
tracing.otlp.http.tls.insecureskipverifyTLS insecure skip verifyfalse
tracing.otlp.http.tls.keyTLS key
tracing.safequeryparamsQuery params to not redact.
tracing.samplerateSets the rate between 0.0 and 1.0 of requests to trace.1.000000
tracing.servicenameSet the name for this service.traefik