Skip to content

Traefik and Nomad Service Discovery

A story of Tags, Services & Nomads

Nomad

Attach tags to your Nomad services and let Traefik do the rest!

One of the best feature of Traefik is to delegate the routing configuration to the application level. With Nomad, Traefik can leverage tags attached to a service to generate routing rules.

Tags & sensitive data

We recommend to not use tags to store sensitive data (certificates, credentials, etc). Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).

Routing Configuration

tags

General

Traefik creates, for each Nomad service, a corresponding Traefik service and router.

The Traefik service automatically gets a server per instance in this Nomad service, and the router gets a default rule attached to it, based on the Nomad service name.

Routers

To update the configuration of the Router automatically attached to the service, add tags starting with traefik.routers.{name-of-your-choice}. and followed by the option you want to change.

For example, to change the rule, you could add the tag traefik.http.routers.my-service.rule=Host(`example.com`).

traefik.http.routers.<router_name>.rule

See rule for more information.

traefik.http.routers.myrouter.rule=Host(`example.com`)
traefik.http.routers.<router_name>.entrypoints

See entry points for more information.

traefik.http.routers.myrouter.entrypoints=web,websecure
traefik.http.routers.<router_name>.middlewares

See middlewares and middlewares overview for more information.

traefik.http.routers.myrouter.middlewares=auth,prefix,cb
traefik.http.routers.<router_name>.service

See rule for more information.

traefik.http.routers.myrouter.service=myservice
traefik.http.routers.<router_name>.tls

See tls for more information.

traefik.http.routers.myrouter.tls=true
traefik.http.routers.<router_name>.tls.certresolver

See certResolver for more information.

traefik.http.routers.myrouter.tls.certresolver=myresolver
traefik.http.routers.<router_name>.tls.domains[n].main

See domains for more information.

traefik.http.routers.myrouter.tls.domains[0].main=example.org
traefik.http.routers.<router_name>.tls.domains[n].sans

See domains for more information.

traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org
traefik.http.routers.<router_name>.tls.options

See options for more information.

traefik.http.routers.myrouter.tls.options=foobar
traefik.http.routers.<router_name>.observability.accesslogs

See accesslogs option for more information.

traefik.http.routers.myrouter.observability.accesslogs=true
traefik.http.routers.<router_name>.observability.metrics

See metrics option for more information.

traefik.http.routers.myrouter.observability.metrics=true
traefik.http.routers.<router_name>.observability.tracing

See tracing option for more information.

traefik.http.routers.myrouter.observability.tracing=true
traefik.http.routers.<router_name>.priority

See priority for more information.

traefik.http.routers.myrouter.priority=42

Services

To update the configuration of the Service automatically attached to the service, add tags starting with traefik.http.services.{name-of-your-choice}., followed by the option you want to change.

For example, to change the passHostHeader behavior, you'd add the tag traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false.

traefik.http.services.<service_name>.loadbalancer.server.port

Registers a port. Useful when the service exposes multiples ports.

traefik.http.services.myservice.loadbalancer.server.port=8080
traefik.http.services.<service_name>.loadbalancer.server.scheme

Overrides the default scheme.

traefik.http.services.myservice.loadbalancer.server.scheme=http
traefik.http.services.<service_name>.loadbalancer.serverstransport

Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information.

traefik.http.services.myservice.loadbalancer.serverstransport=foobar@file
traefik.http.services.<service_name>.loadbalancer.passhostheader

See pass Host header for more information.

traefik.http.services.myservice.loadbalancer.passhostheader=true
traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar
traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org
traefik.http.services.<service_name>.loadbalancer.healthcheck.interval

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
traefik.http.services.<service_name>.loadbalancer.healthcheck.path

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
traefik.http.services.<service_name>.loadbalancer.healthcheck.status

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.status=42
traefik.http.services.<service_name>.loadbalancer.healthcheck.port

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.port=42
traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http
traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10
traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie.maxage=42
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path

See sticky sessions for more information.

traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar
traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval

See response forwarding for more information.

traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10

Middleware

You can declare pieces of middleware using tags starting with traefik.http.middlewares.{name-of-your-choice}., followed by the middleware type/options.

For example, to declare a middleware redirectscheme named my-redirect, you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme: https.

More information about available middlewares in the dedicated middlewares section.

Declaring and Referencing a Middleware
# ...
# Declaring a middleware
traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
# Referencing a middleware
traefik.http.routers.my-service.middlewares=my-redirect

Conflicts in Declaration

If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.

TCP

You can declare TCP Routers and/or Services using tags.

Declaring TCP Routers and Services
traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)
traefik.tcp.routers.my-router.tls=true
traefik.tcp.services.my-service.loadbalancer.server.port=4123

TCP and HTTP

If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). You can declare both a TCP Router/Service and an HTTP Router/Service for the same Nomad service (but you have to do so manually).

TCP Routers

traefik.tcp.routers.<router_name>.entrypoints

See entry points for more information.

traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2
traefik.tcp.routers.<router_name>.rule

See rule for more information.

traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
traefik.tcp.routers.<router_name>.service

See service for more information.

traefik.tcp.routers.mytcprouter.service=myservice
traefik.tcp.routers.<router_name>.tls

See TLS for more information.

traefik.tcp.routers.mytcprouter.tls=true
traefik.tcp.routers.<router_name>.tls.certresolver

See certResolver for more information.

traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver
traefik.tcp.routers.<router_name>.tls.domains[n].main

See domains for more information.

traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org
traefik.tcp.routers.<router_name>.tls.domains[n].sans

See domains for more information.

traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org
traefik.tcp.routers.<router_name>.tls.options

See options for more information.

traefik.tcp.routers.mytcprouter.tls.options=myoptions
traefik.tcp.routers.<router_name>.tls.passthrough

See TLS for more information.

traefik.tcp.routers.mytcprouter.tls.passthrough=true

TCP Services

traefik.tcp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
traefik.tcp.services.<service_name>.loadbalancer.server.tls

Determines whether to use TLS when dialing with the backend.

traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version

See PROXY protocol for more information.

traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
traefik.tcp.services.<service_name>.loadbalancer.serverstransport

Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information.

traefik.tcp.services.myservice.loadbalancer.serverstransport=foobar@file

UDP

You can declare UDP Routers and/or Services using tags.

Declaring UDP Routers and Services
traefik.udp.routers.my-router.entrypoints=udp
traefik.udp.services.my-service.loadbalancer.server.port=4123

UDP and HTTP

If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined). You can declare both a UDP Router/Service and an HTTP Router/Service for the same Nomad service (but you have to do so manually).

UDP Routers

traefik.udp.routers.<router_name>.entrypoints

See entry points for more information.

traefik.udp.routers.myudprouter.entrypoints=ep1,ep2
traefik.udp.routers.<router_name>.service

See service for more information.

traefik.udp.routers.myudprouter.service=myservice

UDP Services

traefik.udp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

traefik.udp.services.myudpservice.loadbalancer.server.port=423

Specific Provider Options

traefik.enable

traefik.enable=true

You can tell Traefik to consider (or not) the service by setting traefik.enable to true or false.

This option overrides the value of exposedByDefault.

traefik.nomad.canary

traefik.nomad.canary=true

When Nomad orchestrator is a provider (of service registration) for Traefik, one might have the need to distinguish within Traefik between a Canary instance of a service, or a production one. For example if one does not want them to be part of the same load-balancer.

Therefore, this option, which is meant to be provided as one of the values of the canary_tags field in the Nomad service stanza, allows Traefik to identify that the associated instance is a canary one.

Port Lookup

Traefik is capable of detecting the port to use, by following the default Nomad Service Discovery flow. That means, if you just expose lets say port :1337 on the Nomad job, traefik will pick up this port and use it.