Traefik and Nomad Service Discovery¶
One of the best feature of Traefik is to delegate the routing configuration to the application level. With Nomad, Traefik can leverage tags attached to a service to generate routing rules.
Tags & sensitive data
We recommend to not use tags to store sensitive data (certificates, credentials, etc). Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
Configuration Examples¶
Configuring Nomad & Deploying / Exposing one Service
Enabling the nomad provider
providers:
nomad: {}[providers.nomad]--providers.nomad=trueAttaching tags to services (in your Nomad job file)
job "my-service" {
datacenters = ["dc1"]
group "web" {
task "app" {
driver = "docker"
service {
name = "my-service"
tags = [
"traefik.http.routers.my-service.rule=Host(`example.com`)",
]
}
}
}
}Specify a Custom Port for the Container
Forward requests for http://example.com to http://<private IP of container>:12345:
job "my-service" {
datacenters = ["dc1"]
group "web" {
task "app" {
driver = "docker"
service {
name = "my-service"
tags = [
"traefik.http.routers.my-service.rule=Host(`example.com`)",
"traefik.http.routers.my-service.service=my-service",
"traefik.http.services.my-service.loadbalancer.server.port=12345",
]
}
}
}
}Traefik Connecting to the Wrong Port: HTTP/502 Gateway Error
By default, Traefik uses the first exposed port of a container.
Setting the tag traefik.http.services.xxx.loadbalancer.server.port
overrides that behavior.
Specifying more than one router and service per container
Forwarding requests to more than one port on a container requires referencing the service loadbalancer port definition using the service parameter on the router.
In this example, requests are forwarded for http://example-a.com to http://<private IP of container>:8000 in addition to http://example-b.com forwarding to http://<private IP of container>:9000:
job "my-service" {
datacenters = ["dc1"]
group "web" {
task "app" {
driver = "docker"
service {
name = "my-service"
tags = [
"traefik.http.routers.www-router.rule=Host(`example-a.com`)",
"traefik.http.routers.www-router.service=www-service",
"traefik.http.services.www-service.loadbalancer.server.port=8000",
"traefik.http.routers.admin-router.rule=Host(`example-b.com`)",
"traefik.http.routers.admin-router.service=admin-service",
"traefik.http.services.admin-service.loadbalancer.server.port=9000",
]
}
}
}
}Configuration Options¶
Tags
Tags are case-insensitive.
TLS Default Generated Certificates
To learn how to configure Traefik default generated certificate, refer to the TLS Certificates page.
General¶
Traefik creates, for each Nomad service, a corresponding Traefik service and router.
The Traefik service automatically gets a server per instance in this Nomad service, and the router gets a default rule attached to it, based on the Nomad service name.
Routers¶
To update the configuration of the Router automatically attached to the service, add tags starting with traefik.routers.{name-of-your-choice}. and followed by the option you want to change.
For example, to change the rule, you could add the tag traefik.http.routers.my-service.rule=Host(`example.com`).
Configuration Options¶
| Label | Description | Value |
|---|---|---|
traefik.http.routers.<router_name>.rule |
See rule for more information. | Host(`example.com`) |
traefik.http.routers.<router_name>.ruleSyntax |
See ruleSyntax for more information. RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax. |
v3 |
traefik.http.routers.<router_name>.entrypoints |
See entry points for more information. | web,websecure |
traefik.http.routers.<router_name>.middlewares |
See middlewares overview for more information. | auth,prefix,cb |
traefik.http.routers.<router_name>.service |
See service for more information. | myservice |
traefik.http.routers.<router_name>.tls |
See tls for more information. | true |
traefik.http.routers.<router_name>.tls.certresolver |
See certResolver for more information. | myresolver |
traefik.http.routers.<router_name>.tls.domains[n].main |
See domains for more information. | example.org |
traefik.http.routers.<router_name>.tls.domains[n].sans |
See domains for more information. | test.example.org,dev.example.org |
traefik.http.routers.<router_name>.tls.options |
foobar |
|
traefik.http.routers.<router_name>.priority |
See priority for more information. | 42 |
traefik.http.routers.<router_name>.observability.accesslogs |
The accessLogs option controls whether the router will produce access-logs. | true |
traefik.http.routers.<router_name>.observability.metrics |
The metrics option controls whether the router will produce metrics. | true |
traefik.http.routers.<router_name>.observability.tracing |
The tracing option controls whether the router will produce traces. | true |
Services¶
To update the configuration of the Service automatically attached to the service,
add tags starting with traefik.http.services.{name-of-your-choice}., followed by the option you want to change.
For example, to change the passHostHeader behavior,
you'd add the tag traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false.
Configuration Options¶
Middleware¶
You can declare pieces of middleware using tags starting with traefik.http.middlewares.{name-of-your-choice}., followed by the middleware type/options.
For example, to declare a middleware redirectscheme named my-redirect, you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme: https.
More information about available middlewares in the dedicated middlewares section.
Declaring and Referencing a Middleware
# ...
# Declaring a middleware
traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
# Referencing a middleware
traefik.http.routers.my-service.middlewares=my-redirectConflicts in Declaration
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
TCP¶
You can declare TCP Routers and/or Services using tags.
Declaring TCP Routers and Services
traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)
traefik.tcp.routers.my-router.tls=true
traefik.tcp.services.my-service.loadbalancer.server.port=4123TCP and HTTP
If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). You can declare both a TCP Router/Service and an HTTP Router/Service for the same Nomad service (but you have to do so manually).
TCP Routers¶
Configuration Options¶
| Label | Description | Value |
|---|---|---|
traefik.tcp.routers.<router_name>.entrypoints |
See entry points for more information. | ep1,ep2 |
traefik.tcp.routers.<router_name>.rule |
See rule for more information. | HostSNI(`example.com`) |
traefik.tcp.routers.<router_name>.ruleSyntax |
configure the rule syntax to be used for parsing the rule on a per-router basis. RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax. |
v3 |
traefik.tcp.routers.<router_name>.priority |
See priority for more information. | 42 |
traefik.tcp.routers.<router_name>.service |
See service for more information. | myservice |
traefik.tcp.routers.<router_name>.tls |
See TLS for more information. | true |
traefik.tcp.routers.<router_name>.tls.certresolver |
See certResolver for more information. | myresolver |
traefik.tcp.routers.<router_name>.tls.domains[n].main |
See TLS for more information. | example.org |
traefik.tcp.routers.<router_name>.tls.domains[n].sans |
See TLS for more information. | test.example.org,dev.example.org |
traefik.tcp.routers.<router_name>.tls.options |
See TLS for more information. | myoptions |
traefik.tcp.routers.<router_name>.tls.passthrough |
See Passthrough for more information. | true |
TCP Services¶
Configuration Options¶
| Label | Description | Value |
|---|---|---|
traefik.tcp.services.<service_name>.loadbalancer.server.port |
Registers a port of the application. | 423 |
traefik.tcp.services.<service_name>.loadbalancer.server.tls |
Determines whether to use TLS when dialing with the backend. | true |
traefik.tcp.services.<service_name>.loadbalancer.serverstransport |
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information. |
foobar@file |
TCP Middleware¶
You can declare pieces of middleware using tags starting with traefik.tcp.middlewares.{name-of-your-choice}., followed by the middleware type/options.
For example, to declare a middleware InFlightConn named test-inflightconn, you'd write traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10.
More information about available middlewares in the dedicated middlewares section.
Declaring and Referencing a Middleware
# ...
# Declaring a middleware
traefik.tcp.middlewares.test-inflightconn.amount=10
# Referencing a middleware
traefik.tcp.routers.my-service.middlewares=test-inflightconnConflicts in Declaration
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
UDP¶
You can declare UDP Routers and/or Services using tags.
Declaring UDP Routers and Services
traefik.udp.routers.my-router.entrypoints=udp
traefik.udp.services.my-service.loadbalancer.server.port=4123UDP and HTTP
If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined). You can declare both a UDP Router/Service and an HTTP Router/Service for the same Nomad service (but you have to do so manually).
UDP Routers¶
Configuration Options¶
| Label | Description | Value |
|---|---|---|
traefik.udp.routers.<router_name>.entrypoints |
See entry points for more information. | ep1,ep2 |
traefik.udp.routers.<router_name>.service |
See service for more information. | myservice |
UDP Services¶
Configuration Options¶
| Label | Description | Value |
|---|---|---|
traefik.udp.services.<service_name>.loadbalancer.server.port |
Registers a port of the application. | 423 |
Specific Provider Options¶
| Label | Description | Value |
|---|---|---|
traefik.enable |
You can tell Traefik to consider (or not) the service by setting traefik.enable to true or false.This option overrides the value of exposedByDefault. |
true |
traefik.nomad.canary |
When Nomad orchestrator is a provider (of service registration) for Traefik, one might have the need to distinguish within Traefik between a Canary instance of a service, or a production one. For example if one does not want them to be part of the same load-balancer. Therefore, this option, which is meant to be provided as one of the values of the canary_tags field in the Nomad service stanza, allows Traefik to identify that the associated instance is a canary one. |
true |
Port Lookup¶
Traefik is capable of detecting the port to use, by following the default Nomad Service Discovery flow.
That means, if you just expose lets say port :1337 on the Nomad job, traefik will pick up this port and use it.