Skip to content

Traefik & Rancher

A Story of Labels, Services & Containers

Rancher

Attach labels to your services and let Traefik do the rest!

One of the best feature of Traefik is to delegate the routing configuration to the application level. With Rancher, Traefik can leverage labels attached to a service to generate routing rules.

Labels & sensitive data

We recommend to not use labels to store sensitive data (certificates, credentials, etc). Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).

This provider is specific to Rancher 1.x.

Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query. As such, Rancher 2.x users should utilize the Kubernetes provider directly.

Routing Configuration

Labels

  • Labels are case-insensitive.
  • The complete list of labels can be found in the reference page.

General

Traefik creates, for each rancher service, a corresponding service and router.

The Service automatically gets a server per container in this rancher service, and the router gets a default rule attached to it, based on the service name.

Service definition

In general when configuring a Traefik provider, a service assigned to one (or several) router(s) must be defined as well for the routing to be functional.

There are, however, exceptions when using label-based configurations:

  1. If a label defines a router (e.g. through a router Rule) and a label defines a service (e.g. implicitly through a loadbalancer server port value), but the router does not specify any service, then that service is automatically assigned to the router.
  2. If a label defines a router (e.g. through a router Rule) but no service is defined, then a service is automatically created and assigned to the router.

As one would expect, in either of these cases, if in addition a service is specified for the router, then that service is the one assigned, regardless of whether it actually is defined or whatever else other services are defined.

Automatic service assignment with labels

With labels in a compose file

labels:
  - "traefik.http.routers.myproxy.rule=Host(`example.net`)"
  # service myservice gets automatically assigned to router myproxy
  - "traefik.http.services.myservice.loadbalancer.server.port=80"
Automatic service creation and assignment with labels

With labels in a compose file

labels:
  # no service specified or defined and yet one gets automatically created
  # and assigned to router myproxy.
  - "traefik.http.routers.myproxy.rule=Host(`example.net`)"

Routers

To update the configuration of the Router automatically attached to the container, add labels starting with traefik.routers.{name-of-your-choice}. and followed by the option you want to change.

For example, to change the rule, you could add the label traefik.http.routers.my-container.rule=Host(`example.com`).

The character @ is not authorized in the router name <router_name>.

traefik.http.routers.<router_name>.rule

See rule for more information.

- "traefik.http.routers.myrouter.rule=Host(`example.com`)"
traefik.http.routers.<router_name>.entrypoints

See entry points for more information.

- "traefik.http.routers.myrouter.entrypoints=ep1,ep2"
traefik.http.routers.<router_name>.middlewares

See middlewares and middlewares overview for more information.

- "traefik.http.routers.myrouter.middlewares=auth,prefix,cb"
traefik.http.routers.<router_name>.service

See rule for more information.

- "traefik.http.routers.myrouter.service=myservice"
traefik.http.routers.<router_name>.tls

See tls for more information.

- "traefik.http.routers.myrouter>.tls=true"
traefik.http.routers.<router_name>.tls.certresolver

See certResolver for more information.

- "traefik.http.routers.myrouter.tls.certresolver=myresolver"
traefik.http.routers.<router_name>.tls.domains[n].main

See domains for more information.

- "traefik.http.routers.myrouter.tls.domains[0].main=example.org"
traefik.http.routers.<router_name>.tls.domains[n].sans

See domains for more information.

- "traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org"
traefik.http.routers.<router_name>.tls.options

See options for more information.

- "traefik.http.routers.myrouter.tls.options=foobar"
traefik.http.routers.<router_name>.priority

See priority for more information.

- "traefik.http.routers.myrouter.priority=42"

Services

To update the configuration of the Service automatically attached to the container, add labels starting with traefik.http.services.{name-of-your-choice}., followed by the option you want to change.

For example, to change the passHostHeader behavior, you'd add the label traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false.

The character @ is not authorized in the service name <service_name>.

traefik.http.services.<service_name>.loadbalancer.server.port

Registers a port. Useful when the container exposes multiples ports.

- "traefik.http.services.myservice.loadbalancer.server.port=8080"
traefik.http.services.<service_name>.loadbalancer.server.scheme

Overrides the default scheme.

- "traefik.http.services.myservice.loadbalancer.server.scheme=http"
traefik.http.services.<service_name>.loadbalancer.serverstransport

Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information.

- "traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file"
traefik.http.services.<service_name>.loadbalancer.passhostheader

See pass Host header for more information.

- "traefik.http.services.myservice.loadbalancer.passhostheader=true"
traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar"
traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org"
traefik.http.services.<service_name>.loadbalancer.healthcheck.interval

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
traefik.http.services.<service_name>.loadbalancer.healthcheck.path

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo"
traefik.http.services.<service_name>.loadbalancer.healthcheck.method

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar"
traefik.http.services.<service_name>.loadbalancer.healthcheck.port

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.port=42"
traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http"
traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval

See response forwarding for more information.

- "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10"

Middleware

You can declare pieces of middleware using labels starting with traefik.http.middlewares.{name-of-your-choice}., followed by the middleware type/options.

For example, to declare a middleware redirectscheme named my-redirect, you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme: https.

More information about available middlewares in the dedicated middlewares section.

The character @ is not authorized in the middleware name.

Declaring and Referencing a Middleware
# ...
labels:
  # Declaring a middleware
  - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
  # Referencing a middleware
  - traefik.http.routers.my-container.middlewares=my-redirect

Conflicts in Declaration

If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.

TCP

You can declare TCP Routers and/or Services using labels.

Declaring TCP Routers and Services
   services:
     my-container:
       # ...
       labels:
         - "traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)"
         - "traefik.tcp.routers.my-router.tls=true"
         - "traefik.tcp.services.my-service.loadbalancer.server.port=4123"

TCP and HTTP

If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).

TCP Routers

traefik.tcp.routers.<router_name>.entrypoints

See entry points for more information.

- "traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2"
traefik.tcp.routers.<router_name>.rule

See rule for more information.

- "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
traefik.tcp.routers.<router_name>.service

See service for more information.

- "traefik.tcp.routers.mytcprouter.service=myservice"
traefik.tcp.routers.<router_name>.tls

See TLS for more information.

- "traefik.tcp.routers.mytcprouter.tls=true"
traefik.tcp.routers.<router_name>.tls.certresolver

See certResolver for more information.

- "traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver"
traefik.tcp.routers.<router_name>.tls.domains[n].main

See domains for more information.

- "traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org"
traefik.tcp.routers.<router_name>.tls.domains[n].sans

See domains for more information.

- "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org"
traefik.tcp.routers.<router_name>.tls.options

See options for more information.

- "traefik.tcp.routers.mytcprouter.tls.options=mysoptions"
traefik.tcp.routers.<router_name>.tls.passthrough

See TLS for more information.

- "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
traefik.tcp.routers.<router_name>.priority

See priority for more information.

- "traefik.tcp.routers.myrouter.priority=42"

TCP Services

traefik.tcp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

- "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423"
traefik.tcp.services.<service_name>.loadbalancer.terminationdelay

See termination delay for more information.

- "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version

See PROXY protocol for more information.

- "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"

UDP

You can declare UDP Routers and/or Services using labels.

Declaring UDP Routers and Services
   services:
     my-container:
       # ...
       labels:
         - "traefik.udp.routers.my-router.entrypoints=udp"
         - "traefik.udp.services.my-service.loadbalancer.server.port=4123"

UDP and HTTP

If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined). You can declare both a UDP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).

UDP Routers

traefik.udp.routers.<router_name>.entrypoints

See entry points for more information.

- "traefik.udp.routers.myudprouter.entrypoints=ep1,ep2"
traefik.udp.routers.<router_name>.service

See service for more information.

- "traefik.udp.routers.myudprouter.service=myservice"

UDP Services

traefik.udp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

- "traefik.udp.services.myudpservice.loadbalancer.server.port=423"

Specific Provider Options

traefik.enable

- "traefik.enable=true"

You can tell Traefik to consider (or not) the container by setting traefik.enable to true or false.

This option overrides the value of exposedByDefault.

Port Lookup

Traefik is capable of detecting the port to use, by following the default rancher flow. That means, if you just expose lets say port :1337 on the rancher ui, traefik will pick up this port and use it.