Traefik & ECS

One of the best features of Traefik is the ability to delegate the routing configuration to the application level. With ECS, Traefik can leverage labels attached to a container to generate routing rules.

Labels & sensitive data

We recommend not using labels to store sensitive data (certificates, credentials, etc.). Instead, we recommend storing sensitive data in a safer storage (secrets, file, etc.).

Routing Configuration

labels

Labels are case-insensitive.

TLS Default Generated Certificates

To learn how to configure Traefik's default generated certificate, refer to the TLS Certificates page.

General

Traefik creates, for each elastic service, a corresponding service and router.

The Service automatically gets a server per elastic container, and the router gets a default rule attached to it, based on the service name.

Routers

To update the configuration of the Router automatically attached to the service, add labels starting with traefik.http.routers.{name-of-your-choice}., followed by the option you want to change.

For example, to change the rule, you could add the label traefik.http.routers.my-service.rule=Host(`example.com`).

The character @ is not authorized in the router name <router_name>.

traefik.http.routers.<router_name>.rule

See rule for more information.

traefik.http.routers.myrouter.rule=Host(`example.com`)
traefik.http.routers.<router_name>.ruleSyntax

Warning

RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax.

See ruleSyntax for more information.

traefik.http.routers.myrouter.ruleSyntax=v3
traefik.http.routers.<router_name>.entrypoints

See entry points for more information.

traefik.http.routers.myrouter.entrypoints=web,websecure
traefik.http.routers.<router_name>.middlewares

See middlewares overview for more information.

traefik.http.routers.myrouter.middlewares=auth,prefix,cb
traefik.http.routers.<router_name>.service

See service for more information.

traefik.http.routers.myrouter.service=myservice
traefik.http.routers.<router_name>.tls

See tls for more information.

traefik.http.routers.myrouter.tls=true
traefik.http.routers.<router_name>.tls.certresolver

See certResolver for more information.

traefik.http.routers.myrouter.tls.certresolver=myresolver
traefik.http.routers.<router_name>.tls.domains[n].main

See domains for more information.

traefik.http.routers.myrouter.tls.domains[0].main=example.org
traefik.http.routers.<router_name>.tls.domains[n].sans

See domains for more information.

traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org
traefik.http.routers.<router_name>.tls.options
traefik.http.routers.myrouter.tls.options=foobar
traefik.http.routers.<router_name>.observability.accesslogs

The accessLogs option controls whether the router will produce access-logs.

traefik.http.routers.myrouter.observability.accesslogs=true
traefik.http.routers.<router_name>.observability.metrics

The metrics option controls whether the router will produce metrics.

traefik.http.routers.myrouter.observability.metrics=true
traefik.http.routers.<router_name>.observability.tracing

The tracing option controls whether the router will produce traces.

traefik.http.routers.myrouter.observability.tracing=true
traefik.http.routers.<router_name>.priority

See priority for more information.

traefik.http.routers.myrouter.priority=42

Services

To update the configuration of the Service automatically attached to the service, add labels starting with traefik.http.services.{name-of-your-choice}., followed by the option you want to change.

For example, to change the passHostHeader behavior, you'd add the label traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false.

The character @ is not authorized in the service name <service_name>.

traefik.http.services.<service_name>.loadbalancer.server.port

Registers a port. Useful when the service exposes multiple ports.

traefik.http.services.myservice.loadbalancer.server.port=8080
traefik.http.services.<service_name>.loadbalancer.server.scheme

Overrides the default scheme.

traefik.http.services.myservice.loadbalancer.server.scheme=http
traefik.http.services.<service_name>.loadbalancer.serverstransport

Allows referencing a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information.

traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file
traefik.http.services.<service_name>.loadbalancer.passhostheader
traefik.http.services.myservice.loadbalancer.passhostheader=true
traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar
traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org
traefik.http.services.<service_name>.loadbalancer.healthcheck.interval

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
traefik.http.services.<service_name>.loadbalancer.healthcheck.path

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
traefik.http.services.<service_name>.loadbalancer.healthcheck.method

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar
traefik.http.services.<service_name>.loadbalancer.healthcheck.status

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.status=42
traefik.http.services.<service_name>.loadbalancer.healthcheck.port

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.port=42
traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http
traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10
traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects

See health check for more information.

traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie
traefik.http.services.myservice.loadbalancer.sticky.cookie=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly
traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name
traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path
traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure
traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite
traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage
traefik.http.services.myservice.loadbalancer.sticky.cookie.maxage=42
traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval

FlushInterval specifies the flush interval to flush to the client while copying the response body.

traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10

Middleware

You can declare pieces of middleware using labels starting with traefik.http.middlewares.{name-of-your-choice}., followed by the middleware type/options.

For example, to declare a middleware redirectscheme named my-redirect, you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme=https.

More information about available middlewares is in the dedicated middlewares section.

The character @ is not authorized in the middleware name.

Declaring and Referencing a Middleware
# ...
# Declaring a middleware
traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
# Referencing a middleware
traefik.http.routers.my-service.middlewares=my-redirect

Conflicts in Declaration

If you declare multiple middlewares with the same name but with different parameters, the middleware fails to be declared.

TCP

You can declare TCP Routers and/or Services using labels.

Declaring TCP Routers and Services
traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)
traefik.tcp.routers.my-router.tls=true
traefik.tcp.services.my-service.loadbalancer.server.port=4123

TCP and HTTP

If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). You can declare both a TCP Router/Service and an HTTP Router/Service for the same elastic service (but you have to do so manually).

TCP Routers

traefik.tcp.routers.<router_name>.entrypoints

See entry points for more information.

traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2
traefik.tcp.routers.<router_name>.rule

See rule for more information.

traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
traefik.tcp.routers.<router_name>.ruleSyntax

Warning

RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax.

Configures the rule syntax to be used for parsing the rule on a per-router basis.

traefik.tcp.routers.mytcprouter.ruleSyntax=v3
traefik.tcp.routers.<router_name>.service

See service for more information.

traefik.tcp.routers.mytcprouter.service=myservice
traefik.tcp.routers.<router_name>.tls

See TLS for more information.

traefik.tcp.routers.mytcprouter.tls=true
traefik.tcp.routers.<router_name>.tls.certresolver

See certResolver for more information.

traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver
traefik.tcp.routers.<router_name>.tls.domains[n].main

See TLS for more information.

traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org
traefik.tcp.routers.<router_name>.tls.domains[n].sans

See TLS for more information.

traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org
traefik.tcp.routers.<router_name>.tls.options

See TLS for more information.

traefik.tcp.routers.mytcprouter.tls.options=mysoptions
traefik.tcp.routers.<router_name>.tls.passthrough

See Passthrough for more information.

traefik.tcp.routers.mytcprouter.tls.passthrough=true
traefik.tcp.routers.<router_name>.priority

See priority for more information.

traefik.tcp.routers.mytcprouter.priority=42

TCP Services

traefik.tcp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
traefik.tcp.services.<service_name>.loadbalancer.server.tls

Determines whether to use TLS when dialing with the backend.

traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
traefik.http.services.<service_name>.loadbalancer.server.weight

Overrides the default weight.

traefik.http.services.myservice.loadbalancer.server.weight=42
traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version

See PROXY protocol for more information.

traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
traefik.tcp.services.<service_name>.loadbalancer.serverstransport

Allows referencing a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information.

traefik.tcp.services.<service_name>.loadbalancer.serverstransport=foobar@file

UDP

You can declare UDP Routers and/or Services using labels.

Declaring UDP Routers and Services
traefik.udp.routers.my-router.entrypoints=udp
traefik.udp.services.my-service.loadbalancer.server.port=4123

UDP and HTTP

If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined). You can declare both a UDP Router/Service and an HTTP Router/Service for the same elastic service (but you have to do so manually).

TCP Middleware

You can declare pieces of middleware using labels starting with traefik.tcp.middlewares.{name-of-your-choice}., followed by the middleware type/options.

For example, to declare a middleware InFlightConn named test-inflightconn, you'd write traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10.

More information about available middlewares is in the dedicated middlewares section.

Declaring and Referencing a Middleware
# ...
# Declaring a middleware
traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10
# Referencing a middleware
traefik.tcp.routers.my-service.middlewares=test-inflightconn

Conflicts in Declaration

If you declare multiple middlewares with the same name but with different parameters, the middleware fails to be declared.
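
A lint pass over the naming and declaration rules stated on this page, as an added example that is not part of the Traefik documentation or code base: it flags `@` in a router, service or middleware name, the deprecated `ruleSyntax` option, same-named middlewares declared with different parameters, and label keys that look secret-bearing. The `CONTAINERS` sample, the finding names and the `SECRET_HINTS` heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: container name -> dockerLabels (not from the original page).
CONTAINERS = {
    "api": {
        "traefik.http.routers.api@v2.rule": "Host(`example.com`)",
        "traefik.http.routers.api.ruleSyntax": "v3",
        "traefik.http.services.api.loadbalancer.serverstransport": "foobar@file",
        "traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https",
        "traefik.http.middlewares.auth.basicauth.users": "user:<placeholder-hash>",
    },
    "web": {
        "Traefik.HTTP.Middlewares.My-Redirect.RedirectScheme.Scheme": "http",
        "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10",
    },
}

KEY = re.compile(r"^traefik\.(http|tcp|udp)\.(routers|services|middlewares)\.([^.]+)\.(.+)$")
# Key fragments treated as secret-bearing: a heuristic assumed for this example.
SECRET_HINTS = ("password", "secret", "token", "basicauth.users")

def lint(containers):
    """Return sorted (finding, container, subject) tuples for Traefik labels."""
    findings = []
    middlewares = defaultdict(dict)  # (protocol, name) -> {container: {option: value}}
    for cname, labels in containers.items():
        for key, value in labels.items():
            m = KEY.match(key.lower())  # labels are case-insensitive
            if not m:
                continue
            proto, kind, name, option = m.groups()
            if "@" in name:  # '@' is not authorized in names; values may use it
                findings.append(("at-in-name", cname, m.group(0)))
            if kind == "routers" and option == "rulesyntax":
                findings.append(("deprecated-rulesyntax", cname, m.group(0)))
            if any(hint in option for hint in SECRET_HINTS):
                findings.append(("possible-secret", cname, m.group(0)))
            if kind == "middlewares":
                middlewares[(proto, name)].setdefault(cname, {})[option] = value
    for (proto, name), decls in middlewares.items():
        # Same name, different parameters: the middleware fails to be declared.
        if len({tuple(sorted(d.items())) for d in decls.values()}) > 1:
            findings.append(("middleware-conflict", ",".join(sorted(decls)), f"{proto}.{name}"))
    return sorted(findings)
```

Because keys are lower-cased before comparison, the `My-Redirect` declaration in `web` is matched against `my-redirect` in `api` and reported as a conflict, while the `foobar@file` value is left alone since only the name segment of the key is checked.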

UDP Routers

traefik.udp.routers.<router_name>.entrypoints

See entry points for more information.

traefik.udp.routers.myudprouter.entrypoints=ep1,ep2
traefik.udp.routers.<router_name>.service

See service for more information.

traefik.udp.routers.myudprouter.service=myservice

UDP Services

traefik.udp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

traefik.udp.services.myudpservice.loadbalancer.server.port=423

Specific Provider Options

traefik.enable

traefik.enable=true

You can tell Traefik to consider (or not) the ECS service by setting traefik.enable to true or false.

This option overrides the value of exposedByDefault.
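
An exposure audit built from the rules above (traefik.enable overriding exposedByDefault, and a TCP or UDP declaration suppressing the automatic HTTP Router/Service), as an added example that is not Traefik's own code. The task definition is constructed, the function names and the 'auto'/'manual'/'none' labels are assumptions, and only the literal values true and false are recognised for traefik.enable.

```python
# Constructed ECS task definition fragment (not from the original page).
TASK_DEFINITION = {
    "containerDefinitions": [
        {"name": "web", "dockerLabels": {
            "traefik.http.routers.web.rule": "Host(`example.com`)"}},
        {"name": "db-proxy", "dockerLabels": {
            "traefik.enable": "true",
            "traefik.tcp.routers.db.rule": "HostSNI(`example.com`)",
            "traefik.tcp.services.db.loadbalancer.server.port": "4123"}},
        {"name": "mixed", "dockerLabels": {
            "Traefik.Enable": "true",
            "traefik.udp.routers.dns.entrypoints": "udp",
            "traefik.http.routers.mixed.rule": "Host(`example.org`)"}},
        {"name": "admin", "dockerLabels": {"traefik.enable": "false"}},
        {"name": "sidecar"},
    ]
}

L4 = ("traefik.tcp.routers.", "traefik.tcp.services.",
      "traefik.udp.routers.", "traefik.udp.services.")
HTTP = ("traefik.http.routers.", "traefik.http.services.")

def exposure(container, exposed_by_default):
    """Return (considered, http) where http is 'auto', 'manual' or 'none'."""
    # Labels are case-insensitive, so compare lower-cased keys.
    labels = {k.lower(): v for k, v in container.get("dockerLabels", {}).items()}
    enable = labels.get("traefik.enable")
    # traefik.enable, when present, overrides exposedByDefault.
    # Simplification: only the literal strings true/false are recognised here.
    considered = exposed_by_default if enable is None else enable.strip().lower() == "true"
    if not considered:
        return (False, "none")
    if not any(k.startswith(L4) for k in labels):
        return (True, "auto")  # no TCP/UDP declared: HTTP router/service is automatic
    # TCP/UDP declared: HTTP exists only if its router/service is declared by hand.
    return (True, "manual" if any(k.startswith(HTTP) for k in labels) else "none")

def audit(task_definition, exposed_by_default):
    """Map each container name to its exposure under the given provider default."""
    return {c["name"]: exposure(c, exposed_by_default)
            for c in task_definition["containerDefinitions"]}
```

With exposedByDefault set to true, the unlabeled `sidecar` container is considered and gets an automatic HTTP router, which is the case worth reviewing before enabling that default.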