Traefik Docker Routing Documentation - Traefik (2024)

A Story of Labels & Containers

Traefik Docker Routing Documentation - Traefik (1)

Attach labels to your containers and let Traefik do the rest!

One of the best feature of Traefik is to delegate the routing configuration to the application level.With Docker, Traefik can leverage labels attached to a container to generate routing rules.

Labels & sensitive data

We recommend to not use labels to store sensitive data (certificates, credentials, etc).Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).

Configuration Examples

Configuring Docker & Deploying / Exposing Services

Enabling the docker provider

providers: docker: {}

[providers.docker]

--providers.docker=true

Attaching labels to containers (in your docker compose file)

version: "3"services: my-container: # ... labels: - traefik.http.routers.my-container.rule=Host(`example.com`)
Specify a Custom Port for the Container

Forward requests for http://example.com to http://<private IP of container>:12345:

version: "3"services: my-container: # ... labels: - traefik.http.routers.my-container.rule=Host(`example.com`) # Tell Traefik to use the port 12345 to connect to `my-container` - traefik.http.services.my-service.loadbalancer.server.port=12345

Traefik Connecting to the Wrong Port: HTTP/502 Gateway Error

By default, Traefik uses the first exposed port of a container.

Setting the label traefik.http.services.xxx.loadbalancer.server.portoverrides that behavior.

Specifying more than one router and service per container

Forwarding requests to more than one port on a container requires referencing the service loadbalancer port definition using the service parameter on the router.

In this example, requests are forwarded for http://example-a.com to http://<private IP of container>:8000 in addition to http://example-b.com forwarding to http://<private IP of container>:9000:

version: "3"services: my-container: # ... labels: - traefik.http.routers.www-router.rule=Host(`example-a.com`) - traefik.http.routers.www-router.service=www-service - traefik.http.services.www-service.loadbalancer.server.port=8000 - traefik.http.routers.admin-router.rule=Host(`example-b.com`) - traefik.http.routers.admin-router.service=admin-service - traefik.http.services.admin-service.loadbalancer.server.port=9000

Routing Configuration

Labels

  • Labels are case insensitive.
  • The complete list of labels can be found in the reference page.

General

Traefik creates, for each container, a corresponding service and router.

The Service automatically gets a server per instance of the container,and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).

Service definition

In general when configuring a Traefik provider,a service assigned to one (or several) router(s) must be defined as well for the routing to be functional.

There are, however, exceptions when using label-based configurations:

  1. If a label defines a router (e.g. through a router Rule)and a label defines a service (e.g. implicitly through a loadbalancer server port value),but the router does not specify any service,then that service is automatically assigned to the router.
  2. If a label defines a router (e.g. through a router Rule) but no service is defined,then a service is automatically created and assigned to the router.

As one would expect, in either of these cases, if in addition a service is specified for the router,then that service is the one assigned, regardless of whether it actually is defined or whatever else other services are defined.

Automatic service assignment with labels

With labels in a compose file

labels: - "traefik.http.routers.myproxy.rule=Host(`example.net`)" # service myservice gets automatically assigned to router myproxy - "traefik.http.services.myservice.loadbalancer.server.port=80"
Automatic service creation and assignment with labels

With labels in a compose file

labels: # no service specified or defined and yet one gets automatically created # and assigned to router myproxy. - "traefik.http.routers.myproxy.rule=Host(`example.net`)"

Routers

To update the configuration of the Router automatically attached to the container,add labels starting with traefik.http.routers.<name-of-your-choice>. and followed by the option you want to change.

For example, to change the rule, you could add the label traefik.http.routers.my-container.rule=Host(`example.com`).

The character @ is not authorized in the router name <router_name>.

traefik.http.routers.<router_name>.rule

See rule for more information.

- "traefik.http.routers.myrouter.rule=Host(`example.com`)"
traefik.http.routers.<router_name>.entrypoints

See entry points for more information.

- "traefik.http.routers.myrouter.entrypoints=ep1,ep2"
traefik.http.routers.<router_name>.middlewares

See middlewares and middlewares overview for more information.

- "traefik.http.routers.myrouter.middlewares=auth,prefix,cb"
traefik.http.routers.<router_name>.service

See service for more information.

- "traefik.http.routers.myrouter.service=myservice"
traefik.http.routers.<router_name>.tls

See tls for more information.

- "traefik.http.routers.myrouter.tls=true"
traefik.http.routers.<router_name>.tls.certresolver

See certResolver for more information.

- "traefik.http.routers.myrouter.tls.certresolver=myresolver"
traefik.http.routers.<router_name>.tls.domains[n].main

See domains for more information.

- "traefik.http.routers.myrouter.tls.domains[0].main=example.org"
traefik.http.routers.<router_name>.tls.domains[n].sans

See domains for more information.

- "traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org"
traefik.http.routers.<router_name>.tls.options

See options for more information.

- "traefik.http.routers.myrouter.tls.options=foobar"
traefik.http.routers.<router_name>.priority

See priority for more information.

- "traefik.http.routers.myrouter.priority=42"

Services

To update the configuration of the Service automatically attached to the container,add labels starting with traefik.http.services.<name-of-your-choice>., followed by the option you want to change.

For example, to change the passHostHeader behavior,you'd add the label traefik.http.services.<name-of-your-choice>.loadbalancer.passhostheader=false.

The character @ is not authorized in the service name <service_name>.

traefik.http.services.<service_name>.loadbalancer.server.port

Registers a port.Useful when the container exposes multiples ports.

- "traefik.http.services.myservice.loadbalancer.server.port=8080"
traefik.http.services.<service_name>.loadbalancer.server.scheme

Overrides the default scheme.

- "traefik.http.services.myservice.loadbalancer.server.scheme=http"
traefik.http.services.<service_name>.loadbalancer.serverstransport

Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.See serverstransport for more information.

- "traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file"
traefik.http.services.<service_name>.loadbalancer.passhostheader

See pass Host header for more information.

- "traefik.http.services.myservice.loadbalancer.passhostheader=true"
traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar"
traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org"
traefik.http.services.<service_name>.loadbalancer.healthcheck.interval

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
traefik.http.services.<service_name>.loadbalancer.healthcheck.path

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo"
traefik.http.services.<service_name>.loadbalancer.healthcheck.method

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar"
traefik.http.services.<service_name>.loadbalancer.healthcheck.status

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.status=42"
traefik.http.services.<service_name>.loadbalancer.healthcheck.port

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.port=42"
traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http"
traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10s"
traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects

See health check for more information.

- "traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage

See sticky sessions for more information.

- "traefik.http.services.myservice.loadbalancer.sticky.cookie.maxage=42"
traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval

See response forwarding for more information.

- "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10"

Middleware

You can declare pieces of middleware using labels starting with traefik.http.middlewares.<name-of-your-choice>.,followed by the middleware type/options.

For example, to declare a middleware redirectscheme named my-redirect,you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme=https.

More information about available middlewares in the dedicated middlewares section.

The character @ is not authorized in the middleware name.

Declaring and Referencing a Middleware
 services: my-container: # ... labels: # Declaring a middleware - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https # Referencing a middleware - traefik.http.routers.my-container.middlewares=my-redirect

Conflicts in Declaration

If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.

TCP

You can declare TCP Routers and/or Services using labels.

Declaring TCP Routers and Services
 services: my-container: # ... labels: - "traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)" - "traefik.tcp.routers.my-router.tls=true" - "traefik.tcp.services.my-service.loadbalancer.server.port=4123"

TCP and HTTP

If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).

TCP Routers

traefik.tcp.routers.<router_name>.entrypoints

See entry points for more information.

- "traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2"
traefik.tcp.routers.<router_name>.rule

See rule for more information.

- "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
traefik.tcp.routers.<router_name>.service

See service for more information.

- "traefik.tcp.routers.mytcprouter.service=myservice"
traefik.tcp.routers.<router_name>.tls

See TLS for more information.

- "traefik.tcp.routers.mytcprouter.tls=true"
traefik.tcp.routers.<router_name>.tls.certresolver

See certResolver for more information.

- "traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver"
traefik.tcp.routers.<router_name>.tls.domains[n].main

See domains for more information.

- "traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org"
traefik.tcp.routers.<router_name>.tls.domains[n].sans

See domains for more information.

- "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org"
traefik.tcp.routers.<router_name>.tls.options

See options for more information.

- "traefik.tcp.routers.mytcprouter.tls.options=mysoptions"
traefik.tcp.routers.<router_name>.tls.passthrough

See TLS for more information.

- "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
traefik.tcp.routers.<router_name>.priority

See priority for more information.

- "traefik.tcp.routers.myrouter.priority=42"

TCP Services

traefik.tcp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

- "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423"
traefik.tcp.services.<service_name>.loadbalancer.server.tls

Determines whether to use TLS when dialing with the backend.

- "traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version

See PROXY protocol for more information.

- "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
traefik.tcp.services.<service_name>.loadbalancer.serverstransport

Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.See serverstransport for more information.

- "traefik.tcp.services.<service_name>.loadbalancer.serverstransport=foobar@file"

UDP

You can declare UDP Routers and/or Services using labels.

Declaring UDP Routers and Services
 services: my-container: # ... labels: - "traefik.udp.routers.my-router.entrypoints=udp" - "traefik.udp.services.my-service.loadbalancer.server.port=4123"

UDP and HTTP

If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).You can declare both a UDP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).

UDP Routers

traefik.udp.routers.<router_name>.entrypoints

See entry points for more information.

- "traefik.udp.routers.myudprouter.entrypoints=ep1,ep2"
traefik.udp.routers.<router_name>.service

See service for more information.

- "traefik.udp.routers.myudprouter.service=myservice"

UDP Services

traefik.udp.services.<service_name>.loadbalancer.server.port

Registers a port of the application.

- "traefik.udp.services.myudpservice.loadbalancer.server.port=423"

Specific Provider Options

traefik.enable

- "traefik.enable=true"

You can tell Traefik to consider (or not) the container by setting traefik.enable to true or false.

This option overrides the value of exposedByDefault.

traefik.docker.network

- "traefik.docker.network=mynetwork"

Overrides the default docker network to use for connections to the container.

If a container is linked to several networks, be sure to set the proper network name (you can check this with docker inspect <container_id>),otherwise it will randomly pick one (depending on how docker is returning them).

Warning

When deploying a stack from a compose file stack, the networks defined are prefixed with stack.

Traefik Docker Routing Documentation - Traefik (2024)

FAQs

How does Traefik work with Docker? ›

Traefik retrieves the private IP and port of containers from the Docker API. Port detection for private communication works as follows: If a container exposes a single port, then Traefik uses this port. If a container exposes multiple ports, then Traefik uses the lowest port.

What is the default load balancer port for Traefik? ›

Traefik automatically creates a loadbalancer service addressing port 80 ignoring the "- traefik. tcp. services.

What is EntryPoints in Traefik? ›

EntryPoints are the network entry points into Traefik Hub. They define the port which will receive the packets, and whether to listen for TCP or UDP connections.

What is the default Web port for Traefik? ›

web listens on port 80 , and websecure on port 443 .

Does Traefik need to be in the same network? ›

The Traefik container has to be attached to the same network as the containers to be exposed . If no networks are specified in the Docker Compose file, Docker creates a default one that allows Traefik to reach the containers defined in the same file.

What is better, nginx or Traefik? ›

NGINX offers greater control and customization possibilities, while Traefik is more user-friendly and simpler to set up. The choice between Traefik and NGINX will ultimately depend on your unique requirements, the intricacy of your application, and the degree of control and customization you need.

Does Traefik do load balancing? ›

This job starts an instance of Traefik and configures it to discover its configuration from Consul. This Traefik instance provides routing and load balancing to the sample web application. This configuration uses a static port for the load balancer to 8080 .

Does Traefik require tls? ›

Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection (and its underlying certificates). When a router has to handle HTTPS traffic, it should be specified with a tls field of the router definition.

Which load balancer supports path based routing? ›

Path-based routing is one of the unique features offered by Application Load Balancer. Path-based routing is also referred to as URL-based routing. The Application load balancer will forward the requests to the specific targets based on the Rules configured in the load balancer.

What is the Traefik frontend rule? ›

A frontend is a set of rules that forwards the incoming traffic from an entrypoint to a backend. Frontends can be defined using the following rules: Headers: Content-Type, application/json : Headers adds a matcher for request header values. It accepts a sequence of key/value pairs to be matched.

What are the basics of Traefik? ›

Traefik is an Edge Router; this means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the path, the host, headers, etc.).

Is Traefik written in go? ›

Traefik[1] is written in Golang, which is technically a (depending on your viewpoint) memory-safe language.

Does Traefik support UDP? ›

the general answer is yes. Traefik can handle TCP and UDP. Just be aware that UDP "routers" at this time are pretty much only load-balancers in one form or another.

Does Traefik support HTTP 3? ›

Now, HTTP/3 is out of the experimental stage and fully production-ready in Traefik! Keep in mind that, as HTTP/3 actually uses UDP, when traefik is configured with a TCP entryPoint on port N with HTTP/3 enabled, the underlying HTTP/3 server that is started automatically listens on UDP port N too.

Does Traefik support HTTP2? ›

Traefik Proxy 2.6 taps into these checks for HTTP/2 connections, and when one of them fails, it tears down the connection and rebuilds it on the next request.

How to install Traefik with Docker? ›

Install Traefik
  1. Use the official Docker image.
  2. Use the Helm Chart.
  3. Use the binary distribution.
  4. Compile your binary from the sources.

What is the point of Traefik? ›

Traefik is an Edge Router; this means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the path, the host, headers, etc.).

How does Traefik work in Kubernetes? ›

Traefik uses the Kubernetes API to discover running services. To use the Kubernetes API, Traefik needs some permissions. This permission mechanism is based on roles defined by the cluster administrator. The role is then bound to an account used by an application, in this case, Traefik Proxy.

How does Traefik proxy work? ›

Unlike a traditional reverse proxy, which requires manual configuration, Traefik uses service discovery to dynamically configure routing. Traefik supports all major protocols, leveraging a rich set of middleware for load balancing, rate-limiting, circuit-breakers, mirroring, authentication, and more.

Top Articles
Latest Posts
Article information

Author: Carlyn Walter

Last Updated:

Views: 5285

Rating: 5 / 5 (70 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Carlyn Walter

Birthday: 1996-01-03

Address: Suite 452 40815 Denyse Extensions, Sengermouth, OR 42374

Phone: +8501809515404

Job: Manufacturing Technician

Hobby: Table tennis, Archery, Vacation, Metal detecting, Yo-yoing, Crocheting, Creative writing

Introduction: My name is Carlyn Walter, I am a lively, glamorous, healthy, clean, powerful, calm, combative person who loves writing and wants to share my knowledge and understanding with you.