• EntryPoints
    • Configuration Examples
    • Configuration
      • General
    • ProxyProtocol
    • Forwarded Header

    EntryPoints

    Opening Connections for Incoming Requests

    entryPoints

    EntryPoints are the network entry points into Traefik.They define the port which will receive the requests (whether HTTP or TCP).

    Configuration Examples

    Port 80 only

    1. [entryPoints]
    2.   [entryPoints.web]
    3.     address = ":80"
    1. entryPoints:
    2.   web:
    3.    address: ":80"
    1. --entryPoints.web.address=:80

    We define an entrypoint called web that will listen on port 80.Port 80 & 443

    1. [entryPoints]
    2.   [entryPoints.web]
    3.     address = ":80"
    5.   [entryPoints.web-secure]
    6.     address = ":443"
    1. entryPoints:
    2.   web:
    3.     address: ":80"
    5.   web-secure:
    6.     address: ":443"
    1. --entryPoints.web.address=:80
    2. --entryPoints.web-secure.address=:443
    • Two entrypoints are defined: one called web, and the other called web-secure.
    • web listens on port 80, and web-secure on port 443.

    Configuration

    General

    EntryPoints are part of the static configuration.You can define them using a toml file, CLI arguments, or a key-value store.

    See the complete reference for the list of available options:

    1. [entryPoints]
    3.   [entryPoints.EntryPoint0]
    4.     address = ":8888"
    5.     [entryPoints.EntryPoint0.transport]
    6.       [entryPoints.EntryPoint0.transport.lifeCycle]
    7.         requestAcceptGraceTimeout = 42
    8.         graceTimeOut = 42
    9.       [entryPoints.EntryPoint0.transport.respondingTimeouts]
    10.         readTimeout = 42
    11.         writeTimeout = 42
    12.         idleTimeout = 42
    13.     [entryPoints.EntryPoint0.proxyProtocol]
    14.       insecure = true
    15.       trustedIPs = ["foobar", "foobar"]
    16.     [entryPoints.EntryPoint0.forwardedHeaders]
    17.       insecure = true
    18.       trustedIPs = ["foobar", "foobar"]
    1. entryPoints:
    3.   EntryPoint0:
    4.     address: ":8888"
    5.     transport:
    6.       lifeCycle:
    7.         requestAcceptGraceTimeout: 42
    8.         graceTimeOut: 42
    9.       respondingTimeouts:
    10.         readTimeout: 42
    11.         writeTimeout: 42
    12.         idleTimeout: 42
    13.     proxyProtocol:
    14.       insecure: true
    15.       trustedIPs:
    16.       - "foobar"
    17.       - "foobar"
    18.     forwardedHeaders:
    19.       insecure: true
    20.       trustedIPs:
    21.       - "foobar"
    22.       - "foobar"
    1. --entryPoints.EntryPoint0.address=:8888
    2. --entryPoints.EntryPoint0.transport.lifeCycle.requestAcceptGraceTimeout=42
    3. --entryPoints.EntryPoint0.transport.lifeCycle.graceTimeOut=42
    4. --entryPoints.EntryPoint0.transport.respondingTimeouts.readTimeout=42
    5. --entryPoints.EntryPoint0.transport.respondingTimeouts.writeTimeout=42
    6. --entryPoints.EntryPoint0.transport.respondingTimeouts.idleTimeout=42
    7. --entryPoints.EntryPoint0.proxyProtocol.insecure=true
    8. --entryPoints.EntryPoint0.proxyProtocol.trustedIPs=foobar,foobar
    9. --entryPoints.EntryPoint0.forwardedHeaders.insecure=true
    10. --entryPoints.EntryPoint0.forwardedHeaders.trustedIPs=foobar,foobar

    ProxyProtocol

    Traefik supports ProxyProtocol version 1 and 2.

    If proxyprotocol header parsing is enabled for the entry point, this entry point can accept connections with or without proxyprotocol headers.

    If the proxyprotocol header is passed, then the version is determined automatically.Enabling Proxy Protocol with Trusted IPs

    1. [entryPoints]
    2.   [entryPoints.web]
    3.     address = ":80"
    5.     [entryPoints.web.proxyProtocol]
    6.       trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    1. entryPoints:
    2.   web:
    3.     address: ":80"
    4.     proxyProtocol:
    5.       trustedIPs:
    6.       - "127.0.0.1/32"
    7.       - "192.168.1.7"
    1. --entryPoints.web.address=:80
    2. --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.1.7

    IPs in trustedIPs only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.Insecure Mode — Testing Environment OnlyIn a test environments, you can configure Traefik to trust every incoming connection.Doing so, every remote client address will be replaced (trustedIPs won't have any effect)

    1. [entryPoints]
    2.   [entryPoints.web]
    3.     address = ":80"
    5.     [entryPoints.web.proxyProtocol]
    6.       insecure = true
    1. entryPoints:
    2.   web:
    3.     address: ":80"
    4.     proxyProtocol:
    5.       insecure: true
    1. --entryPoints.web.address=:80
    2. --entryPoints.web.proxyProtocol.insecure

    Queuing Traefik behind Another Load Balancer

    When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.Not doing so could introduce a security risk in your system (enabling request forgery).

    Forwarded Header

    You can configure Traefik to trust the forwarded headers information (X-Forwarded-*)Trusting Forwarded Headers from specific IPs

    1. [entryPoints]
    2.   [entryPoints.web]
    3.     address = ":80"
    5.     [entryPoints.web.forwardedHeaders]
    6.       trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    1. entryPoints:
    2.   web:
    3.     address: ":80"
    4.     forwardedHeaders:
    5.       trustedIPs:
    6.       - "127.0.0.1/32"
    7.       - "192.168.1.7"
    1. --entryPoints.web.address=:80
    2. --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7

    Insecure Mode — Always Trusting Forwarded Headers

    1. [entryPoints]
    2.   [entryPoints.web]
    3.     address = ":80"
    5.     [entryPoints.web.forwardedHeaders]
    6.       insecure = true
    1. entryPoints:
    2.   web:
    3.     address: ":80"
    4.     forwardedHeaders:
    5.       insecure: true
    1. --entryPoints.web.address=:80
    2. --entryPoints.web.forwardedHeaders.insecure