我的书签
添加书签
移除书签Migration Guide: From v1 to v2
The version 2 of Traefik introduces a number of breaking changes, which require one to update their configuration when they migrate from v1 to v2. The goal of this page is to recapitulate all of these changes, and in particular to give examples, feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.
Migration Helper
We created a tool to help during the migration: traefik-migration-tool
This tool allows to:
- convert to Traefik
IngressRouteresources. - convert
acme.jsonfile from v1 to v2 format. - migrate the static configuration contained in the file
traefik.tomlto a Traefik v2 file.
… Long Live Routers, Middlewares, and Services
During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized. As such, the combination of core notions such as frontends and backends has been replaced with the combination of , services, and .
Typically, a router replaces a frontend, and a service assumes the role of a backend, with each router referring to a service. However, even though a backend was in charge of applying any desired modification on the fly to the incoming request, the router defers that responsibility to another component. Instead, a dedicated middleware is now defined for each kind of such modification. Then any router can refer to an instance of the wanted middleware.
One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware.
v1
Docker
K8s Ingress
apiVersion: networking.k8s.io/v1beta1kind: Ingressmetadata:name: traefiknamespace: kube-systemannotations:kubernetes.io/ingress.class: traefiktraefik.ingress.kubernetes.io/rule-type: PathPrefixspec:rules:- host: test.localhosthttp:paths:- path: /testbackend:serviceName: server0servicePort: 80- path: /testbackend:serviceName: server1servicePort: 80
File (TOML)
[frontends][frontends.frontend1]entryPoints = ["http"]backend = "backend1"[frontends.frontend1.routes][frontends.frontend1.routes.route0]rule = "Host:test.localhost"[frontends.frontend1.routes.route0]rule = "PathPrefix:/test"[frontends.frontend1.auth][frontends.frontend1.auth.basic]users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/","test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",][backends][backends.backend1][backends.backend1.servers.server0]url = "http://10.10.10.1:80"[backends.backend1.servers.server1]url = "http://10.10.10.2:80"[backends.backend1.loadBalancer]method = "wrr"
v2
Docker
labels:- "traefik.http.routers.router0.rule=Host(`test.localhost`) && PathPrefix(`/test`)"- "traefik.http.routers.router0.middlewares=auth"- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
K8s IngressRoute
# The definitions below require the definitions for the Middleware and IngressRoute kinds.# https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitionsapiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: basicauthnamespace: foospec:basicAuth:users:- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- httproutes:- match: Host(`test.localhost`) && PathPrefix(`/test`)kind: Ruleservices:- name: server0port: 80- name: server1port: 80middlewares:- name: basicauthnamespace: foo
File (YAML)
http:routers:router0:rule: "Host(`test.localhost`) && PathPrefix(`/test`)"service: my-servicemiddlewares:- authservices:my-service:loadBalancer:servers:- url: http://10.10.10.1:80- url: http://10.10.10.2:80middlewares:auth:basicAuth:users:- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
File (TOML)
[http.routers][http.routers.router0]rule = "Host(`test.localhost`) && PathPrefix(`/test`)"middlewares = ["auth"]service = "my-service"[http.services][[http.services.my-service.loadBalancer.servers]]url = "http://10.10.10.1:80"[[http.services.my-service.loadBalancer.servers]]url = "http://10.10.10.2:80"[http.middlewares][http.middlewares.auth.basicAuth]users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/","test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",]
TLS Configuration is Now Dynamic, per Router.
TLS parameters used to be specified in the static configuration, as an entryPoint field. With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations. Then, a can refer to one of the TLS configurations defined at the root, hence defining the for that router.
TLS on websecure entryPoint becomes TLS option on Router-1
v1
File (TOML)
# static configuration[entryPoints][entryPoints.websecure]address = ":443"[entryPoints.websecure.tls]minVersion = "VersionTLS12"cipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",][[entryPoints.websecure.tls.certificates]]certFile = "path/to/my.cert"keyFile = "path/to/my.key"
CLI
--entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
v2
File (YAML)
http:routers:Router-1:rule: "Host(`example.com`)"service: service-id# will terminate the TLS requesttls:options: myTLSOptionstls:certificates:- certFile: /path/to/domain.certkeyFile: /path/to/domain.keyoptions:myTLSOptions:minVersion: VersionTLS12cipherSuites:- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
File (TOML)
# dynamic configuration[http.routers][http.routers.Router-1]rule = "Host(`example.com`)"service = "service-id"# will terminate the TLS request[http.routers.Router-1.tls]options = "myTLSOptions"[[tls.certificates]]certFile = "/path/to/domain.cert"keyFile = "/path/to/domain.key"[tls.options][tls.options.myTLSOptions]minVersion = "VersionTLS12"cipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",]
K8s IngressRoute
# The definitions below require the definitions for the TLSOption and IngressRoute kinds.# https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitionsapiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12cipherSuites:- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`)kind: Ruleservices:- name: whoamiport: 80tls:options:name: mytlsoptionnamespace: default
Docker
labels:# myTLSOptions must be defined by another provider, in this instance in the File Provider.# see the cross provider section- "traefik.http.routers.router0.tls.options=myTLSOptions@file"
HTTP to HTTPS Redirection is Now Configured on Routers
Previously on Traefik v1, the redirection was applied on an entry point or on a frontend. With Traefik v2 it is applied on an entry point or a .
To apply a redirection:
- on an entry point, the HTTP redirection has to be configured.
- on a router, one of the redirect middlewares, or RedirectScheme, has to be configured and added to the router middlewares list.
Global HTTP to HTTPS redirection
v1
File (TOML)
# static configurationdefaultEntryPoints = ["web", "websecure"][entryPoints.web]address = ":80"[entryPoints.web.redirect]entryPoint = "websecure"[entryPoints.websecure]address = ":443"
CLI
--entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure--entryPoints='Name:websecure Address::443 TLS'
v2
File (YAML)
# traefik.yml## static configurationentryPoints:web:address: ":80"http:redirections:entrypoint:to: websecurescheme: httpswebsecure:address: ":443"
File (TOML)
# traefik.toml## static configuration[entryPoints.web]address = ":80"[entryPoints.web.http.redirections.entryPoint]to = "websecure"scheme = "https"[entryPoints.websecure]address = ":443"
CLI
## static configuration--entrypoints.web.address=:80--entrypoints.web.http.redirections.entrypoint.to=websecure--entrypoints.web.http.redirections.entrypoint.scheme=https--entrypoints.websecure.address=:443--providers.docker=true
HTTP to HTTPS redirection per domain
File (TOML)
[entryPoints][entryPoints.web]address = ":80"[entryPoints.websecure]address = ":443"[entryPoints.websecure.tls][file][frontends][frontends.frontend1]entryPoints = ["web", "websecure"][frontends.frontend1.routes][frontends.frontend1.routes.route0]rule = "Host:example.net"[frontends.frontend1.redirect]entryPoint = "websecure"
v2
Docker
labels:traefik.http.routers.app.rule: Host(`example.net`)traefik.http.routers.app.entrypoints: webtraefik.http.routers.app.middlewares: https_redirecttraefik.http.routers.appsecured.rule: Host(`example.net`)traefik.http.routers.appsecured.entrypoints: websecuretraefik.http.routers.appsecured.tls: truetraefik.http.middlewares.https_redirect.redirectscheme.scheme: httpstraefik.http.middlewares.https_redirect.redirectscheme.permanent: true
K8s IngressRoute
File (YAML)
## dynamic configuration# dynamic-conf.ymlhttp:routers:router0:rule: "Host(`example.net`)"entryPoints:- webmiddlewares:- https_redirectservice: my-servicerouter1:rule: "Host(`example.net`)"entryPoints:- websecureservice: my-servicetls: {}middlewares:https-redirect:redirectScheme:scheme: httpspermanent: true
File (TOML)
## dynamic configuration# dynamic-conf.toml[http.routers][http.routers.router0]rule = "Host(`example.net`)"service = "my-service"entrypoints = ["web"]middlewares = ["https_redirect"][http.routers.router1]rule = "Host(`example.net`)"service = "my-service"entrypoints = ["websecure"][http.routers.router1.tls][http.middlewares][http.middlewares.https_redirect.redirectScheme]scheme = "https"permanent = true
Strip and Rewrite Path Prefixes
With the new core notions of v2 (introduced earlier in the section “Frontends and Backends Are Dead… Long Live Routers, Middlewares, and Services”), transforming the URL path prefix of incoming requests is configured with , after the routing step with router rule PathPrefix.
Use Case: Incoming requests to http://example.org/admin are forwarded to the webapplication “admin”, with the path /admin stripped, e.g. to http://<IP>:<port>/. In this case, you must:
- First, configure a router named
adminwith a rule matching at least the path prefix with thePathPrefixkeyword, - Then, define a middleware of type , which removes the prefix
/admin, associated to the routeradmin.
Strip Path Prefix When Forwarding to Backend
v1
Docker
labels:- "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
Kubernetes Ingress
apiVersion: networking.k8s.io/v1beta1kind: Ingressmetadata:name: traefikannotations:kubernetes.io/ingress.class: traefiktraefik.ingress.kubernetes.io/rule-type: PathPrefixStripspec:rules:- host: example.orghttp:paths:- path: /adminbackend:serviceName: admin-svcservicePort: admin
File (TOML)
[frontends.admin][frontends.admin.routes.admin_1]rule = "Host:example.org;PathPrefixStrip:/admin"
v2
Docker
labels:- "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"- "traefik.http.routers.admin.middlewares=admin-stripprefix"- "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
Kubernetes IngressRoute
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: http-redirect-ingressroutenamespace: admin-webspec:entryPoints:- webroutes:- match: Host(`example.org`) && PathPrefix(`/admin`)kind: Ruleservices:- name: admin-svcport: adminmiddlewares:- name: admin-stripprefix---apiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: admin-stripprefixspec:stripPrefix:prefixes:- /admin
File (YAML)
## Dynamic Configuration# dynamic-conf.yml# As YAML Configuration Filehttp:routers:admin:service: admin-svcmiddlewares:- "admin-stripprefix"rule: "Host(`example.org`) && PathPrefix(`/admin`)"middlewares:admin-stripprefix:stripPrefix:prefixes:- "/admin"# ...
File (TOML)
## Dynamic configuration# dynamic-conf.toml[http.routers.router1]rule = "Host(`example.org`) && PathPrefix(`/admin`)"service = "admin-svc"entrypoints = ["web"]middlewares = ["admin-stripprefix"][http.middlewares][http.middlewares.admin-stripprefix.stripPrefix]prefixes = ["/admin"]# ...
What About Other Path Transformations?
Instead of removing the path prefix with the stripprefix middleware, you can also:
- Add a path prefix with the
- Replace the complete path of the request with the
replacepathmiddleware - ReplaceRewrite path using Regexp with the
- And a lot more on the
HTTP middlewarespage
is now a certificate resolver (under a certificatesResolvers section) but remains in the static configuration.
ACME from provider to a specific Certificate Resolver
v1
File (TOML)
# static configurationdefaultEntryPoints = ["websecure","web"][entryPoints.web]address = ":80"[entryPoints.web.redirect]entryPoint = "webs"[entryPoints.websecure]address = ":443"[entryPoints.websecure.tls][acme]email = "your-email-here@example.com"storage = "acme.json"entryPoint = "websecure"onHostRule = true[acme.tlsChallenge]
CLI
--defaultentrypoints=websecure,web--entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure--entryPoints=Name:websecure Address::443 TLS--acme.email=your-email-here@example.com--acme.storage=acme.json--acme.entryPoint=websecure--acme.onHostRule=true--acme.tlschallenge=true
v2
File (YAML)
entryPoints:web:address: ":80"websecure:address: ":443"http:tls:certResolver: myresolvercertificatesResolvers:myresolver:acme:storage: acme.jsontlsChallenge: {}
File (TOML)
# static configuration[entryPoints][entryPoints.web]address = ":80"[entryPoints.websecure]address = ":443"[entryPoints.websecure.http.tls]certResolver = "myresolver"[certificatesResolvers.myresolver.acme]email = "your-email@example.com"storage = "acme.json"[certificatesResolvers.myresolver.acme.tlsChallenge]
CLI
--entrypoints.web.address=:80--entrypoints.websecure.address=:443--certificatesresolvers.myresolver.acme.email=your-email@example.com--certificatesresolvers.myresolver.acme.storage=acme.json--certificatesresolvers.myresolver.acme.tlschallenge=true
Traefik Logs
In the v2, all the remains in the static part but are unified under a log section. There is no more log configuration at the root level.
Simple log configuration
v1
File (TOML)
# static configurationlogLevel = "DEBUG"[traefikLog]filePath = "/path/to/traefik.log"format = "json"
CLI
--logLevel=DEBUG--traefikLog.filePath=/path/to/traefik.log--traefikLog.format=json
v2
File (YAML)
# static configurationlog:level: DEBUGfilePath: /path/to/log-file.logformat: json
File (TOML)
# static configuration[log]level = "DEBUG"filePath = "/path/to/log-file.log"format = "json"
CLI
--log.level=DEBUG--log.filePath=/path/to/traefik.log--log.format=json
Access Logs
But all request headers are now filtered out by default in Traefik v2. So during migration, you might want to consider enabling some needed fields (see ).
Tracing
Traefik v2 retains OpenTracing support. The backend root option from the v1 is gone, you just have to set your .
Simple Jaeger tracing configuration
v1
File (TOML)
CLI
--tracing.backend=jaeger--tracing.servicename=tracing--tracing.jaeger.localagenthostport=12.0.0.1:6831--tracing.jaeger.samplingparam=1.0--tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling--tracing.jaeger.samplingtype=const
v2
File (YAML)
# static configurationtracing:servicename: tracingjaeger:samplingParam: 1samplingServerURL: 'http://12.0.0.1:5778/sampling'samplingType: constlocalAgentHostPort: '12.0.0.1:6831'
File (TOML)
# static configuration[tracing]servicename = "tracing"[tracing.jaeger]samplingParam = 1.0samplingServerURL = "http://12.0.0.1:5778/sampling"samplingType = "const"localAgentHostPort = "12.0.0.1:6831"
CLI
--tracing.servicename=tracing--tracing.jaeger.localagenthostport=12.0.0.1:6831--tracing.jaeger.samplingparam=1.0--tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling--tracing.jaeger.samplingtype=const
The v2 retains metrics tools and allows metrics to be configured for the entrypoints and/or services. For a basic configuration, the metrics configuration remains the same.
Simple Prometheus metrics configuration
v1
File (TOML)
# static configuration[metrics.prometheus]buckets = [0.1,0.3,1.2,5.0]entryPoint = "traefik"
CLI
--metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]--metrics.prometheus.entrypoint=traefik
v2
File (YAML)
# static configurationmetrics:prometheus:buckets:- 0.1- 0.3- 1.2- 5entryPoint: metrics
File (TOML)
# static configuration[metrics.prometheus]buckets = [0.1,0.3,1.2,5.0]entryPoint = "metrics"
CLI
--metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]--metrics.prometheus.entrypoint=metrics
No More Root Level Key/Values
To avoid any source of confusion, there are no more configuration at the root level. Each root item has been moved to a related section or removed.
From root to dedicated section
v1
File (TOML)
# static configurationcheckNewVersion = falsesendAnonymousUsage = truelogLevel = "DEBUG"insecureSkipVerify = truerootCAs = [ "/mycert.cert" ]maxIdleConnsPerHost = 200providersThrottleDuration = "2s"AllowMinWeightZero = truedebug = truedefaultEntryPoints = ["web", "websecure"]keepTrailingSlash = false
CLI
--checknewversion=false--sendanonymoususage=true--loglevel=DEBUG--insecureskipverify=true--rootcas=/mycert.cert--maxidleconnsperhost=200--providersthrottleduration=2s--allowminweightzero=true--debug=true--defaultentrypoints=web,websecure--keeptrailingslash=true
v2
File (YAML)
# static configurationglobal:checkNewVersion: truesendAnonymousUsage: truelog:level: DEBUGserversTransport:insecureSkipVerify: truerootCAs:- /mycert.certmaxIdleConnsPerHost: 42providers:providersThrottleDuration: 42
File (TOML)
# static configuration[global]checkNewVersion = truesendAnonymousUsage = true[log]level = "DEBUG"[serversTransport]insecureSkipVerify = truerootCAs = [ "/mycert.cert" ]maxIdleConnsPerHost = 42[providers]providersThrottleDuration = 42
CLI
--global.checknewversion=true--global.sendanonymoususage=true--log.level=DEBUG--serverstransport.insecureskipverify=true--serverstransport.rootcas=/mycert.cert--serverstransport.maxidleconnsperhost=42--providers.providersthrottleduration=42
Dashboard
You need to activate the API to access the .
To activate the dashboard, you can either:
- use the secure mode with the
api@internalservice like in the following examples - or use the
Activate and access the dashboard
v1
File (TOML)
## static configuration# traefik.toml[entryPoints.websecure]address = ":443"[entryPoints.websecure.tls][entryPoints.websecure.auth][entryPoints.websecure.auth.basic]users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"][api]entryPoint = "websecure"
CLI
--entryPoints='Name:websecure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'--api
v2
Docker
# dynamic configurationlabels:- "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"- "traefik.http.routers.api.entrypoints=websecure"- "traefik.http.routers.api.service=api@internal"- "traefik.http.routers.api.middlewares=myAuth"- "traefik.http.routers.api.tls"- "traefik.http.middlewares.myAuth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
File (YAML)
## static configuration# traefik.ymlentryPoints:websecure:address: ':443'api: {}providers:file:directory: /path/to/dynamic/config##---------------------#### dynamic configuration# /path/to/dynamic/config/dynamic-conf.ymlhttp:routers:api:rule: Host(`traefik.docker.localhost`)entrypoints:- websecureservice: api@internalmiddlewares:- myAuthtls: {}middlewares:myAuth:basicAuth:users:- 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
File (TOML)
## static configuration# traefik.toml[entryPoints.websecure]address = ":443"[api][providers.file]directory = "/path/to/dynamic/config"##---------------------#### dynamic configuration# /path/to/dynamic/config/dynamic-conf.toml[http.routers.api]rule = "Host(`traefik.docker.localhost`)"entrypoints = ["websecure"]service = "api@internal"middlewares = ["myAuth"][http.routers.api.tls][http.middlewares.myAuth.basicAuth]users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
Providers
- Azure Service Fabric
- Consul
- Consul Catalog
- Docker
- DynamoDB
- ECS
- Etcd
- Eureka
- File
- Kubernetes Ingress
- Kubernetes IngressRoute
- Marathon
- Mesos
- Rancher
- Redis
- Rest
- Zookeeper
- Different sources of static configuration (file, CLI flags, …) cannot be .
- Now, configuration elements can be referenced between different providers by using the provider namespace notation:
@<provider>. For instance, a router namedmyrouterin a File Provider can refer to a service namedmyservicedefined in Docker Provider with the following notation:myservice@docker. - If you have any questions feel free to join our community forum.
