我的书签
添加书签
移除书签Overview
Let’s zoom in on Traefik’s architecture and talk about the components that enable the routes to be created.
First, when you start Traefik, you define entrypoints (in their most basic forms, they are port numbers). Then, connected to these entrypoints, analyze the incoming requests to see if they match a set of rules. If they do, the router might transform the request using pieces of before forwarding them to your services.
- Providers discover the services that live on your infrastructure (their IP, health, …)
- listen for incoming traffic (ports, …)
- Routers analyse the requests (host, path, headers, SSL, …)
- forward the request to your services (load balancing, …)
- Middlewares may update the request or make decisions based on the request (authentication, rate limiting, headers, …)
Below is an example of a full configuration file for the file provider that forwards http://example.com/whoami/ requests to a service reachable on http://private/whoami-service/. In the process, Traefik will make sure that the user is authenticated (using the ).
Static configuration:
File (YAML)
File (TOML)
[entryPoints][entryPoints.web]# Listen on port 8081 for incoming requestsaddress = ":8081"[providers]# Enable the file provider to define routers / middlewares / services in file[providers.file]directory = "/path/to/dynamic/conf"
CLI
# Listen on port 8081 for incoming requests--entryPoints.web.address=:8081# Enable the file provider to define routers / middlewares / services in file--providers.file.directory=/path/to/dynamic/conf
Dynamic configuration:
YAML
# http routing sectionhttp:routers:# Define a connection between requests and servicesto-whoami:rule: "Host(`example.com`) && PathPrefix(`/whoami/`)"# If the rule matches, applies the middlewaremiddlewares:- test-user# If the rule matches, forward to the whoami service (declared below)service: whoamimiddlewares:# Define an authentication mechanismtest-user:basicAuth:users:- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/services:# Define how to reach an existing service on our infrastructurewhoami:loadBalancer:servers:- url: http://private/whoami-service
TOML
# http routing section[http][http.routers]# Define a connection between requests and services[http.routers.to-whoami]rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"# If the rule matches, applies the middlewaremiddlewares = ["test-user"]service = "whoami"[http.middlewares]# Define an authentication mechanism[http.middlewares.test-user.basicAuth]users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]# Define how to reach an existing service on our infrastructure[http.services.whoami.loadBalancer][[http.services.whoami.loadBalancer.servers]]url = "http://private/whoami-service"
In this example, we use the file provider. Even if it is one of the least magical way of configuring Traefik, it explicitly describes every available notion.
HTTP / TCP
In this example, we’ve defined routing rules for http requests only. Traefik also supports TCP requests. To add and TCP services, declare them in a TCP section like in the following.
Adding a TCP route for TLS requests on whoami-tcp.example.com
Static Configuration
File (YAML)
entryPoints:web:# Listen on port 8081 for incoming requestsaddress: :8081providers:# Enable the file provider to define routers / middlewares / services in filefile:directory: /path/to/dynamic/conf
File (TOML)
[entryPoints][entryPoints.web]# Listen on port 8081 for incoming requestsaddress = ":8081"[providers]# Enable the file provider to define routers / middlewares / services in file[providers.file]directory = "/path/to/dynamic/conf"
# Listen on port 8081 for incoming requests--entryPoints.web.address=:8081# Enable the file provider to define routers / middlewares / services in file--providers.file.directory=/path/to/dynamic/conf
Dynamic Configuration
YAML
# http routing sectionhttp:routers:# Define a connection between requests and servicesto-whoami:rule: Host(`example.com`) && PathPrefix(`/whoami/`)# If the rule matches, applies the middlewaremiddlewares:- test-user# If the rule matches, forward to the whoami service (declared below)service: whoamimiddlewares:# Define an authentication mechanismtest-user:basicAuth:users:- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/services:# Define how to reach an existing service on our infrastructurewhoami:loadBalancer:servers:- url: http://private/whoami-servicetcp:to-whoami-tcp:service: whoami-tcprule: HostSNI(`whoami-tcp.example.com`)tls: {}services:whoami-tcp:loadBalancer:- address: xx.xx.xx.xx:xx
TOML
Most of what happens to the connection between the clients and Traefik, and then between Traefik and the backend servers, is configured through the entrypoints and the .
In addition, a few parameters are dedicated to configuring globally what happens with the connections between Traefik and the backends. This is done through the serversTransport section of the configuration, which features these options:
Optional, Default=false
insecureSkipVerify disables SSL certificate verification.
File (YAML)
## Static configurationserversTransport:insecureSkipVerify: true
File (TOML)
## Static configuration[serversTransport]insecureSkipVerify = true
CLI
## Static configuration--serversTransport.insecureSkipVerify=true
Optional
rootCAs is the list of certificates (as file paths, or data bytes) that will be set as Root Certificate Authorities when using a self-signed TLS certificate.
File (YAML)
## Static configurationserversTransport:rootCAs:- foo.crt- bar.crt
File (TOML)
## Static configuration[serversTransport]rootCAs = ["foo.crt", "bar.crt"]
CLI
## Static configuration--serversTransport.rootCAs=foo.crt,bar.crt
Optional, Default=2
If non-zero, maxIdleConnsPerHost controls the maximum idle (keep-alive) connections to keep per-host.
File (YAML)
## Static configurationserversTransport:maxIdleConnsPerHost: 7
## Static configuration[serversTransport]maxIdleConnsPerHost = 7
CLI
forwardingTimeouts is about a number of timeouts relevant to when forwarding requests to the backend servers.
forwardingTimeouts.dialTimeout
Optional, Default=30s
dialTimeout is the maximum duration allowed for a connection to a backend server to be established. Zero means no timeout.
File (YAML)
## Static configurationserversTransport:forwardingTimeouts:dialTimeout: 1s
File (TOML)
## Static configuration[serversTransport.forwardingTimeouts]dialTimeout = "1s"
CLI
## Static configuration--serversTransport.forwardingTimeouts.dialTimeout=1s
forwardingTimeouts.responseHeaderTimeout
Optional, Default=0s
responseHeaderTimeout, if non-zero, specifies the amount of time to wait for a server’s response headers after fully writing the request (including its body, if any). This time does not include the time to read the response body. Zero means no timeout.
File (YAML)
## Static configurationserversTransport:forwardingTimeouts:responseHeaderTimeout: 1s
File (TOML)
## Static configuration[serversTransport.forwardingTimeouts]responseHeaderTimeout = "1s"
CLI
## Static configuration--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
forwardingTimeouts.idleConnTimeout
Optional, Default=90s
idleConnTimeout, is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. Zero means no limit.
File (YAML)
## Static configurationserversTransport:forwardingTimeouts:idleConnTimeout: 1s
File (TOML)
## Static configurationidleConnTimeout = "1s"
CLI
Using Traefik for Business Applications?
Traefik Enterprise enables centralized access management, distributed Let’s Encrypt, and other advanced capabilities. Learn more in this 15-minute technical walkthrough.
