Traefik Hub

    This agent can:

    • get the Traefik metrics to display them in the Traefik Hub UI
    • secure the Traefik routers
    • provide ACME certificates to Traefik
    • transfer requests from the SaaS Platform to Traefik (so that users do not have to expose their infrastructure directly on the internet)

    Traefik Hub Entrypoints

    When the Traefik Hub feature is enabled, Traefik exposes some services meant for the Traefik Hub Agent on dedicated entrypoints (on ports 9900 and 9901 by default). Given their sensitive nature, those services should not be publicly exposed. Also those dedicated entrypoints, regardless of how they are created (default, or user-defined), should not be used by anything other than the Hub Agent.

    Learn More About Traefik Hub

    This section is intended only as a brief overview for Traefik users who are not familiar with Traefik Hub. To explore all that Traefik Hub has to offer, please consult the .

    Prerequisites

    • Traefik Hub is compatible with Traefik Proxy 2.7 or later.
    • The Traefik Hub Agent must be installed to connect to the Traefik Hub platform.
    • Activate this feature in the experimental section of the static configuration.

    Minimal Static Configuration to Activate Traefik Hub for Docker

    File (YAML)

    File (TOML)

        [experimental]
        hub = true
        [hub]
        [hub.tls]
        insecure = true
        [metrics]
        [metrics.prometheus]
        addRoutersLabels = true

    CLI

        --experimental.hub
        --hub.tls.insecure
        --metrics.prometheus.addrouterslabels

    Minimal Static Configuration to Activate Traefik Hub for Kubernetes

    File (YAML)

        experimental:
          hub: true
        hub: {}
        metrics:
          prometheus:
            addRoutersLabels: true

    File (TOML)

        [experimental]
        hub = true
        [hub]
        [metrics]
        [metrics.prometheus]
        addRoutersLabels = true

    CLI

        --experimental.hub
        --hub
        --metrics.prometheus.addrouterslabels

    Configuration

    traefikhub-api

    This entrypoint is used to communicate between the Hub agent and Traefik. It allows the Hub agent to create routing.

    This dedicated Traefik Hub entryPoint should not be used by anything other than Traefik Hub.

    The default port is 9900. To change the port, you have to define an entrypoint named traefikhub-api.

    File (YAML)

        traefikhub-api: ":8000"

    File (TOML)

        [entryPoints.traefikhub-api]
        address = ":8000"

    CLI

        --entrypoints.traefikhub-api.address=:8000

    traefikhub-tunl

    This entrypoint is used to communicate between Traefik Hub and Traefik. It allows the creation of secured tunnels.

    This dedicated Traefik Hub entryPoint should not be used by anything other than Traefik Hub.

    The default port is 9901. To change the port, you have to define an entrypoint named traefikhub-tunl.

    File (YAML)

    File (TOML)

        [entryPoints.traefikhub-tunl]
        address = ":8000"

    CLI

        --entrypoints.traefikhub-tunl.address=:8000

    tls

    Optional, Default=None

    This section is required when using the Hub agent for Docker.

    This section allows configuring a mutual TLS connection between Traefik Proxy and the Traefik Hub Agent. The key and the certificate are the credentials for Traefik Proxy as a TLS client. The certificate authority authenticates the Traefik Hub Agent certificate.

    Certificate Domain

    The certificate must be valid for the proxy.traefik domain.

    Certificates Definition

    Certificates can be defined either by their content or their path.

    Insecure Mode

    The insecure option is mutually exclusive with any other option.

    File (YAML)

        hub:
          tls:
            ca: /path/to/ca.pem
            cert: /path/to/cert.pem
            key: /path/to/key.pem

    File (TOML)

        [hub.tls]
        ca = "/path/to/ca.pem"
        cert = "/path/to/cert.pem"
        key = "/path/to/key.pem"

    CLI

        --hub.tls.ca=/path/to/ca.pem
        --hub.tls.cert=/path/to/cert.pem
        --hub.tls.key=/path/to/key.pem
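
    As an added example (not code from the Traefik project), the Go program below builds a throwaway CA in memory, issues two client certificates, and checks each one the way a verifying peer would: it must chain to a trusted CA, allow TLS client authentication, and be valid for proxy.traefik. It assumes "valid for" means a DNS subject alternative name; must, issue and CheckProxyCert are names made up for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable here because every input is generated in memory.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds constructed sample material: a one-day client cert for name, or a self-signed CA if parent is nil.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		t.DNSNames, t.ExtKeyUsage, parent, parentKey = nil, nil, t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// CheckProxyCert verifies cert as a client certificate issued by ca with DNS SAN proxy.traefik (assumed meaning of "valid for").
func CheckProxyCert(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "proxy.traefik",
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue("hub-demo-ca", nil, nil)
	good, _ := issue("proxy.traefik", ca, caKey)
	bad, _ := issue("example.com", ca, caKey)
	fmt.Println("proxy.traefik:", CheckProxyCert(good, ca), "| example.com:", CheckProxyCert(bad, ca))
}
```

    The second certificate is rejected with a hostname error even though the same CA signed it, which is the failure to expect when a certificate issued for another name is reused for this link.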

    tls.ca

    The certificate authority authenticates the Traefik Hub Agent certificate.

    File (YAML)

        hub:
          tls:
            ca: |-
              -----BEGIN CERTIFICATE-----
              MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
              DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
              WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
              ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
              x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
              CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
              CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
              aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
              -----END CERTIFICATE-----

    File (TOML)

        [hub.tls]
        ca = """-----BEGIN CERTIFICATE-----
        MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
        DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
        WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
        ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
        x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
        CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
        CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
        aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
        -----END CERTIFICATE-----"""

    CLI

        --hub.tls.ca=-----BEGIN CERTIFICATE-----
        MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
        DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
        WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
        ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
        x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
        CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
        CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
        aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
        -----END CERTIFICATE-----

    tls.cert

    The TLS certificate for Traefik Proxy as a TLS client.

    Certificate Domain

    The certificate must be valid for the proxy.traefik domain.

    File (YAML)

    File (TOML)

        [hub.tls]
        cert = """-----BEGIN CERTIFICATE-----
        MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
        DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
        WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
        ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
        x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
        CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
        CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
        aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
        -----END CERTIFICATE-----"""

    CLI

        --hub.tls.cert=-----BEGIN CERTIFICATE-----
        MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
        DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
        WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
        ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
        x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
        CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
        CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
        aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
        -----END CERTIFICATE-----

    tls.key

    The TLS key for Traefik Proxy as a TLS client.

    File (YAML)

        hub:
          tls:
            key: |-
              -----BEGIN PRIVATE KEY-----
              MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgm+XJ3LVrTbbirJea
              O+Crj2ADVsVHjMuiyd72VE3lgxihRANCAARlopg+PYbweeaO7qNse3684PAqo0NV
              AwfmfGG0CBJRlLrWYtbBm+9SEhgs0/AfPxrHwLv5y6KEQLpPO+fwN4Z4
              -----END PRIVATE KEY-----

    File (TOML)

        [hub.tls]
        key = """-----BEGIN PRIVATE KEY-----
        MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgm+XJ3LVrTbbirJea
        O+Crj2ADVsVHjMuiyd72VE3lgxihRANCAARlopg+PYbweeaO7qNse3684PAqo0NV
        AwfmfGG0CBJRlLrWYtbBm+9SEhgs0/AfPxrHwLv5y6KEQLpPO+fwN4Z4
        -----END PRIVATE KEY-----"""

    CLI

        --hub.tls.key=-----BEGIN PRIVATE KEY-----
        MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgm+XJ3LVrTbbirJea
        O+Crj2ADVsVHjMuiyd72VE3lgxihRANCAARlopg+PYbweeaO7qNse3684PAqo0NV
        AwfmfGG0CBJRlLrWYtbBm+9SEhgs0/AfPxrHwLv5y6KEQLpPO+fwN4Z4
        -----END PRIVATE KEY-----

    tls.insecure

    Optional, Default=false

    Enables an insecure TLS connection that uses default credentials, and which has no peer authentication between Traefik Proxy and the Traefik Hub Agent. The insecure option is mutually exclusive with any other option.

    Security Consideration

    Do not use this setup in production. This option implies sensitive data can be exposed to potentially malicious third-party programs.

    File (YAML)

        hub:
          tls:
            insecure: true

    File (TOML)

        [hub.tls]
        insecure = true

    CLI

        --hub.tls.insecure=true