Traefik v3 File Provider

Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.

Each request must eventually be handled by a service, which is why each router definition should include a service target, which is basically where the request will be passed along to. HTTP routers can only target HTTP services (not TCP services).

If not specified, HTTP routers will accept requests from all defined entry points. If you want to limit the router scope to a set of entry points, set the entryPoints option.

In Traefik v3 a new rule syntax has been introduced (migration guide). ruleSyntax option allows to configure the rule syntax to be used for parsing the rule on a per-router basis. This allows to have heterogeneous router configurations and ease migration.

To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of 0 for the priority is ignored: priority = 0 means that the default rules length sorting is used.

You can attach a list of middlewares to each HTTP router. The middlewares will take effect only if the rule matches, and before forwarding the request to the service. Middlewares are applied in the same order as their declaration in router.

When a TLS section is specified, it instructs Traefik that the current router is dedicated to HTTPS requests only (and that the router should ignore HTTP (non TLS) requests). Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services). If you need to define the same route for both HTTP and HTTPS requests, you will need to define two different routers: one with the tls section, one without.

Servers declare a single instance of your program.

When sticky sessions are enabled, a cookie is set on the initial request and response to let the client know which server handles the first response. On subsequent requests, to keep the session alive with the same server, the client should resend the same cookie.

Configure health check to remove unhealthy servers from the load balancing rotation. Traefik will consider your servers healthy as long as they return status codes between 2XX and 3XX to the health check requests (carried out every interval). Traefik keeps monitoring the health of unhealthy servers. If a server has recovered (returning 2xx -> 3xx responses again), it will be added back to the load balancer rotation pool.

The passHostHeader allows to forward client Host header to server. By default, passHostHeader is true.

Defines how Traefik forwards the response from the backend server to the client.

When sticky sessions are enabled, a cookie is set on the initial request and response to let the client know which server handles the first response. On subsequent requests, to keep the session alive with the same server, the client should resend the same cookie.

maxBodySize is the maximum size allowed for the body of the request. If the body is larger, the request is not mirrored. Default value is -1, which means unlimited size.

prefix is the string to add before the current path in the requested URL. It should include the leading slash (/).

The users option is an array of authorized users. Each user will be declared using the name:hashed-password format.

The usersFile option is the path to an external file that contains the authorized users for the middleware.

The file content is a list of name:hashed-password.

You can customize the realm for the authentication with the realm option. The default value is traefik.

You can define a header field to store the authenticated user using the headerField option.

Set the removeHeader option to true to remove the authorization header before forwarding the request to your service. (Default value is false.)

With the maxRequestBodyBytes option, you can configure the maximum allowed body size for the request (in Bytes).

If the request exceeds the allowed size, it is not forwarded to the service and the client gets a 413 (Request Entity Too Large) response.

You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the memRequestBodyBytes option.

With the maxResponseBodyBytes option, you can configure the maximum allowed response size from the service (in Bytes).

If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 413 (Request Entity Too Large) response instead.

You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the memResponseBodyBytes option.

You can have the Buffering middleware replay the request with the help of the retryExpression option.

You can specify an expression that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).

The interval between successive checks of the circuit breaker condition (when in standby state)

The duration for which the circuit breaker will wait before trying to recover (from a tripped state).

The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).

The status code that the circuit breaker will return while it is in the open state.

excludedContentTypes specifies a list of content types to compare the Content-Type header of the incoming requests to before compressing.

The requests with content types defined in excludedContentTypes are not compressed.

Content types are compared in a case-insensitive, whitespace-ignored manner.

specifies the minimum amount of bytes a response body must have to be compressed.

defaultEncoding specifies the default encoding if the Accept-Encoding header is not in the request or contains a wildcard (*).

includedContentTypes specifies a list of content types to compare the Content-Type header of the responses before compressing.

The responses with content types defined in includedContentTypes are compressed.

Content types are compared in a case-insensitive, whitespace-ignored manner.

encodings specifies the list of supported compression encodings. At least one encoding value must be specified, and valid entries are zstd (Zstandard), br (Brotli), and gzip (Gzip). The order of the list also sets the priority, the top entry has the highest priority.

autoDetect specifies whether to let the Content-Type header, if it has not been set by the backend, be automatically set to a value derived from the contents of the response.

The users option is an array of authorized users. Each user will be declared using the name:realm:encoded-password format.

The usersFile option is the path to an external file that contains the authorized users for the middleware.

The file content is a list of name:realm:encoded-password.

You can customize the realm for the authentication with the realm option. The default value is traefik.

You can customize the header field for the authenticated user using the headerField option.

Set the removeHeader option to true to remove the authorization header before forwarding the request to your service. (Default value is false.)

The status that will trigger the error page.

The status code ranges are inclusive (500-599 will trigger with every code between 500 and 599, 500 and 599 included). You can define either a status code like 500 or ranges with a syntax like 500-599.

The service that will serve the new requested error page.

The URL for the error page (hosted by service). You can use {status} in the query, that will be replaced by the received status code.

The address option defines the authentication server address.

The tls option is the TLS configuration from Traefik to the authentication server.

Set the trustForwardHeader option to true to trust all the existing X-Forwarded-* headers.

The authResponseHeaders option is the list of the headers to copy from the authentication server to the request.

The authResponseHeadersRegex option is the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.

The authRequestHeaders option is the list of the headers to copy from the request to the authentication server.

The addAuthCookiesToResponse option is the list of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.

Sets the forwardBody option to true to send the Body. As body is read inside Traefik before forwarding, this breaks streaming.

Sets the maxBodySize to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized).

Sets the maxResponseBodySize to limit the response body size from the authentication server in bytes.

Defines a header field to store the authenticated user.

Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.

Defines whether to preserve the original request method while forwarding the request to the authentication server.

The allowOrigins contains the list of allowed origins. A wildcard origin * can also be configured to match all requests.

The customRequestHeaders option lists the Header names and values to apply to the request.

The customResponseHeaders option lists the Header names and values to apply to the response.

The accessControlAllowCredentials indicates whether the request can include user credentials.

The accessControlAllowHeaders indicates which header field names can be used as part of the request.

The accessControlAllowMethods indicates which methods can be used during requests.

The accessControlAllowOriginList indicates whether a resource can be shared by returning different values.

A wildcard origin * can also be configured, and will match all requests. If this value is set by a backend server, it will be overwritten by Traefik

This value can contain a list of allowed origins.

The accessControlAllowOriginListRegex option is the counterpart of the accessControlAllowOriginList option with regular expressions instead of origin values.

The accessControlExposeHeaders indicates which headers are safe to expose to the api of a CORS API specification.

The accessControlMaxAge indicates how long (in seconds) a preflight request can be cached.

The addVaryHeader is used in conjunction with accessControlAllowOriginList to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.

The allowedHosts option lists fully qualified domain names that are allowed.

The hostsProxyHeaders option is a set of header keys that may hold a proxied hostname value for the request.

The sslRedirect is set to true, then only allow https requests.

Set the sslTemporaryRedirect to true to force an SSL redirection using a 302 (instead of a 301).

The sslHost option is the host name that is used to redirect http requests to https.

The sslProxyHeaders option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: "X-Forwarded-Proto": "https".

Set sslForceHost to true and set SSLHost to forced requests to use SSLHost even the ones that are already using SSL.

The stsSeconds is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.

The stsIncludeSubdomains is set to true, the includeSubDomains directive will be appended to the Strict-Transport-Security header.

Set stsPreload to true to have the preload flag appended to the Strict-Transport-Security header.

Set forceSTSHeader to true, to add the STS header even when the connection is HTTP.

Set frameDeny to true to add the X-Frame-Options header with the value of DENY.

The customFrameOptionsValue allows the X-Frame-Options header value to be set with a custom value. This overrides the FrameDeny option.

Set contentTypeNosniff to true to add the X-Content-Type-Options header with the value nosniff.

Set browserXssFilter to true to add the X-XSS-Protection header with the value 1; mode=block.

The customBrowserXssValue option allows the X-XSS-Protection header value to be set with a custom value. This overrides the BrowserXssFilter option.

The contentSecurityPolicy option allows the Content-Security-Policy header value to be set with a custom value.

The contentSecurityPolicyReportOnly option allows the Content-Security-Policy-Report-Only header value to be set with a custom value.

The publicKey implements HPKP to prevent MITM attacks with forged certificates.

The referrerPolicy allows sites to control when browsers will pass the Referer header to other sites.

The featurePolicy allows sites to control browser features.

The permissionsPolicy allows sites to control browser features.

Set isDevelopment to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain. If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.

The depth option tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right). If depth is greater than the total number of IPs in X-Forwarded-For, then the client IP will be empty. depth is ignored if its value is lesser than or equal to 0.

excludedIPs tells Traefik to scan the X-Forwarded-For header and pick the first IP not in the list. If depth is specified, excludedIPs is ignored.

The sourceRange option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

The ipStrategy option defines parameters that set how Traefik will determine the client IP.

The sourceRange option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

RejectStatusCode defines the HTTP status code used for refused requests. If not set, the default is 403 (Forbidden).

The ipStrategy option defines parameters that set how Traefik will determine the client IP.

The ipStrategy option defines parameters that set how Traefik will determine the client IP.

Requests having the same value for the given header are grouped as coming from the same source.

Whether to consider the request host as the source.

The amount option defines the maximum amount of allowed simultaneous in-flight request. The middleware will return an HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).

SourceCriterion defines what criterion is used to group requests as originating from a common source. The precedence order is ipStrategy, then requestHeaderName, then requestHost. If none are set, the default is to use the requestHost.

The pem option sets the X-Forwarded-Tls-Client-Cert header with the escape certificate.

The info option select the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header. The value of the header will be an escaped concatenation of all the selected certificate details.

average is the maximum rate, by default in requests by second, allowed for the given source.

It defaults to 0, which means no rate limiting.

The rate is actually defined by dividing average by period. So for a rate below 1 req/s, one needs to define a period larger than a second.

period, in combination with average, defines the actual maximum rate.

It defaults to 1 second.

burst is the maximum number of requests allowed to go through in the same arbitrarily small period of time.

It defaults to 1.

SourceCriterion defines what criterion is used to group requests as originating from a common source. The precedence order is ipStrategy, then requestHeaderName, then requestHost. If none are set, the default is to use the requestHost.

Set the permanent option to true to apply a permanent redirection.

The regex option is the regular expression to match and capture elements from the request URL.

The replacement option defines how to modify the URL to have the new target URL. Care should be taken when defining replacement expand variables: $1x is equivalent to ${1x}, not ${1}x (see Regexp.Expand), so use ${1} syntax.

Set the permanent option to true to apply a permanent redirection.

The scheme option defines the scheme of the new url.

The port option defines the port of the new url. Port in this configuration is a string, not a numeric value.

The path option defines the path to use as replacement in the request url.

The regex option is the regular expression to match and capture the path from the request URL.

The replacement option defines how to modify the path to have the new target path. Care should be taken when defining replacement expand variables: $1x is equivalent to ${1x}, not ${1}x (see Regexp.Expand), so use ${1} syntax.

The attempts option defines how many times the request should be retried.

The initialInterval option defines the first wait time in the exponential backoff series.

The prefixes option defines the prefixes to strip from the request URL

The forceSlash option makes sure that the resulting stripped path is not the empty string, by replacing it with / when necessary.

This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.

It's recommended to explicitly set forceSlash to false.

The regex option is the regular expression to match the path prefix from the request URL.

It is important to note that the Server Name Indication is an extension of the TLS protocol. Hence, only TLS routers will be able to specify a domain name with that rule. However, non-TLS routers will have to explicitly use that rule with * (every domain) to state that every non-TLS request will be handled by the router.

You must attach a TCP service per TCP router. Services are the target for the router. TCP routers can only target TCP services (not HTTP services).

If not specified, TCP routers will accept requests from all defined entry points. If you want to limit the router scope to a set of entry points, set the entry points option.

In Traefik v3 a new rule syntax has been introduced (migration guide). ruleSyntax option allows to configure the rule syntax to be used for parsing the rule on a per-router basis. This allows to have heterogeneous router configurations and ease migration.

To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of 0 for the priority is ignored: priority = 0 means that the default rules length sorting is used.

When a TLS section is specified, it instructs Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-TLS requests).

By default, a router with a TLS section will terminate the TLS connections, meaning that it will send decrypted data to the services.

Servers declare a single instance of your program.

As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet). The proxy needs to propagate that intent to the other side, and so when that happens, it also does the same on its connection with the other side (e.g. backend side).

However, if for some reason (bad implementation, or malicious intent) the other side does not eventually do the same as well, the connection would stay half-open, which would lock resources for however long.

To that end, as soon as the proxy enters this termination sequence, it sets a deadline on fully terminating the connections on both sides.

The termination delay controls that deadline. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the connection is never fully terminated by the proxy itself).

There must be one (and only one) UDP service referenced per UDP router. Services are the target for the router.

If not specified, UDP routers will accept packets from all defined (UDP) entry points. If one wants to limit the router scope to a set of entry points, one should set the entry points option.

The servers field defines all the servers that are part of this load-balancing group, i.e. each address (IP:Port) on which an instance of the service's program is deployed.