primal/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik synced 2026-02-03 05:20:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge current v3.6 into master

Browse Source
This commit is contained in:
mmatur
2026-01-16 11:26:25 +01:00
parent 77af7e4dea 3315a9fbec
commit 08b1336af0
423 changed files with 10392 additions and 5265 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/validate.yaml
+1 -1
View File
@@ -7,7 +7,7 @@ on:
env:
GO_VERSION: '1.24'
GOLANGCI_LINT_VERSION: v2.0.2
GOLANGCI_LINT_VERSION: v2.8.0
MISSPELL_VERSION: v0.7.0
jobs:
.golangci.yml
+20 -2
View File
@@ -36,6 +36,7 @@ linters:
- nilnil # Not relevant
- nlreturn # Not relevant
- noctx # Too strict
- noinlineerr # Too strict
- nonamedreturns # Too strict
- paralleltest # Not relevant
- prealloc # Too many false-positive.
@@ -47,6 +48,7 @@ linters:
- varnamelen # Not relevant
- wrapcheck # Too strict
- wsl # Too strict
- wsl_v5 # Too strict
settings:
depguard:
@@ -295,15 +297,31 @@ linters:
source: 'errors.New\("Nomad provider'
text: 'ST1005: error strings should not be capitalized'
- path: (.+)\.go
text: 'struct-tag: unknown option ''inline'' in JSON tag'
text: 'omitzero: Omitempty has no effect on nested struct field'
linters:
- modernize
- path: (.+)\.go
text: 'struct-tag: unknown option "inline" in json tag'
linters:
- revive
- path: (.+)\.go
text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
text: 'struct-tag: unknown option "omitzero" in toml tag'
linters:
- revive
- path: (pkg/types/.+|pkg/api/.+|pkg/observability/types/.+)\.go
text: 'var-naming: avoid meaningless package names'
linters:
- revive
- path: (pkg/muxer/http/.+|pkg/provider/http/.+)\.go
text: 'var-naming: avoid package names that conflict with Go standard library package names'
linters:
- revive
- path: (.+)\.go$
text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
- path: (.+)\.go$
text: 'SA1019: dynamic.(TCPIPWhiteList|IPWhiteList) is deprecated: please use IPAllowList instead.'
- path: (.+)\.go$
text: 'SA1019: middlewareTCP.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
- path: (.+)\.go$
text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
- path: (.+)\.go$
CHANGELOG.md
+37
View File
@@ -1,3 +1,40 @@
## [v3.6.7](https://github.com/traefik/traefik/tree/v3.6.7) (2026-01-14)
[All Commits](https://github.com/traefik/traefik/compare/v3.6.6...v3.6.7)
**Bug fixes:**
- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) by [ldez](https://github.com/ldez))
- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) by [ldez](https://github.com/ldez))
- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) by [schildbach](https://github.com/schildbach))
- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) by [LBF38](https://github.com/LBF38))
- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) by [rtribotte](https://github.com/rtribotte))
- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) by [gndz07](https://github.com/gndz07))
- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) by [LBF38](https://github.com/LBF38))
- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) by [LBF38](https://github.com/LBF38))
- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
**Documentation:**
- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) by [DBouraoui](https://github.com/DBouraoui))
- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) by [nmengin](https://github.com/nmengin))
- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) by [mmatur](https://github.com/mmatur))
- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) by [AnuragEkkati](https://github.com/AnuragEkkati))
- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) by [EdwardSalkeld](https://github.com/EdwardSalkeld))
- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) by [gndz07](https://github.com/gndz07))
- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) by [schaerfo](https://github.com/schaerfo))
- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) by [sheddy-traefik](https://github.com/sheddy-traefik))
**Misc:**
- Merge branch v2.11 into v3.6 ([#12552](https://github.com/traefik/traefik/pull/12552) by [rtribotte](https://github.com/rtribotte))
- Merge branch v2.11 into v3.6 ([#12533](https://github.com/traefik/traefik/pull/12533) by [mmatur](https://github.com/mmatur))
- Merge branch v2.11 into v3.6 ([#12497](https://github.com/traefik/traefik/pull/12497) by [mmatur](https://github.com/mmatur))
## [v2.11.35](https://github.com/traefik/traefik/tree/v2.11.35) (2026-01-14)
[All Commits](https://github.com/traefik/traefik/compare/v2.11.34...v2.11.35)
**Bug fixes:**
- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
## [v3.6.6](https://github.com/traefik/traefik/tree/v3.6.6) (2025-12-29)
[All Commits](https://github.com/traefik/traefik/compare/v3.6.5...v3.6.6)
cmd/configuration.go
+1
View File
@@ -10,6 +10,7 @@ import (
// TraefikCmdConfiguration wraps the static configuration and extra parameters.
type TraefikCmdConfiguration struct {
static.Configuration `export:"true"`
// ConfigFile is the path to the configuration file.
ConfigFile string `description:"Configuration file to use. If specified all other flags are ignored." export:"true"`
}
cmd/internal/gen/main.go
+1 -1
View File
@@ -83,7 +83,7 @@ func run(dest string) error {
return err
}
return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
return os.WriteFile(filepath.Join(dest, "marshaler.go"), fmt.Appendf(nil, marsh, destPkg), 0o666)
}
func cleanType(typ types.Type, base string) string {
cmd/traefik/traefik.go
+4 -4
View File
@@ -97,10 +97,10 @@ func runCmd(staticConfiguration *static.Configuration) error {
return fmt.Errorf("setting up logger: %w", err)
}
// Display warning to advertise for new behavior of rejecting encoded characters in the request path.
// Deprecated: this has to be removed in the next minor/major version.
log.Warn().Msg("Starting with v3.6.4, Traefik now rejects some encoded characters in the request path by default. " +
"Refer to the documentation for more details: https://doc.traefik.io/traefik/migrate/v3/#encoded-characters-in-request-path")
log.Warn().Msg("Traefik can reject some encoded characters in the request path." +
"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
"it is recommended to set these options to `false` to avoid split-view situation." +
"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.6/migrate/v3/#encoded-characters-configuration-default-values")
http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
docs/content/assets/js/extra.js
+11 -1
View File
@@ -1,4 +1,14 @@
/* Highlight */
(function(hljs) {
hljs.initHighlightingOnLoad();
})(hljs);
})(hljs);
/* Scarf Analytics - cookieless, anonymous company-level intelligence */
(function() {
var img = document.createElement('img');
img.src = 'https://static.scarf.sh/a.png?x-pxid=1a49232a-b165-4015-8ed2-a1092f1f0d83';
img.referrerPolicy = 'no-referrer-when-downgrade';
img.loading = 'eager';
img.style.cssText = 'visibility:hidden;position:absolute;width:1px;height:1px;';
document.body.appendChild(img);
})();
docs/content/getting-started/concepts.md
+1 -1
View File
@@ -57,4 +57,4 @@ You no longer need to create and synchronize configuration files cluttered with
Traefik is able to use your cluster API to discover the services and read the attached information.
In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/getting-started/configuration-overview.md
+1 -1
View File
@@ -92,4 +92,4 @@ All the configuration options are documented in their related section.
You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/getting-started/docker.md
+1 -1
View File
@@ -159,4 +159,4 @@ That's it! You've successfully deployed Traefik and configured routing in Docker
- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
- [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/getting-started/faq.md
+1 -1
View File
@@ -252,4 +252,4 @@ In which case, you should make sure your infrastructure is properly set up for a
LEGO_DISABLE_CNAME_SUPPORT=true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/getting-started/install-traefik.md
+1 -1
View File
@@ -144,4 +144,4 @@ And run it:
All the details are available in the [Contributing Guide](../contributing/building-testing.md)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/getting-started/kubernetes.md
+1 -1
View File
@@ -331,4 +331,4 @@ That's it! You've successfully deployed Traefik and configured routing in a Kube
- [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
- [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/https/acme.md
+1 -1
View File
@@ -1211,4 +1211,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
!!! important
For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/https/overview.md
+1 -1
View File
@@ -20,4 +20,4 @@ That is to say, how to obtain [TLS certificates](./tls.md#certificates-definitio
either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/https/tls.md
+1 -1
View File
@@ -587,4 +587,4 @@ spec:
disableSessionTickets: true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/http/basicauth.md
+1 -1
View File
@@ -340,4 +340,4 @@ http:
removeHeader = true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/http/forwardauth.md
+1 -1
View File
@@ -785,4 +785,4 @@ http:
preserveRequestMethod = true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/http/headers.md
+1 -1
View File
@@ -422,4 +422,4 @@ Set `isDevelopment` to `true` when developing to mitigate the unwanted effects o
Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/http/overview.md
+1 -1
View File
@@ -127,4 +127,4 @@ http:
Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/http/redirectregex.md
+1 -1
View File
@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/http/stripprefix.md
+1 -1
View File
@@ -146,4 +146,4 @@ http:
forceSlash = false
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/middlewares/overview.md
+1 -1
View File
@@ -112,4 +112,4 @@ A list of HTTP middlewares can be found [here](http/overview.md).
A list of TCP middlewares can be found [here](tcp/overview.md).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/migrate/v2-to-v3.md
+1 -1
View File
@@ -158,4 +158,4 @@ core:
- ✅ All applications functioning correctly
- ✅ Performance metrics stable
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/migrate/v3.md
+27
View File
@@ -577,6 +577,33 @@ Here is the list of the encoded characters that are rejected by default, along w
Please check out the entrypoint [encodedCharacters option](../reference/install-configuration/entrypoints.md#opt-http-encodedCharacters) documentation for more details.
## v3.6.7
### Encoded Characters Configuration Default Values
Since `v3.6.7`, the options for encoded characters now have a `true` default value.
This means that Traefik will not reject requests with a path containing a specific set of encoded characters by default.
It is now up to the users to configure the security hardening of encoded characters.
Here is the list of the encoded characters that can be configured to `false` to disallow them:
| Encoded Character | Character | Config options | Default value |
|-------------------|-------------------------|--------------------------------------------------------------------------------------|---------------|
| `%2f` or `%2F` | `/` (slash) | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash` | `true` |
| `%5c` or `%5C` | `\` (backslash) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash` | `true` |
| `%00` | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` | `true` |
| `%3b` or `%3B` | `;` (semicolon) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon` | `true` |
| `%25` | `%` (percent) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent` | `true` |
| `%3f` or `%3F` | `?` (question mark) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark` | `true` |
| `%23` | `#` (hash) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash` | `true` |
Note: This check is not done against query parameters,
but only against the request path as defined
in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation
for more details.
## v3.7.0
### Ingress NGINX Provider
docs/content/observability/access-logs.md
+1 -1
View File
@@ -780,4 +780,4 @@ accesslog:
--accesslog.otlp.grpc.tls.insecureSkipVerify=true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/observability/logs.md
+1 -1
View File
@@ -644,4 +644,4 @@ log:
--log.otlp.grpc.tls.insecureSkipVerify=true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/observe/overview.md
+1 -1
View File
@@ -77,4 +77,4 @@ additionalArguments:
!!! note
A router with its own observability configuration will override the global default.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/operations/api.md
+1 -1
View File
@@ -176,4 +176,4 @@ All the following endpoints must be accessed with a `GET` HTTP request.
| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/operations/dashboard.md
+1 -1
View File
@@ -168,4 +168,4 @@ api:
--api.dashboard=false
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/plugins/index.md
+1 -1
View File
@@ -31,4 +31,4 @@ The experience of implementing a Traefik plugin is comparable to writing a web b
To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/docker.md
+1 -1
View File
@@ -702,4 +702,4 @@ providers:
--providers.docker.allowEmptyServices=true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/file.md
+1 -1
View File
@@ -292,4 +292,4 @@ To illustrate, it is possible to easily define multiple routers, services, and T
{{ end }}
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/kubernetes-crd.md
+2 -2
View File
@@ -16,7 +16,7 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
## Requirements
{!kubernetes-requirements.md!}
{% include-markdown "includes/kubernetes-requirements.md" %}
!!! tip "All Steps for a Successful Deployment"
@@ -365,4 +365,4 @@ providers:
For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/kubernetes-gateway.md
+2 -2
View File
@@ -16,7 +16,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
## Requirements
{!kubernetes-requirements.md!}
{% include-markdown "includes/kubernetes-requirements.md" %}
!!! info "Helm Chart"
@@ -357,4 +357,4 @@ providers:
--providers.kubernetesgateway.throttleDuration=10s
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/kubernetes-ingress.md
+2 -2
View File
@@ -13,7 +13,7 @@ it manages access to cluster services by supporting the [Ingress](https://kubern
## Requirements
{!kubernetes-requirements.md!}
{% include-markdown "includes/kubernetes-requirements.md" %}
## Routing Configuration
@@ -557,4 +557,4 @@ providers:
To learn more about the various aspects of the Ingress specification that Traefik supports,
many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.6/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/overview.md
+1 -1
View File
@@ -227,4 +227,4 @@ List of providers that support constraints:
- [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
- [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/providers/swarm.md
+1 -1
View File
@@ -769,4 +769,4 @@ providers:
--providers.swarm.allowEmptyServices=true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+20 -11
View File
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: ingressroutes.traefik.io
spec:
group: traefik.io
@@ -377,6 +377,7 @@ spec:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
type: string
required:
@@ -468,7 +469,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: ingressroutetcps.traefik.io
spec:
group: traefik.io
@@ -592,6 +593,7 @@ spec:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
properties:
version:
@@ -614,6 +616,7 @@ spec:
hence fully terminating the connection.
It is a duration in milliseconds, defaulting to 100.
A negative value means an infinite deadline (i.e. the reading capability is never closed).
Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
type: integer
tls:
@@ -634,6 +637,7 @@ spec:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
enum:
- v3
@@ -728,7 +732,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: ingressrouteudps.traefik.io
spec:
group: traefik.io
@@ -844,7 +848,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: middlewares.traefik.io
spec:
group: traefik.io
@@ -1072,6 +1076,7 @@ spec:
description: |-
AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
be automatically set to a value derived from the contents of the response.
Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
type: boolean
type: object
@@ -2158,7 +2163,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: middlewaretcps.traefik.io
spec:
group: traefik.io
@@ -2224,8 +2229,9 @@ spec:
description: |-
IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
Deprecated: please use IPAllowList instead.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
@@ -2246,7 +2252,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: serverstransports.traefik.io
spec:
group: traefik.io
@@ -2396,6 +2402,7 @@ spec:
rootCAsSecrets:
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
@@ -2429,7 +2436,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: serverstransporttcps.traefik.io
spec:
group: traefik.io
@@ -2550,6 +2557,7 @@ spec:
rootCAsSecrets:
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
@@ -2585,7 +2593,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: tlsoptions.traefik.io
spec:
group: traefik.io
@@ -2685,6 +2693,7 @@ spec:
description: |-
PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
It is enabled automatically when minVersion or maxVersion is set.
Deprecated: https://github.com/golang/go/issues/45430
type: boolean
sniStrict:
@@ -2703,7 +2712,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: tlsstores.traefik.io
spec:
group: traefik.io
@@ -2800,7 +2809,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: traefikservices.traefik.io
spec:
group: traefik.io
docs/content/reference/dynamic-configuration/kubernetes-crd.md
+1 -1
View File
@@ -26,4 +26,4 @@ Dynamic configuration with Kubernetes Custom Resource
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
-114
View File
@@ -1,114 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: tlsoptions.traefik.containo.us
spec:
group: traefik.containo.us
names:
kind: TLSOption
listKind: TLSOptionList
plural: tlsoptions
singular: tlsoption
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
More info: https://doc.traefik.io/traefik/v2.11/https/tls/#tls-options
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TLSOptionSpec defines the desired state of a TLSOption.
properties:
alpnProtocols:
description: |-
ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
More info: https://doc.traefik.io/traefik/v2.11/https/tls/#alpn-protocols
items:
type: string
type: array
cipherSuites:
description: |-
CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
More info: https://doc.traefik.io/traefik/v2.11/https/tls/#cipher-suites
items:
type: string
type: array
clientAuth:
description: ClientAuth defines the server's policy for TLS Client
Authentication.
properties:
clientAuthType:
description: ClientAuthType defines the client authentication
type to apply.
enum:
- NoClientCert
- RequestClientCert
- RequireAnyClientCert
- VerifyClientCertIfGiven
- RequireAndVerifyClientCert
type: string
secretNames:
description: SecretNames defines the names of the referenced Kubernetes
Secret storing certificate details.
items:
type: string
type: array
type: object
curvePreferences:
description: |-
CurvePreferences defines the preferred elliptic curves.
More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
items:
type: string
type: array
maxVersion:
description: |-
MaxVersion defines the maximum TLS version that Traefik will accept.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
Default: None.
type: string
minVersion:
description: |-
MinVersion defines the minimum TLS version that Traefik will accept.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
Default: VersionTLS10.
type: string
preferServerCipherSuites:
description: |-
PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
It is enabled automatically when minVersion or maxVersion is set.
Deprecated: https://github.com/golang/go/issues/45430
type: boolean
sniStrict:
description: SniStrict defines whether Traefik allows connections
from clients connections that do not specify a server_name extension.
type: boolean
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
+2 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: ingressroutes.traefik.io
spec:
group: traefik.io
@@ -378,6 +378,7 @@ spec:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
type: string
required:
docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
+4 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: ingressroutetcps.traefik.io
spec:
group: traefik.io
@@ -127,6 +127,7 @@ spec:
description: |-
ProxyProtocol defines the PROXY protocol configuration.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
properties:
version:
@@ -149,6 +150,7 @@ spec:
hence fully terminating the connection.
It is a duration in milliseconds, defaulting to 100.
A negative value means an infinite deadline (i.e. the reading capability is never closed).
Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
type: integer
tls:
@@ -169,6 +171,7 @@ spec:
description: |-
Syntax defines the router's rule syntax.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
enum:
- v3
docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
+1 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: ingressrouteudps.traefik.io
spec:
group: traefik.io
docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+2 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: middlewares.traefik.io
spec:
group: traefik.io
@@ -231,6 +231,7 @@ spec:
description: |-
AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
be automatically set to a value derived from the contents of the response.
Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
type: boolean
type: object
docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
+3 -2
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: middlewaretcps.traefik.io
spec:
group: traefik.io
@@ -69,8 +69,9 @@ spec:
description: |-
IPWhiteList defines the IPWhiteList middleware configuration.
This middleware accepts/refuses connections based on the client IP.
Deprecated: please use IPAllowList instead.
More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
Deprecated: please use IPAllowList instead.
properties:
sourceRange:
description: SourceRange defines the allowed IPs (or ranges of
docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
+2 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: serverstransports.traefik.io
spec:
group: traefik.io
@@ -153,6 +153,7 @@ spec:
rootCAsSecrets:
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
+2 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: serverstransporttcps.traefik.io
spec:
group: traefik.io
@@ -124,6 +124,7 @@ spec:
rootCAsSecrets:
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
+2 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: tlsoptions.traefik.io
spec:
group: traefik.io
@@ -103,6 +103,7 @@ spec:
description: |-
PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
It is enabled automatically when minVersion or maxVersion is set.
Deprecated: https://github.com/golang/go/issues/45430
type: boolean
sniStrict:
docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
+1 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: tlsstores.traefik.io
spec:
group: traefik.io
docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
+1 -1
View File
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
controller-gen.kubebuilder.io/version: v0.19.0
name: traefikservices.traefik.io
spec:
group: traefik.io
docs/content/reference/install-configuration/api-dashboard.md
+1 -1
View File
@@ -255,4 +255,4 @@ rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/configuration-options.md
+7 -7
View File
@@ -89,13 +89,13 @@ THIS FILE MUST NOT BE EDITED BY HAND
| <a id="opt-entrypoints-name-forwardedheaders-notappendxforwardedfor" href="#opt-entrypoints-name-forwardedheaders-notappendxforwardedfor" title="#opt-entrypoints-name-forwardedheaders-notappendxforwardedfor">entrypoints._name_.forwardedheaders.notappendxforwardedfor</a> | Disable appending RemoteAddr to X-Forwarded-For header. Defaults to false (appending is enabled). | false |
| <a id="opt-entrypoints-name-forwardedheaders-trustedips" href="#opt-entrypoints-name-forwardedheaders-trustedips" title="#opt-entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
| <a id="opt-entrypoints-name-http" href="#opt-entrypoints-name-http" title="#opt-entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | false |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | true |
| <a id="opt-entrypoints-name-http-encodequerysemicolons" href="#opt-entrypoints-name-http-encodequerysemicolons" title="#opt-entrypoints-name-http-encodequerysemicolons">entrypoints._name_.http.encodequerysemicolons</a> | Defines whether request query semicolons should be URLEncoded. | false |
| <a id="opt-entrypoints-name-http-maxheaderbytes" href="#opt-entrypoints-name-http-maxheaderbytes" title="#opt-entrypoints-name-http-maxheaderbytes">entrypoints._name_.http.maxheaderbytes</a> | Maximum size of request headers in bytes. | 1048576 |
| <a id="opt-entrypoints-name-http-middlewares" href="#opt-entrypoints-name-http-middlewares" title="#opt-entrypoints-name-http-middlewares">entrypoints._name_.http.middlewares</a> | Default middlewares for the routers linked to the entry point. | |
docs/content/reference/install-configuration/entrypoints.md
+21 -15
View File
@@ -84,8 +84,8 @@ additionalArguments:
## Configuration Options
| Field | Description | Default | Required |
|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
| Field | Description | Default | Required |
|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
| <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault). | false | No |
| <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
@@ -96,16 +96,16 @@ additionalArguments:
| <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
| <a id="opt-http-redirections-entryPoint-priority" href="#opt-http-redirections-entryPoint-priority" title="#opt-http-redirections-entryPoint-priority">`http.redirections.`<br />`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`. | MaxInt32-1 (2147483646) | No |
| <a id="opt-http-encodedCharacters" href="#opt-http-encodedCharacters" title="#opt-http-encodedCharacters">`http.encodedCharacters`</a> | Defines which encoded characters are allowed in the request path. More information [here](#encoded-characters). | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed. | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed. | true | No |
| <a id="opt-http-encodeQuerySemicolons" href="#opt-http-encodeQuerySemicolons" title="#opt-http-encodeQuerySemicolons">`http.encodeQuerySemicolons`</a> | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
| <a id="opt-http-sanitizePath" href="#opt-http-sanitizePath" title="#opt-http-sanitizePath">`http.sanitizePath`</a> | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath). | false | No |
| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes. | 1048576 | No |
| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes. | 1048576 | No |
| <a id="opt-http-middlewares" href="#opt-http-middlewares" title="#opt-http-middlewares">`http.middlewares`</a> | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
| <a id="opt-http-tls" href="#opt-http-tls" title="#opt-http-tls">`http.tls`</a> | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generated by Traefik. <br /> We recommend to not use self signed certificates in production. | - | No |
| <a id="opt-http-tls-options" href="#opt-http-tls-options" title="#opt-http-tls-options">`http.tls.options`</a> | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
@@ -221,16 +221,22 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
### Encoded Characters
You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks.
By default, Traefik do not reject requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
!!! warning "Security Considerations"
!!! info
This check is not done against the request query parameters,
but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
Allowing certain encoded characters may expose your application to security vulnerabilities.
!!! info "Security Considerations"
When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) and notably decode encoded reserved characters in the requets path,
it is recommended to set these options to `false` to avoid split-view situation and helps prevent path traversal attacks or other malicious attempts to bypass security controls.
Here is the list of the encoded characters that are rejected by default:
| Encoded Character | Character |
|-------------------|-------------------------|
| Encoded Character | Character |
|------------------------------------------------------------------------------------|-------------------------|
| <a id="opt-2f-or-2F" href="#opt-2f-or-2F" title="#opt-2f-or-2F">`%2f` or `%2F`</a> | `/` (slash) |
| <a id="opt-5c-or-5C" href="#opt-5c-or-5C" title="#opt-5c-or-5C">`%5c` or `%5C`</a> | `\` (backslash) |
| <a id="opt-00" href="#opt-00" title="#opt-00">`%00`</a> | `NULL` (null character) |
docs/content/reference/install-configuration/observability/logs-and-accesslogs.md
+1 -1
View File
@@ -419,4 +419,4 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/docker.md
+1 -1
View File
@@ -427,4 +427,4 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/kubernetes/knative.md
+2 -2
View File
@@ -15,7 +15,7 @@ enabling seamless integration between Traefik's networking capabilities and Knat
## Requirements
{!kubernetes-requirements.md!}
{% include-markdown "includes/kubernetes-requirements.md" %}
1. Install/update the Knative CRDs.
@@ -139,4 +139,4 @@ providers:
See the dedicated section in [routing](../../../routing-configuration/kubernetes/knative.md).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
+1 -1
View File
@@ -130,4 +130,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
For additional information, refer to the [full example](../../../../user-guides/crd-acme/index.md) with Let's Encrypt.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
+2 -2
View File
@@ -21,7 +21,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
## Requirements
{!kubernetes-requirements.md!}
{% include-markdown "includes/kubernetes-requirements.md" %}
1. Install/update the Kubernetes Gateway API CRDs.
@@ -137,4 +137,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
and the dedicated [routing section](../../../../routing/providers/kubernetes-gateway.md)
in the Traefik documentation.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
+1 -1
View File
@@ -176,4 +176,4 @@ providers:
See the dedicated section in [routing](../../../routing-configuration/kubernetes/ingress-nginx.md).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
+1 -1
View File
@@ -149,4 +149,4 @@ many examples of Ingresses definitions are located in the test
[examples](https://github.com/traefik/traefik/tree/v3.1/pkg/provider/kubernetes/ingress/fixtures)
of the Traefik repository.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/others/file.md
+1 -1
View File
@@ -121,4 +121,4 @@ http:
As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/overview.md
+1 -1
View File
@@ -160,4 +160,4 @@ List of providers that support constraints:
- [Consul Catalog](./hashicorp/consul-catalog.md#constraints)
- [Nomad](./hashicorp/nomad.md#constraints)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/providers/swarm.md
+1 -1
View File
@@ -464,4 +464,4 @@ It allows different implementation levels of the [AAA (Authentication, Authoriza
- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
+1 -1
View File
@@ -331,4 +331,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
!!! important
For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/install-configuration/tls/certificate-resolvers/overview.md
+1 -1
View File
@@ -17,4 +17,4 @@ The Certificates resolvers are defined in the static configuration.
Defining a certificate resolver does not imply that routers are going to use it automatically.
Each router or entrypoint that is meant to use the resolver must explicitly reference it.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/apikey.md
+1 -1
View File
@@ -53,4 +53,4 @@ stringData:
| <a id="opt-secretNonBase64Encoded" href="#opt-secretNonBase64Encoded" title="#opt-secretNonBase64Encoded">`secretNonBase64Encoded`</a> | Defines whether the secret sent by the client is base64 encoded. | false | No |
| <a id="opt-secretValues" href="#opt-secretValues" title="#opt-secretValues">`secretValues`</a> | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | [] | Yes |
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/basicauth.md
+1 -1
View File
@@ -92,4 +92,4 @@ The option `users` supports Kubernetes secrets.
Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/digestauth.md
+1 -1
View File
@@ -82,4 +82,4 @@ On Kubernetes, you dont use the `users` or `usersFile` fields. Instead, you r
- `kubernetes.io/basic-auth secret`: This secret type contains two keys—`username` and `password`—but is generally suited for a smaller number of users. Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than the other method.
- Opaque secret with a users field: Here, the secret contains a single string field (often called `users`) where each line represents a user. This approach allows you to store multiple users in one secret.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/forwardauth.md
+1 -1
View File
@@ -127,4 +127,4 @@ The following request properties are provided to the forward-auth target endpoin
| <a id="opt-Request-URI" href="#opt-Request-URI" title="#opt-Request-URI">Request URI</a> | `X-Forwarded-Uri` |
| <a id="opt-Source-IP-Address" href="#opt-Source-IP-Address" title="#opt-Source-IP-Address">Source IP-Address</a> | `X-Forwarded-For` |
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/headers.md
+1 -1
View File
@@ -323,4 +323,4 @@ It allows all origins that contain any match of a regular expression in the `acc
When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/hmac.md
+1 -1
View File
@@ -204,4 +204,4 @@ Only SHA-256 and SHA-512 checksums are supported for checksum computation.
To disable this feature and only perform authentication, set the `validateDigest` option to `false` in the middleware configuration.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/jwt.md
+1 -1
View File
@@ -230,4 +230,4 @@ The reference to a Kubernetes secret takes the form of a URN:
urn:k8s:secret:[name]:[valueKey]
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/ldap.md
+1 -1
View File
@@ -102,4 +102,4 @@ and a `bindPassword`, then the middleware runs in search mode. In this mode, a s
issued to the LDAP server before trying to bind. If result of this search returns only 1 record,
it tries to issue a bind request with this record, otherwise it aborts a `401 Unauthorized` status code.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/oauth2-client-credentials.md
+1 -1
View File
@@ -252,4 +252,4 @@ The following Redis modes are supported:
For more information about Redis, we recommend the [official Redis documentation](https://redis.io/docs/ "Link to official Redis documentation").
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/oauth2-token-introspection.md
+1 -1
View File
@@ -206,4 +206,4 @@ stringData:
-----END EC PRIVATE KEY-----
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/oidc.md
+1 -1
View File
@@ -427,4 +427,4 @@ This means that a new CSRF token will be generated and sent to the client whenev
When a request is sent and uses a non-safe method (see [RFC7231#section-4.2.1](https://datatracker.ietf.org/doc/html/rfc7231.html#section-4.2.1)),
the CSRF token value (extracted from the cookie) have to be sent to the server in the header configured with the [headerName option](#configuration-options).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/opa.md
+1 -1
View File
@@ -69,4 +69,4 @@ spec:
| <a id="opt-allow" href="#opt-allow" title="#opt-allow">`allow`</a> | The `allow` option sets the expression to evaluate that determines if the request should be authorized. | "" | No (one of `allow` or `forwardHeaders` must be set) |
| <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | "" | No (one of `allow` or `forwardHeaders` must be set) |
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/overview.md
+1 -1
View File
@@ -48,4 +48,4 @@ Middlewares that use the same protocol can be combined into chains to fit every
Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/redirectregex.md
+1 -1
View File
@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/stripprefix.md
+1 -1
View File
@@ -63,4 +63,4 @@ spec:
|:-----------------------------|:--------------------------------------------------------------|:--------|:---------|
| <a id="opt-prefixes" href="#opt-prefixes" title="#opt-prefixes">`prefixes`</a> | List of prefixes to strip from the request URL.<br />If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs. | [] | No |
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/middlewares/waf.md
+1 -1
View File
@@ -61,4 +61,4 @@ spec:
| <a id="opt-directives" href="#opt-directives" title="#opt-directives">`directives`</a> | List of WAF rules to enforce. | | Yes |
| <a id="opt-crsEnabled" href="#opt-crsEnabled" title="#opt-crsEnabled">`crsEnabled`</a> | Enable [CRS rulesets](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs).<br /> Once the ruleset is enabled, it can be used in the middleware. | false | False |
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/routing/multi-layer-routing.md
+1 -1
View File
@@ -185,4 +185,4 @@ Request → EntryPoint → Parent Router → Middleware → Child Router A → S
4. If `X-User-Role: admin`, `api-admin` router matches and forwards to `admin-service`
5. If `X-User-Role: user`, `api-user` router matches and forwards to `user-service`
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/routing/router.md
+2 -2
View File
@@ -103,7 +103,7 @@ labels:
|----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points. | All entry points | No |
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. Negative values are supported. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares. | | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests. | | No |
| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation. See [Certificate Resolver](../tls/overview.md#certificate-resolver) for details. | | No |
@@ -118,4 +118,4 @@ labels:
- The character `@` is not authorized in the router name
- In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/routing/rules-and-priority.md
+2
View File
@@ -225,6 +225,8 @@ The priority is directly equal to the length of the rule, and so the longest len
A value of `0` for the priority is ignored: `priority: 0` means that the default rules length sorting is used.
Negative priority values are supported.
Traefik reserves a range of priorities for its internal routers, the maximum user-defined router priority value is:
- `(MaxInt32 - 1000)` for 32-bit platforms,
docs/content/reference/routing-configuration/http/tls/overview.md
+1 -1
View File
@@ -100,4 +100,4 @@ This provides fine-grained control over certificate generation and takes precede
Every domain must have A/AAAA records pointing to Traefik.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/tls/tls-certificates.md
+1 -1
View File
@@ -155,4 +155,4 @@ labels:
}
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/http/tls/tls-options.md
+1 -1
View File
@@ -259,4 +259,4 @@ spec:
disableSessionTickets: true
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/kubernetes/crd/http/ingressroute.md
+1 -1
View File
@@ -88,7 +88,7 @@ spec:
| <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes. | | Yes |
| <a id="opt-routesn-kind" href="#opt-routesn-kind" title="#opt-routesn-kind">`routes[n].kind`</a> | Kind of router matching, only `Rule` is allowed yet. | "Rule" | No |
| <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../http/routing/rules-and-priority.md#rules) corresponding to an underlying router. | | Yes |
| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../http/routing/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used. | 0 | No |
| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../http/routing/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used.<br />Negative values are supported. | 0 | No |
| <a id="opt-routesn-middlewares" href="#opt-routesn-middlewares" title="#opt-routesn-middlewares">`routes[n].middlewares`</a> | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware). | "" | No |
| <a id="opt-routesn-middlewaresm-name" href="#opt-routesn-middlewaresm-name" title="#opt-routesn-middlewaresm-name">`routes[n].`<br />`middlewares[m].`<br />`name`</a> | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| <a id="opt-routesn-middlewaresm-namespace" href="#opt-routesn-middlewaresm-namespace" title="#opt-routesn-middlewaresm-namespace">`routes[n].`<br />`middlewares[m].`<br />`namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware). | | No |
docs/content/reference/routing-configuration/kubernetes/gateway-api.md
+1 -1
View File
@@ -763,4 +763,4 @@ spec:
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/kubernetes/ingress.md
+1 -1
View File
@@ -619,4 +619,4 @@ This will allow users to create a "default router" that will match all unmatched
To do this, use the `traefik.ingress.kubernetes.io/router.priority` annotation (as seen in [Annotations on Ingress](#on-ingress)) on your ingresses accordingly.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/kubernetes/knative.md
+1 -1
View File
@@ -93,4 +93,4 @@ Use the default URL to access percentage-based routing:
Check out the Knative documentation for [HTTP/HTTPS configuration](https://knative.dev/docs/serving/encryption/external-domain-tls/#configure-external-domain-encryption).
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/tcp/routing/router.md
+2 -2
View File
@@ -90,7 +90,7 @@ labels:
|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|----------|
| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, TCP routers are attached to all TCP entry points. | All TCP entry points | No |
| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the connection to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. Negative values are supported. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [TCP Middlewares overview](../middlewares/overview.md) for available TCP middlewares. | | No |
| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle TLS connections. See [TLS configuration](../tls.md) for detailed TLS options. | | No |
| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched connections. Services can be load balancer services or weighted round robin services. See [TCP Service](../service.md) for details. | | Yes |
@@ -101,4 +101,4 @@ labels:
- Router names should be descriptive and follow your naming conventions
- In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/tcp/routing/rules-and-priority.md
+2
View File
@@ -195,6 +195,8 @@ To avoid path overlap, routes are sorted, by default, in descending order using
The priority is directly equal to the length of the rule, and so the longest length has the highest priority.
A value of `0` for the priority is ignored: `priority: 0` means that the default rules length sorting is used.
Negative priority values are supported.
Traefik reserves a range of priorities for its internal routers, the maximum user-defined router priority value is:
- `(MaxInt32 - 1000)` for 32-bit platforms,
docs/content/reference/routing-configuration/tcp/tls.md
+1 -1
View File
@@ -123,4 +123,4 @@ This provides fine-grained control over certificate generation and takes precede
Every domain must have A/AAAA records pointing to Traefik.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/udp/routing/rules-priority.md
+1 -1
View File
@@ -109,4 +109,4 @@ labels:
There must be one (and only one) UDP [service](../service.md) referenced per UDP router.
Services are the target for the router.
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/routing-configuration/udp/service.md
+1 -1
View File
@@ -41,4 +41,4 @@ udp:
address = "xx.xx.xx.xx:xx"
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}
docs/content/reference/static-configuration/cli-ref.md
+7 -7
View File
@@ -238,25 +238,25 @@ Trust only forwarded headers from selected IPs.
HTTP configuration.
`--entrypoints.<name>.http.encodedcharacters.allowencodedbackslash`:
Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodedcharacters.allowencodedhash`:
Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded hash characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodedcharacters.allowencodednullcharacter`:
Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded null characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodedcharacters.allowencodedpercent`:
Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded percent characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodedcharacters.allowencodedquestionmark`:
Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodedcharacters.allowencodedsemicolon`:
Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodedcharacters.allowencodedslash`:
Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded slash characters in the path are allowed. (Default: ```true```)
`--entrypoints.<name>.http.encodequerysemicolons`:
Defines whether request query semicolons should be URLEncoded. (Default: ```false```)
docs/content/reference/static-configuration/env-ref.md
+7 -7
View File
@@ -247,25 +247,25 @@ HTTP/3 configuration. (Default: ```false```)
UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDBACKSLASH`:
Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH`:
Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded hash characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDNULLCHARACTER`:
Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded null characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDPERCENT`:
Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded percent characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDQUESTIONMARK`:
Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSEMICOLON`:
Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH`:
Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
Defines whether requests with encoded slash characters in the path are allowed. (Default: ```true```)
`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEQUERYSEMICOLONS`:
Defines whether request query semicolons should be URLEncoded. (Default: ```false```)
docs/content/routing/entrypoints.md
+54 -53
View File
@@ -131,13 +131,13 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
- "192.168.0.1"
http:
encodedCharacters:
allowEncodedSlash: true
allowEncodedBackSlash: true
allowEncodedNullCharacter: true
allowEncodedSemicolon: true
allowEncodedPercent: true
allowEncodedQuestionMark: true
allowEncodedHash: true
allowEncodedSlash: false
allowEncodedBackSlash: false
allowEncodedNullCharacter: false
allowEncodedSemicolon: false
allowEncodedPercent: false
allowEncodedQuestionMark: false
allowEncodedHash: false
```
```toml tab="File (TOML)"
@@ -166,13 +166,13 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
insecure = true
trustedIPs = ["127.0.0.1", "192.168.0.1"]
[entryPoints.name.http.encodedCharacters]
allowEncodedSlash = true
allowEncodedBackSlash = true
allowEncodedNullCharacter = true
allowEncodedSemicolon = true
allowEncodedPercent = true
allowEncodedQuestionMark = true
allowEncodedHash = true
allowEncodedSlash = false
allowEncodedBackSlash = false
allowEncodedNullCharacter = false
allowEncodedSemicolon = false
allowEncodedPercent = false
allowEncodedQuestionMark = false
allowEncodedHash = false
```
```bash tab="CLI"
@@ -191,13 +191,13 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
--entryPoints.name.proxyProtocol.trustedIPs=127.0.0.1,192.168.0.1
--entryPoints.name.forwardedHeaders.insecure=true
--entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
--entryPoints.name.http.encodedCharacters.allowEncodedSlash=true
--entryPoints.name.http.encodedCharacters.allowEncodedBackSlash=true
--entryPoints.name.http.encodedCharacters.allowEncodedNullCharacter=true
--entryPoints.name.http.encodedCharacters.allowEncodedSemicolon=true
--entryPoints.name.http.encodedCharacters.allowEncodedPercent=true
--entryPoints.name.http.encodedCharacters.allowEncodedQuestionMark=true
--entryPoints.name.http.encodedCharacters.allowEncodedHash=true
--entryPoints.name.http.encodedCharacters.allowEncodedSlash=false
--entryPoints.name.http.encodedCharacters.allowEncodedBackSlash=false
--entryPoints.name.http.encodedCharacters.allowEncodedNullCharacter=false
--entryPoints.name.http.encodedCharacters.allowEncodedSemicolon=false
--entryPoints.name.http.encodedCharacters.allowEncodedPercent=false
--entryPoints.name.http.encodedCharacters.allowEncodedQuestionMark=false
--entryPoints.name.http.encodedCharacters.allowEncodedHash=false
```
### Address
@@ -1180,20 +1180,21 @@ entryPoints:
### Encoded Characters
You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
By default, Traefik rejects requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
By default, Traefik do not reject requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
!!! info
This check is not done against the request query parameters,
but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
!!! warning "Security Considerations"
!!! info "Security Considerations"
Allowing certain encoded characters may expose your application to security vulnerabilities.
When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) and notably decode encoded reserved characters in the requets path,
it is recommended to set these options to `false` to avoid split-view situation and helps prevent path traversal attacks or other malicious attempts to bypass security controls.
??? info "`encodedCharacters.allowEncodedSlash`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed.
@@ -1204,7 +1205,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedSlash: true
allowEncodedSlash: false
```
```toml tab="File (TOML)"
@@ -1214,18 +1215,18 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedSlash = true
allowEncodedSlash = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedSlash=true
--entryPoints.web.http.encodedCharacters.allowEncodedSlash=false
```
??? info "`encodedCharacters.allowEncodedBackSlash`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed.
@@ -1236,7 +1237,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedBackSlash: true
allowEncodedBackSlash: false
```
```toml tab="File (TOML)"
@@ -1246,18 +1247,18 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedBackSlash = true
allowEncodedBackSlash = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=true
--entryPoints.web.http.encodedCharacters.allowEncodedBackSlash=false
```
??? info "`encodedCharacters.allowEncodedNullCharacter`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded null characters (`%00`) in the path are allowed.
@@ -1268,7 +1269,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedNullCharacter: true
allowEncodedNullCharacter: false
```
```toml tab="File (TOML)"
@@ -1278,18 +1279,18 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedNullCharacter = true
allowEncodedNullCharacter = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=true
--entryPoints.web.http.encodedCharacters.allowEncodedNullCharacter=false
```
??? info "`encodedCharacters.allowEncodedSemicolon`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed.
@@ -1300,7 +1301,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedSemicolon: true
allowEncodedSemicolon: false
```
```toml tab="File (TOML)"
@@ -1310,18 +1311,18 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedSemicolon = true
allowEncodedSemicolon = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=true
--entryPoints.web.http.encodedCharacters.allowEncodedSemicolon=false
```
??? info "`encodedCharacters.allowEncodedPercent`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded percent characters (`%25`) in the path are allowed.
@@ -1332,7 +1333,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedPercent: true
allowEncodedPercent: false
```
```toml tab="File (TOML)"
@@ -1342,18 +1343,18 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedPercent = true
allowEncodedPercent = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedPercent=true
--entryPoints.web.http.encodedCharacters.allowEncodedPercent=false
```
??? info "`encodedCharacters.allowEncodedQuestionMark`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed.
@@ -1364,7 +1365,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedQuestionMark: true
allowEncodedQuestionMark: false
```
```toml tab="File (TOML)"
@@ -1374,18 +1375,18 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedQuestionMark = true
allowEncodedQuestionMark = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=true
--entryPoints.web.http.encodedCharacters.allowEncodedQuestionMark=false
```
??? info "`encodedCharacters.allowEncodedHash`"
_Optional, Default=false_
_Optional, Default=true_
Controls whether requests with encoded hash characters (`%23`) in the path are allowed.
@@ -1396,7 +1397,7 @@ By default, Traefik rejects requests with path containing certain encoded charac
address: ":80"
http:
encodedCharacters:
allowEncodedHash: true
allowEncodedHash: false
```
```toml tab="File (TOML)"
@@ -1406,13 +1407,13 @@ By default, Traefik rejects requests with path containing certain encoded charac
address = ":80"
[entryPoints.web.http.encodedCharacters]
allowEncodedHash = true
allowEncodedHash = false
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.http.encodedCharacters.allowEncodedHash=true
--entryPoints.web.http.encodedCharacters.allowEncodedHash=false
```
### SanitizePath
@@ -1722,4 +1723,4 @@ entryPoints:
--entryPoints.foo.observability.tracing=false
```
{!traefik-for-business-applications.md!}
{% include-markdown "includes/traefik-for-business-applications.md" %}

Some files were not shown because too many files have changed in this diff Show More