31 KiB
title, description
| title | description |
|---|---|
| Traefik Docker Routing Documentation | This guide will teach you how to attach labels to your containers, to route traffic and load balance with Traefik and Docker. |
Traefik & Docker
One of the best feature of Traefik is to delegate the routing configuration to the application level. With Docker, Traefik can leverage labels attached to a container to generate routing rules.
!!! warning "Labels & sensitive data"
We recommend to *not* use labels to store sensitive data (certificates, credentials, etc).
Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
Configuration Examples
??? example "Configuring Docker & Deploying / Exposing one Service"
Enabling the docker provider
```yaml tab="Structured (YAML)"
providers:
docker: {}
```
```toml tab="Structured (TOML)"
[providers.docker]
```
```bash tab="CLI"
--providers.docker=true
```
Attaching labels to containers (in your docker compose file)
```yaml
services:
my-container:
# ...
labels:
- traefik.http.routers.my-container.rule=Host(`example.com`)
```
??? example "Specify a Custom Port for the Container"
Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
```yaml
services:
my-container:
# ...
labels:
- traefik.http.routers.my-container.rule=Host(`example.com`)
# Tell Traefik to use the port 12345 to connect to `my-container`
- traefik.http.services.my-service.loadbalancer.server.port=12345
```
!!! important "Traefik Connecting to the Wrong Port: `HTTP/502 Gateway Error`"
By default, Traefik uses the first exposed port of a container.
Setting the label `traefik.http.services.xxx.loadbalancer.server.port`
overrides that behavior.
??? example "Specifying more than one router and service per container"
Forwarding requests to more than one port on a container requires referencing the service loadbalancer port definition using the service parameter on the router.
In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
```yaml
services:
my-container:
# ...
labels:
- traefik.http.routers.www-router.rule=Host(`example-a.com`)
- traefik.http.routers.www-router.service=www-service
- traefik.http.services.www-service.loadbalancer.server.port=8000
- traefik.http.routers.admin-router.rule=Host(`example-b.com`)
- traefik.http.routers.admin-router.service=admin-service
- traefik.http.services.admin-service.loadbalancer.server.port=9000
```
Configuration Options
!!! info "Labels"
- Labels are case-insensitive.
!!! tip "TLS Default Generated Certificates"
To learn how to configure Traefik default generated certificate, refer to the [TLS Certificates](../http/tls/tls-certificates.md#acme-default-certificate) page.
General
Traefik creates, for each container, a corresponding service and router.
The Service automatically gets a server per instance of the container,
and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
Service definition
--8<-- "content/routing/providers/service-by-label.md"
??? example "Automatic assignment with one Service"
With labels in a compose file
```yaml
labels:
- "traefik.http.routers.myproxy.rule=Host(`example.net`)"
# service myservice gets automatically assigned to router myproxy
- "traefik.http.services.myservice.loadbalancer.server.port=80"
```
??? example "Automatic service creation with one Router"
With labels in a compose file
```yaml
labels:
# no service specified or defined and yet one gets automatically created
# and assigned to router myproxy.
- "traefik.http.routers.myproxy.rule=Host(`example.net`)"
```
??? example "Explicit definition with one Service"
With labels in a compose file
```yaml
labels:
- traefik.http.routers.www-router.rule=Host(`example-a.com`)
# Explicit link between the router and the service
- traefik.http.routers.www-router.service=www-service
- traefik.http.services.www-service.loadbalancer.server.port=8000
```
Routers
To update the configuration of the Router automatically attached to the container,
add labels starting with traefik.http.routers.<name-of-your-choice>. and followed by the option you want to change.
For example, to change the rule, you could add the label traefik.http.routers.my-container.rule=Host(`example.com`).
!!! warning "The character @ is not authorized in the router name <router_name>."
Configuration Options
| Label | Description | Value |
|---|---|---|
traefik.http.routers.<router_name>.rule |
See rule for more information. | Host(`example.com`) |
traefik.http.routers.<router_name>.ruleSyntax |
See ruleSyntax for more information. RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax. |
v3 |
traefik.http.routers.<router_name>.entrypoints |
See entry points for more information. | ep1,ep2 |
traefik.http.routers.<router_name>.middlewares |
See middlewares overview for more information. | auth,prefix,cb |
traefik.http.routers.<router_name>.service |
See service for more information. | myservice |
traefik.http.routers.<router_name>.tls |
See tls for more information. | true |
traefik.http.routers.<router_name>.tls.certresolver |
See certResolver for more information. | myresolver |
traefik.http.routers.<router_name>.tls.domains[n].main |
See domains for more information. | example.org |
traefik.http.routers.<router_name>.tls.domains[n].sans |
See domains for more information. | test.example.org,dev.example.org |
traefik.http.routers.<router_name>.tls.options |
foobar |
|
traefik.http.routers.<router_name>.observability.accesslogs |
The accessLogs option controls whether the router will produce access-logs. | true |
traefik.http.routers.<router_name>.observability.metrics |
The metrics option controls whether the router will produce metrics. | true |
traefik.http.routers.<router_name>.observability.tracing |
The tracing option controls whether the router will produce traces. | true |
traefik.http.routers.<router_name>.priority |
See priority for more information. | 42 |
Services
To update the configuration of the Service automatically attached to the container,
add labels starting with traefik.http.services.<name-of-your-choice>., followed by the option you want to change.
For example, to change the passHostHeader behavior,
you'd add the label traefik.http.services.<name-of-your-choice>.loadbalancer.passhostheader=false.
!!! warning "The character @ is not authorized in the service name <service_name>."
Configuration Options
Middleware
You can declare pieces of middleware using labels starting with traefik.http.middlewares.<name-of-your-choice>.,
followed by the middleware type/options.
For example, to declare a middleware redirectscheme named my-redirect,
you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme=https.
More information about available middlewares in the dedicated middlewares section.
!!! warning "The character @ is not authorized in the middleware name."
??? example "Declaring and Referencing a Middleware"
```yaml
services:
my-container:
# ...
labels:
# Declaring a middleware
- traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
# Referencing a middleware
- traefik.http.routers.my-container.middlewares=my-redirect
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
TCP
You can declare TCP Routers and/or Services using labels.
??? example "Declaring TCP Routers with one Service"
```yaml
services:
my-container:
# ...
labels:
- "traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)"
- "traefik.tcp.routers.my-router.tls=true"
- "traefik.tcp.services.my-service.loadbalancer.server.port=4123"
```
!!! warning "TCP and HTTP"
If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
TCP Routers
Configuration Options
| Label | Description | Value |
|---|---|---|
traefik.tcp.routers.<router_name>.entrypoints |
See entry points for more information. | ep1,ep2 |
traefik.tcp.routers.<router_name>.rule |
See rule for more information. | HostSNI(`example.com`) |
traefik.tcp.routers.<router_name>.ruleSyntax |
configure the rule syntax to be used for parsing the rule on a per-router basis. RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax. |
v3 |
traefik.tcp.routers.<router_name>.service |
See service for more information. | myservice |
traefik.tcp.routers.<router_name>.tls |
See TLS for more information. | true |
traefik.tcp.routers.<router_name>.tls.certresolver |
See certResolver for more information. | myresolver |
traefik.tcp.routers.<router_name>.tls.domains[n].main |
See TLS for more information. | example.org |
traefik.tcp.routers.<router_name>.tls.domains[n].sans |
See TLS for more information. | test.example.org,dev.example.org |
traefik.tcp.routers.<router_name>.tls.options |
mysoptions |
|
traefik.tcp.routers.<router_name>.tls.passthrough |
See Passthrough for more information. | true |
traefik.tcp.routers.<router_name>.priority |
See priority for more information. | 42 |
TCP Services
Configuration Options
| Label | Description | Value |
|---|---|---|
traefik.tcp.services.<service_name>.loadbalancer.server.port |
Registers a port of the application. | 423 |
traefik.tcp.services.<service_name>.loadbalancer.server.tls |
Determines whether to use TLS when dialing with the backend. | true |
traefik.tcp.services.<service_name>.loadbalancer.serverstransport |
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one. See serverstransport for more information. |
foobar@file |
TCP Middleware
You can declare pieces of middleware using tags starting with traefik.tcp.middlewares.{name-of-your-choice}., followed by the middleware type/options.
For example, to declare a middleware InFlightConn named test-inflightconn, you'd write traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10.
More information about available middlewares in the dedicated middlewares section.
??? example "Declaring and Referencing a Middleware"
```yaml
# ...
# Declaring a middleware
traefik.tcp.middlewares.test-inflightconn.amount=10
# Referencing a middleware
traefik.tcp.routers.my-service.middlewares=test-inflightconn
```
!!! warning "Conflicts in Declaration"
If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
UDP
You can declare UDP Routers and/or Services using labels.
??? example "Declaring UDP Routers with one Service"
```yaml
services:
my-container:
# ...
labels:
- "traefik.udp.routers.my-router.entrypoints=udp"
- "traefik.udp.services.my-service.loadbalancer.server.port=4123"
```
!!! warning "UDP and HTTP"
If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).
You can declare both a UDP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
UDP Routers
Configuration Options
| Label | Description | Value |
|---|---|---|
traefik.udp.routers.<router_name>.entrypoints |
See entry points for more information. | ep1,ep2 |
traefik.udp.routers.<router_name>.service |
See service for more information. | myservice |
UDP Services
Configuration Options
| Label | Description | Value |
|---|---|---|
traefik.udp.services.<service_name>.loadbalancer.server.port |
Registers a port of the application. | 423 |
Specific Provider Options
| Label | Description | Value |
|---|---|---|
traefik.enable |
You can tell Traefik to consider (or not) the container by setting traefik.enable to true or false.This option overrides the value of exposedByDefault. |
true |
traefik.docker.allownonrunning |
By default, Traefik only considers containers in "running" state. This option controls whether containers that are not in "running" state (e.g., stopped, paused, exited) should still be visible to Traefik for service discovery. When this label is set to true, Traefik will: - Keep the router and service configuration even when the container is not running - Create services with empty backend server lists - Return 503 Service Unavailable for requests to stopped containers (instead of 404 Not Found) - Execute the full middleware chain, allowing middlewares to intercept requests As the traefik.docker.allownonrunning enables the discovery of all containers exposing this option disregarding their state, if multiple stopped containers expose the same router but their configurations diverge, then the routers will be dropped. |
true |
traefik.docker.network |
Overrides the default docker network to use for connections to the container. If a container is linked to several networks, be sure to set the proper network name (you can check this with docker inspect <container_id>), otherwise it will randomly pick one (depending on how docker is returning them).When deploying a stack from a compose file stack, the networks defined are prefixed with stack. |
mynetwork |