HTTPS & TLS Overview

Traefik provides comprehensive support for HTTPS and TLS, enabling secure communication for your services with minimal configuration.

How It Works

HTTPS & TLS in Traefik involves two main components:

1. Router Configuration

Configure routers to handle HTTPS traffic by enabling the tls field in your router definition.

2. Certificate Management

Provide TLS certificates either through:
  • Automatic generation via Let’s Encrypt (ACME)
  • Manual configuration in dynamic configuration

Quick Start

Here’s a minimal example to enable HTTPS:
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

Router TLS Configuration

To enable TLS on a router, add the tls configuration:
http:
  routers:
    my-router:
      rule: "Host(`example.com`)"
      service: my-service
      tls:
        certResolver: myresolver

Certificate Sources

Traefik supports multiple ways to obtain certificates:

Automatic (ACME/Let’s Encrypt)

  • Zero configuration for common scenarios
  • Automatic renewal before expiration
  • Multiple challenge types: HTTP-01, TLS-ALPN-01, DNS-01
  • Wildcard support via DNS challenge

Learn more about ACME configuration →

Manual Configuration

  • Custom certificates from any CA
  • Self-signed certificates for development
  • Corporate PKI certificates

Learn more about TLS configuration →

Key Features

Automatic HTTPS

Traefik automatically obtains and renews certificates from Let’s Encrypt with zero downtime.

SNI Routing

Route traffic based on Server Name Indication (SNI) to serve multiple domains from a single IP.

TLS Options

Configure minimum TLS versions, cipher suites, and client authentication (mTLS).

Certificate Stores

Organize and manage certificates with built-in certificate stores.

Automatic HTTPS Redirection

Redirect HTTP traffic to HTTPS automatically:
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

TLS Versions

Traefik supports the following TLS versions:
  • TLS 1.0 (deprecated, not recommended)
  • TLS 1.1 (deprecated, not recommended)
  • TLS 1.2 (recommended minimum)
  • TLS 1.3 (recommended)

By default, Traefik uses TLS 1.2 as the minimum version with secure cipher suites.

Security Best Practices

1. Use TLS 1.2+

Set minVersion: VersionTLS12 or higher in your TLS options to disable older, insecure protocols.

2. Enable HTTPS Redirects

Always redirect HTTP to HTTPS to prevent unencrypted traffic.

3. Use Strong Cipher Suites

Configure only modern, secure cipher suites in production.

4. Enable HSTS

Add HTTP Strict Transport Security headers to prevent protocol downgrade attacks.
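
The practices above, combined into one dynamic configuration file. This is an added example, not taken from the Traefik documentation page. The middleware name hsts, the one-year max-age and the cipher selection are assumptions; my-router, my-service and myresolver reuse the names from the earlier snippets, and my-service is assumed to be defined elsewhere.

```yaml
# Dynamic configuration (file provider). Added example, not Traefik's own.
tls:
  options:
    default:                          # applied to routers that name no other TLS options
      minVersion: VersionTLS12        # TLS 1.0 and 1.1 handshakes are refused
      cipherSuites:                   # governs TLS 1.2 only; TLS 1.3 suites are not configurable
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

http:
  middlewares:
    hsts:                             # assumed name
      headers:
        stsSeconds: 31536000          # assumed max-age: one year, in seconds
        stsIncludeSubdomains: true    # only if every subdomain is served over HTTPS

  routers:
    my-router:
      rule: "Host(`example.com`)"
      entryPoints:
        - websecure                   # HTTPS entry point from the Quick Start
      service: my-service             # assumed to exist
      middlewares:
        - hsts
      tls:
        certResolver: myresolver
```

The HTTP to HTTPS redirect is configured on the web entry point in the static configuration, as shown under Automatic HTTPS Redirection. Start with a short stsSeconds value while testing, since browsers cache the policy for the full duration.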

Common Use Cases

Development Environment

# Use self-signed certificates for local development
tls:
  certificates:
    - certFile: /path/to/localhost.cert
      keyFile: /path/to/localhost.key

Production with Let’s Encrypt

# Automatic certificates for production
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /acme/acme.json
      tlsChallenge: {}

Multi-Domain Configuration

# Single certificate for multiple domains (SANs)
http:
  routers:
    my-router:
      rule: "Host(`example.com`) || Host(`www.example.com`)"
      tls:
        certResolver: myresolver

When running Traefik in a container, persist the acme.json file across restarts to avoid hitting Let’s Encrypt rate limits.

Next Steps

ACME Configuration

Configure Let’s Encrypt and other ACME providers for automatic certificate management.

TLS Configuration

Learn about TLS options, cipher suites, and client authentication.