EntryPoints
EntryPoints define network entry points where Traefik listens for incoming connections.
What is an EntryPoint?
An EntryPoint specifies:
- Port to listen on (e.g., :80, :443)
- Protocol to use (TCP or UDP)
- Address to bind to (optional, defaults to all interfaces)
Every request enters Traefik through an EntryPoint before being routed to services.
EntryPoints are configured in static configuration and require a Traefik restart to change.
Basic Configuration
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
```
The address field follows this format:
Port Only
Listen on all interfaces:
```yaml
entryPoints:
  web:
    address: ":80" # TCP port 80
  dns:
    address: ":53/udp" # UDP port 53
```
Specific IP
Listen on a specific IP address:
```yaml
entryPoints:
  internal:
    address: "192.168.1.100:8080"
  ipv6:
    address: "[2001:db8::1]:8080"
```
TCP and UDP
Use the same port for both TCP and UDP:
```yaml
entryPoints:
  tcp-3000:
    address: ":3000" # TCP
  udp-3000:
    address: ":3000/udp" # UDP
```
Create separate EntryPoints for TCP and UDP on the same port.
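A bare port binds to every interface, so it helps to inventory what each EntryPoint actually exposes. The following is an added example, not Traefik's own code: it parses the address forms shown above and classifies the bind host. The function names and the `SAMPLE` mapping (the `entryPoints` section as a YAML parser would return it) are constructed for illustration.

```python
import ipaddress

def parse_address(address):
    """Split an EntryPoint address such as ':53/udp' or '[2001:db8::1]:8080'."""
    hostport, _, proto = address.partition("/")
    proto = (proto or "tcp").lower()  # no suffix means TCP
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol in {address!r}")
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"missing or invalid port in {address!r}")
    return host.strip("[]"), int(port), proto

def exposure(host):
    """Classify which interfaces a bind host reaches."""
    if host == "":
        return "all-interfaces"  # the default when no host is given
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # resolve it before judging exposure
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "specific-ip"

def inventory(entry_points):
    """Map each EntryPoint name to (port, protocol, exposure)."""
    report = {}
    for name, ep in entry_points.items():
        host, port, proto = parse_address(ep["address"])
        report[name] = (port, proto, exposure(host))
    return report

# Constructed sample using address values that appear on this page.
SAMPLE = {
    "web": {"address": ":80"},
    "dns": {"address": ":53/udp"},
    "admin": {"address": "127.0.0.1:9000"},
    "internal": {"address": "192.168.1.100:8080"},
    "ipv6": {"address": "[2001:db8::1]:8080"},
}

if __name__ == "__main__":
    for name, row in inventory(SAMPLE).items():
        print(name, *row)
```

Any EntryPoint reported as all-interfaces that is meant for administration or metrics is a candidate for an explicit bind address.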
Common EntryPoint Configurations
HTTP and HTTPS
Standard web server setup:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
```
This automatically redirects HTTP to HTTPS.
Custom Ports
```yaml
entryPoints:
  api:
    address: ":8080"
  metrics:
    address: ":9090"
  admin:
    address: "127.0.0.1:9000" # Localhost only
```
Multiple Protocols
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  mysql:
    address: ":3306"
  postgres:
    address: ":5432"
  dns:
    address: ":53/udp"
```
HTTP Configuration
HTTP-specific options for web traffic.
Automatic HTTPS Redirect
Redirect all HTTP traffic to HTTPS:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true # 301 redirect
  websecure:
    address: ":443"
```
TLS Configuration
Configure TLS for HTTPS:
Let's Encrypt
Automatic certificates with ACME:
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
```
Custom Certificates
Use specific TLS certificates:
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        options: default

# In dynamic configuration
tls:
  certificates:
    - certFile: /path/to/cert.pem
      keyFile: /path/to/key.pem
```
TLS Options
Configure TLS versions and ciphers:
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        options: strict

# In dynamic configuration
tls:
  options:
    strict:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
HTTP/2 and HTTP/3
```yaml
entryPoints:
  websecure:
    address: ":443"
    http2:
      maxConcurrentStreams: 250
```
HTTP/3 automatically creates a UDP listener on the same port as the TCP EntryPoint.
Middleware on EntryPoints
Apply middleware to all routers using an EntryPoint:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      middlewares:
        - global-ratelimit@file
        - security-headers@file

# In dynamic configuration
http:
  middlewares:
    global-ratelimit:
      rateLimit:
        average: 100
        burst: 50
    security-headers:
      headers:
        customResponseHeaders:
          X-Frame-Options: "DENY"
          X-Content-Type-Options: "nosniff"
```
Transport Configuration
Configure connection timeouts and lifecycle.
Timeouts
```yaml
entryPoints:
  web:
    address: ":80"
    transport:
      respondingTimeouts:
        readTimeout: "60s"
        writeTimeout: "60s"
        idleTimeout: "180s"
      lifeCycle:
        requestAcceptGraceTimeout: "10s"
        graceTimeOut: "30s"
```
- readTimeout: Maximum duration for reading the request, including the body (default: 60s).
- writeTimeout: Maximum duration for writing the response (default: 0s, meaning no timeout).
- idleTimeout: Maximum duration for idle keep-alive connections (default: 180s).
Graceful Shutdown
```yaml
entryPoints:
  web:
    address: ":80"
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: "10s" # Wait before stopping new requests
        graceTimeOut: "30s" # Wait for in-flight requests
```
Keep-Alive Limits
```yaml
entryPoints:
  web:
    address: ":80"
    transport:
      keepAliveMaxRequests: 100 # Close after 100 requests
      keepAliveMaxTime: "300s" # Close after 5 minutes
```
Forwarded Headers
Trust proxy headers like X-Forwarded-For:
Trusted IPs
Trust specific proxy IPs:
```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.0/24"
        - "10.0.0.0/8"
```
Insecure Mode
Trust all forwarded headers (development only):
```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      insecure: true
```
Never use insecure: true in production - it allows IP spoofing.
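The difference between the two modes is easiest to see on a forged header. The following is an added example, a simplified model of the trust decision rather than Traefik's code: forwarded headers are kept only when the TCP peer falls inside trustedIPs, or always when insecure is set. The function names and the two sample requests are constructed.

```python
import ipaddress

def peer_is_trusted(peer_ip, trusted_ips=(), insecure=False):
    """Decide whether forwarded headers sent by this TCP peer are kept."""
    if insecure:  # forwardedHeaders.insecure: true trusts every peer
        return True
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(c, strict=False) for c in trusted_ips)

def forwarded_chain(peer_ip, headers, trusted_ips=(), insecure=False):
    """X-Forwarded-For chain after the EntryPoint (simplified model)."""
    chain = []
    if peer_is_trusted(peer_ip, trusted_ips, insecure):
        raw = headers.get("X-Forwarded-For", "")
        chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
    chain.append(peer_ip)  # the directly connected peer is always recorded
    return chain

def client_ip(chain):
    """What an application reading the left-most hop treats as the client."""
    return chain[0]

TRUSTED = ["127.0.0.1/32", "192.168.1.0/24", "10.0.0.0/8"]  # values from the page

# Constructed requests: (TCP peer, headers it sent)
VIA_PROXY = ("192.168.1.20", {"X-Forwarded-For": "198.51.100.7"})
DIRECT_FORGED = ("203.0.113.50", {"X-Forwarded-For": "10.1.2.3"})

if __name__ == "__main__":
    for peer, hdrs in (VIA_PROXY, DIRECT_FORGED):
        print(peer,
              client_ip(forwarded_chain(peer, hdrs, TRUSTED)),
              client_ip(forwarded_chain(peer, hdrs, insecure=True)))
```

With trustedIPs, the forged value from the untrusted peer is discarded and the peer's own address is used; with insecure, the forged internal address reaches IP allow-lists, rate limiters and logs.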
Proxy Protocol
Support HAProxy PROXY protocol:
```yaml
entryPoints:
  web:
    address: ":80"
    proxyProtocol:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.7"
```
Proxy Protocol supports versions 1 and 2. The version is auto-detected.
Default EntryPoints
Mark EntryPoints as default for routers that don’t specify entryPoints:
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    asDefault: true # Routers use this by default
  admin:
    address: ":9000" # Not default
```
If no EntryPoint has asDefault: true, routers listen on all EntryPoints by default.
Advanced Features
ReusePort
Allow multiple Traefik processes to bind to the same port (Linux only):
```yaml
entryPoints:
  web:
    address: ":80"
    reusePort: true
```
Useful for:
- Zero-downtime deployments
- Canary releases
- Load balancing across processes
Only supported on Linux, FreeBSD, OpenBSD, and Darwin. Has known kernel bugs on older Linux versions.
Encoded Characters
Control handling of encoded characters in request paths:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      encodedCharacters:
        allowEncodedSlash: false # Reject %2F
        allowEncodedBackSlash: false # Reject %5C
        allowEncodedNullCharacter: false # Reject %00
```
Path Sanitization
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      sanitizePath: true # Clean paths like /./foo/../bar to /bar
```
Setting sanitizePath: false can lead to security vulnerabilities. Only disable if you have a specific need.
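The Encoded Characters and Path Sanitization settings both exist to keep the proxy and the backend in agreement about which path was requested. The following is an added example, a model of those checks and not Traefik's code: it reports which option would have to be enabled to admit a path, and whether a prefix rule and a decoding backend would disagree. The /admin prefix, the function names and the sample paths in the test are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Encoded bytes named by the encodedCharacters options on this page.
OPTIONS = {"%2f": "allowEncodedSlash", "%5c": "allowEncodedBackSlash",
           "%00": "allowEncodedNullCharacter"}

def blocked_by(raw_path, allowed=()):
    """Options that would have to be enabled before raw_path is accepted."""
    seen = {m.lower() for m in re.findall(r"%[0-9A-Fa-f]{2}", raw_path)}
    return sorted(opt for enc, opt in OPTIONS.items()
                  if enc in seen and opt not in allowed)

def clean(path):
    """Remove '.' and '..' segments, e.g. /./foo/../bar -> /bar."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def proxy_view(raw_path, sanitize_path=True):
    """Path a prefix rule is matched against in this model."""
    return clean(raw_path) if sanitize_path else raw_path

def backend_view(raw_path):
    """Path seen by a backend that percent-decodes, then resolves dot segments."""
    return clean(unquote(raw_path))

def rule_disagrees(raw_path, prefix="/admin", sanitize_path=True):
    """True when proxy and backend disagree on whether the prefix rule applies."""
    return (proxy_view(raw_path, sanitize_path).startswith(prefix)
            != backend_view(raw_path).startswith(prefix))
```

A path for which `rule_disagrees` is true would skip a middleware attached to the prefix while still reaching the protected handler, which is why the defaults reject or normalise such paths at the EntryPoint.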
Real-World Examples
Complete production setup with security:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    asDefault: true
    http:
      tls:
        certResolver: letsencrypt
      middlewares:
        - security-headers@file
        - rate-limit@file
    http2:
      maxConcurrentStreams: 250
    http3:
      advertisedPort: 443
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/8" # Internal network
    transport:
      respondingTimeouts:
        readTimeout: "60s"
        writeTimeout: "60s"
        idleTimeout: "180s"
```
Multi-service architecture
Multiple EntryPoints for different services:
```yaml
entryPoints:
  # Public web traffic
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
  # Internal API (localhost only)
  api:
    address: "127.0.0.1:8080"
  # Database proxy
  postgres:
    address: ":5432"
  mysql:
    address: ":3306"
  # Metrics
  metrics:
    address: "192.168.1.100:9090"
  # DNS
  dns:
    address: ":53/udp"
```
Traefik behind AWS ALB or GCP Load Balancer:
```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        # AWS ALB IP ranges
        - "10.0.0.0/8"
    proxyProtocol:
      trustedIPs:
        - "10.0.0.0/8"
    transport:
      respondingTimeouts:
        readTimeout: "60s"
      lifeCycle:
        requestAcceptGraceTimeout: "30s"
        graceTimeOut: "60s"
```