EntryPoints
EntryPoints define network entry points where Traefik listens for incoming connections.
What is an EntryPoint?
An EntryPoint specifies:
- Port to listen on (e.g., :80, :443)
- Protocol to use (TCP or UDP)
- Address to bind to (optional, defaults to all interfaces)
Every request enters Traefik through an EntryPoint before being routed to services.
EntryPoints are configured in static configuration and require a Traefik restart to change.
Basic Configuration
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
```
The address field has the form [host]:port[/tcp|/udp]: the host is optional (omit it to bind all interfaces; wrap IPv6 literals in brackets) and the protocol defaults to TCP.

Port only, listening on all interfaces:
```yaml
entryPoints:
  web:
    address: ":80"        # TCP port 80
  dns:
    address: ":53/udp"    # UDP port 53
```
Specific IP address:
```yaml
entryPoints:
  internal:
    address: "192.168.1.100:8080"
  ipv6:
    address: "[2001:db8::1]:8080"
```
TCP and UDP on the same port: one EntryPoint serves one protocol, so create a separate EntryPoint for each.
```yaml
entryPoints:
  tcp-3000:
    address: ":3000"      # TCP
  udp-3000:
    address: ":3000/udp"  # UDP
```
Common EntryPoint Configurations
HTTP and HTTPS
Standard web server setup:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
```
This automatically redirects HTTP to HTTPS.
Custom Ports
```yaml
entryPoints:
  api:
    address: ":8080"
  metrics:
    address: ":9090"
  admin:
    address: "127.0.0.1:9000"   # Localhost only
```
Multiple Protocols
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  mysql:
    address: ":3306"      # raw TCP, routed by TCP routers
  postgres:
    address: ":5432"
  dns:
    address: ":53/udp"
```
HTTP Configuration
HTTP-specific options for web traffic.
Automatic HTTPS Redirect
Redirect all HTTP traffic to HTTPS:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true   # permanent redirect (301, 308 for non-GET); this is the default
  websecure:
    address: ":443"
```
TLS Configuration
Configure TLS for HTTPS on the websecure EntryPoint. Three common setups:

Let's Encrypt: automatic certificates with ACME. A wildcard SAN such as *.example.com can only be issued through the DNS-01 challenge, so the letsencrypt resolver must use a DNS provider.
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
```
Custom Certificates: use specific TLS certificates. The EntryPoint only references a TLS options set; the certificates themselves are declared in dynamic configuration.
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        options: default
```
```yaml
# In dynamic configuration
tls:
  certificates:
    - certFile: /path/to/cert.pem
      keyFile: /path/to/key.pem
```
TLS Options: configure TLS versions and ciphers. The options set is named in dynamic configuration and referenced from the EntryPoint.
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        options: strict
```
```yaml
# In dynamic configuration
tls:
  options:
    strict:
      minVersion: VersionTLS12
      cipherSuites:            # applies to TLS 1.2 only; TLS 1.3 suites are fixed by Go
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
HTTP/2 and HTTP/3
```yaml
entryPoints:
  websecure:
    address: ":443"
    http2:
      maxConcurrentStreams: 250
```
HTTP/3 is enabled with the http3 option on the same EntryPoint. Traefik then opens a UDP listener on the same port as the TCP EntryPoint and advertises it to clients in the Alt-Svc header, so the UDP port must be reachable through any firewall or load balancer in front of Traefik.
Middleware on EntryPoints
Apply middleware to all routers using an EntryPoint:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      middlewares:
        - global-ratelimit@file
        - security-headers@file
```
```yaml
# In dynamic configuration
http:
  middlewares:
    global-ratelimit:
      rateLimit:
        average: 100
        burst: 50
    security-headers:
      headers:
        customResponseHeaders:
          X-Frame-Options: "DENY"
          X-Content-Type-Options: "nosniff"
```
Transport Configuration
Configure connection timeouts and lifecycle.
Timeouts
```yaml
entryPoints:
  web:
    address: ":80"
    transport:
      respondingTimeouts:
        readTimeout: "60s"
        writeTimeout: "60s"
        idleTimeout: "180s"
      lifeCycle:
        requestAcceptGraceTimeout: "10s"
        graceTimeOut: "30s"
```
- readTimeout: maximum duration for reading the whole request, including the body (default: 60s). This is the bound on slow-request (slowloris-style) connections.
- writeTimeout: maximum duration for writing the response (default: 0s, no timeout). Set it when a slow reader must not hold a connection and its backend open indefinitely.
- idleTimeout: maximum duration an idle keep-alive connection is kept open (default: 180s).
Graceful Shutdown
```yaml
entryPoints:
  web:
    address: ":80"
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: "10s"   # Keep accepting new requests this long after the stop signal
        graceTimeOut: "30s"                # Then wait this long for in-flight requests
```
Keep-Alive Limits
```yaml
entryPoints:
  web:
    address: ":80"
    transport:
      keepAliveMaxRequests: 100   # Close after 100 requests
      keepAliveMaxTime: "300s"    # Close after 5 minutes
```
Forwarded Headers
Decide which peers may set X-Forwarded-For, X-Forwarded-Proto and the other X-Forwarded-* headers:

Trusted IPs: trust specific proxy IPs. Headers arriving from any other peer are stripped before the request reaches the backend.
```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.0/24"
        - "10.0.0.0/8"
```
Insecure Mode: trust all forwarded headers (development only):
```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      insecure: true
```
Never use insecure: true in production: any client can then write X-Forwarded-For and X-Forwarded-Proto itself, spoofing its source address to IP allow lists, rate limits and logs, and claiming its request arrived over HTTPS.
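To make the trust decision concrete, here is an added Python model of it (example code written for this page, not Traefik's implementation). It uses the trustedIPs list from the block above; the header names it strips, the right-to-left client lookup (the same idea as Traefik's ipStrategy.excludedIPs) and the sample requests are assumptions of the example.

```python
import ipaddress

# Constructed example, not Traefik's code: the CIDRs are the page's
# forwardedHeaders.trustedIPs list, the requests below are invented.
TRUSTED = [ipaddress.ip_network(c) for c in ("127.0.0.1/32", "192.168.1.0/24", "10.0.0.0/8")]

# Proxy-supplied headers that must not be believed from an untrusted peer.
PROXY_HEADERS = ("X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Port",
                 "X-Forwarded-Proto", "X-Forwarded-Server", "X-Real-Ip")


def is_trusted(addr, trusted=TRUSTED):
    """True when addr falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage in a header is never a trusted proxy
        return False
    return any(ip in net for net in trusted)


def forward_headers(remote_addr, headers, trusted=TRUSTED, insecure=False):
    """Headers a backend receives after the entryPoint's forwardedHeaders step.

    Untrusted peer (and insecure=False): every proxy header it sent is dropped.
    Trusted peer, or insecure=True:      the headers pass through untouched.
    In both cases the TCP peer address is appended to X-Forwarded-For, as a
    reverse proxy does.
    """
    out = dict(headers)
    if not insecure and not is_trusted(remote_addr, trusted):
        for name in PROXY_HEADERS:
            out.pop(name, None)
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {remote_addr}" if prior else remote_addr
    return out


def client_ip(xff, trusted=TRUSTED):
    """Scan X-Forwarded-For right-to-left and skip known proxies; the first
    address that is not a trusted proxy is the client (the idea behind
    Traefik's ipStrategy.excludedIPs). If every hop is a proxy this demo
    falls back to the leftmost entry, an arbitrary choice for the example."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return None
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]


def naive_client_ip(xff):
    """The common mistake: trust the leftmost entry, which the client wrote."""
    return xff.split(",")[0].strip()


if __name__ == "__main__":
    # Attacker at 203.0.113.9 claims to be an internal address.
    spoof = {"X-Forwarded-For": "10.0.0.1"}
    print(forward_headers("203.0.113.9", spoof)["X-Forwarded-For"])            # 203.0.113.9
    leaked = forward_headers("203.0.113.9", spoof, insecure=True)["X-Forwarded-For"]
    print(leaked, "->", naive_client_ip(leaked))                                # 10.0.0.1, 203.0.113.9 -> 10.0.0.1
    # Legitimate request relayed by the load balancer at 10.0.0.5.
    via_lb = forward_headers("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"})
    print(via_lb["X-Forwarded-For"], "->", client_ip(via_lb["X-Forwarded-For"]))  # 198.51.100.7, 10.0.0.5 -> 198.51.100.7
```

With trustedIPs the attacker's forged hop never reaches the backend; with insecure: true it does, and any consumer that reads the leftmost entry (naive_client_ip) is fooled. Even with a correct right-to-left scan the trust list must match the proxies actually in the path: a missing proxy CIDR makes the proxy itself look like the client, an overly broad one lets an attacker who can reach Traefik from inside that range spoof at will.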
Proxy Protocol
Support the HAProxy PROXY protocol, which lets a TCP-level load balancer pass the original client address ahead of the connection data:
```yaml
entryPoints:
  web:
    address: ":80"
    proxyProtocol:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.7"
```
Traefik accepts PROXY protocol versions 1 and 2 and detects the version automatically. Only peers in trustedIPs may set the client address this way; a PROXY header arriving from any other peer is ignored and the TCP peer address is used instead, so never list a range that untrusted clients can connect from.
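The following is an added Python example, not Traefik's code, that parses both PROXY protocol versions with the same auto-detection and applies the trustedIPs rule from the block above. The two sample connections (a client at 198.51.100.7:56324 reaching 10.0.0.2:443, announced once in v1 text form and once in v2 binary form) are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte binary signature of version 2
V1_PREFIX = b"PROXY "                       # text signature of version 1

# The page's proxyProtocol.trustedIPs list.
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in ("127.0.0.1/32", "192.168.1.7")]


@dataclass
class ProxyHeader:
    version: int
    src: Optional[str]        # None for v1 UNKNOWN and v2 LOCAL/AF_UNSPEC
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    consumed: int             # header length; the payload starts here


def has_proxy_header(data: bytes) -> bool:
    return data.startswith(V2_SIGNATURE) or data.startswith(V1_PREFIX)


def parse_proxy_header(data: bytes) -> ProxyHeader:
    """Auto-detect the version from the leading bytes and parse the header."""
    if data.startswith(V2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(V1_PREFIX):
        return _parse_v1(data)
    raise ValueError("no PROXY protocol header")


def _parse_v1(data: bytes) -> ProxyHeader:
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > 107:                     # v1 line is at most 107 bytes incl. CRLF
        raise ValueError("malformed PROXY v1 line")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":                       # sender could not determine addresses
        return ProxyHeader(1, None, None, None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    sp, dp = int(fields[4]), int(fields[5])
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return ProxyHeader(1, str(src), str(dst), sp, dp, end + 2)


def _parse_v2(data: bytes) -> ProxyHeader:
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    total = 16 + length
    if len(data) < total:
        raise ValueError("truncated PROXY v2 header")
    command, family = ver_cmd & 0x0F, fam_proto >> 4
    if command == 0 or family == 0:                  # LOCAL (proxy health check) or AF_UNSPEC
        return ProxyHeader(2, None, None, None, None, total)
    if command != 1:
        raise ValueError("unknown PROXY v2 command")
    body = data[16:total]
    if family == 1 and length >= 12:                 # AF_INET: 4+4 addresses, 2+2 ports
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
    elif family == 2 and length >= 36:               # AF_INET6: 16+16 addresses, 2+2 ports
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family or short address block")
    return ProxyHeader(2, str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)), sp, dp, total)


def resolve_connection(peer: str, data: bytes, trusted=TRUSTED_PROXIES):
    """(effective client address, payload) as an entryPoint with trustedIPs sees it.

    A header from a trusted peer is used; a header from any other peer is
    consumed but ignored and the TCP peer address is kept.
    """
    if not has_proxy_header(data):
        return peer, data                            # plain connection
    hdr = parse_proxy_header(data)                   # malformed headers raise
    payload = data[hdr.consumed:]
    peer_ip = ipaddress.ip_address(peer)
    if hdr.src is None or not any(peer_ip in net for net in trusted):
        return peer, payload
    return hdr.src, payload


# Constructed sample connections followed by an HTTP request line.
PAYLOAD = b"GET / HTTP/1.1\r\n"
V1_SAMPLE = b"PROXY TCP4 198.51.100.7 10.0.0.2 56324 443\r\n" + PAYLOAD
V2_SAMPLE = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)   # v2, PROXY, AF_INET/STREAM
             + ipaddress.ip_address("198.51.100.7").packed
             + ipaddress.ip_address("10.0.0.2").packed
             + struct.pack("!HH", 56324, 443) + PAYLOAD)

if __name__ == "__main__":
    for peer in ("192.168.1.7", "203.0.113.9"):      # trusted LB vs. random host
        print(peer, "->", resolve_connection(peer, V1_SAMPLE)[0], resolve_connection(peer, V2_SAMPLE)[0])
```

The example shows why the trust list matters more than the parser: the header is plain text or a few fixed bytes that anyone can prepend to a connection, and it is only the source address of the TCP peer, checked against trustedIPs, that decides whether the announced client address is believed.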
Default EntryPoints
Mark EntryPoints as default for routers that don’t specify entryPoints:
```yaml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    asDefault: true     # Routers use this by default
  admin:
    address: ":9000"    # Not default
```
If no EntryPoint has asDefault: true, routers that do not specify entryPoints listen on all EntryPoints.
Advanced Features
ReusePort
Allow several Traefik processes, or several EntryPoints, to bind the same port by setting the SO_REUSEPORT socket option on the listener:
```yaml
entryPoints:
  web:
    address: ":80"
    reusePort: true
```
Useful for:
- Zero-downtime deployments (start the new process before the old one releases the port)
- Canary releases
- Load balancing across processes (the kernel spreads incoming connections over the listeners)
Supported on Linux, FreeBSD, OpenBSD and Darwin; the option is ignored on other platforms. Older Linux kernels have known bugs around SO_REUSEPORT, so test on the kernel you run in production.
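To see the kernel behaviour reusePort relies on, here is an added Python demonstration (not Traefik code). It binds two plain TCP listeners on the loopback address with and without SO_REUSEPORT, then simulates the zero-downtime case by closing the old listener and connecting a client. It assumes a platform that exposes SO_REUSEPORT (Linux, the BSDs, macOS).

```python
import errno
import socket

# Constructed demo, not Traefik code: it shows the SO_REUSEPORT behaviour that
# reusePort: true relies on, using two listening sockets on the loopback address.


def _listener(port=0, reuse_port=True):
    """A listening TCP socket on 127.0.0.1; port 0 lets the kernel pick one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse_port:
            if not hasattr(socket, "SO_REUSEPORT"):
                raise RuntimeError("SO_REUSEPORT is not available on this platform")
            # Must be set before bind() on every socket that shares the port.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        sock.bind(("127.0.0.1", port))
        sock.listen(8)
        sock.settimeout(2)
    except Exception:
        sock.close()
        raise
    return sock


def bind_twice(reuse_port):
    """Can a second listener bind the port the first already listens on?
    Without SO_REUSEPORT the kernel answers EADDRINUSE; with it both succeed."""
    first = _listener(reuse_port=reuse_port)
    second = None
    try:
        second = _listener(first.getsockname()[1], reuse_port=reuse_port)
        return True
    except OSError as exc:
        if exc.errno != errno.EADDRINUSE:
            raise
        return False
    finally:
        first.close()
        if second is not None:
            second.close()


def rolling_restart():
    """The old process closes its listener while the new one keeps the port;
    a client connecting afterwards is served by the new listener without the
    port ever being unbound. Returns the bytes the new listener received."""
    old = _listener()
    port = old.getsockname()[1]
    new = _listener(port)                  # "new Traefik process" starts alongside
    old.close()                            # "old Traefik process" exits
    client = socket.create_connection(("127.0.0.1", port), timeout=2)
    try:
        client.sendall(b"hello")
        conn, _ = new.accept()
        with conn:
            return conn.recv(16)
    finally:
        client.close()
        new.close()


if __name__ == "__main__":
    print("second bind without SO_REUSEPORT:", bind_twice(False))   # False
    print("second bind with SO_REUSEPORT:   ", bind_twice(True))    # True
    print("client after old listener closed:", rolling_restart())   # b'hello'
```

The handover works because the kernel removes a closed listener from the port's group immediately; the caveat mentioned above concerns connections that were already queued on the old listener when it closed, which older kernels can reset instead of handing over, so drain with requestAcceptGraceTimeout before closing.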
Encoded Characters
Control handling of encoded characters in request paths:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      encodedCharacters:
        allowEncodedSlash: false          # Reject %2F
        allowEncodedBackSlash: false      # Reject %5C
        allowEncodedNullCharacter: false  # Reject %00
```
Path Sanitization
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      sanitizePath: true   # Clean paths like /./foo/../bar to /bar before routing
```
Setting sanitizePath: false makes router rules match the raw path: a request for /public/../admin can then match a PathPrefix(`/public`) router and skip the middlewares attached to the /admin router, while the backend resolves the same path to /admin. Only disable it if a backend genuinely depends on receiving the unnormalised path.
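The encodedCharacters and sanitizePath settings close two halves of the same traversal problem, so here is one added Python model covering both (example code for this page, not Traefik's router). The two routers, their middleware, the prefix matcher and the backend's decode-then-normalise behaviour are assumptions of the example.

```python
from urllib.parse import unquote

# Constructed model, not Traefik's router code: two hypothetical routers,
# an admin one protected by an auth middleware and a public one without.
ROUTERS = (
    ("admin",  "/admin",  ("basic-auth",)),
    ("public", "/public", ()),
)


def clean_path(path):
    """Resolve '.' and '..' segments and collapse repeated slashes, never
    escaping above '/', like Go's path.Clean on an absolute path."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def match_router(path):
    """Longest PathPrefix match over ROUTERS; None when nothing matches."""
    best = None
    for name, prefix, middlewares in ROUTERS:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[1]):
                best = (name, prefix, middlewares)
    return best


def handle(raw_path, sanitize=True, allow_encoded_slash=False,
           allow_encoded_backslash=False, allow_encoded_null=False):
    """Entry-point decision for one request path.

    1. Reject percent-encoded characters the entryPoint does not allow (400).
    2. Normalise the path when sanitizePath is on.
    3. Pick the router and report which middlewares would run.
    """
    lowered = raw_path.lower()
    if ((not allow_encoded_slash and "%2f" in lowered)
            or (not allow_encoded_backslash and "%5c" in lowered)
            or (not allow_encoded_null and "%00" in lowered)):
        return {"status": 400, "router": None, "middlewares": (), "path": raw_path}
    path = clean_path(raw_path) if sanitize else raw_path
    hit = match_router(path)
    if hit is None:
        return {"status": 404, "router": None, "middlewares": (), "path": path}
    return {"status": 200, "router": hit[0], "middlewares": hit[2], "path": path}


def backend_path(path):
    """What a typical backend serves: it decodes percent-encoding and then
    normalises the result, so '..' that the proxy never saw now takes effect."""
    return clean_path(unquote(path))


if __name__ == "__main__":
    cases = (
        ("/public/../admin/users", {}),
        ("/public/../admin/users", {"sanitize": False}),
        ("/public/..%2Fadmin/users", {}),
        ("/public/..%2Fadmin/users", {"allow_encoded_slash": True}),
        ("/admin/report%00.png", {}),
    )
    for raw, kw in cases:
        r = handle(raw, **kw)
        print(f"{raw:28} {str(kw):34} -> {r['status']} {r['router']} "
              f"{r['middlewares']} backend={backend_path(raw)}")
```

Two rows are the ones to look at: with sanitize=False the literal /public/../admin/users is routed to public with no auth middleware although the backend serves /admin/users, and with allow_encoded_slash=True the %2F variant survives sanitisation untouched (the ..%2Fadmin segment is not "..") and reaches the backend, which decodes it into the same traversal. The defaults reject the second case outright and normalise the first before the router sees it.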
Real-World Examples
Complete production setup with security:
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    asDefault: true
    http:
      tls:
        certResolver: letsencrypt
      middlewares:
        - security-headers@file
        - rate-limit@file
    http2:
      maxConcurrentStreams: 250
    http3:
      advertisedPort: 443   # UDP port announced in Alt-Svc; change only if NAT maps UDP elsewhere
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/8"      # Internal network; narrow this to the actual proxy subnets
    transport:
      respondingTimeouts:
        readTimeout: "60s"
        writeTimeout: "60s"
        idleTimeout: "180s"
```
Multi-service architecture
Multiple EntryPoints for different services:
```yaml
entryPoints:
  # Public web traffic
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
  # Internal API (localhost only)
  api:
    address: "127.0.0.1:8080"
  # Database proxy
  postgres:
    address: ":5432"
  mysql:
    address: ":3306"
  # Metrics
  metrics:
    address: "192.168.1.100:9090"
  # DNS
  dns:
    address: ":53/udp"
```
Traefik behind AWS ALB or GCP Load Balancer. forwardedHeaders covers an HTTP-level balancer (ALB, GCP HTTP(S) load balancing) that sets X-Forwarded-For; proxyProtocol only matters when a TCP-level balancer in front of Traefik emits the PROXY header (AWS NLB or Classic ELB with proxy protocol enabled, since ALB does not send it). Keep only the part that matches your balancer.
```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        # VPC range the load balancer's private addresses come from; narrow to its subnets
        - "10.0.0.0/8"
    proxyProtocol:
      trustedIPs:
        - "10.0.0.0/8"
    transport:
      respondingTimeouts:
        readTimeout: "60s"
      lifeCycle:
        requestAcceptGraceTimeout: "30s"   # Align with the balancer's deregistration delay
        graceTimeOut: "60s"
```
Next Steps
Configure Routers
Create routing rules to match and forward requests
Setup TLS
Configure HTTPS certificates and TLS options