The Cloud Native Application Proxy


Build Status SemaphoreCI Docs Go Report Card License Join the community support forum at Twitter

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ...) and configures itself automatically and dynamically. Pointing Traefik at your orchestrator should be the only configuration step you need.

. Overview . Features . Supported backends . Quickstart . Web UI . Documentation .

. Support . Release cycle . Contributing . Maintainers . Credits .

⚠️ Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a v2 configuration.


Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul). Now you want users to access these microservices, and you need a reverse proxy.

Traditional reverse-proxies require that you configure each route that will connect paths and subdomains to each microservice. In an environment where you add, remove, kill, upgrade, or scale your services many times a day, the task of keeping the routes up to date becomes tedious.

This is when Traefik can help you!

Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.

Run Traefik and let it do the work for you! (But if you'd rather configure some of your routes manually, Traefik supports that too!)



  • Continuously updates its configuration (No restarts!)
  • Supports multiple load balancing algorithms
  • Provides HTTPS to your microservices by leveraging Let's Encrypt (wildcard certificates support)
  • Circuit breakers, retry
  • See the magic through its clean web UI
  • Websocket, HTTP/2, GRPC ready
  • Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
  • Keeps access logs (JSON, CLF)
  • Fast
  • Exposes a Rest API
  • Packaged as a single binary file (made with ❤️ with go) and available as a tiny official docker image

Supported Backends


To get your hands on Traefik, you can use the 5-Minute Quickstart in our documentation (you will need Docker).

Web UI

You can access the simple HTML frontend of Traefik.

Web UI Providers


You can find the complete documentation of Traefik v2 at

If you are using Traefik v1, you can find the complete documentation at

A collection of contributions around Traefik can be found at


To get community support, you can:

  • join the Traefik community forum: Join the chat at

If you need commercial support, please contact by mail: mailto:[email protected].


./traefik --configFile=traefik.toml
docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
  • Or get the sources:
git clone

Introductory Videos

You can find high level and deep dive videos on


Information about process and maintainers


If you'd like to contribute to the project, refer to the contributing documentation.

Please note that this project is released with a Contributor Code of Conduct. By participating in this project, you agree to abide by its terms.

Release Cycle

  • We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
  • Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
  • Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).

Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).

We use Semantic Versioning.

Mailing Lists


Kudos to Peka for his awesome work on the gopher's logo!.

The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.

The gopher's logo of Traefik was inspired by the gopher stickers made by Takuya Ueda. The original Go gopher was designed by Renee French.

Traefik Labs
Makes Networking Boring
Traefik Labs
  • v2.8.2 go panic

    v2.8.2 go panic


    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you do?

    Watchtower upgraded to 2.8.2, I'm sourcing latest. Upgrade should have gone smoothly as usual.

    What did you see instead?

    Go panic, can post full stack trace if necessary, its very large and hard to bound.

    What version of Traefik are you using?

    Version:      2.8.2
    Codename:     vacherin
    Go version:   go1.19
    Built:        2022-08-11T14:55:50Z
    OS/Arch:      linux/amd64

    What is your environment & configuration?

    Docker provider, cannot provide config (company/org). 2.8.1 works as expected.

    If applicable, please paste the log output in DEBUG level

     time="2022-08-11T17:16:16-03:00" level=error msg="Error in Go routine: runtime error: slice bounds out of range [2:1]"
    traefik-traefik-1  | time="2022-08-11T17:16:16-03:00" level=error msg="Stack: goroutine 29 [running]:\nruntime/debug.Stack()\n\truntime/debug/stack.go:24 +0x65\{0x36a75c0?, 0xc0007e40c0})\n\ +0xa5\\n\ +0x36\npanic({0x36a75c0, 0xc0007e40c0})\n\truntime/panic.go:884 +0x212\{{0x19?, {0x3989c0e?, 0x0?}}}, {0x2ff49c0?, 0xc0004c91f8?, 0x355146f?}, 0xc0004d86c0)\n\[email protected]/parser/element_fill.go:157 +0xaa5\

    lots more, typical go stack trace. I can't reproduce this frequently, I need to get this server back to production.

  • Add Support for Consul Connect

    Add Support for Consul Connect

    What does this PR do?

    The change set introduces support for Consul Connect enabled services.


    There is no edge proxy available that can route traffic to a connect enabled service. Consul Connect, despite being a powerful and easy to use service mesh, is useless to a lot of people who are mainly looking to route traffic from internet to private services. A service running inside Connect service mesh can only receive traffic via its sidecar, and sidecar will only communicate with a network peer using mutual TLS. The solution is easy, but haven't been implemented in any form.

    Traefik already supports Consul Catalog, it is only a matter of utilizing the certificates for upstream connection wherever applicable and it becomes the perfect edge proxy for connect mesh.


    • [ ] Added/updated tests
    • [ ] Added/updated documentation

    Additional Notes

    This PR is in progress, I need some help to figure out how to set the TLS configuration on a connection without specifying it in service tags.


    Continues consul connect integration from #6373

    Co-authored-by: Florian Apolloner [email protected]

  • Specify backend servers' weight via annotation for kubernetes

    Specify backend servers' weight via annotation for kubernetes

    What does this PR do?

    Fixes #2729. Also previous discussions.

    Provides a new ingress annotation which specifies a YAML-encoded, percentage-based weight distribution. With this annotation, we can do canary release by dynamically adjust the weight of ingress backends.

    Since that currently the weight of types.Server is integer, so I created a simple allocator to make the weight of the server as average as possible.


    Introduce weight-based canary release to kubernetes provider with minimal change.


    • [X] Added/updated tests
    • [x] Added/updated documentation

    Additional Notes

  • enable custom plugins/middlewares for Traefik

    enable custom plugins/middlewares for Traefik

    After seeing the Go1.8 new plugin feature I though that this could help a lot o people to add specific functionalities to Traefik.

    Instead of building/compiling/shipping a custom-made version of Traefik to enable a custom functionality it would be possible to write way simpler custom-made middlewares with this approach, doesn't it ?

    Try imagine creating a package that receives the request at a parameter without having to recompile the whole Traefik repository just to add a small change. Does it sounds like a middleware ? Because for me it is ! It's just a go1.8-plugin-based-middleware !

    What do you guys think ?

  • Need URL rewrite to add trailing slash

    Need URL rewrite to add trailing slash

    I have a simple app, which has the following file structure at root

    • script.js
    • style.css
    • index.html (load the other two files using relative path script.js and style.css)

    Since I want to access the app via URL http://example/app, I proxied the web app with rule PathStripPrefix:/app. The problem is when I try to access URL http://example/app (without trailing slash), it will load "index.html" fine, but not the JS and CSS file. When I look into the debugger, it tries to load:

    • http://example/script.js
    • http://exmaple/style.css

    Instead of (the correct one):

    • http://example/app/script.js
    • http://example/app/style.css

    It only works when I type the original URL with a trailing slash, so http://example/app/. This is not a big deal for me but users sometimes find it annoying since we used to use Nginx, who sends an "301 Moved Permanently" to a URL with trailing slash when it's not there. I wonder if it is possible / makes sense to implement this in Traefik?

    Thank you!

  • New web ui

    New web ui

    First of all, sorry for making PR this huge, I did read the contributing guide but in that case I believe small PR is not possible.

    Hi guys, I really like the project and I decided to help you with transition to latest version of Angular rather than using first version.

    screen shot 2017-10-08 at 18 11 30

    I also updated UI and started to working on be a slightly more modern but didn't finish things already. First, I would like to know if you guys are even interested of upgrading and improving user interface? If so, this PR is not finished yet, its a work in progress, but can be done in a day.

    I have question if there is a reason why you are sending xhr requests to server in time interval (3000ms)? I believe this is a more or less anti-pattern and should be done with websockets. All live data on Web UI should transfer data through websockets and if someone is interested of creating server I can update the frontend accordingly.


    • [x] health
    • [ ] frondend implementation of reconnecting websocket
    • [ ] e2e tests
    • [ ] karma tests

    Cheers, Jan

  • Support FastCGI protocol

    Support FastCGI protocol

    I want to use traefik as loadbalancer in front of some rok4 intances (

    Rok4 only support fastCGI. It would be nice if traefik support this protocol :)

  • #504 Initial support for Docker 1.12 Swarm Mode

    #504 Initial support for Docker 1.12 Swarm Mode

    This new provide just work with one network and traefik.port label.

    I include a provide swarm it`s quite similar with docker provider but this swarm provide watch for services data.

  • ACME HTTP-01 challenge fails by timeout

    ACME HTTP-01 challenge fails by timeout

    Do you want to request a feature or report a bug?


    What did you do?

    I am trying to fetch automatic certificates from Let's Encrypt with HTTP-01.

    What did you expect to see?

    Fetching certificates like before TLS-SNI problems.

    What did you see instead?

    No new certificates.

    Possible problems / fixes

    It looks like it has something to do with adding the http route to each domain ([token]). When visiting the same route over https I receive an 404 directly. But via http timeouts.

    Via Slack someone (maverick) tried my same configuration but with a consul backend. Maybe it has something to do with that?

    When checking de debug logs it seems it "CleansUp" token for that domain before hitting the timeout. Maybe it has something to do with that?

    Output of traefik version: (What version of Traefik are you using?)

    Traefik version v1.5.0 built on 2018-01-23_04:42:32PM

    What is your environment & configuration (arguments, toml, provider, platform, ...)?

    defaultEntryPoints = ["http", "https"]
    debug = true
    logLevel = "DEBUG"
      address = ":80"
    #    [entryPoints.http.redirect]
    #    entryPoint = "https"
      compress = true
        address = ":443"
        compress = true
      email = "[email protected]"
      caServer = ""
      # Tried it on production as well
      storage = "/etc/traefik/acme/acme.json"
      entryPoint = "https"
      OnHostRule = true
      acmeLogging = true
        entryPoint = "http"
    # Enable Docker configuration backend
      endpoint = "unix:///var/run/docker.sock"
      domain = ""
      watch = true
      swarmmode = true
      exposedbydefault = true
      entryPoint = "traefik"
      dashboard = true
      address = ":8080"
        recentErrors = 10


    version: '3'
        image: nginx:1.13
          - "../workspace:/srv"
          - "./nginx/default.conf:/etc/nginx/conf.d/default.conf"
            - "traefik.backend=rest-api"
            - "traefik.port=80"
            - ""
            - ""
            - "traefik.backend.loadbalancer.method=drr"
          - frontend
          - backend
        image: php-fpm:7.1
          - "../workspace:/srv"
          - backend
          name: rest-api
          name: frontend

    If applicable, please paste the log output in debug mode (--debug switch)

    time="2018-01-25T10:05:56Z" level=debug msg="LoadCertificateForDomains []..." 
    time="2018-01-25T10:05:56Z" level=debug msg="Looking for provided certificate to validate []..." 
    time="2018-01-25T10:05:56Z" level=debug msg="No provided certificate found for domains [], get ACME certificate." 
    time="2018-01-25T10:05:56Z" level=debug msg="Loading ACME certificates []..." 
    legolog: 2018/01/25 10:05:56 [INFO][] acme: Obtaining bundled SAN certificate
    legolog: 2018/01/25 10:05:56 [INFO][] AuthURL:[...]T_SPCiF7p5CYLFI
    legolog: 2018/01/25 10:05:56 [INFO][] acme: Could not find solver for: dns-01
    legolog: 2018/01/25 10:05:56 [INFO][] acme: Trying to solve HTTP-01
    time="2018-01-25T10:05:56Z" level=debug msg="Challenge Present" 
    time="2018-01-25T10:06:07Z" level=debug msg="Challenge CleanUp" 
    time="2018-01-25T10:06:07Z" level=error msg="map[ Error 400 - urn:acme:error:connection - Fetching[...]Bc3rmeveJd611YowU: Timeout
    Error Detail:
    	Validation for
    	Resolved to:
    	Used: ***:*:*:*::*
    time="2018-01-25T10:06:07Z" level=error msg="Error getting ACME certificates [] : cannot obtain certificates map[ Error 400 - urn:acme:error:connection - Fetching[...]eJd611YowU: Timeout
    Error Detail:
    	Validation for
    	Resolved to:
    	Used: ***:*:*:*::*
    time="2018-01-25T10:06:07Z" level=debug msg="LoadCertificateForDomains []..." 
    legolog: 2018/01/25 10:06:07 [INFO][] acme: Obtaining bundled SAN certificate
    time="2018-01-25T10:06:07Z" level=debug msg="LoadCertificateForDomains []..." 
    time="2018-01-25T10:06:07Z" level=debug msg="Looking for provided certificate to validate []..." 
    time="2018-01-25T10:06:07Z" level=debug msg="No provided certificate found for domains [], get ACME certificate." 
    time="2018-01-25T10:06:07Z" level=debug msg="Loading ACME certificates []..." 
    legolog: 2018/01/25 10:06:07 [INFO][] AuthURL:[...]MpTqEWA4ksu345xc
    legolog: 2018/01/25 10:06:07 [INFO][] acme: Could not find solver for: dns-01
    legolog: 2018/01/25 10:06:07 [INFO][] acme: Trying to solve HTTP-01
    time="2018-01-25T10:06:07Z" level=debug msg="Challenge Present" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label traefik.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label payment_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label my_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label webfrontend_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label rest-api_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label order_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label catalog_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label price_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label notifications_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Filtering container without port and no traefik.port label exceptions_php.1 : strconv.Atoi: parsing "": invalid syntax" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.whitelistSourceRange labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.entryPoints labels" 
    time="2018-01-25T10:06:09Z" level=debug msg="Could not load traefik.frontend.auth.basic labels" 
  • Sporadic 502 response only when running through traefik

    Sporadic 502 response only when running through traefik

    Do you want to request a feature or report a bug?


    What did you do?

    I have a graphql API running on NodeJS using Apollo and Express, with traefik in front.

    When proxying through traefik I get sporadic 502 responses that I have not been able to resolve.

    I does never happen when I bypass the proxy and connect directly to the backend node server.

    I am running all tests locally on my dev machine.

    My first attempt to force the error was load testing with the locust framework. However, even when sending large amounts of request through the proxy I was unable to replicate the error. It only happens when I use the frontend application in the browser.

    After reading this oxy issue I started suspecting cancelled connections.

    I added a custom HTTP header with a UUID to be able to trace all requests, which I print on the backend.

      app.use((req, res, next) => {
        const id = req.headers['x-request-id'];
        if (id) {
          console.log(`Request id: ${id}`);

    Then I also added the following event listener to the express server to detect cancelled requests

      app.use((req, res, next) => {
        req.connection.on('close', () => {
          const id = req.headers['x-request-id'];
          console.log(`Cancelled request ${id}`);

    What I can see is that I do get cancelled requests when running the application in the browser, and at some point i get a 502 response from traefik. And in the traefik log this is

    DEBU[2018-04-26T13:43:51+02:00] vulcand/oxy/forward/http: Round trip: http://localhost:6543, code: 502, Length: 11, duration: 66.352475ms 

    And the nodejs backend log looks something like this:

    Request id: 7455804b-490a-4361-98e5-43d12bf4aca8
    Request id: 737f8d9d-3300-461b-858b-07006582a937
    POST /graphql 200 83.542 ms - 310
    POST /graphql 200 16.441 ms - 682
    Request id: 096e0e39-90e6-475c-b8ad-0aa2dfd2e345
    POST /graphql 200 5.338 ms - 163
    Request id: 69f17cb2-cdf1-4db5-a9f5-08e46d795892
    Request id: 50d3aec6-5cda-4e8b-ac0e-a30a57fa94c9
    POST /graphql 200 58.596 ms - 310
    POST /graphql 200 15.526 ms - 682
    Request id: 1d051f3a-7d80-464b-b50f-6d8e733d1940
    <------------- Here I get the 502
    Cancelled request 2e0a8e14-9880-46e7-8e51-ad528d55a81d
    Cancelled request b9489e71-7fc5-4f1c-b30a-668aac4652f9
    Cancelled request 249c529c-b9cb-4b48-a491-8e38a7ee50d8
    Cancelled request a5be4a66-9d43-4e30-a92d-862b355399a0
    Cancelled request 3721fe71-fe18-4389-812a-a90cc2f4f0f1
    Cancelled request 71b74750-8078-471e-91b8-a8119e5db797
    Cancelled request 34fb6b91-9fa5-4d68-92da-c267089f5910
    Cancelled request 692770b1-61c3-49c2-8309-8e7be629dca1
    Cancelled request 05790579-8290-4787-a7b7-82596ad24520
    Cancelled request c8edcc39-30c7-4812-941c-a1899298acf7
    Cancelled request 2ba9e715-ab7c-48ee-9d35-b5609179de6e
    Cancelled request b34f4725-665f-4b27-b3e1-cefec20c2ade
    Cancelled request 04bd3718-f6aa-4318-a469-fa3e17f54a20
    Cancelled request 4aedc60c-269a-420c-b083-1ea8f2e3243e
    Cancelled request 25be7334-43f9-4135-9537-36b0e36e698c
    Cancelled request 47bc1f9f-55c7-4f31-9957-7f0ad4285314
    Cancelled request bae3237c-efc8-4831-8260-6edbcedef28f
    Cancelled request 54685ecb-4d34-4698-b956-d0602b74a2e4
    Cancelled request 965f6ff2-da91-423c-a8e4-c2f4252f25fc
    Cancelled request 95c77d5c-230d-4875-8b25-fc0673c8e595
    Cancelled request 01658960-4627-42f8-a496-d29408a9579b
    Cancelled request 38221ac3-47ed-42f2-a56e-31deacdbfd62
    Cancelled request e73bec6b-744c-47bc-b001-0d914f03e976
    Cancelled request 73fade75-a943-45df-8b21-f8c50a480170
    Cancelled request 02688ad9-e947-415f-b70c-3cda16c50cf2
    Cancelled request 5d7d26c2-8c69-4083-a2d3-f0e1ae23bd0f
    Cancelled request f81a0258-085d-462f-9fcb-8a8b47918d04

    The failed request that gets a 502 response in the browser never reach the node server backend.

    I get a whole bunch of canceled request after the 502 occurs. These request IDs have been successfully served by the nodejs application at an earlier point.

    The canceling of the request seem to indicate some kind of connection leak? Or maybe just a sideffect of having chrome developer tools open?

    Anyway I never get any error response when bypassing the traefik instance.

    As the oxy issue describes, if I just could get some other response than 502 for cancelled requests I could handle this better on the client side.

    Output of traefik version: (What version of Traefik are you using?)

    Get the problem with the docker release as well as my homebrew install

    Homebrew traefik version:

    Version:      dev
    Codename:     cheddar
    Go version:   go1.10
    Built:        I don't remember exactly
    OS/Arch:      darwin/amd64

    Docker traefik version:

    Version:      v1.5.2
    Codename:     cancoillotte
    Go version:   go1.9.4
    Built:        2018-02-12_10:56:31AM
    OS/Arch:      linux/amd64

    What is your environment & configuration (arguments, toml, provider, platform, ...)?

    debug = true
    logLevel = "DEBUG"
    defaultEntryPoints = ["http"]
      address = ":8082"
      address = ":8080"
      address = ":80"
    entryPoint = "ping"
    entryPoint = "api"
            # url = ""
            url = "http://localhost:6543"
        entryPoints = ["http"]
        backend = "bct"
      endpoint = "unix:///var/run/docker.sock"
      # domain = ""
      domain = "localhost"
      watch = true
      exposedbydefault = false
  • Docker Swarm: Support for real time event listening (connection drain support).

    Docker Swarm: Support for real time event listening (connection drain support).

    What does this PR do?

    These changes provide a support for load balancer draining for Docker Swarm. Note, the containers and services should also support graceful shutdowns.

    This change makes sure Traefik stops routing, almost instantly, traffic to containers that are not in the "running" state.

    We have backwards compatibility for Docker Swarm managers that don't offer live swarm events, by polling every 15 seconds (it's the same functionality as the current "master" branch offers).


    We require a Docker Swarm load balancer that supports connection draining.

    Related to #41 Fixes #3035

    Additional information

    These changes do not break backwards compatibility.

    These changes do not affect Traefik setups that are configured to route traffic using the internal Docker Swarm load balancing (IPVS). Traefik does not use the Docker Swarm load balancing by default (does not matter if Traefik is running with swarm mode set to true or not).

    Stress testing results

    Results from some tests I did locally on my Swarm cluster, using the official Traefik Docker image from the date of the testing (15th of March 2018), versus the patched Traefik binary. The file names describe what is being tested.

  • Router name empty in access log

    Router name empty in access log


    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you do?

    I have a problem that Traefik responds with HTTP on a TCP endpoint. In order to debug the issue, I executed a request to the TCP port like this:

    $ telnet 587
    Connected to
    Escape character is '^]'.
    GET / HTTP/1.0
    HTTP/1.0 404 Not Found
    Content-Type: text/plain; charset=utf-8
    X-Content-Type-Options: nosniff
    Date: Sun, 08 Jan 2023 12:28:57 GMT
    Content-Length: 19
    404 page not found
    Connection closed by foreign host.

    And then took a look into the access log to find out which router is handling the request.

    According to the docs, the last three fields should be the interesting ones, as they should include:

    "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms

    However, the access log contains no router name.

    What did you see instead?

    From the access log:

    myswarm_traefik.1.of166iz3i553@swarm    | - - [08/Jan/2023:12:28:57 +0000] "GET / HTTP/1.0" - - "-" "-" 746 "-" "-" 0ms

    Note that the last three fields are empty, not showing the information required for debugging.

    What version of Traefik are you using?


    What is your environment & configuration?

    Here is my docker-compose.yml to reproduce the issue:

    version: "3.8"
        # Use the latest Traefik image
        image: traefik:2.9.6
          - "80:80"
          - "443:443"
          - "587:587"
              # Make the traefik service run only on the manager node,
              # as the node with it has the volume for the certificates
              - node.role == manager
            - traefik.enable=true
            - traefik.constraint-label=traefik-public
            - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
            - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
            - traefik.http.middlewares.admin-auth.basicauth.users=traefik-admin:admin-pwd
            - traefik.http.routers.traefik-dashboard-http.rule=Host(``)
            - traefik.http.routers.traefik-dashboard-http.entrypoints=http
            - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect
            - traefik.http.routers.traefik-dashboard-https.rule=Host(``)
            - traefik.http.routers.traefik-dashboard-https.entrypoints=https
            - traefik.http.routers.traefik-dashboard-https.tls=true
            - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le
            - traefik.http.routers.traefik-dashboard-https.service=api@internal
            - traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - traefik-public-certificates:/certificates
          - --log.level=DEBUG
          - --entrypoints.http.address=:80
          - --entrypoints.https.address=:443
          - --entrypoints.smtptls.address=:587
          - --providers.docker
          - --providers.docker.swarmmode
          - --providers.docker.exposedbydefault=false
          - --certificatesresolvers.le.acme.tlschallenge=true
          - --certificatesresolvers.le.acme.caserver=
          - [email protected]
          - --accesslog
          - --log
          - --api
          - --serverstransport.insecureskipverify=true
          - traefik-public
          - default
        image: knipknap/docker-simple-mail-forwarder:latest
          - traefik-public
              - node.role == manager
            - traefik.enable=true
            - traefik.tcp.routers.mail_relay.tls=true
            - traefik.tcp.routers.mail_relay.tls.certresolver=le
            - traefik.tcp.routers.mail_relay.rule=HostSNI(``)
            - traefik.tcp.routers.mail_relay.entrypoints=smtptls
            - traefik.tcp.routers.mail_relay.service=mail_relay
          - [email protected]:destination@elsewhere
      # Create a volume to store the certificates. Make sure there is a constraint to have
      # Traefik always deployed to the same Docker node with the same volume containing
      # the HTTPS certificates. (by default this is done my constraining Traefik to the
      # manager node, see above.
        driver: local
      # Use the previously created public network "traefik-public", shared with other
      # services that need to be publicly available via this Traefik
        external: true

    Docker version 20.10.12, build 20.10.12-0ubuntu4

    If applicable, please paste the log output in DEBUG level

    Already included above.

  • doc: Add info admonition about routing to k8 services

    doc: Add info admonition about routing to k8 services

    What does this PR do?

    This PR adds an admonition box to clarify that it is currently not possible to route directly to Kubernetes services.

    Screenshot 2023-01-06 at 09 25 02


    This post in the forum: and that I think it adds value for the user to mention that in the docs.


    • [ ] Added/updated tests
    • [X] Added/updated documentation

    Additional Notes

  •  The webui interface of the traefik control panel does not have the account authority management function

    The webui interface of the traefik control panel does not have the account authority management function


    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you expect to see?

    The webui interface of the traefik control panel does not have the account authority management function image

  • customerrors middleware: allow preserving status code and method

    customerrors middleware: allow preserving status code and method

    What does this PR do?

    Extend customerrors middleware to support new behaviours:

    • preserveStatusCode: allow using status code returned by service serving error page.
    • preserveMethod: query the service serving the error page using the same HTTP method as the one that caused the original error.


    We've switched from NGINX Ingress controller to Traefik and that changed how OPTIONS requests are treated in the error (e.g. 503) cases. On the initial OPTIONS call, even if backend is unavailable, we want to serve Access-Control-Allow-Origin: * with 204 No Content status code.

    For more context see kubernetes/ingress-nginx#2140


    • [x] Added/updated tests
    • [x] Added/updated documentation

    Additional Notes

  • Config plugin bug with array of string

    Config plugin bug with array of string


    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you do?


    I use my own plugin with config like :

    type BasicAuth struct {
    	Users        []string `json:"users,omitempty"`
    	UsersFile    string   `json:"usersFile,omitempty"`
    	Realm        string   `json:"realm,omitempty"`
    	RemoveHeader bool     `json:"removeHeader,omitempty"`
    	HeaderField  string   `json:"headerField,omitempty"`
    type IPWhiteList struct {
    	SourceRange []string `json:"sourceRange,omitempty"`
    // Config the plugin configuration.
    type Config struct {
    	BasicAuth   BasicAuth   `json:"basicAuth,omitempty"`
    	IPWhiteList IPWhiteList `json:"ipWhiteList,omitempty"`
                realm: "Test"
                useAuthCustomHeader: true
                headerField: "X-Test-Authorization"
                users: ["test:test"]
                  - ""
                  - ""

    I except a value of struct Config in func New (ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error):

            SourceRange: []string{"","}

    What did you see instead?

    I got a value of struct Config in func New (ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error):

            SourceRange: []string{"║24║║"}

    I think this issue was introduce with #8885.

    What version of Traefik are you using?

    This issue occurred since v2.8.2 and my plugin work with v2.8.1 and lower.

    What is your environment & configuration?

    static config
    accessLog: {}
      dashboard: true
      insecure: true
      checkNewVersion: false
      sendAnonymousUsage: false
      level: DEBUG
        directory: ./config
        watch: true
    dynamic config
                realm: "Test"
                useAuthCustomHeader: true
                headerField: "X-Test-Authorization"
                users: ["test:test"]
                  - ""
                  - ""
            - web
            - auth@file
          rule: "Host(`localhost`)"
          service: api@internal

    If applicable, please paste the log output in DEBUG level

    Log provided by my code:

    ERRO[2023-01-03T18:35:16+01:00] cannot parse CIDR whitelist [║24║║]: parsing CIDR trusted IPs <nil>: invalid CIDR address: ║24║║  routerName=traefik_dashboard_http@file entryPointName=web
  • Have a dedicated documentation page/section for the

    Have a dedicated documentation page/section for the "default" resources mechanism (TLSOptions, TLSStore, ServersTransport...)


    • [X] Yes, I've searched similar issues on GitHub and didn't find any.
    • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

    What did you expect to see?

    It could be great to improve the documentation of the "default" resources mechanism by creating a dedicated section/page to emphasize it.

    In v3 documentation (still in beta at the time of writing this issue), HTTP and TCP serversTransport resources will move exclusively to the dynamic configuration, and hence will be ruled by the 'default' mechanism. So there will be multiple reminder sections among the documentation that explain it with respect to the context of a specific resource, as of today for the TLSOptions resource:

    While this is necessary, having this mechanism explained in one place, could be good to understand it once and for all.

provide api for cloud service like aliyun, aws, google cloud, tencent cloud, huawei cloud and so on

cloud-fitter 云适配 Communicate with public and private clouds conveniently by a set of apis. 用一套接口,便捷地访问各类公有云和私有云 对接计划 内部筹备中,后续开放,有需求欢迎联系。 开发者社区 开发者社区文档

Dec 20, 2022
A Cloud-Native Network Proxy

Introduction ServiceCar is a cloud-native network proxy that run on cloud and edge and embraces the diversity of languages and developer frameworks. S

May 20, 2022
This is a cloud-native application that focuses on the DevOps area.

Get started Install KubeSphere via kk (or other ways). This is an optional step, basically we need a Kubernetes Cluster and the front-end of DevOps. I

Jan 5, 2023
The OCI Service Operator for Kubernetes (OSOK) makes it easy to connect and manage OCI services from a cloud native application running in a Kubernetes environment.

OCI Service Operator for Kubernetes Introduction The OCI Service Operator for Kubernetes (OSOK) makes it easy to create, manage, and connect to Oracle

Sep 27, 2022
cloud native application deploy flow
cloud native application deploy flow

Triton-io/Triton English | 简体中文 Introduction Triton provides a cloud-native DeployFlow, which is safe, controllable, and policy-rich. For more introdu

May 28, 2022
This is a cloud-native application that focuses on the DevOps area.

KubeSphere DevOps integrates popular CI/CD tools, provides CI/CD Pipelines based on Jenkins, offers automation toolkits including Binary-to-Image (B2I

Jan 5, 2023
A cloud-native application simulator for golang

Build and upload Docker images Build docker images for main application and work

Aug 10, 2022
Cloud-Z gathers information and perform benchmarks on cloud instances in multiple cloud providers.

Cloud-Z Cloud-Z gathers information and perform benchmarks on cloud instances in multiple cloud providers. Cloud type, instance id, and type CPU infor

Jun 8, 2022
Kubernetes Operator for a Cloud-Native OpenVPN Deployment.

Meerkat is a Kubernetes Operator that facilitates the deployment of OpenVPN in a Kubernetes cluster. By leveraging Hashicorp Vault, Meerkat securely manages the underlying PKI.

Jan 4, 2023
Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

Open Service Mesh (OSM) Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure,

Jan 2, 2023
Zadig is a cloud native, distributed, developer-oriented continuous delivery product.

Zadig Developer-oriented Continuous Delivery Product English | 简体中文 Table of Contents Zadig Table of Contents What is Zadig Quick start How to use? Ho

Jan 8, 2023
Zadig is a cloud native, distributed, developer-oriented continuous delivery product.

Zadig Developer-oriented Continuous Delivery Product ⁣ English | 简体中文 Table of Contents Zadig Table of Contents What is Zadig Quick start How to use?

May 12, 2021
Interactive Cloud-Native Environment Client
Interactive Cloud-Native Environment Client

Fenix-CLI:Interactive Cloud-Native Environment Client English | 简体中文 Fenix-CLI is an interactive cloud-native operating environment client. The goal i

Dec 15, 2022
Polaris is a cloud-native service discovery and governance center

It can be used to solve the problem of service connection, fault tolerance, traffic control and secure in distributed and microservice architecture.

Dec 26, 2022
Cloud Native Configurations for Kubernetes

CNCK CNCK = Cloud Native Configurations for Kubernetes Make your Kubernetes applications more cloud native by injecting runtime cluster information in

Nov 4, 2021
Enables a FaaS experience for Knative / Cloud Native Runtimes.

Function Buildpacks for Knative Enables a FaaS experience for Knative / Cloud Native Runtimes. Will soon extend func to create deployable functions vi

Nov 2, 2022
Cloud Native Electronic Trading System built on Kubernetes and Knative Eventing

Ingenium -- Still heavily in prototyping stage -- Ingenium is a cloud native electronic trading system built on top of Kubernetes and Knative Eventing

Aug 29, 2022
🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥
🔥 🔥   Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥

CVE-2021-44228 Log4J Vulnerability can be detected at runtime and attack paths can be visualized by ThreatMapper. Live demo of Log4J Vulnerability her

Jan 1, 2023
Planet Scale Robotics - Offload computation-heavy robotic operations to GPU powered world's first cloud-native robotics platform.

robolaunch ?? Planet Scale Robotics - Offload computation-heavy robotic operations to GPU powered world's first cloud-native robotics platform. robola

Jan 1, 2023