mirrors/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2026-05-04 20:06:21 +02:00
Code Issues Projects Releases Wiki Activity

Service-level Middleware Documentation

Browse Source
This commit is contained in:
Sheddy 2026-05-04 12:56:05 +01:00 committed by GitHub
parent f7c0fdea57
commit edd7d2eb33
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 583 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
docs/content/expose/docker/advanced.md
View File

@ -8,6 +8,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
- **Let's Encrypt** for automated certificate management
- **Sticky sessions** for stateful applications
- **Multi-layer routing** for hierarchical routing with a complex authentication based routing example
- **Service middlewares** for applying middleware at the service level
## Prerequisites
@ -382,6 +383,71 @@ You should see the response from the admin-backend service when authenticating a
For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).
## Service Middlewares
Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
### When to Use Service Middlewares
Use service middlewares when:
- Multiple routers forward traffic to the same service, and all should have the same middleware applied
- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
- You're centralizing middleware configuration at the service level for easier management
### Add Service Middleware Labels
Add the following labels to your whoami service in `docker-compose.yml`:
```yaml
services:
whoami:
image: traefik/whoami
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls=true"
# Define the middleware
- "traefik.http.middlewares.service-headers.headers.customRequestHeaders.X-Service-Middleware=applied"
# Attach middleware at the SERVICE level (not the router level)
- "traefik.http.services.whoami.middlewares=service-headers"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
```
!!! info "Service-Level vs Router-Level Middlewares"
- **Router-level middleware** (`traefik.http.routers.<name>.middlewares`): Applied only when traffic matches that specific router's rule
- **Service-level middleware** (`traefik.http.services.<name>.middlewares`): Applied to all traffic reaching the service, regardless of which router forwarded it
When both are configured, router middlewares execute first, followed by service middlewares.
Apply the changes:
```bash
docker compose up -d
```
### Test Service Middleware
Verify the service middleware is working:
```bash
curl -k -H "Host: whoami.docker.localhost" https://localhost/
```
In the response from whoami, you should see the custom header that was added by the service middleware:
```text
X-Service-Middleware: applied
```
For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
## Conclusion
In this advanced guide, you've learned how to:
@ -390,6 +456,7 @@ In this advanced guide, you've learned how to:
- Automate certificate management with Let's Encrypt
- Implement sticky sessions for stateful applications
- Setup multi-layer routing for authentication-based routing
- Apply middlewares at the service level for centralized middleware management
These advanced capabilities allow you to build production-ready Traefik deployments with Docker. Each of these can be further customized to meet your specific requirements.

178
docs/content/expose/kubernetes/advanced.md
View File

@ -9,6 +9,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
- **cert-manager** for automated certificate management (Gateway API)
- **Sticky sessions** for stateful applications
- **Multi-layer routing** for hierarchical routing with complex authentication scenarios (IngressRoute only)
- **Service middlewares** for applying middleware at the service level
## Prerequisites
@ -806,6 +807,182 @@ spec:
For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).
## Service Middlewares
Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
### When to Use Service Middlewares
Use service middlewares when:
- Multiple routers forward traffic to the same service, and all should have the same middleware applied
- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
- You're centralizing middleware configuration at the service level for easier management
!!! info "Service-Level vs Router-Level Middlewares"
- **Router-level middleware**: Applied only when traffic matches that specific router's rule
- **Service-level middleware**: Applied to all traffic reaching the service, regardless of which router forwarded it
When both are configured, router middlewares execute first, followed by service middlewares.
### Using IngressRoute with Service Middlewares
With IngressRoute, you can attach middlewares directly to a service reference within a route:
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: service-headers
namespace: default
spec:
headers:
customRequestHeaders:
X-Service-Middleware: "applied"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: whoami
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami.docker.localhost`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: service-headers
tls: {}
```
Save this as `service-middleware-ingressroute.yaml` and apply it:
```bash
kubectl apply -f service-middleware-ingressroute.yaml
```
### Using Gateway API with Backend Filters
Gateway API supports applying filters directly to individual backends through the `backendRefs[].filters` field. This enables backend-level request modifications.
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: service-headers
namespace: default
spec:
headers:
customRequestHeaders:
X-Service-Middleware: "applied"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami
namespace: default
spec:
parentRefs:
- name: traefik-gateway
sectionName: websecure
hostnames:
- "whoami.docker.localhost"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: whoami
port: 80
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: service-headers
```
Gateway API also supports the native `RequestHeaderModifier` filter type for simpler header modifications:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami
namespace: default
spec:
parentRefs:
- name: traefik-gateway
sectionName: websecure
hostnames:
- "whoami.docker.localhost"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: whoami
port: 80
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
add:
- name: X-Backend-Header
value: "gateway-api-filter"
```
Save and apply:
```bash
kubectl apply -f service-middleware-gateway.yaml
```
### Using Kubernetes Ingress with Service Annotation
For standard Kubernetes Ingress, you can apply middlewares to a service using annotations:
```yaml
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: default
annotations:
traefik.ingress.kubernetes.io/service.middlewares: default-service-headers@kubernetescrd
spec:
selector:
app: whoami
ports:
- port: 80
```
The annotation value follows the format `<namespace>-<middleware-name>@kubernetescrd`.
### Test Service Middleware
Verify the service middleware is working:
```bash
curl -k -H "Host: whoami.docker.localhost" https://localhost/
```
In the response from whoami, you should see the custom header that was added by the service middleware:
```text
X-Service-Middleware: applied
```
For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
## Conclusion
In this advanced guide, you've learned how to:
@ -814,6 +991,7 @@ In this advanced guide, you've learned how to:
- Automate certificate management with Let's Encrypt (IngressRoute) and cert-manager (Gateway API)
- Implement sticky sessions for stateful applications
- Setup multi-layer routing for authentication-based routing (IngressRoute only)
- Apply middlewares at the service level for centralized middleware management
These advanced capabilities allow you to build production-ready Traefik deployments with Kubernetes. Each of these can be further customized to meet your specific requirements.

69
docs/content/expose/swarm/advanced.md
View File

@ -8,6 +8,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
- **Let's Encrypt** for automated certificate management
- **Sticky sessions** for stateful applications
- **Multi-layer routing** for complex authentication scenarios
- **Service middlewares** for applying middleware at the service level
## Prerequisites
@ -382,6 +383,73 @@ You should see the response from the admin-backend service when authenticating a
For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).
## Service Middlewares
Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
### When to Use Service Middlewares
Use service middlewares when:
- Multiple routers forward traffic to the same service, and all should have the same middleware applied
- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
- You're centralizing middleware configuration at the service level for easier management
### Add Service Middleware Labels
Add the following labels to your whoami service deployment section in `docker-compose.yml`:
```yaml
services:
whoami:
image: traefik/whoami
networks:
- traefik_proxy
deploy:
replicas: 2
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`whoami.swarm.localhost`)"
- "traefik.http.routers.whoami.entrypoints=websecure"
- "traefik.http.routers.whoami.tls=true"
# Define the middleware
- "traefik.http.middlewares.service-headers.headers.customRequestHeaders.X-Service-Middleware=applied"
# Attach middleware at the SERVICE level (not the router level)
- "traefik.http.services.whoami.middlewares=service-headers"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
```
!!! info "Service-Level vs Router-Level Middlewares"
- **Router-level middleware** (`traefik.http.routers.<name>.middlewares`): Applied only when traffic matches that specific router's rule
- **Service-level middleware** (`traefik.http.services.<name>.middlewares`): Applied to all traffic reaching the service, regardless of which router forwarded it
When both are configured, router middlewares execute first, followed by service middlewares.
Deploy the stack:
```bash
docker stack deploy -c docker-compose.yml traefik
```
### Test Service Middleware
Verify the service middleware is working:
```bash
curl -k -H "Host: whoami.swarm.localhost" https://localhost/
```
In the response from whoami, you should see the custom header that was added by the service middleware:
```text
X-Service-Middleware: applied
```
For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
## Conclusion
In this advanced guide, you've learned how to:
@ -390,6 +458,7 @@ In this advanced guide, you've learned how to:
- Automate certificate management with Let's Encrypt
- Implement sticky sessions for stateful applications
- Setup multi-layer routing for authentication-based routing
- Apply middlewares at the service level for centralized middleware management
These advanced capabilities allow you to build production-ready Traefik deployments with Docker Swarm. Each of these can be further customized to meet your specific requirements.

61
docs/content/reference/routing-configuration/http/load-balancing/service.md
View File

@ -483,6 +483,67 @@ Below are the available options for the passive health check mechanism:
| <a id="opt-failureWindow" href="#opt-failureWindow" title="#opt-failureWindow">`failureWindow`</a> | Defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy. | 10s | No |
| <a id="opt-maxFailedAttempts" href="#opt-maxFailedAttempts" title="#opt-maxFailedAttempts">`maxFailedAttempts`</a> | Defines the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy. | 1 | No |
### Middlewares
You can attach a list of [middlewares](../middlewares/overview.md) to each HTTP service.
The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.
!!! info "Middlewares Execution Order"
When both a router and a service have middlewares configured, the router middlewares are applied first, followed by the service middlewares.
This means the request passes through router middlewares before reaching service middlewares.
!!! info "Supported Providers"
Service-level middlewares can be configured with the [File](../../../install-configuration/providers/others/file.md), [Docker](../../other-providers/docker.md), [Swarm](../../other-providers/docker.md), [Kubernetes IngressRoute](../../kubernetes/crd/http/ingressroute.md), [Kubernetes Ingress](../../kubernetes/ingress.md), and [Kubernetes Gateway API](../../kubernetes/gateway-api.md) providers.
??? example "Attaching Middlewares to a Service -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
```yaml tab="Structured (YAML)"
## Dynamic configuration
http:
services:
my-service:
middlewares:
- add-header
loadBalancer:
servers:
- url: "http://127.0.0.1:8080"
middlewares:
add-header:
headers:
customRequestHeaders:
X-Custom-Header: "service-middleware"
```
```toml tab="Structured (TOML)"
## Dynamic configuration
[http.services]
[http.services.my-service]
middlewares = ["add-header"]
[http.services.my-service.loadBalancer]
[[http.services.my-service.loadBalancer.servers]]
url = "http://127.0.0.1:8080"
[http.middlewares]
[http.middlewares.add-header.headers]
[http.middlewares.add-header.headers.customRequestHeaders]
X-Custom-Header = "service-middleware"
```
??? example "Attaching Middlewares to a Service -- Using [Docker Labels](../../other-providers/docker.md)"
```yaml
labels:
# Define the middleware
- "traefik.http.middlewares.add-header.headers.customRequestHeaders.X-Custom-Header=service-middleware"
# Attach middleware to the service (at service level, not loadBalancer level)
- "traefik.http.services.my-service.middlewares=add-header"
# Configure the service
- "traefik.http.services.my-service.loadbalancer.server.port=8080"
```
## Advanced Service Types
Advanced service types allow you to compose multiple services together for weighted distribution, consistent hashing, mirroring, or failover scenarios.

9
docs/content/reference/routing-configuration/http/middlewares/overview.md
View File

@ -5,7 +5,14 @@ description: "There are several available middleware in Traefik Proxy used to mo
# HTTP Middleware Overview
Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
Attached to [routers](../routing/router.md) or [services](../load-balancing/service.md), pieces of middleware are a means of tweaking the requests before they are sent to your backend servers (or before the answer is sent to the clients).
Middlewares can be attached at two levels:
- **Router-level:** Applied to all requests matching the router's rule, before forwarding to the service.
- **Service-level:** Applied to all requests handled by the service, regardless of which router forwards the request. See [service middlewares](../load-balancing/service.md#middlewares).
When both are configured, router middlewares execute first, followed by service middlewares.
There are several available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

122
docs/content/reference/routing-configuration/kubernetes/crd/http/service.md
View File

@ -48,6 +48,10 @@ spec:
name: cookie
secure: true
strategy: wrr
# Attach middlewares to this service
middlewares:
- name: my-middleware
namespace: apps
```
```yaml tab="TraefikService"
@ -80,36 +84,39 @@ spec:
## Configuration Options
| Field | Description | Default | Required |
|:---------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
| <a id="opt-kind" href="#opt-kind" title="#opt-kind">`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service). | "Service" | No |
| <a id="opt-name" href="#opt-name" title="#opt-name">`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| <a id="opt-namespace" href="#opt-namespace" title="#opt-namespace">`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service). | | No |
| <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | | No |
| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| <a id="opt-scheme" href="#opt-scheme" title="#opt-scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "http" | No |
| <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint. <br />The configured path must be relative URL. <br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "GET" | No |
| <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | | No |
| <a id="opt-healthCheck-timeout" href="#opt-healthCheck-timeout" title="#opt-healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "5s" | No |
| <a id="opt-healthCheck-hostname" href="#opt-healthCheck-hostname" title="#opt-healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | true | No |
| <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)). | | No |
| <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
| Field | Description | Default | Required |
|:---------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
| <a id="opt-kind" href="#opt-kind" title="#opt-kind">`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service). | "Service" | No |
| <a id="opt-name" href="#opt-name" title="#opt-name">`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware). | | Yes |
| <a id="opt-namespace" href="#opt-namespace" title="#opt-namespace">`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service). | | No |
| <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | | No |
| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
| <a id="opt-scheme" href="#opt-scheme" title="#opt-scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
| <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
| <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "http" | No |
| <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
| <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "GET" | No |
| <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. | | No |
| <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | | No |
| <a id="opt-healthCheck-timeout" href="#opt-healthCheck-timeout" title="#opt-healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "5s" | No |
| <a id="opt-healthCheck-hostname" href="#opt-healthCheck-hostname" title="#opt-healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
| <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | true | No |
| <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)). | | No |
| <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
| <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
| <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | List of references to [Middleware](./middleware.md) resources to apply to the service.<br />The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.<br />Evaluated only if the kind is **Service**.<br />More information [here](#middlewares). | | No |
| <a id="opt-middlewaresn-name" href="#opt-middlewaresn-name" title="#opt-middlewaresn-name">`middlewares[n].name`</a> | Middleware name.<br />The character `@` is not authorized. | | Yes |
| <a id="opt-middlewaresn-namespace" href="#opt-middlewaresn-namespace" title="#opt-middlewaresn-namespace">`middlewares[n].namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. | | No |
### ExternalName Service
@ -419,6 +426,61 @@ spec:
...
```
### Middlewares
You can attach a list of [middlewares](./middleware.md) to each service.
The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.
For more information on service-level middlewares, see [service middlewares](../../../http/load-balancing/service.md#middlewares).
??? example "Attaching Middlewares to a Service"
```yaml tab="IngressRoute"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test-name
namespace: default
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`example.com`)
services:
- kind: Service
name: whoami
port: 80
middlewares:
- name: add-header
namespace: default
```
```yaml tab="Middleware"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: add-header
namespace: default
spec:
headers:
customRequestHeaders:
X-Custom-Header: "service-middleware"
```
```yaml tab="Whoami Service"
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: default
spec:
ports:
- port: 80
selector:
app: whoami
```
### Configuring Backend Protocol
There are 3 ways to configure the backend protocol for communication between Traefik and your pods:

100
docs/content/reference/routing-configuration/kubernetes/gateway-api.md
View File

@ -429,6 +429,106 @@ Once everything is deployed, sending a `GET` request should return the following
X-Real-Ip: 10.42.2.1
```
#### Backend-Level Filters
In addition to route-level filters, the Gateway API also supports applying filters directly to individual backends through the `backendRefs[].filters` field.
This allows request modifications to be applied to specific backends, enabling the `HTTPRouteBackendRequestHeaderModification` extended feature.
!!! info "Supported Filter Types"
Backend-level filters support the same filter types as route-level filters:
- `RequestHeaderModifier`: Add, set, or remove HTTP request headers before forwarding to the backend.
- `ResponseHeaderModifier`: Add, set, or remove HTTP response headers.
- `RequestRedirect`: Redirect the request to a different URL.
- `URLRewrite`: Rewrite the request URL path and/or hostname.
- `ExtensionRef`: Reference a Traefik [Middleware](../kubernetes/crd/http/middleware.md) resource.
!!! info "Middlewares Execution Order"
When both route-level and backend-level filters are configured, route-level filters are applied first, followed by backend-level filters.
For more information on service-level middlewares, see [service middlewares](../http/load-balancing/service.md#middlewares).
??? example "Using RequestHeaderModifier on a Backend"
```yaml tab="HTTPRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami-http
namespace: default
spec:
parentRefs:
- name: traefik
sectionName: http
kind: Gateway
hostnames:
- whoami.localhost
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: whoami
namespace: default
port: 80
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Backend-Header
value: "backend-filter"
```
??? example "Using ExtensionRef (Traefik Middleware) on a Backend"
```yaml tab="HTTPRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami-http
namespace: default
spec:
parentRefs:
- name: traefik
sectionName: http
kind: Gateway
hostnames:
- whoami.localhost
rules:
- backendRefs:
- name: whoami
namespace: default
port: 80
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: add-prefix
```
```yaml tab="AddPrefix Middleware"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: add-prefix
namespace: default
spec:
addPrefix:
prefix: /api
```
### GRPC
The `GRPCRoute` is an extended resource in the Gateway API specification, designed to define how GRPC traffic should be routed within a Kubernetes cluster.

8
docs/content/reference/routing-configuration/kubernetes/ingress.md
View File

@ -85,6 +85,14 @@ spec:
| <a id="opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage" href="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage" title="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage">`traefik.ingress.kubernetes.io/service.sticky.cookie.maxage`</a> | Sets the Max-Age attribute (in seconds) on the sticky session cookie.<br/>See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `42` |
| <a id="opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path" href="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path" title="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path">`traefik.ingress.kubernetes.io/service.sticky.cookie.path`</a> | Sets the Path attribute on the sticky session cookie, defining the path that must exist in the requested URL.<br/>See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `/foobar` |
??? info "`traefik.ingress.kubernetes.io/service.middlewares`"
See [service middlewares](../http/load-balancing/service.md#middlewares) for more information.
```yaml
traefik.ingress.kubernetes.io/service.middlewares: auth@file,prefix@kubernetescrd
```
## TLS
### Enabling TLS via HTTP Options on Entrypoint