Traefik Hub

Overview

Once the Traefik Hub feature is enabled in Traefik, Traefik and its local agent communicate with each other.

This agent can:

  • get the Traefik metrics to display them in the Traefik Hub UI
  • secure the Traefik routers
  • provide ACME certificates to Traefik
  • transfer requests from the SaaS Platform to Traefik (so that users do not have to expose their infrastructure directly on the internet)

Traefik Hub Entrypoints

When the Traefik Hub feature is enabled, Traefik exposes some services meant for the Traefik Hub Agent on dedicated entrypoints (on ports 9900 and 9901 by default). Given their sensitive nature, those services should not be publicly exposed. Also, those dedicated entrypoints, regardless of how they are created (default or user-defined), should not be used by anything other than the Hub Agent.

Learn More About Traefik Hub

This section is intended only as a brief overview for Traefik users who are not familiar with Traefik Hub. To explore all that Traefik Hub has to offer, please consult the Traefik Hub Documentation.

Prerequisites

  • Traefik Hub is compatible with Traefik Proxy 2.7 or later.
  • The Traefik Hub Agent must be installed to connect to the Traefik Hub platform.

Configuration Discovery

Depending on the installation options, the Traefik Hub Agent listens to the Docker or Kubernetes API to discover containers/services.

It doesn’t support the routers discovered by Traefik Proxy using other providers, e.g., using the File provider.

Minimal Static Configuration to Activate Traefik Hub for Docker

File (YAML)

    hub:
      tls:
        insecure: true
    metrics:
      prometheus:
        addRoutersLabels: true

File (TOML)

    [hub]
      [hub.tls]
        insecure = true
    [metrics]
      [metrics.prometheus]
        addRoutersLabels = true

CLI

    --hub.tls.insecure
    --metrics.prometheus.addrouterslabels

Minimal Static Configuration to Activate Traefik Hub for Kubernetes

File (YAML)

    hub: {}
    metrics:
      prometheus:
        addRoutersLabels: true

File (TOML)

    [hub]
    [metrics]
      [metrics.prometheus]
        addRoutersLabels = true

CLI

    --hub
    --metrics.prometheus.addrouterslabels

Configuration

Entrypoints

traefikhub-api

This entrypoint is used to communicate between the Hub agent and Traefik. It allows the Hub agent to create routing.

This dedicated Traefik Hub entryPoint should not be used by anything other than Traefik Hub.

The default port is 9900. To change the port, you have to define an entrypoint named traefikhub-api.

File (YAML)

    entryPoints:
      traefikhub-api:
        address: ":8000"

File (TOML)

    [entryPoints.traefikhub-api]
      address = ":8000"

CLI

    --entrypoints.traefikhub-api.address=:8000

traefikhub-tunl

This entrypoint is used to communicate between Traefik Hub and Traefik. It allows the creation of secured tunnels.

This dedicated Traefik Hub entryPoint should not be used by anything other than Traefik Hub.

The default port is 9901. To change the port, you have to define an entrypoint named traefikhub-tunl.

File (YAML)

    entryPoints:
      traefikhub-tunl:
        address: ":8000"

File (TOML)

    [entryPoints.traefikhub-tunl]
      address = ":8000"

CLI

    --entrypoints.traefikhub-tunl.address=:8000

tls

Optional, Default=None

This section is required when using the Hub agent for Docker.

This section configures the mutual TLS connection between Traefik Proxy and the Traefik Hub Agent. The key and the certificate are the credentials for Traefik Proxy as a TLS client. The certificate authority authenticates the Traefik Hub Agent certificate.

Certificate Domain

The certificate must be valid for the proxy.traefik domain.

Certificates Definition

Certificates can be defined either by their content or their path.

Insecure Mode

The insecure option is mutually exclusive with any other option.

File (YAML)

    hub:
      tls:
        ca: /path/to/ca.pem
        cert: /path/to/cert.pem
        key: /path/to/key.pem

File (TOML)

    [hub.tls]
      ca = "/path/to/ca.pem"
      cert = "/path/to/cert.pem"
      key = "/path/to/key.pem"

CLI

    --hub.tls.ca=/path/to/ca.pem
    --hub.tls.cert=/path/to/cert.pem
    --hub.tls.key=/path/to/key.pem

tls.ca

The certificate authority authenticates the Traefik Hub Agent certificate.

File (YAML)

    hub:
      tls:
        ca: |-
          -----BEGIN CERTIFICATE-----
          MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
          DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
          WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
          ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
          x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
          CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
          CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
          aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
          -----END CERTIFICATE-----

File (TOML)

    [hub.tls]
      ca = """-----BEGIN CERTIFICATE-----
    MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
    DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
    WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
    ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
    x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
    CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
    CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
    aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
    -----END CERTIFICATE-----"""

CLI

    --hub.tls.ca=-----BEGIN CERTIFICATE-----
    MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
    DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
    WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
    ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
    x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
    CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
    CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
    aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
    -----END CERTIFICATE-----

tls.cert

The TLS certificate for Traefik Proxy as a TLS client.

Certificate Domain

The certificate must be valid for the proxy.traefik domain.

File (YAML)

    hub:
      tls:
        cert: |-
          -----BEGIN CERTIFICATE-----
          MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
          DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
          WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
          ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
          x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
          CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
          CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
          aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
          -----END CERTIFICATE-----

File (TOML)

    [hub.tls]
      cert = """-----BEGIN CERTIFICATE-----
    MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
    DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
    WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
    ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
    x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
    CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
    CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
    aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
    -----END CERTIFICATE-----"""

CLI

    --hub.tls.cert=-----BEGIN CERTIFICATE-----
    MIIBcjCCARegAwIBAgIQaewCzGdRz5iNnjAiEoO5AzAKBggqhkjOPQQDAjASMRAw
    DgYDVQQKEwdBY21lIENvMCAXDTIyMDMyMTE2MTY0NFoYDzIxMjIwMjI1MTYxNjQ0
    WjASMRAwDgYDVQQKEwdBY21lIENvMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
    ZaKYPj2G8Hnmju6jbHt+vODwKqNDVQMH5nxhtAgSUZS61mLWwZvvUhIYLNPwHz8a
    x8C7+cuihEC6Tzvn8DeGeKNNMEswDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
    CCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w
    CgYIKoZIzj0EAwIDSQAwRgIhAO8sucDGY+JOrNgQg1a9ZqqYvbxPFnYsSZr7F/vz
    aUX2AiEAilZ+M5eX4RiMFc3nlm9qVs1LZhV3dZW/u80/mPQ/oaY=
    -----END CERTIFICATE-----

tls.key

The TLS key for Traefik Proxy as a TLS client.

File (YAML)

    hub:
      tls:
        key: |-
          -----BEGIN PRIVATE KEY-----
          MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgm+XJ3LVrTbbirJea
          O+Crj2ADVsVHjMuiyd72VE3lgxihRANCAARlopg+PYbweeaO7qNse3684PAqo0NV
          AwfmfGG0CBJRlLrWYtbBm+9SEhgs0/AfPxrHwLv5y6KEQLpPO+fwN4Z4
          -----END PRIVATE KEY-----

File (TOML)

    [hub.tls]
      key = """-----BEGIN PRIVATE KEY-----
    MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgm+XJ3LVrTbbirJea
    O+Crj2ADVsVHjMuiyd72VE3lgxihRANCAARlopg+PYbweeaO7qNse3684PAqo0NV
    AwfmfGG0CBJRlLrWYtbBm+9SEhgs0/AfPxrHwLv5y6KEQLpPO+fwN4Z4
    -----END PRIVATE KEY-----"""

CLI

    --hub.tls.key=-----BEGIN PRIVATE KEY-----
    MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgm+XJ3LVrTbbirJea
    O+Crj2ADVsVHjMuiyd72VE3lgxihRANCAARlopg+PYbweeaO7qNse3684PAqo0NV
    AwfmfGG0CBJRlLrWYtbBm+9SEhgs0/AfPxrHwLv5y6KEQLpPO+fwN4Z4
    -----END PRIVATE KEY-----

tls.insecure

Optional, Default=false

Enables an insecure TLS connection that uses default credentials and has no peer authentication between Traefik Proxy and the Traefik Hub Agent. The insecure option is mutually exclusive with any other option.

Security Consideration

Do not use this setup in production. With this option, sensitive data can be exposed to potentially malicious third-party programs.

File (YAML)

    hub:
      tls:
        insecure: true

File (TOML)

    [hub.tls]
      insecure = true

CLI

    --hub.tls.insecure=true
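The following is an added example, not part of the Traefik documentation or code base: a pre-deployment check that reads a Traefik command line and reports the two risks this page warns about, the insecure TLS mode (including its use together with ca, cert or key) and Hub entrypoints that are reachable beyond the local host. The finding codes and function names are hypothetical, and treating a non-loopback listen address as "needs review" is an assumption: when the agent runs in a separate container, a non-loopback bind is expected and the port must then be kept off public networks by other means.

```python
import ipaddress

# Default Hub entrypoint addresses, from the ports stated on this page.
HUB_ENTRYPOINTS = {"traefikhub-api": ":9900", "traefikhub-tunl": ":9901"}

def parse_flags(argv):
    """Map Traefik CLI flags to {lowercased name: value}; a bare flag means "true"."""
    flags = {}
    for arg in argv:
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            flags[name.lower()] = value if sep else "true"
    return flags

def is_loopback(address):
    """True only when the listen address names a loopback host explicitly."""
    host = address.rsplit(":", 1)[0].strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":9900") binds every interface

def audit_hub_flags(argv):
    """Return (code, detail) findings for the Hub settings in a Traefik command line."""
    flags = parse_flags(argv)
    if not any(k == "hub" or k.startswith("hub.") for k in flags):
        return []  # Hub not enabled, nothing to audit
    findings = []
    insecure = flags.get("hub.tls.insecure", "false").lower() == "true"
    mtls = [k for k in ("hub.tls.ca", "hub.tls.cert", "hub.tls.key") if k in flags]
    if insecure:
        findings.append(("HUB_TLS_INSECURE", "no peer authentication; not for production"))
        if mtls:
            findings.append(("HUB_TLS_CONFLICT", "insecure set together with " + ", ".join(mtls)))
    for name, default in HUB_ENTRYPOINTS.items():
        address = flags.get("entrypoints." + name + ".address", default)
        if not is_loopback(address):
            findings.append(("HUB_ENTRYPOINT_REACHABLE",
                             name + " listens on " + address + "; keep it off public networks"))
    return findings

# Constructed sample: the Docker minimal flags from this page plus one path-based option.
SAMPLE = ["--hub.tls.insecure", "--hub.tls.ca=/path/to/ca.pem",
          "--metrics.prometheus.addrouterslabels",
          "--entrypoints.traefikhub-api.address=127.0.0.1:9900"]

if __name__ == "__main__":
    for code, detail in audit_hub_flags(SAMPLE):
        print(code, "-", detail)
```
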