Skip to main content

EntryPoints

Defining Network Entry Points for Incoming Traffic EntryPoints are the network entry points into Traefik. They define the ports on which Traefik listens for incoming connections and whether to use TCP or UDP protocols.

Basic Configuration

Defining EntryPoints

EntryPoints are part of the static configuration and must be defined at startup. 
entryPoints:
  web:
    address: ":80"
  
  websecure:
    address: ":443"
  
  metrics:
    address: ":8080"

Address Format

The address format is: [host]:port[/tcp|/udp]
  • Port only: :80 - Listen on all interfaces on port 80 (TCP by default)
  • Host and port: 192.168.1.10:8080 - Listen on specific IP
  • IPv6: [::1]:80 - IPv6 localhost
  • UDP: :53/udp - Listen on UDP port 53
  • TCP (explicit): :80/tcp - Explicitly specify TCP
entryPoints:
  web:
    address: ":80"

HTTP Configuration

Automatic HTTPS Redirection

Redirect all HTTP traffic to HTTPS: 
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  
  websecure:
    address: ":443"
to
string
required
Target EntryPoint name or port (e.g., websecure or :443)
scheme
string
default:"https"
Redirection scheme (http or https)
permanent
boolean
default:"true"
Use 301 (permanent) vs 302 (temporary) redirect

TLS Configuration

Configure default TLS settings for all routers on this EntryPoint: 
entryPoints:
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
          - main: "example.org"
            sans:
              - "*.example.org"

Middlewares

Apply middlewares to all routers on this EntryPoint: 
entryPoints:
  websecure:
    address: ":443"
    http:
      middlewares:
        - security-headers@file
        - rate-limit@file

Transport Configuration

Timeouts

Configure connection timeouts: 
entryPoints:
  web:
    address: ":80"
    transport:
      respondingTimeouts:
        readTimeout: "60s"
        writeTimeout: "60s"
        idleTimeout: "180s"
      lifeCycle:
        requestAcceptGraceTimeout: "10s"
        graceTimeOut: "10s"
readTimeout
duration
default:"60s"
Maximum duration for reading the entire request including body
writeTimeout
duration
default:"0s"
Maximum duration before timing out writes of the response
idleTimeout
duration
default:"180s"
Maximum duration an idle keep-alive connection remains open
graceTimeOut
duration
default:"10s"
Duration to give active requests a chance to finish during shutdown

HTTP/2 Configuration

Configure HTTP/2 settings: 
entryPoints:
  websecure:
    address: ":443"
    http2:
      maxConcurrentStreams: 250
      maxDecoderHeaderTableSize: 4096
      maxEncoderHeaderTableSize: 4096
maxConcurrentStreams
int
default:"250"
Number of concurrent streams per connection each client can initiate

HTTP/3 Configuration

Enable HTTP/3 support: 
entryPoints:
  websecure:
    address: ":443"
    http3:
      advertisedPort: 443
HTTP/3 requires a TCP EntryPoint as HTTP/3 always starts as TCP and upgrades to UDP. The EntryPoint automatically listens on UDP for HTTP/3 traffic.

Proxy Protocol

Enable PROXY protocol support for client IP preservation: 
entryPoints:
  web:
    address: ":80"
    proxyProtocol:
      trustedIPs:
        - "192.168.1.0/24"
        - "172.16.0.0/16"
Only enable insecure: true in testing environments. In production, always specify trustedIPs to prevent IP spoofing.

Forwarded Headers

Trust X-Forwarded-* headers from specific IPs: 
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.7"

Advanced Options

AsDefault

Mark an EntryPoint as default for routers without explicit EntryPoints: 
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    asDefault: true

ReusePort

Enable SO_REUSEPORT for multiple processes listening on the same port: 
entryPoints:
  web:
    address: ":80"
    reusePort: true
ReusePort is only supported on Linux, FreeBSD, OpenBSD, and Darwin. It’s useful for zero-downtime deployments.

Complete Example

entryPoints:
  # HTTP EntryPoint with redirect to HTTPS
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
    forwardedHeaders:
      trustedIPs:
        - "192.168.1.0/24"
  
  # HTTPS EntryPoint with TLS
  websecure:
    address: ":443"
    asDefault: true
    http:
      tls:
        certResolver: letsencrypt
      middlewares:
        - security-headers@file
    http2:
      maxConcurrentStreams: 250
    http3:
      advertisedPort: 443
    transport:
      respondingTimeouts:
        readTimeout: "60s"
        idleTimeout: "180s"
      lifeCycle:
        graceTimeOut: "30s"
  
  # Metrics EntryPoint (internal only)
  metrics:
    address: "127.0.0.1:8080"

Build docs developers (and LLMs) love

Get started for freeTalk to us