EntryPoints
What is an EntryPoint?
An EntryPoint defines a network port that Traefik listens on. It is the entry door for all incoming traffic. Every request must come through an EntryPoint.
EntryPoints are defined in static configuration (CLI flags or traefik.yml). They cannot be changed dynamically at runtime.
Basic EntryPoint Configuration
```yaml
# Static configuration
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
```
Properties
| Property | Description | Default |
|---|---|---|
| address | Listen address (host:port) | Required |
| transport | TCP/UDP transport settings | — |
| http | HTTP-specific configuration | — |
| http3 | Enable HTTP/3 (QUIC) | false |
| forwardedHeaders | Trusted proxies for X-Forwarded-* | — |
| proxyProtocol | Proxy Protocol support | — |
Common EntryPoint Patterns
Standard Web + Web Secure
```yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
```
This is the most common setup: HTTP on port 80 redirects to HTTPS on port 443. The web entrypoint never serves actual application traffic, only redirects.
Internal Services on Dedicated Ports
```yaml
entryPoints:
  api:
    address: ":8080"
  metrics:
    address: ":8082"
  dashboard:
    address: ":8083"
    http:
      middlewares:
        - auth@file
```
TCP and UDP EntryPoints
```yaml
entryPoints:
  postgres:
    address: ":5432"
  mongodb:
    address: ":27017"
  dns:
    address: ":53/udp"
```
HTTP/3 (QUIC) EntryPoints
```yaml
entryPoints:
  websecure:
    address: ":443"
    # UDP port advertised to clients for HTTP/3
    http3:
      advertisedPort: 443
```
HTTP/3 Requirements
HTTP/3 uses UDP. You must open UDP port 443 in your firewall and load balancer. Not all cloud LBs support HTTP/3 pass-through.
EntryPoint Configuration Reference
Transport Configuration
```yaml
entryPoints:
  websecure:
    address: ":443"
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 5s
        graceTimeOut: 10s
      respondingTimeouts:
        readTimeout: 30s
        writeTimeout: 30s
        idleTimeout: 180s
```
Forwarded Headers
```yaml
entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - "10.0.0.0/8"
        - "172.16.0.0/12"
      insecure: false # true = trust all X-Forwarded-* headers
```
Security Warning
Only set forwardedHeaders.insecure: true in development. In production, always restrict with trustedIPs to avoid IP spoofing.
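What the warning above means in practice, as an added example that is not from the original page or from Traefik's code base: a simplified Go model of the trust decision. The function name `forwardedFor` and the sample peer addresses are constructed for illustration, and `trustedIPs` entries are assumed to be CIDR ranges.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// forwardedFor models the trust decision behind forwardedHeaders (simplified,
// not Traefik's code): the client-supplied X-Forwarded-For survives only when
// the direct peer is inside trustedIPs, or when insecure is true.
// Assumption: every trustedIPs entry is written as a CIDR range.
func forwardedFor(peer, incoming string, trustedIPs []string, insecure bool) (string, error) {
	ip := net.ParseIP(peer)
	if ip == nil {
		return "", fmt.Errorf("invalid peer address %q", peer)
	}
	trusted := insecure
	for _, cidr := range trustedIPs {
		_, network, err := net.ParseCIDR(cidr)
		if err != nil {
			return "", fmt.Errorf("invalid trustedIPs entry %q: %w", cidr, err)
		}
		if network.Contains(ip) {
			trusted = true
		}
	}
	if !trusted || strings.TrimSpace(incoming) == "" {
		// Untrusted peer (or no header): record only the address we actually saw.
		return peer, nil
	}
	// Trusted proxy: keep the chain it reported and append its own address.
	return incoming + ", " + peer, nil
}

func main() {
	trusted := []string{"10.0.0.0/8", "172.16.0.0/12"} // ranges from the page
	// Constructed sample requests: direct peer and the header value it sent.
	cases := []struct {
		peer, xff string
		insecure  bool
	}{
		{"10.1.2.3", "198.51.100.7", false},  // internal LB relaying a client
		{"203.0.113.50", "127.0.0.1", false}, // external client forging the header
		{"203.0.113.50", "127.0.0.1", true},  // same request with insecure: true
	}
	for _, c := range cases {
		out, _ := forwardedFor(c.peer, c.xff, trusted, c.insecure)
		fmt.Printf("peer=%-13s insecure=%-5v X-Forwarded-For: %s\n", c.peer, c.insecure, out)
	}
}
```

In the third case the forged `127.0.0.1` reaches the backend as the leftmost address, which is the value that IP allowlists and rate limiters built on X-Forwarded-For typically read.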
Proxy Protocol
```yaml
entryPoints:
  websecure:
    address: ":443"
    proxyProtocol:
      trustedIPs:
        - "10.0.0.0/8"
```
Proxy Protocol is used when Traefik sits behind a load balancer that sends the Proxy Protocol header on each connection (like AWS NLB with Proxy Protocol v2).
EntryPoints and Routers
Once EntryPoints are defined, routers reference them:
```yaml
# Dynamic configuration
http:
  routers:
    web-app:
      rule: "Host(`example.com`)"
      entryPoints:
        - websecure # Only listens on the websecure entrypoint
      service: app
```
If a router doesn't specify entryPoints, it matches all entrypoints. Specify entryPoints to restrict which ports a router listens on.
EntryPoint Middlewares
Since v3.0, you can attach middlewares directly to EntryPoints:
```yaml
entryPoints:
  websecure:
    address: ":443"
    http:
      middlewares:
        - rate-limit@file
        - security-headers@file
```
EntryPoint-level middlewares run BEFORE router matching. This is useful for global rate limiting, IP allowlisting, and security headers that apply to all traffic regardless of the target router.
Port Binding in Docker
When running Traefik in Docker, map entrypoint ports:
```yaml
services:
  traefik:
    image: traefik:v3.3
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080" # API dashboard (internal)
      # For UDP (HTTP/3):
      - "443:443/udp"
```
Next Chapter
Learn how to configure Routers & Rules to direct traffic from entrypoints to your services.