API

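Traefik exposes a range of information through an API handler, such as the configuration of all routers, services, and middlewares.

As with all features of Traefik, this handler can be enabled with the static configuration.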

Security

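Enabling the API in production is not recommended, because it exposes all configuration elements, including sensitive data.

In production, it should at least be secured by authentication and authorization.

A good sane default (non-exhaustive) set of recommendations would be to apply the following protection mechanisms:

  • At the transport level: do NOT publicly expose the API's port; keep it restricted to internal networks (the principle of least privilege, applied to networks).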

Configuration

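If you enable the API, a new special service named api@internal is created and can then be referenced in a router.

To enable the API handler, use the following option on the static configuration: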

# Static Configuration (File, TOML)
[api]

# Static Configuration (File, YAML)
api: {}

# Static Configuration (CLI)
--api=true

Then define the routing configuration on Traefik itself, using the dynamic configuration:

# Dynamic Configuration (Docker)
labels:
  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
  - "traefik.http.routers.api.service=api@internal"
  - "traefik.http.routers.api.middlewares=auth"
  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

# Dynamic Configuration (Docker Swarm)
deploy:
  labels:
    - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
    - "traefik.http.routers.api.service=api@internal"
    - "traefik.http.routers.api.middlewares=auth"
    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    # Dummy service for Swarm port detection. The port can be any valid integer value.
    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"

# Dynamic Configuration (Kubernetes CRD)
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  routes:
  - match: Host(`traefik.domain.com`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth
spec:
  basicAuth:
    secret: secretName # Kubernetes secret named "secretName"

# Dynamic Configuration (Consul Catalog)
- "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.routers.api.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

# Dynamic Configuration (Marathon)
"labels": {
  "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
  "traefik.http.routers.api.service": "api@internal",
  "traefik.http.routers.api.middlewares": "auth",
  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
}

# Dynamic Configuration (Rancher)
labels:
  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
  - "traefik.http.routers.api.service=api@internal"
  - "traefik.http.routers.api.middlewares=auth"
  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

# Dynamic Configuration (File, TOML)
[http.routers.my-api]
  rule = "Host(`traefik.domain.com`)"
  service = "api@internal"
  middlewares = ["auth"]

[http.middlewares.auth.basicAuth]
  users = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  ]

# Dynamic Configuration (File, YAML)
http:
  routers:
    api:
      rule: Host(`traefik.domain.com`)
      service: api@internal
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
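
The router's rule must catch requests for the URI path /api.

We recommend using a "Host" rule, so that all incoming traffic on this host domain is routed to the API. However, you can also use a "PathPrefix" rule or any combination of rules.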

# Matches http://traefik.domain.com, http://traefik.domain.com/api
# or http://traefik.domain.com/hello
rule = "Host(`traefik.domain.com`)"

# Matches http://api.traefik.domain.com/api or http://domain.com/api
# but does not match http://api.traefik.domain.com/hello
rule = "PathPrefix(`/api`)"

# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
# but does not match http://traefik.domain.com/hello
rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
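
The routing configuration above only protects the API if the router that points at api@internal actually has an authentication middleware attached. The following linter is an added example, not part of the Traefik documentation or code base: it checks Docker-style labels for that condition and also flags the insecure and debug static options documented below. The function names, the finding strings and the sample input are assumptions made for this sketch.

```python
# Added example, not Traefik code. Sample labels and flags are constructed.
import re

AUTH_TYPES = {"basicauth", "digestauth", "forwardauth"}

def parse_labels(labels):
    """["key=value", ...] -> dict with lower-cased keys (split on first '=')."""
    pairs = (item.split("=", 1) for item in labels)
    return {key.lower(): value for key, value in pairs}

def audit(flags, labels):
    """Return findings about how the API is exposed."""
    findings = []
    for flag in flags:
        m = re.fullmatch(r"--api\.(insecure|debug)(?:=(\w+))?", flag)
        if m and (m.group(2) or "true").lower() == "true":
            findings.append(f"static: api.{m.group(1)} is enabled")
    cfg = parse_labels(labels)
    # Names of middlewares defined with an authentication type.
    mw = (re.fullmatch(r"traefik\.http\.middlewares\.([^.]+)\.([^.]+)\..+", k) for k in cfg)
    auth_mw = {m.group(1) for m in mw if m and m.group(2) in AUTH_TYPES}
    for key, value in cfg.items():
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.service", key)
        if not m or value != "api@internal":
            continue
        router = m.group(1)
        prefix = f"traefik.http.routers.{router}."
        names = cfg.get(prefix + "middlewares", "").split(",")
        attached = {n.strip().split("@")[0].lower() for n in names if n.strip()}
        if not attached & auth_mw:
            findings.append(f"router {router}: api@internal has no auth middleware")
        if "Host(" not in cfg.get(prefix + "rule", ""):
            findings.append(f"router {router}: rule has no Host() matcher")
    return findings

# Constructed sample input; the hash is a placeholder, not a real credential.
FLAGS = ["--api=true", "--api.insecure=true", "--api.debug=false"]
UNPROTECTED = [
    "traefik.http.routers.api.rule=PathPrefix(`/api`)",
    "traefik.http.routers.api.service=api@internal",
]
PROTECTED = UNPROTECTED[1:] + [
    "traefik.http.routers.api.rule=Host(`traefik.domain.com`)",
    "traefik.http.routers.api.middlewares=auth",
    "traefik.http.middlewares.auth.basicauth.users=test:<htpasswd-hash>",
]

if __name__ == "__main__":
    print(audit(FLAGS, UNPROTECTED))
```

The linter only sees the labels it is given, so a middleware defined by another provider (for example a file provider) is reported as missing.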

insecure

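Enables the API in insecure mode, which means that the API is available directly on the entryPoint named traefik.

Info

If the entryPoint named traefik is not configured, it is created automatically on port 8080.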

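# Static Configuration (File, TOML)
[api]
  insecure = true

# Static Configuration (File, YAML)
api:
  insecure: true

# Static Configuration (CLI)
--api.insecure=true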

dashboard

Optional, Default=true

Enables the dashboard. More about the dashboard's features is available in the dashboard documentation.

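# Static Configuration (File, TOML)
[api]
  dashboard = true

# Static Configuration (File, YAML)
api:
  dashboard: true

# Static Configuration (CLI)
--api.dashboard=true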

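With the dashboard enabled, the router rule must catch requests for both /api and /dashboard.

Please check the dashboard documentation to learn more and to get examples.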

debug

Optional, Default=false

Enables additional endpoints for debugging and profiling, served under /debug/.

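# Static Configuration (File, TOML)
[api]
  debug = true

# Static Configuration (File, YAML)
api:
  debug: true

# Static Configuration (CLI)
--api.debug=true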

Endpoints

All of the following endpoints must be accessed with a GET HTTP request.

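Path                          Description
/api/http/routers             Lists all the HTTP routers information.
/api/http/routers/{name}      Returns the information of the HTTP router specified by name.
/api/http/services            Lists all the HTTP services information.
/api/http/services/{name}     Returns the information of the HTTP service specified by name.
/api/http/middlewares         Lists all the HTTP middlewares information.
/api/http/middlewares/{name}  Returns the information of the HTTP middleware specified by name.
/api/tcp/routers              Lists all the TCP routers information.
/api/tcp/routers/{name}       Returns the information of the TCP router specified by name.
/api/tcp/services             Lists all the TCP services information.
/api/tcp/services/{name}      Returns the information of the TCP service specified by name.
/api/entrypoints              Lists all the entry points information.
/api/entrypoints/{name}       Returns the information of the entry point specified by name.
/api/overview                 Returns statistics about http and tcp, as well as the enabled features and providers.
/api/version                  Returns information about the Traefik version.
/debug/vars                   See the expvar Go documentation.
/debug/pprof/                 See the pprof Index Go documentation.
/debug/pprof/cmdline          See the pprof Cmdline Go documentation.
/debug/pprof/profile          See the pprof Profile Go documentation.
/debug/pprof/symbol           See the pprof Symbol Go documentation.
/debug/pprof/trace            See the pprof Trace Go documentation.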
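
To confirm that your own instance does not answer these endpoints without credentials, the check below sends unauthenticated GET requests to a subset of the paths in the table and classifies the responses. It is an added example, not part of the Traefik documentation or code base; the base URL, the function names and the verdict labels are assumptions made for this sketch.

```python
# Added example, not Traefik code: which API/debug paths answer an
# unauthenticated GET? The base URL below is an assumed placeholder.
import urllib.error
import urllib.request

# Paths taken from the endpoint table on this page.
PATHS = ["/api/overview", "/api/http/routers", "/api/http/middlewares",
         "/api/entrypoints", "/api/version", "/debug/vars", "/debug/pprof/"]

def http_status(url, timeout=5):
    """GET url without credentials; return the status code, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401, 403, 404, ... still carry a status
    except (urllib.error.URLError, OSError):
        return None              # refused, filtered, DNS failure, timeout

def classify(status):
    """Translate an HTTP status into a verdict for the audit."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "not-served"
    if status in range(200, 300):
        return "EXPOSED"
    return f"other({status})"

def probe(base_url, fetch=http_status):
    """Map each path to its verdict; fetch is injectable for offline testing."""
    return {p: classify(fetch(base_url.rstrip("/") + p)) for p in PATHS}

def exposed(results):
    """Paths that returned content without any credentials."""
    return sorted(p for p, verdict in results.items() if verdict == "EXPOSED")

if __name__ == "__main__":
    # 8080 is the port of the auto-created traefik entryPoint in insecure mode.
    for path, verdict in probe("http://127.0.0.1:8080").items():
        print(f"{verdict:12} {path}")
```

Run it from a host outside the internal network: with the recommendations in the Security section applied, every path should come back as unreachable or protected.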