Traefik HTTP/3 Configuration Tutorial

Two advancements stand out among web technologies for their potential to revolutionize how services are delivered and consumed on the internet: HTTP/3 and Traefik. Each serves a distinct purpose, but collectively, they enhance the performance, security, and scalability of web infrastructure.

HTTP/3 introduces a fundamental change in the underlying transport layer, adopting QUIC (Quick UDP Internet Connections) over UDP. This shift addresses key challenges that plagued earlier versions, especially in lossy or unstable network conditions. With HTTP/3, users can expect quicker connection times, improved latency, and enhanced robustness against packet loss—all vital for the mobile-first, high-speed internet era.

On the other hand, Traefik is a modern HTTP reverse proxy and load balancer designed for contemporary cloud-based architectures. It simplifies networking complexity by automating the task of routing requests to the appropriate backend services. With Traefik, you don’t have to adjust the network manually every time your microservice or container configurations change. 

This article explains how to configure Traefik over HTTP/3. Together, HTTP/3 and Traefik enhance web application delivery. While HTTP/3 improves efficiency and reliability, Traefik offers an agile and adaptive approach to managing application traffic.

Summary of key Traefik HTTP/3 concepts

| | HTTP/3 | Traefik |
|---|---|---|
| Role in web infrastructure | Hypertext Transfer Protocol v3 | Reverse proxy/load balancer: routes client requests and distributes incoming traffic evenly. |
| Performance | Reduced latency | Dynamic routing |
| Security | Improved security | Automatic HTTPS |
| Reliability | Connection resilience | Service discovery |
| Network efficiency | Congestion control | Middleware support: modifies requests/responses on the fly. |

HTTP/3 overview

HTTP/3 is the third major version of the Hypertext Transfer Protocol. It builds upon the foundations laid by HTTP/2 but replaces TCP (Transmission Control Protocol) with QUIC. QUIC integrates transport layer security (TLS) and stream multiplexing into a single protocol that runs over UDP (User Datagram Protocol). 

This design choice avoids inherent issues with TCP, such as head-of-line blocking, where the order of packets dictates the processing sequence, causing delays if any packet is lost. By moving to QUIC, HTTP/3 also allows multiple data streams to interleave, preventing one stream's delay from affecting others for more efficient and faster request processing.

From a technical standpoint, HTTP/3 significantly enhances web performance, particularly on less stable network connections. For example, you get:

  • More efficient connection establishment that requires fewer round trips than TCP used in HTTP/2, reducing overall latency.
  • Improved connection resilience even when network changes occur, such as a user's IP address change.
  • Built-in security as HTTP/3 integrates security features at the transport layer with TLS 1.3.

For a complete list, read the HTTP/2 vs. HTTP/3 chapter.

Traefik overview

Traefik is a modern HTTP reverse proxy and load balancer that integrates with the cloud-native ecosystem. It acts as a dynamic traffic manager, automatically discovering and routing requests to the most appropriate services. 

Unlike traditional static reverse proxies, Traefik updates its routing configurations automatically as services are added, removed, or changed within the environment. This automatic service discovery is supported by its integration with standard container orchestration systems like Kubernetes, Docker Swarm, and Mesos. Additionally, Traefik includes built-in support for Let's Encrypt, allowing it to automatically obtain and renew SSL certificates for encrypted traffic, enhancing security without manual intervention.

Role of Traefik in your network infrastructure (Source)

From a use case perspective, Traefik is particularly useful for handling microservices architectures. It excels in environments where infrastructure changes dynamically, such as applications deployed in containers that scale up and down in response to demand. Its ability to instantly adapt to changes makes it ideal for continuous deployment practices.

Traefik's comprehensive dashboard and monitoring features provide real-time visibility into microservice health and performance, facilitating efficient management and troubleshooting. Moreover, its middleware capabilities allow developers to modify requests and responses, implement rate limiting, or authenticate requests, among other functionalities.

Traefik installation

Grab the latest binary from the releases page and run it with the sample configuration file.

./traefik --configFile=traefik.toml

Or use the official tiny Docker image and run it with the sample configuration file:

docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik

Or get the sources and compile/build Traefik:

git clone https://github.com/traefik/traefik

Traefik HTTP/3 setup

Configuring Traefik for HTTP/3 involves understanding its two primary settings layers: the static and dynamic configurations.

Static configuration sets the foundational aspects of Traefik, such as connections to providers and the entry points Traefik will listen to, which generally remain constant. You can establish the static configuration through three methods.

  1. Configuration file: Utilize a configuration file (traefik.yml, traefik.yaml, or traefik.toml), typically located in /etc/traefik/, $XDG_CONFIG_HOME/, $HOME/.config/, or the working directory. You can specify a different file using the --configFile argument.
  2. Command-line arguments: Directly input configuration settings when launching Traefik, accessible via traefik --help or in a Docker environment using docker run traefik[:version] --help.
  3. Environment variables: Set configuration options as environment variables, detailed in the static configuration environment overview section of the documentation.

Dynamic configuration includes settings that dictate how Traefik handles requests, such as routing rules and load balancing strategies. Dynamic configurations are sourced from providers like orchestrators, service registries, or simple configuration files and can be modified on the fly without restarting Traefik or dropping connections. For instance, in Docker environments, dynamic configurations are often derived from labels in container setups. Importantly, this layer also manages HTTPS certificates, allowing for their addition, update, or removal seamlessly.

Configuration file with HTTP/3 support

To configure Traefik to support HTTP/3, you need Traefik version 2.5 or later, as HTTP/3 support only starts with this version. Remember that QUIC is built on top of UDP, so the UDP port must be reachable through any firewall or port mapping in front of Traefik, in addition to the TCP port. The example configuration file below includes basic HTTP and HTTPS entry points and enables HTTP/3.

################################################################
# Configuration sample for Traefik v2.5+
#
# For more information on Traefik with HTTP/3: https://doc.traefik.io/traefik/
#
################################################################

################################################################
# Global configuration
################################################################
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

################################################################
# Entrypoints configuration
################################################################

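# Entrypoints definition
#
# Enable HTTP/3 with an http3 section on the secure entrypoint. The address
# stays a TCP address; Traefik also opens the same port number on UDP for QUIC.
# (Traefik v2.5 used enableHTTP3 = true on the entrypoint instead.)

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"  # TCP listener; a "/udp" suffix would create a plain UDP entrypoint
    [entryPoints.websecure.http3]
      advertisedPort = 443  # UDP port advertised to clients for HTTP/3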

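################################################################
# TLS Configuration
################################################################

# Certificates are dynamic configuration: keep this block in a separate
# file loaded by the file provider, not in the static traefik.toml.
[tls]
  [[tls.certificates]]
    certFile = "/path/to/your/cert.crt"
    keyFile = "/path/to/your/key.key"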

################################################################
# Providers configuration
################################################################

# Docker provider configuration
[providers.docker]
  watch = true
  endpoint = "unix:///var/run/docker.sock"
  exposedByDefault = false

################################################################
# HTTP/3 Configuration Example
################################################################

# Traefik v2.x: HTTP/3 is experimental and must also be switched on here.
# Traefik v3 removed this option; the entrypoint's http3 section is enough.
[experimental]
  http3 = true

Since each configuration is specific to your infrastructure choices, we invite you to refer to the official documentation for more details.
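One way to confirm that an entry point really advertises HTTP/3 once the configuration is loaded: clients discover HTTP/3 through the Alt-Svc response header sent over the TCP listener, so the advertised UDP port has to be the one that is actually reachable. This is an added example, not code from Traefik or from the original article; the response headers are constructed and the function names are hypothetical.

```python
import re

# Constructed response headers, as a client would see them on the TCP/TLS listener.
SAMPLE_HEADERS = (
    "HTTP/2 200\r\n"
    "content-type: text/plain\r\n"
    'alt-svc: h3=":443"; ma=2592000, h3-29=":8443"; ma=60\r\n'
    "\r\n"
)


def parse_alt_svc(value):
    """Parse an Alt-Svc field value (RFC 7838) into a list of dicts."""
    if value.strip().lower() == "clear":
        return []
    entries = []
    for alternative in value.split(","):
        parts = [p.strip() for p in alternative.split(";")]
        match = re.fullmatch(r'([^=\s]+)="([^":]*):(\d+)"', parts[0])
        if not match:
            continue  # skip malformed alternatives instead of guessing
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        entries.append({
            "proto": match.group(1),
            "host": match.group(2),
            "port": int(match.group(3)),
            "ma": int(params.get("ma", 86400)),  # RFC 7838 default: 24 hours
        })
    return entries


def advertised_h3_ports(raw_headers):
    """Return the UDP ports advertised for final HTTP/3 ("h3") in a header block."""
    ports = []
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "alt-svc":
            ports += [e["port"] for e in parse_alt_svc(value) if e["proto"] == "h3"]
    return ports


def h3_status(raw_headers, reachable_udp_port):
    """Compare the advertised port with the UDP port opened to clients."""
    ports = advertised_h3_ports(raw_headers)
    if not ports:
        return "missing"  # HTTP/3 is not advertised; clients stay on HTTP/1.1 or HTTP/2
    return "ok" if reachable_udp_port in ports else "mismatch"
```

A "mismatch" result typically means the published UDP port differs from the port Traefik advertises, in which case clients keep using TCP without any visible error.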

Static configurations

When Traefik starts, it first processes the static configuration (explained before) to establish connections and listening ports. For example:

# Static configuration in YAML
entryPoints:
  web:
    address: :8081

Dynamic configurations

Following the establishment of entry points, Traefik's routers begin to evaluate incoming requests against predefined rules in the dynamic configuration. If a request matches a rule, it might pass through various middleware for transformations before being forwarded to the appropriate backend service. Here's an example of how you might define these components in a configuration file:

# Dynamic HTTP routing configuration in YAML
http:
  routers:
    to-whoami:
      rule: "Host(`example.com`) && PathPrefix(`/whoami/`)"
      middlewares:
      - test-user
      service: whoami

  middlewares:
    test-user:
      basicAuth:
        users:
        - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/

  services:
    whoami:
      loadBalancer:
        servers:
        - url: http://private/whoami-service

In summary, this snippet configures Traefik to listen for HTTP requests aimed at example.com/whoami/, require basic authentication for access, and then forward the authenticated requests to a backend service defined by the whoami service, which ultimately sends the requests to http://private/whoami-service.

TCP configurations

Traefik's flexibility is evident as it supports both HTTP and TCP requests. Configurations can specify detailed transport layer settings to fine-tune how connections are managed, such as timeouts, TLS settings, etc. Here are some examples of how transport parameters can be configured for both HTTP and TCP traffic.

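# Static configuration for serversTransport in YAML
serversTransport:
  # Keep backend certificate verification on. Setting this to true disables
  # it and makes rootCAs meaningless; use true only in throwaway test setups.
  insecureSkipVerify: false
  rootCAs:
    - path/to/foo.crt
  forwardingTimeouts:
    dialTimeout: 1s
    responseHeaderTimeout: 1s
    idleConnTimeout: 1s

# Static configuration for TCP serversTransport in YAML
tcpServersTransport:
  dialTimeout: 30s
  dialKeepAlive: 30s
  tls:
    # Same rule for TCP backends: verify the server certificate against rootCAs.
    insecureSkipVerify: false
    rootCAs:
      - path/to/foo.crt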

This structured approach allows Traefik to be highly adaptable and efficiently manage simple and complex routing and security scenarios in dynamic environments.

Final thoughts

Quite frankly, there are many ways to configure Traefik under different environments, and reading through the documentation is almost a requirement. Despite its complexity, Traefik stands out as an essential tool for modern infrastructure, thanks to its robust capability to manage dynamic routing and load balancing with minimal overhead. Its adaptability across various deployment contexts, from small-scale setups to large, distributed systems, makes it incredibly versatile. Integrating HTTP/3 with Traefik has proven to be a game-changer, particularly in environments where speed and reliability are critical.