TLS configuration confusion

Hi, I'm transitioning to using Traefik as my reverse proxy and have literally just read through all the documentation, but I am so confused about TLS settings. For example, you can set TLS settings in the static file transport configuration, then in the HTTPS overview section, then in the routers section, and finally in the entrypoints section. Which is nice, but what are the differences?

Let's assume I want TLS from the client to Traefik and then mTLS from Traefik to all services.

For the TLS connection from the client to Traefik I would use the entrypoint TLS config. But then does it also need to be defined in the routers section as well? If a router is configured to use an entrypoint that has TLS defined, does it need to be defined in the router section as well? If separate routers have to be defined for HTTP and then HTTPS endpoints, then why is TLS defined in both the entrypoint and the router section? Do I just choose if I want TLS configured on the entrypoint or the router?

Then let's say I want an mTLS connection between Traefik and all my services. I assume that I would add a root CA certificate to the static server transport config, and then Traefik will generate its own certificate, and then I provide all my services with their own certificates, right?

Am I understanding this correctly? I've spent way too much time trying to figure this out and I've given up and need help here; it's not very clear from the documentation.

Frontend:

You can enable TLS directly in an entrypoint like websecure. Just TLS (:{} or =true) uses static certs, which you need to load from a dynamic config file via provider.file in static config.

A LetsEncrypt certresolver also needs to be defined in static config, which you can then assign in the entrypoint.

Alternatively, you can enable TLS or assign LetsEncrypt just on a dedicated router. Then the entrypoint would also accept non-TLS connections, which is probably not best practice.

Backend:

To enable TLS with your backend services, you need to define a serverTransport. You can do this globally in static config.

Alternatively, you can define a serverTransport in dynamic config, which you then need to assign to a service.

But I agree: as a user, Traefik configuration is complicated, especially when you are starting.

Thanks for your response; however, I still have a few more questions.

Let's say for the backend I define the server transport in static config. Does that make it the default setting for all services? If so, how would I exclude a specific service from requiring mTLS? Or is it just defined there but then still needs to be explicitly called out/defined for every service?

Now for the frontend, assuming I have multiple domains but they are provided certificates in different ways (one uses a LetsEncrypt HTTP challenge, another a LetsEncrypt DNS challenge, and yet another uses a certificate and key I provide), does that mean I can only set TLS settings on routes? Or can I break the entrypoint into something like this and then not worry about setting TLS in routes:

tls:
  options: foobar
  certResolver: leresolverA
  domains:
    - main: example.com
      sans:
        - foo.example.com
        - bar.example.com
  certResolver: leresolverB
  domains:
    - main: test.com
      sans:
        - foo.test.com
        - bar.test.com

Is there a difference between setting TLS on entrypoints vs routes? The documentation is great, but I feel like it leaves some crucial pieces of info out.

If you define serverTransport in static config, it should be used for all internal requests to services. If you only want to use it on dedicated services, you need to define it in dynamic config and assign it to the services.

You can mix and match custom TLS with LetsEncrypt. As far as I know, you can just enable TLS and LE and it will use existing certs and fall back to LE to create certs.

You can create multiple LE resolvers and assign them to individual routers; just check the correct format, your example seems wrong.
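As an added example (not posted by anyone in this thread) tying the two answers together: TLS and a default certResolver set once on the websecure entrypoint so routers need no tls block of their own, per-router overrides for a second resolver and for a certificate you load yourself, and a dynamic serversTransport carrying the client certificate Traefik presents for mTLS, referenced only by the service that needs it. All file paths, the e-mail address, the DNS provider, the internal.example.com host and the backend addresses are placeholders; the dynamic config is a separate file, shown here after the --- separator.

```yaml
# Static config (traefik.yml); constructed example, placeholder paths
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: leresolverA  # default for every router on this entrypoint
providers:
  file:
    filename: /etc/traefik/dynamic.yml
certificatesResolvers:
  leresolverA:
    acme:
      email: admin@example.com       # placeholder
      storage: /acme/leresolverA.json
      httpChallenge: {entryPoint: web}
  leresolverB:
    acme:
      email: admin@example.com       # placeholder
      storage: /acme/leresolverB.json
      dnsChallenge: {provider: cloudflare}  # placeholder provider
---
# Dynamic config (/etc/traefik/dynamic.yml)
tls:
  certificates:   # cert you supply yourself, served by SNI match
    - {certFile: /certs/internal.example.com.crt, keyFile: /certs/internal.example.com.key}
http:
  serversTransports:
    mtls-backend:   # mTLS applies only to services that reference this transport
      rootCAs: [/certs/backend-ca.pem]   # verifies the backend's server cert
      certificates:                      # Traefik's own client cert for the backend
        - {certFile: /certs/traefik-client.crt, keyFile: /certs/traefik-client.key}
  routers:
    site-a:  # no tls block: inherits TLS and leresolverA from the entrypoint
      {rule: "Host(`example.com`)", entryPoints: [websecure], service: svc-a}
    site-b:  # overrides the entrypoint's default resolver
      {rule: "Host(`test.com`)", entryPoints: [websecure], service: svc-b,
       tls: {certResolver: leresolverB}}
    internal:  # tls: {} with no resolver serves the manually loaded certificate
      {rule: "Host(`internal.example.com`)", entryPoints: [websecure], service: svc-b, tls: {}}
  services:
    svc-a:  # only this service talks mTLS to its backend
      loadBalancer: {serversTransport: mtls-backend, servers: [{url: "https://10.0.0.11:8443"}]}
    svc-b:  # plain HTTP backend, default transport
      loadBalancer: {servers: [{url: "http://10.0.0.12:8080"}]}
```

Putting rootCAs and the client certificate in the dynamic serversTransports block (rather than the static serverTransport) is what lets you opt individual services in or out of mTLS.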