description: "For routing and load balancing in Traefik Proxy, EntryPoints define which port will receive packets and whether they are TCP or UDP. Read the technical documentation."

| Field | Description | Default | Required |
|:------|:------------|:--------|:---------|
| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br/> It also defines the protocol to use (TCP or UDP).<br/> If no protocol is specified, the default is TCP. The format is: `[host]:port[/tcp\|/udp]` | - | Yes |
| <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br/>`entryPoints` in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br/> More information [here](#asdefault). | false | No |
| <a id="opt-allowACMEByPass" href="#opt-allowACMEByPass" title="#opt-allowACMEByPass">`allowACMEByPass`</a> | Enables handling of ACME TLS and HTTP challenges with custom routers instead of the internal ACME router. | false | No |
| <a id="opt-forwardedHeaders-connection" href="#opt-forwardedHeaders-connection" title="#opt-forwardedHeaders-connection">`forwardedHeaders.`<br/>`connection`</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed. | false | No |
| <a id="opt-forwardedHeaders-insecure" href="#opt-forwardedHeaders-insecure" title="#opt-forwardedHeaders-insecure">`forwardedHeaders.`<br/>`insecure`</a> | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br/>We recommend using this option only for testing purposes, not in production. | false | No |
| <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.`<br/>`trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
| <a id="opt-forwardedHeaders-notAppendXForwardedFor" href="#opt-forwardedHeaders-notAppendXForwardedFor" title="#opt-forwardedHeaders-notAppendXForwardedFor">`forwardedHeaders.`<br/>`notAppendXForwardedFor`</a> | When set to `true`, Traefik will not append the client's `RemoteAddr` to the `X-Forwarded-For` header. The existing header is preserved as-is. If no `X-Forwarded-For` header exists, none will be added. | false | No |
| <a id="opt-http-redirections-entryPoint-to" href="#opt-http-redirections-entryPoint-to" title="#opt-http-redirections-entryPoint-to">`http.redirections.`<br/>`entryPoint.to`</a> | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br/> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
| <a id="opt-http-redirections-entryPoint-scheme" href="#opt-http-redirections-entryPoint-scheme" title="#opt-http-redirections-entryPoint-scheme">`http.redirections.`<br/>`entryPoint.scheme`</a> | The target scheme to use for (permanent) redirection of all incoming requests. | https | No |
| <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br/>`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one, changing the scheme. <br/> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
| <a id="opt-http-redirections-entryPoint-priority" href="#opt-http-redirections-entryPoint-priority" title="#opt-http-redirections-entryPoint-priority">`http.redirections.`<br/>`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`. | MaxInt-1 (`2147483646` on 32-bit, `9223372036854775806` on 64-bit) | No |
| <a id="opt-http-encodedCharacters" href="#opt-http-encodedCharacters" title="#opt-http-encodedCharacters">`http.encodedCharacters`</a> | Defines which encoded characters are allowed in the request path. More information [here](#encoded-characters). | false | No |
| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br/>`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br/>`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br/>`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br/>`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br/>`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br/>`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true | No |
| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br/>`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed. | true | No |
| <a id="opt-http-encodeQuerySemicolons" href="#opt-http-encodeQuerySemicolons" title="#opt-http-encodeQuerySemicolons">`http.encodeQuerySemicolons`</a> | Enable query semicolons encoding. <br/> Use this option to prevent non-encoded semicolons from being interpreted as query parameter separators by Traefik. <br/> When using this option, the non-encoded semicolon characters in the query will be transmitted encoded to the backend.<br/> More information [here](#encodequerysemicolons). | false | No |
| <a id="opt-http-sanitizePath" href="#opt-http-sanitizePath" title="#opt-http-sanitizePath">`http.sanitizePath`</a> | Defines whether to enable the request path sanitization.<br/> More information [here](#sanitizepath). | true | No |
| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes. | 1048576 | No |
| <a id="opt-http-middlewares" href="#opt-http-middlewares" title="#opt-http-middlewares">`http.middlewares`</a> | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br/>More information [here](#httpmiddlewares). | - | No |
| <a id="opt-http-tls" href="#opt-http-tls" title="#opt-http-tls">`http.tls`</a> | Enable TLS on every router attached to the `entryPoint`. <br/> If no certificate is set, a default self-signed certificate is generated by Traefik. <br/> We recommend not using self-signed certificates in production. | - | No |
| <a id="opt-http-tls-options" href="#opt-http-tls-options" title="#opt-http-tls-options">`http.tls.options`</a> | Apply TLS options on every router attached to the `entryPoint`. <br/> The TLS options can be overridden per router. <br/> More information in the [dedicated section](../../reference/routing-configuration/http/tls/tls-options.md). | - | No |
| <a id="opt-http-tls-certResolver" href="#opt-http-tls-certResolver" title="#opt-http-tls-certResolver">`http.tls.certResolver`</a> | Apply a certificate resolver on every router attached to the `entryPoint`. <br/> The TLS options can be overridden per router. <br/> More information in the [dedicated section](./tls/certificate-resolvers/overview.md). | - | No |
| <a id="opt-http2-maxConcurrentStreams" href="#opt-http2-maxConcurrentStreams" title="#opt-http2-maxConcurrentStreams">`http2.`<br/>`maxConcurrentStreams`</a> | Set the number of concurrent streams per connection that each client is allowed to initiate. <br/> The value must be greater than zero. | 250 | No |
| <a id="opt-http2-maxDecoderHeaderTableSize" href="#opt-http2-maxDecoderHeaderTableSize" title="#opt-http2-maxDecoderHeaderTableSize">`http2.`<br/>`maxDecoderHeaderTableSize`</a> | Set the maximum size of the decoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain so the client does not need to repeatedly send the same header across requests in the same HTTP/2 connection. <br/> This value is only a maximum; the other end of the connection can use a lower size. | 4096 | No |
| <a id="opt-http2-maxEncoderHeaderTableSize" href="#opt-http2-maxEncoderHeaderTableSize" title="#opt-http2-maxEncoderHeaderTableSize">`http2.`<br/>`maxEncoderHeaderTableSize`</a> | Set the maximum size of the encoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain when sending headers to the client, allowing the server to reduce the amount of duplicate headers it is sending in responses. <br/> This value is only a maximum; the other end of the connection can use a lower size. | 4096 | No |
| <a id="opt-http3" href="#opt-http3" title="#opt-http3">`http3`</a> | Enable HTTP/3 protocol on the `entryPoint`. <br/> HTTP/3 requires a TCP `entryPoint`, as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br/> More information [here](#http3). | - | No |
| <a id="opt-http3-advertisedPort" href="#opt-http3-advertisedPort" title="#opt-http3-advertisedPort">`http3.advertisedPort`</a> | Set the UDP port to advertise as the HTTP/3 authority. <br/> It defaults to the entryPoint's address port. <br/> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
| <a id="opt-observability-accessLogs" href="#opt-observability-accessLogs" title="#opt-observability-accessLogs">`observability.`<br/>`accessLogs`</a> | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| <a id="opt-observability-metrics" href="#opt-observability-metrics" title="#opt-observability-metrics">`observability.`<br/>`metrics`</a> | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| <a id="opt-observability-tracing" href="#opt-observability-tracing" title="#opt-observability-tracing">`observability.`<br/>`tracing`</a> | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
| <a id="opt-observability-traceVerbosity" href="#opt-observability-traceVerbosity" title="#opt-observability-traceVerbosity">`observability.`<br/>`traceVerbosity`</a> | Defines the tracing verbosity level for routers attached to this EntryPoint. Possible values: `minimal` (default), `detailed`. Routers can override this value in their own observability configuration. <br/> More information [here](#traceverbosity). | minimal | No |
| <a id="opt-proxyProtocol-trustedIPs" href="#opt-proxyProtocol-trustedIPs" title="#opt-proxyProtocol-trustedIPs">`proxyProtocol.`<br/>`trustedIPs`</a> | Enable PROXY protocol with Trusted IPs. <br/> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br/> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br/> If the PROXY protocol header is passed, then the version is determined automatically.<br/> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| <a id="opt-proxyProtocol-insecure" href="#opt-proxyProtocol-insecure" title="#opt-proxyProtocol-insecure">`proxyProtocol.`<br/>`insecure`</a> | Enable PROXY protocol trusting every incoming connection. <br/> Every remote client address will be replaced (`trustedIPs` won't have any effect). <br/> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br/> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br/> If the PROXY protocol header is passed, then the version is determined automatically.<br/>We recommend using this option only for testing purposes, not in production.<br/> More information [here](#proxyprotocol-and-load-balancers). | - | No |
| <a id="opt-reusePort" href="#opt-reusePort" title="#opt-reusePort">`reusePort`</a> | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br/> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points.<br/> More information [here](#reuseport). | false | No |
| <a id="opt-transport-respondingTimeouts-readTimeout" href="#opt-transport-respondingTimeouts-readTimeout" title="#opt-transport-respondingTimeouts-readTimeout">`transport.`<br/>`respondingTimeouts.`<br/>`readTimeout`</a> | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br/> If zero, no timeout exists. <br/>Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br/>If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
| <a id="opt-transport-respondingTimeouts-writeTimeout" href="#opt-transport-respondingTimeouts-writeTimeout" title="#opt-transport-respondingTimeouts-writeTimeout">`transport.`<br/>`respondingTimeouts.`<br/>`writeTimeout`</a> | Maximum duration before timing out writes of the response. <br/> It covers the time from the end of the request header read to the end of the response write. <br/> If zero, no timeout exists. <br/>Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br/>If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
| <a id="opt-transport-respondingTimeouts-idleTimeout" href="#opt-transport-respondingTimeouts-idleTimeout" title="#opt-transport-respondingTimeouts-idleTimeout">`transport.`<br/>`respondingTimeouts.`<br/>`idleTimeout`</a> | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br/> If zero, no timeout exists. <br/>Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br/>If no units are provided, the value is parsed assuming seconds. | 180s (seconds) | No |
| <a id="opt-transport-lifeCycle-graceTimeOut" href="#opt-transport-lifeCycle-graceTimeOut" title="#opt-transport-lifeCycle-graceTimeOut">`transport.`<br/>`lifeCycle.`<br/>`graceTimeOut`</a> | Set the duration to give active requests a chance to finish before Traefik stops. <br/>Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br/>If no units are provided, the value is parsed assuming seconds. <br/> In this time frame no new requests are accepted. | 10s (seconds) | No |
| <a id="opt-transport-lifeCycle-requestAcceptGraceTimeout" href="#opt-transport-lifeCycle-requestAcceptGraceTimeout" title="#opt-transport-lifeCycle-requestAcceptGraceTimeout">`transport.`<br/>`lifeCycle.`<br/>`requestAcceptGraceTimeout`</a> | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transport.lifeCycle.graceTimeOut` option). <br/> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br/>Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br/>If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
| <a id="opt-transport-keepAliveMaxRequests" href="#opt-transport-keepAliveMaxRequests" title="#opt-transport-keepAliveMaxRequests">`transport.`<br/>`keepAliveMaxRequests`</a> | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br/> Zero means no limit. | 0 | No |
| <a id="opt-transport-keepAliveMaxTime" href="#opt-transport-keepAliveMaxTime" title="#opt-transport-keepAliveMaxTime">`transport.`<br/>`keepAliveMaxTime`</a> | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit. | 0s (seconds) | No |
| <a id="opt-udp-timeout" href="#opt-udp-timeout" title="#opt-udp-timeout">`udp.timeout`</a> | Define how long to wait on an idle session before releasing the related resources. <br/>The Timeout value must be greater than zero. | 3s (seconds) | No |

By default, Traefik does not reject requests whose path contains certain encoded characters that could be used in path traversal or other security attacks.
When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) and notably decodes encoded reserved characters in the request path,
it is recommended to set these options to `false` to avoid a split-view situation and help prevent path traversal attacks or other malicious attempts to bypass security controls.

The replacement of the remote client address will occur only for IP addresses listed in `trustedIPs`. This is where you specify your load balancer IPs or CIDR ranges.
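
The `trustedIPs` decision stated above, as an added Go example that is not Traefik's implementation: `ParseTrusted` and `EffectiveClient` are hypothetical helpers, only the PROXY protocol version 1 text header is handled, and all addresses are constructed documentation-range values.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ParseTrusted converts trustedIPs entries (single IPs or CIDR ranges) to prefixes.
func ParseTrusted(entries []string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, e := range entries {
		if p, err := netip.ParsePrefix(e); err == nil {
			out = append(out, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(e)
		if err != nil {
			return nil, fmt.Errorf("invalid trustedIPs entry %q", e)
		}
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

// EffectiveClient returns the PROXY v1 source address only when the TCP peer is
// inside a trusted prefix; in every other case the peer address itself is kept.
func EffectiveClient(peer string, trusted []netip.Prefix, proxyLine string) string {
	peerAddr, err := netip.ParseAddr(peer)
	if err != nil {
		return peer
	}
	isTrusted := false
	for _, p := range trusted {
		isTrusted = isTrusted || p.Contains(peerAddr)
	}
	f := strings.Fields(proxyLine)
	if !isTrusted || len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return peer
	}
	src, err := netip.ParseAddr(f[2])
	if err != nil {
		return peer
	}
	return src.String()
}

func main() {
	// Constructed values: a load balancer range, one single IP, a sample v1 header.
	trusted, _ := ParseTrusted([]string{"10.0.0.0/8", "192.0.2.10"})
	line := "PROXY TCP4 198.51.100.7 10.0.0.5 51234 443\r\n"
	for _, peer := range []string{"10.0.0.5", "192.0.2.10", "203.0.113.9"} {
		fmt.Printf("peer=%-12s client=%s\n", peer, EffectiveClient(peer, trusted, line))
	}
}
```

The third peer is outside `trustedIPs`, so the address it claims in the header is not used; with `proxyProtocol.insecure` that distinction disappears and any peer can set the client address.
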