how-to-guide

Traefik Entry Points and Routing Priority: A Complete Configuration Guide

March 5, 2026 traefik/traefik ↗

Traefik entry points are defined in static configuration files to specify network listeners, while routing priority—either set explicitly via the priority field or computed automatically based on rule length—determines which router handles requests when multiple rules match.

Traefik entry points and routing priority control how the proxy accepts and distributes incoming traffic. This guide analyzes the traefik/traefik source code to explain how static configuration defines entry points in pkg/config/static/entrypoints.go and how the router manager in pkg/server/router/router.go resolves conflicts using priority-based sorting.

Configuring Traefik Entry Points in Static Configuration

Entry points are part of Traefik's static configuration, loaded once at startup. They define the network addresses where Traefik listens for incoming requests.

EntryPoint Struct and Key Configuration Options

The EntryPoint struct in pkg/config/static/entrypoints.go contains the following fields:

Address: Network address with optional protocol (:80, :443/tcp, :53/udp). Defaults to TCP if unspecified.
AsDefault: Boolean marking this entry point as the default for routers that don't specify one.
Transport: Low-level TCP settings including timeouts and keep-alive configurations.
ProxyProtocol: Enables Proxy Protocol support for deployments behind load balancers.
ForwardedHeaders: Trusted IP ranges for X-Forwarded-* headers.
HTTP, HTTP2, HTTP3: Protocol-specific options for TLS defaults, middlewares, and redirections.
UDP: UDP-specific idle timeout settings.
Observability: Per-entry point toggles for logging, metrics, and tracing.
ReusePort: Enables SO_REUSEPORT for multiple processes binding the same port.
AllowACMEByPass: Allows custom routers to handle ACME HTTP/TLS-01 challenges.

Basic EntryPoint Configuration Example

entryPoints:
  web:
    address: ":80"
    asDefault: true
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: myresolver
    transport:
      respondingTimeouts:
        readTimeout: 10s
        writeTimeout: 10s

How Traefik Routing Priority Works

When multiple routers match an incoming request, Traefik uses priority to determine which handler executes. Priority can be explicit (user-defined) or implicit (computed from rule specificity).

Explicit Router Priority Configuration

Routers in dynamic configuration accept an optional priority field. According to pkg/server/router/router.go (lines 45-48), explicit priorities must not exceed maxUserPriority, a safety ceiling defined in the source code. Exceeding this limit causes Traefik to reject the configuration with a validation error.

http:
  routers:
    api:
      rule: "Host(`api.example.com`)"
      priority: 200
      service: api-service
    web:
      rule: "Host(`example.com`)"
      priority: 100
      service: web-service

Higher numeric values indicate higher precedence. In this example, requests to api.example.com are handled by the api router despite both routers potentially matching if wildcards were used.

Computed Priority Based on Rule Specificity

When no explicit priority is set, Traefik calculates priority automatically using httpmuxer.GetRulePriority(rule) (see pkg/muxer/http/mux.go). The algorithm evaluates:

Rule length: Longer rule strings receive higher priority values, favoring specific paths over generic hosts.
Special cases: The wildcard HostSNI("*") receives priority -1 (lowest possible).

This ensures that Host(\example.com`) && Path(`/api/v1/users`)automatically outranksHost(`example.com`)` without manual priority assignment.

Priority Sorting and Route Selection

The HTTP muxer in pkg/muxer/http/mux.go (line 220) sorts routes using a comparator that orders by descending priority: r[i].priority > r[j].priority. When processing a request, Traefik evaluates routes in this sorted order and selects the first match.

If two routers share identical priority values, Traefik preserves configuration order. The router defined first in the dynamic configuration wins the tie because the muxer maintains stable insertion order after sorting.

Complete Configuration Examples

HTTP to HTTPS Redirection with EntryPoints

Entry points can automatically redirect traffic using the redirections field. According to pkg/config/static/entrypoints.go (lines 33-41), redirection routers automatically receive priority math.MaxInt-1, ensuring they intercept traffic before user-defined routes.

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt

Overlapping Routes with Explicit Priorities

When rules overlap, explicit priorities ensure specific handlers win:

http:
  routers:
    specific-api:
      rule: "Host(`example.com`) && PathPrefix(`/api`)"
      priority: 150
      service: api-service
    generic-web:
      rule: "Host(`example.com`)"
      priority: 50
      service: web-service

Requests to example.com/api/users are routed to api-service despite both routers matching the host.

Implicit Priority Through Rule Length

Without explicit priorities, longer rules automatically outrank shorter ones:

http:
  routers:
    user-profile:
      rule: "Host(`example.com`) && Path(`/users/{id}/profile`)"
      service: profile-service
    users-api:
      rule: "Host(`example.com`) && PathPrefix(`/users`)"
      service: users-service
    catch-all:
      rule: "Host(`example.com`)"
      service: default-service

The user-profile router handles /users/123/profile due to its longer rule string, while users-api handles /users/list, and catch-all handles the root path.

Summary

Traefik entry points are defined in static configuration (pkg/config/static/entrypoints.go) using the EntryPoint struct, which controls listening addresses, default behaviors, TLS settings, and transport options.
Routing priority can be set explicitly via the priority field in dynamic router configuration, subject to the maxUserPriority safety limit enforced in pkg/server/router/router.go.
Computed priority derives from rule string length when no explicit priority is set, with longer rules receiving higher priority via httpmuxer.GetRulePriority in pkg/muxer/http/mux.go.
Route selection sorts routers by descending priority (line 220 in pkg/muxer/http/mux.go), selecting the first match while preserving configuration order for ties.
Entry point redirections automatically receive maximum priority (math.MaxInt-1) to ensure HTTP-to-HTTPS redirects intercept traffic before user-defined routes.

Frequently Asked Questions

What is the maximum priority value allowed in Traefik?

Traefik enforces a safety ceiling called maxUserPriority in pkg/server/router/router.go (lines 45-48). If you configure a router with a priority exceeding this limit, Traefik rejects the configuration during startup with a validation error. For extremely high priority needs, use entry point redirections which automatically receive math.MaxInt-1.

How does Traefik handle multiple routers with the same priority?

When two routers share identical priority values, Traefik preserves the order in which they appear in the dynamic configuration. The HTTP muxer in pkg/muxer/http/mux.go maintains stable insertion order after sorting by priority, meaning the first router defined in your configuration wins the tie and handles the request.

Can I configure EntryPoints dynamically without restarting Traefik?

No. EntryPoints are part of Traefik's static configuration defined in pkg/config/static/entrypoints.go and are loaded once at startup. Changing entry point addresses, protocols, or default behaviors requires a Traefik restart. Only routers, services, and middlewares (dynamic configuration) can be updated without restarting.

Why does my shorter rule match instead of my longer, more specific rule?

This happens when the shorter rule has an explicit priority value higher than the computed priority of the longer rule. Traefik evaluates explicit priorities before computed ones based on rule length. To ensure specificity wins, either remove explicit priority assignments (allowing automatic calculation via httpmuxer.GetRulePriority) or set the specific router's priority higher than the generic one.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:

curl -s "https://instagit.com/install.md"

Add to your MCP client configuration:

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}

Ask your agent:

"Use Instagit MCP to understand how traefik/traefik works."

Works with

Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →