What determines precedence when there are conflicting frontend rules?

In my traefik.toml file I have the following:

watch = true

endpoint = "consul:8500"
watch = true
prefix = "traefik"

Traefik dashboard doesn't pick up anything stored in consul if I don't include the [file] flag. (even after executing "traefik storeconfig" in the traefik-alpine container)

But this also causes a problem. If I do include the [file] flag, in the Traefik dashboard ui, File and Consul are separate providers.

When I then go and change, say, a backend url in the consul key/value store, it shows up changed in the Consul provider in the Traefik dashboard, but not in the File provider.

When I try hitting a frontend connected to that backend, it still routes to the old url (presumably to the file provider).

Is there a way to tell Traefik to give the consul provider precedence over the file provider? Or is there a way to utilize the consul provider without having to explicitly place a [File] flag in the initial config?

Hello @ratchet5000,

Can you please provide us with the full Traefik configuration (toml, and your compose file)?


Sure, here they are with the backend urls generified and auth removed


defaultEntryPoints = ["http", "https"]

  address = ":80"

endpoint = "unix:///var/run/docker.sock"
network = "traefik"
watch = true

watch = true

endpoint = "consul:8500"
watch = true
prefix = "traefik"

      url = "https://www.google.com"
      weight = 20
      url = "https://www.google.us"
      weight = 10
      expression = "NetworkErrorRatio() > 0.5"
      amount = 5

    backend = "google"
    passHostHeader = true
    rule = "Path:/maps"
      extractorFunc = "client.ip"
        period = 10
        average = 10
        burst = 20


version: '3.7'
    image: traefik:alpine
    command: --web --web.address=:81 \
      --docker --docker.watch --docker.domain=localhost \
      --debug --logLevel=DEBUG \
      --defaultentrypoints=http \
      --docker.exposedbydefault=false \
      - 80:80
      - 81:81
      - 443:443
      - 8080:8080       
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.toml:/traefik.toml
    image: consul:latest
      - "8500:8500"

Hello @ratchet5000,

Traefik has the capability to load its static configuration from a variety of sources: (https://docs.traefik.io/v1.7/basics/#static-traefik-configuration), and dynamic configuration from multiple providers.

As configured, you have static configuration coming from the Configuration file, and from Consul, and your command arguments in your compose file.

You also have Dynamic configuration coming from Docker, Consul, and the File provider. These are all independent of each other, and are not consolidated.

Let me ask a few questions:

  1. Why are you using consul? Are you using it to dynamically configure frontends and backends? If so, why would you want to use the file provider to define frontends/backends?
  2. Are you using the docker provider?
  3. What version of traefik are you using? The --web provider has been deprecated for a few versions now, so you should not use it.
  1. I'm using consul for a dynamic configuration where the key/value store can be manipulated by a separate ui, and Traefik can update its own config in real time. As I mentioned in OP, Traefik does not pick up any keys or values if the [file] flag is not present even though they show up in the Consul UI after key values are inserted into Consul (manually and with traefik storeconfig). This is also how the consul example is setup in the 1.7 documentation.

  2. I'm using the docker provider to point towards a foward auth server (and potentially the aforementioned key/value editing UI) that is deployed as a container concurrently with the Traefik and consul container.

  3. The latest Traefik:alpine image, 1.7.12, should be no problem to remove that label, it's a remnant from my earlier experiments on Traefik.


Can you add your google frontend + backend into consul? if so, there is no need for the file provider, or the configuration toml file at all...

The documentation (https://docs.traefik.io/v1.7/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store) demonstrates uploading the configuration to consul, and then does NOT use the configuration file again. It only uses consul.

What I am trying to illustrate is that by mixing and duplicating configuration sources, finding out where the applied configuration is coming from is difficult.

This is why I would suggest streamlining your configuration by doing the following:

  1. Enable consul via the CLI (flags) only.
  2. Do not use toml/config file, since you are not doing anything that requires it.
  3. Move your google frontend+backend to the consul provider either by using storeconfig, or by manually creating it.

This will allow you to only have one source of configuration: consul, and will make debugging 100x easier.

1 Like

Alright thanks, was definitely thrown off by that page in the docs