Traefik

devops

Cloud-native reverse proxy and load balancer that auto-discovers services from Docker and Kubernetes labels. Handles SSL certificate provisioning and routing with no manual config file updates.

#reverse-proxy #load-balancer #docker #networking #ssl #self-hosted
Alternative to Nginx, HAProxy, Caddy

Quick Start

docker run -d -p 80:80 -p 443:443 -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock traefik:v3.3 --api.insecure=true --providers.docker

Overview

Traefik is a reverse proxy built for environments where services come and go. Rather than maintaining a static config file, it reads Docker labels or Kubernetes annotations on your containers and generates routing rules on the fly. Deploy a new container with the right labels and Traefik picks it up immediately, without a reload, without editing a file, without a restart.

SSL certificate management is handled automatically through Let’s Encrypt. Add a traefik.http.routers.myapp.tls.certresolver=letsencrypt label to a container, point your DNS to the server, and Traefik requests and renews the certificate. The label only refers to a resolver by name; the resolver itself (here called letsencrypt) has to be defined in Traefik’s static configuration. Wildcard certificates are supported through the DNS challenge, which also works for domains that don’t have a public HTTP endpoint.

The middleware system is where Traefik earns its place in more complex setups. You can attach rate limiting, HTTP basic auth, redirect chains, IP allowlists, and header manipulation to any route through labels, without modifying the service itself. This is useful for putting tools like Portainer or Grafana behind authentication without duplicating auth logic in every service.
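A Compose file illustrating the certificate-resolver and middleware labels described above; this is an added example, not part of the original page or of Traefik's own documentation. The hostname, e-mail address, IP range, rate-limit values, volume name and password hash are placeholder assumptions.

```yaml
# Added example (docker-compose.yml). Hostname, e-mail, IP range and the
# basic-auth hash are placeholders, not values from the page.
services:
  traefik:
    image: traefik:v3.3
    command:
      - "--providers.docker=true"
      # Only containers labelled traefik.enable=true get a route.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Defines the resolver that the tls.certresolver label refers to by name.
      - "--certificatesresolvers.letsencrypt.acme.email=admin@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      # --api.insecure is deliberately not set, so port 8080 is not published.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # :ro protects the socket file only; the Docker API behind it still
      # grants full control of the host's containers.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  grafana:
    image: grafana/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.example.com`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
      # Middlewares are applied in the listed order before Grafana sees the request.
      - "traefik.http.routers.grafana.middlewares=grafana-allow,grafana-rate,grafana-auth"
      - "traefik.http.middlewares.grafana-allow.ipallowlist.sourcerange=192.0.2.0/24"
      - "traefik.http.middlewares.grafana-rate.ratelimit.average=20"
      - "traefik.http.middlewares.grafana-rate.ratelimit.burst=40"
      # htpasswd-format entry; each "$" is doubled so Compose does not interpolate it.
      - "traefik.http.middlewares.grafana-auth.basicauth.users=admin:$$apr1$$REPLACE$$WITH_HTPASSWD_HASH"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"

volumes:
  letsencrypt:
```

Unlike the Quick Start command, this file leaves out --api.insecure=true, which serves the dashboard and API without authentication on port 8080.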

The dashboard provides a live view of all routers, services, and middlewares with current health status. It is read-only, but useful for debugging routing mismatches.

The main friction point is the learning curve. Traefik’s label-based syntax is its own system, and a misplaced label produces a silent failure rather than a clear error. For teams running a handful of Docker services, Caddy or Nginx Proxy Manager may be simpler starting points. For anyone managing a growing set of containerised services or planning to move to Kubernetes, Traefik’s auto-discovery model pays back the upfront learning cost.

Traefik: Pros & Cons

| Pros (The Wins) | Cons (The Friction) |
| --- | --- |
| Auto-discovery: Docker labels generate routes without config file edits. | Learning curve: Label syntax is Traefik-specific; debugging silent failures is hard. |
| Automatic SSL: Let’s Encrypt certs provisioned and renewed per-service. | Overkill for simple setups: Caddy is faster to configure for basic reverse proxy needs. |
| Middleware system: Auth, rate limiting, redirects attached via labels per-service. | Enterprise features gated: Some advanced plugins require the commercial edition. |
| 63.3k stars: Standard choice for Docker Compose self-hosted stacks. | Dynamic config debugging: Mismatched labels fail silently with no obvious error output. |

Use Cases

Specific ways to use Traefik for your workflow.

01. Automatically route traffic to new Docker containers without editing a config file each time you deploy
02. Provision and renew Let's Encrypt SSL certificates for every service without manual certificate management
03. Load balance across multiple instances of a containerised service with health checks and automatic failover
04. Add HTTP authentication or rate limiting to services that don't have their own access controls

Deployment Strategy

Recommended ways to host Traefik in your own environment.

docker
self-hosted