Traefik

Self-hosted networking infrastructure, honestly reviewed. No marketing fluff, just what you need to know before putting it in front of your services.

---

TL;DR

• What it is: MIT-licensed reverse proxy and load balancer that auto-discovers your containers and configures routes dynamically — no manual config file edits when you add a new service [README].
• Who it’s for: Developers and technically-minded founders running multiple self-hosted services on a single VPS or a Kubernetes cluster. Not beginner territory.
• Cost savings: Amazon API Gateway charges per request ($3.50 per million API calls + data transfer fees). Traefik Proxy is free. If you’re routing significant traffic, the math gets dramatic fast.
• Key strength: Zero-downtime reconfiguration. Deploy a new Docker container with a label, Traefik picks it up in seconds. Let’s Encrypt HTTPS certificate provisioning happens automatically, with no certbot cron jobs [1][3].
• Key weakness: Configuration has a steep learning curve. Two config layers (static + dynamic), provider-specific label syntax, and a middleware system that’s powerful but verbose. Not the tool you hand to someone who’s never touched a terminal [2][3].

---

What is Traefik

Traefik (pronounced “traffic”) is a reverse proxy and load balancer built for container-centric infrastructure. The GitHub description calls it “The Cloud Native Application Proxy” — which is accurate but undersells what it actually does for self-hosters [README].

The core problem it solves: if you run five services on one VPS — say, a wiki, a password manager, a CRM, a scheduling tool, and a monitoring dashboard — you need something sitting on ports 80 and 443 that reads the incoming hostname and forwards the request to the right container. Traditional options like Nginx require you to write a server block for each service, reload the config, manage SSL certificates manually, and repeat the whole process every time something changes.

Traefik does it differently. You mount the Docker socket into the Traefik container, add labels to your other containers specifying their routing rules, and Traefik watches the Docker API in real time. Deploy a new container, it appears in the routing table. Remove a container, the route disappears. No config edits, no reloads, no restarts [1][README].

The project sits at 62,220 GitHub stars — one of the most-starred infrastructure projects on GitHub — under an MIT license. It’s backed by Traefik Labs, a company that sells commercial products (Traefik Hub, API Gateway, API Management) on top of the open-source core. The OSS proxy is and has remained genuinely free [README].

---

Why people choose it

The three reasons that come up consistently: automation, HTTPS, and single-binary deployment.

The automation angle. Traditional nginx or HAProxy setups require you to touch a config file every time your infrastructure changes. On a Docker Compose setup with a dozen services, that means maintaining a proxy config in parallel with your compose files — and keeping them in sync manually. Traefik eliminates that synchronization problem. The labels on each service are the proxy config. If your compose file is the source of truth for what’s running, Traefik makes it the source of truth for routing too [1][2].

The HTTPS angle. Traefik has built-in ACME client support for Let’s Encrypt. Point it at your domain, configure your email, and it handles certificate requests, renewals, and HTTPS termination automatically. The alternative — a certbot cron job, a renewal hook, nginx reload, certificate paths wired into your proxy config — is a maintenance surface that breaks in surprising ways. Traefik’s approach is one certificate configuration stanza and then silence [3][README].

The single binary. Traefik ships as a single Go binary with zero runtime dependencies. The official Docker image is tiny. Contrast this with nginx, which needs additional modules for modern auth flows, or HAProxy, which needs separate tooling for TLS cert management. On a resource-constrained VPS, that matters [README].

---

Features

What you actually get with Traefik Proxy (the free, MIT-licensed version):

Core routing:

• Automatic route discovery from Docker containers, Docker Swarm, Kubernetes, ECS, Consul, etcd, and file-based config [README]
• Host-based, path-based, and header-based routing rules
• Weighted load balancing, round-robin, sticky sessions
• Multiple load balancing algorithms [README]

TLS and security:

• Built-in ACME client for Let’s Encrypt — HTTP-01, DNS-01, and TLS-ALPN-01 challenges
• Wildcard certificate support
• TLS termination and passthrough
• Client certificate authentication [README][3]

Middleware system:

• Rate limiting, circuit breakers, retry logic [README]
• BasicAuth, DigestAuth, ForwardAuth (delegate auth to an external service)
• IP allow/deny lists
• Headers middleware (CORS, security headers, redirects)
• Compression, buffering, connection throttling

Protocols:

• HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP, UDP [README]

Observability:

• Prometheus metrics endpoint
• InfluxDB 2.x, Datadog, Statsd metrics exporters
• Access logs in JSON and CLF format
• Web UI dashboard showing routes, services, and middleware [README][1]

Operational:

• Continuous configuration updates — no restarts required for routing changes [README]
• REST API for programmatic inspection and some management tasks [README]
• Single binary, official Docker image

What’s NOT in the free version:

The commercial Traefik Hub products layer on SSO/OIDC integration, API key management, distributed rate limiting across replicas, advanced WAF via Coraza, enterprise support, and an API management control plane. For a single VPS running personal or small-team tools, none of this matters. For a team running APIs in production with compliance requirements, you’d be evaluating Hub.

---

Pricing: SaaS vs self-hosted math

Traefik Proxy (OSS):

• Software: $0 (MIT license) [README]
• Infrastructure: whatever your VPS costs — Traefik itself uses roughly 50–100MB RAM idle
• Certificates: $0 (Let’s Encrypt)

Amazon API Gateway (listed SaaS competitor):

• REST API: $3.50 per million API calls
• HTTP API: $1.00 per million API calls
• Plus data transfer out: $0.09/GB after the first 10TB/month
• No self-hosting option

Nginx Proxy Manager (closest free alternative):

• Free, but different model — GUI-based, manual certificate management, no auto-discovery

Concrete numbers for a self-hoster:

Say you run 8 self-hosted services on a $6/mo Hetzner VPS. You add Traefik to the compose stack, add labels to each service, and you have routing + HTTPS for all of them. Total cost for the proxy layer: $0. Certificate renewals: automated. Adding a ninth service: one label in compose file.

The pricing comparison against Amazon API Gateway is somewhat apples-to-oranges — AWS API Gateway is a managed cloud service for APIs, not a self-hosted proxy for personal apps. The more relevant cost comparison is the operational overhead: a manual Nginx setup with certbot means someone’s time every time the infrastructure changes, plus potential downtime when cert renewal fails. Traefik removes that recurring tax [3].

---

Deployment reality check

Traefik has two configuration layers that trip up new users: static configuration (what Traefik is and how it connects to the world — entrypoints, providers, dashboard settings) and dynamic configuration (routing rules, services, middlewares, TLS options). Static config is set at startup via CLI flags, environment variables, or a YAML/TOML file. Dynamic config comes from providers (Docker labels, Kubernetes annotations, or file-based).

This split is logical once you understand it, but it’s not obvious. A common beginner mistake is putting routing rules in the static config and wondering why nothing works [2][3].

The Docker socket security question is real and often glossed over. Mounting /var/run/docker.sock into a container gives that container root-equivalent access to the host. The official docs acknowledge this and note --providers.docker.exposedbydefault=false as a best practice (require explicit opt-in on each container rather than routing everything by default) [3]. For a homelab, this is an acceptable trade-off. For production, the mitigation is using a Docker socket proxy like Tecnativa’s socket-proxy that restricts which operations Traefik can perform.

HTTPS setup is easy in the happy path. If your domain’s DNS points to your server, the Let’s Encrypt HTTP-01 challenge works automatically. DNS-01 challenges (for wildcard certs) require API credentials for your DNS provider — Traefik supports dozens of them, but the configuration is more involved [3].

Dashboard security needs explicit attention. The official quick-start guide enables --api.insecure=true for development convenience — the dashboard is accessible without authentication on port 8080. The production setup in the Docker guide generates a bcrypt password hash and adds BasicAuth middleware to the dashboard router [1][3]. It’s a 10-minute step, but it’s on you to do it.

Realistic time estimates:

• Basic HTTP routing on Docker: 15–30 minutes following the quick-start [1]
• HTTPS with Let’s Encrypt + dashboard auth: 1–2 hours [3]
• Kubernetes Ingress setup: half a day if you’re new to Kubernetes networking
• First time debugging a middleware chain that’s not working: budget an extra hour for reading docs

---

Pros and cons

Pros

• Zero-downtime reconfiguration. Routing changes take effect in real time, no restarts, no dropped connections [README]. This is the feature that makes Traefik genuinely better than manual Nginx for containerized setups.
• Automatic HTTPS. Built-in Let’s Encrypt with automatic renewal. No separate certbot, no cron jobs, no renewal webhooks [README][3].
• MIT license. You can run it, fork it, embed it in a product, run it for clients. No commercial license required for the proxy functionality [README].
• Single binary. One binary, small Docker image, no external dependencies at runtime [README].
• Auto-discovery. Labels on Docker containers = routing config. The proxy config lives with the service definition, not in a separate file [1][2].
• Protocol breadth. HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP, UDP — handles almost anything [README].
• 62K+ GitHub stars and active maintenance — this isn’t a zombie project.

Cons

• Two-layer config model is confusing. Static vs. dynamic, CLI flags vs. YAML vs. labels — understanding which config type goes where takes time. The docs are good but long [2][3].
• Docker socket exposure is a real risk. The default setup mounts the full Docker socket. Fine for homelab, requires mitigation for production [3].
• Middleware syntax is verbose. A rate limiter or auth middleware requires labels across router, middleware, and service — easy to get wrong, hard to debug when something doesn’t work.
• The official docs are for OSS + Hub combined. Some docs sections describe Hub features without clearly marking them as paid. You might read about a feature and not realize it requires the commercial product.
• Not for non-technical users. There’s no GUI that abstracts the complexity. If you’re not comfortable with Docker Compose and reading technical documentation, Nginx Proxy Manager will frustrate you less.
• Dashboard is metrics-only. The web UI shows what Traefik sees (routes, services, middlewares) but doesn’t let you configure anything. Management is via config files or labels, not clicks.

---

Who should use this / who shouldn’t

Use Traefik if:

• You’re running multiple Docker containers on a VPS and want automatic routing without maintaining a separate proxy config file.
• You want HTTPS handled automatically without managing certbot separately.
• You’re comfortable with Docker Compose and can read technical documentation.
• You’re running Kubernetes and want a battle-tested ingress controller that a large chunk of the internet relies on.
• You want MIT license with no usage restrictions.

Skip it (use Nginx Proxy Manager instead) if:

• You want a GUI to manage routing and certificates without touching config files or labels.
• You’re new to self-hosting and the concept of a reverse proxy itself is new.
• You’re running two or three static services that never change — manual Nginx config is fine for that.

Skip it (use Caddy instead) if:

• You want simplicity over power. Caddy’s Caddyfile syntax is significantly cleaner than Traefik’s static+dynamic config split, and automatic HTTPS is also built in. For small setups with no orchestrator, Caddy is arguably easier.
• You don’t need Docker/Kubernetes auto-discovery.

Skip it (use Kong or evaluate Traefik Hub) if:

• You need API management features — rate limiting per API key, developer portal, subscription plans, usage analytics. The free Traefik Proxy doesn’t have these; the commercial Hub tiers do.

---

Alternatives worth considering

• Caddy — single binary like Traefik, automatic HTTPS like Traefik, but Caddyfile syntax is cleaner and the learning curve is lower. Doesn’t have Docker auto-discovery at the same depth, but has a Docker plugin. Better choice for simple setups.
• Nginx Proxy Manager — GUI-based frontend for Nginx. Much easier for non-technical users. No auto-discovery, certificates managed through the UI, but that’s exactly what some people want.
• nginx — the baseline. Maximum configurability, huge community, but no auto-discovery, no built-in cert management, requires reload on changes. Fine for static infrastructure; wrong for containerized setups.
• HAProxy — excellent for high-performance TCP and HTTP load balancing, but no built-in cert management and steeper config syntax. Common in enterprise environments, less common in homelab.
• Kong — API gateway with a management UI. Open-source version is powerful but resource-heavy compared to Traefik. The commercial tiers add the enterprise features Traefik Hub also targets. More overhead than you need for personal self-hosting.
• Amazon API Gateway / AWS ALB — managed services with no ops burden, but the per-request pricing model becomes expensive at scale and you’re locked into AWS infrastructure.

For a developer running five to fifteen services on a VPS, the realistic choice is Traefik vs. Caddy. Traefik wins if you’re running Docker Compose and want labels-based auto-discovery. Caddy wins if you want simpler config and don’t need orchestrator integration.

---

Bottom line

Traefik earned its 62,000 stars by solving a real problem: the reverse proxy configuration maintenance burden in containerized environments. Once you understand the static/dynamic config split and the label syntax, it mostly disappears into the background and does its job — routes traffic, renews certificates, picks up new services automatically. That’s the goal of infrastructure tooling, and Traefik achieves it.

The honest caveat: this is not a tool for non-technical founders who are new to self-hosting. The learning curve is real, and the Docker socket security considerations require attention. But for the developer who’s already comfortable with Docker Compose and wants to stop manually editing Nginx configs every time they add a service, Traefik is the standard answer for good reason.

If you want to self-host a stack of tools and need something to route traffic between them with zero ongoing certificate management overhead, Traefik is worth the afternoon of setup time. If that afternoon of setup is the blocker, that’s exactly the kind of work upready.dev handles for clients — one-time deployment, done.

---

Sources

1. Traefik Labs — Docker Quick Start (official documentation). https://doc.traefik.io/traefik/getting-started/quick-start/
2. Traefik Labs — Getting Started / Install Traefik (official documentation). https://doc.traefik.io/traefik/getting-started/install-traefik/
3. Traefik Labs — Setup Traefik Proxy in Docker Standalone (official documentation). https://doc.traefik.io/traefik/setup/docker/

Primary sources:

• GitHub repository and README: https://github.com/traefik/traefik (62,220 stars, MIT license)
• Official website: https://traefik.io
• Official documentation: https://doc.traefik.io/traefik/