Traefik

A cloud-native reverse proxy and load balancer that auto-discovers services in Docker and Kubernetes environments and configures routing dynamically, with no restart needed after a configuration change.

Traefik (pronounced "traffic") is a reverse proxy built for dynamic environments. Where Nginx requires you to restart the process after every config change, Traefik watches your Docker socket or Kubernetes API and reconfigures itself in real time as containers start and stop. This makes it the natural choice for containerized microservices.

Core Concepts

  • EntryPoints — ports Traefik listens on (80, 443)
  • Routers — rules that match incoming requests (by host, path, header) and direct them to services
  • Services — the backends receiving traffic (your containers/pods)
  • Middlewares — transformations applied to requests/responses (authentication, rate limiting, redirects, headers)
  • Providers — sources Traefik watches for configuration (Docker, Kubernetes, Consul, file)

Auto-Discovery with Docker

With the Docker provider enabled, you configure Traefik via container labels:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.myapp.rule=Host(`myapp.example.com`)"
  - "traefik.http.routers.myapp.entrypoints=websecure"
  - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"

Start the container and Traefik picks up the labels, issues a TLS certificate via Let's Encrypt, and begins routing, with no Traefik restart.

Kubernetes Ingress Controller

In Kubernetes, Traefik serves as an Ingress Controller, processing Ingress resources and the newer IngressRoute CRD (which supports more advanced routing rules). Deploy Traefik with Helm, configure it via CRDs, and it handles all inbound traffic routing for your cluster.

Automatic TLS

Traefik integrates with Let's Encrypt via ACME — configure a certificate resolver and it automatically issues, renews, and serves TLS certificates for any domain it routes. No certbot cron jobs, no manual cert management.
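The labels in the Docker section only work if the entry point and certificate resolver they name exist in Traefik's own configuration. The Compose file below is an added example, not from the original page, that defines both and keeps unlabelled containers off the proxy. The image tags, e-mail address, volume name and the choice of the TLS-ALPN challenge are assumptions.

```yaml
# docker-compose.yml (constructed example; domain, e-mail and paths are placeholders)
services:
  traefik:
    image: traefik:v3.0
    command:
      # Docker provider: watch the socket for container start/stop events
      - "--providers.docker=true"
      # Route only containers that carry traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      # EntryPoints referenced by the router labels
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect plain HTTP to HTTPS at the entry point
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Resolver named "letsencrypt", matching tls.certresolver in the labels
      - "--certificatesresolvers.letsencrypt.acme.email=admin@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # A read-only mount does not restrict Docker API calls: any process
      # that can reach this socket can control the Docker daemon.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Persist issued certificates and the ACME account key across restarts
      - "letsencrypt:/letsencrypt"

  myapp:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`myapp.example.com`)"
      - "traefik.http.routers.myapp.entrypoints=websecure"
      - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"

volumes:
  letsencrypt:
```

The dashboard is left disabled here; if it is turned on, it should sit behind a router with an authentication middleware instead of being exposed directly.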

Traefik vs Nginx

  • Nginx — more mature, higher raw performance for static file serving, better support for non-HTTP protocols; requires restart for config changes
  • Traefik — dynamic reconfiguration, native Docker/Kubernetes integration, built-in Let's Encrypt, dashboard for observability; less tunable at the edge

For containerized services with frequent deployments, Traefik wins on ops efficiency. For high-performance static serving or complex Nginx configs, Nginx remains strong.

  • Caddy — simpler alternative with similar auto-HTTPS; less feature-rich for dynamic environments
  • Kubernetes — primary environment where Traefik serves as Ingress Controller
  • Docker — Docker provider enables Traefik's auto-discovery
  • Cloudflare Tunnel — handles connectivity; Traefik handles routing once traffic arrives
  • Helm — standard way to deploy Traefik in Kubernetes
