Traefik is pretty cool, but suffers from the same, terrible problem of Ansible: there is a lot of documentation, and a lot of words written, yet you can never find anything you need.

I have used it since v1 and I routinely get lost in their docs, and get immensely frustrated. I have been using Caddy for smaller projects simply because its documentation is not as terrible (though not great by any stretch)

Technical writers: documentation by example is good only for newbies skimming through. People familiar with your product need a reference and exhaustive lists, not explanation for different fields spread over 10 tutorial pages. Focus on those that use the product day in and day out, not solely on the "onboarding" procedure.

This is my pet peeve and the reason why I hate using Ansible so damn much, and Traefik to a lesser extent.

    alias adl='ansible-doc --list'
    alias adls='ansible-doc --list | less -S'
    alias ad='ansible-doc'

We've been using Traefik in prod for 2 years. While I used NGINX in the past, I decided to migrate to Traefik mainly because of the automatic let's encrypt integration. I am sorry for that decision. Traefik's documentation does not make sense to me or my team. It is finicky and misbehaves without proper logging. As an example - when I want to recreate the certificates - it fails sporadically leaving prod down for an indefinite amount of time.

We're moving back to NGINX.

I use caddy rather traefik. It's much easier to manage the Caddyfile compared to the traefik YAML config IMO, and we just keep three separate Caddyfiles for local, production and on-prem deployments. There are a plethora of great plugins, we use the coraza WAF plugin for caddy and it works well.

Why traefik over nginx for my modest needs, a couple docker hosts and a few dozen containers. I use https://github.com/NginxProxyManager/nginx-proxy-manager, would traefik provide a benefit on such a small scale?

A couple weeks ago I was deciding between reverse proxies and eventually settled with Caddy because of its simplicity. However, Traefik's auto discovery of containers and referencing by labels is quite nice, but Caddy has a plugin to do the same.

I read the article but I'm still not convinced Traefik has anything over Caddy for me. Maybe someone else does and can chime in.

Another thing worthy of note is that Traefik is configured by default in K3s. This has allowed K3s to be the quickest way to spin up a K8s cluster for testing, essentially allowing you to treat your cluster like cattle too. Simply add your deployment and associated service using NodePort, and you can access your app without worrying about the ingress controller.

I use a shell script to spin up K3s clusters and test apps I specify as a positional parameter on demand (leveraging the ttl.sh ephemeral container registry). The same script tears down the cluster when finished.

I'm considering moving reverse proxying to Traefik for my self-hosted stuff. Unlike the article's author, I'm running containerized workloads with Docker Compose, and currently using Caddy with the excellent caddy-docker-proxy plugin. What that gets me, currently:

- Reverse proxying, with Docker labels for configuration. New workloads are picked up automatically (but I do need to attach workloads to Caddy's network bridge).

- TLS certificates

- Automatic DNS configuration (using yet another plugin, caddy-dynamicdns), so I don't have to worry too much about losing access to my stuff if my ISP decides to hand me a different IP address (which hasn't happened yet)

There are a few things I'm currently not entirely happy about my setup:

- Any new/restarting workload makes Caddy restart entirely, resulting in loss of access to my stuff (temporarily). Caddy doesn't hand off existing connections to a new instance, unfortunately.

- Using wildcard certs isn't as simple as it could/should be. As I don't want every workload to be advertised to the world through certificate transparency logs, I use wildcard certs, and that means I currently can't use simple Caddy file syntax I otherwise would with a cert per hostname. This is something I know is being worked on in Caddy, but still.

Anyway, I've used Traefik in k8s environments before, and it's been fairly pleasant, so I think I'll give it a go for my personal stuff too!

PS: Don't let this comment discourage you trying Caddy, it's actually really good!

I have used traefik a lot. But I mostly got frustrated with all the docker-compose labels and layers and so many lines just to have a rev proxy. Then I found Caddy. Never looked back.

I guess I was never the audience for Traefik. I just need an https enabled rev proxy. Or a basic-auth layer. In Caddy both are just 1 line, very concise, no layers (which I still don’t understand…)

I've been using traefik for a few years for all my self hosted things.

I abandoned the dynamic/discovery/docker labelling functionality though it was just too finicky and annoying to debug.

Instead I generate a static config file using a template engine, pretty much all my things are just a combination of host/target/port so very easy to generate the relevant sections - I don't really have any complicated middlewares other than handling TLS. It sounds like the author of the linked post has taken the same route.

The config gets generated through an ansible script and then gets copied to the machine where traefik is running - traefik watches the directory where that file is and auto-reloads on changes.

It's been working great!

I use Traefik in production (with containers), and my favorite aspect of it is that the configuration is carried via the labels on containers which means I rarely if ever need to make any modifications to the Traefik config itself. I'd say the biggest con is trying to figure out how to pronounce the name - I think it's just regular traffic, but I can't help wanting to call it "trey-feek" or something like that.

Is it any better than HAProxy? HAProxy has served me well for at least a decade and has also been modernized for the cloud age with the runtime API that allows dynamic configuration.

I use caddy wherever I can. That it can already handle automatic certificates is a big plus. Plus it's very easy to congiure.

The 37Signals/Basecamp team has been working on a small, opinionated replacement for Traefik called Thruster: https://github.com/basecamp/thruster

Would be worth checking out, if you're currently considering options.

Side question - what people use to hide (and make accessible) the internal services such as grafana, prometheus, rabbit mq (the web interface) and such?

Should they be public behind such a proxy? (seems odd) Or should they be totally internal and then setup a Wireguard VPN to reach them?

I’d stay away from it. The magical way to set it up via docker compose tags is nice but doesn’t allow for zero downtime deployment at least until recently.

Getting true zero downtime deployments only worked with their file provider but that’s a bit archaic these days.

I'll stick with caddy. It's worked for me for years.

Funnily I spend my weekend making a traefik config file to gitlab pages on a self hosted instance without pages enabled but using the artifact API. No code involved. Had to configure quite some rewriting logic and use three different plug-ins, which are mostly unmaintained. In the end probably something like nginx, Apache or caddy or a bit of code probably would have worked better, because of all the layering of different middleware. But it worked somehow. I guess it shines through still for easy SSL termination of docker and great observability. That is why at least I have been using it for the past years.

Article spends a lot of time comparing Traefik to HAProxy. Might just as well use HAProxy then :-)

For simple deployments, consider whether you need a reverse proxy at all.

I have IPv6 everywhere, with each service getting its own IPv6 address. Each service is managed in inetd-style (via systemd-socket-proxyd ), and so essentially listens directly.

For services that need to serve IPv4, I have a reverse proxy on my network edge that demuxes on TLS SNI to the corresponding IPv6 address.

The advantage here is never having to deal with complex applications, with their complex and changing configuration.

I love treafik, we use it with nomad/consul and docker to setup our whole infrastructure. The plugin system is also simple yet powerful and the dynamic configs are great for our customers custom domains, we can quickly see if a domain points to the right IP and put it in to get everything working. And of a domain no longer points to is we get a slack notification and it removes it from traefik so it no longer tries to get SSL certificates for it.

In a mirror/reverse of the OPs premise - I always wondered why so many of these open source http reverse proxies sprung up in the container era, like what did they offer that varnish or a vmod to varnish wasn't already doing or capable of? somehow varnish almost completely missed the container era, despite seemingly being the exact type of tool a bunch of teams would go on to create.

For authentication, I had good luck with authentik as forward proxy.

The one thing that bothers me with traefik is that their implementation of ACME does not work if you have some sort of DNS load balancing. I had one setup with three servers responding to the same domain. It seems the first request )to start the ACME dance) would go to one server, and if the second one (with the .well-known address) is sent to a different one, it will just return a 404 and fail the whole thing. Now I either have * to delegate the certificate management to the service itself or add Caddy as a secondary proxy just to get certificate from it.

* Of course, someone smarter than me will point me to a better solution and I will be forever grateful.

You can also use Cloud Seeder [1] which might be easier since it gives each container a dedicated IP. </shamelessplug>

[1] https://github.com/ipv6rslimited/cloudseeder

I don’t get the appeal of Traefik. If you want an easy to use reverse proxy that works well, pick nginx. Want something simple for self-hosting? Take a look as caddy. For Kubernetes, try out Envoy Gateway.

Somehow, I find myself using Caddy everywhere I would use Træfik in the past.

This is one area where I've found nixos to be really helpful. I can set this up with just adding some lines to the configuration.nix (which uses lego(1) and letsencrypt in the backend):

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin-email@provider.net";
    certs."mydomain.example.com" = {
      domain = "*.mydomain.example.com";
      dnsProvider = "cloudflare";
      environmentFile = "/path/to/cloudflare/password";
    };
  };
  
  services.caddy.enable = true;
  
  services.caddy.virtualHosts."subdomain1.mydomain.example.com" = {
    extraConfig = ''
      reverse_proxy 127.0.0.1:1234
    '';
    useACMEHost = "mydomain.example.com";
  };

Configuring with nginx is also fairly similar I think.

1. https://github.com/go-acme/lego

I have moved to Traefik from NGINX aswell because of the built-in support for DNS challenge and wildcard cert. I myself spent many hours trying to get it working for my domain I use at work. I used the same config I use at home (which works perfectly) but could never get it to actually do anything, even though the setup was identical. Same domain registrar with same API based on the same docker configs etc. Had all logs enabled and still I get no information what so ever about why my certificate could not be created. It simply defaulted back to its generated cert without trying it seemed. After two troubleshooting sessions and several hours of searching and troubleshooting I had to admit defeat and just use my own self-signed cert files. Very frustrating when you get no information about why it doesn't work. Just a silent failure and fallback.

Overall that has been my biggest problem with traefik. Its awesome when it works, but when it does not I always seem to have problems troubleshooting and/or finding the information I need in the docs.

At work we will start using Traefik in prod towards the end of the year. I hope Traefik and I will become better friends before that :)

I’ve always just used go’s built in reverse proxy if I need an API gateway. You can adapt it to meet any specific need, easily find libraries to do common tasks (CORS, rate limiting, retries, etc), and the best part: no configuration language. You just write go.

> I decided to migrate to Traefik mainly because of the automatic let's encrypt integration.

You probably already know and maybe it didn't work for you, but there's quite a few Docker companion containers that automate let's encrypt certs for an nginx Docker container.

I had much of the same issues early on in my Traefik experience. Things like using TLS-01 validation but not having DNS records set before config was applied would cause a lot of frustration. Like you, I was frustrated with the amount of logging I was getting. I eventually learned that not having DNS configured appropriately would lead validation attempts to fail after N unsuccessful attempts, and LE would refuse to do another TLS-01 validation for a while, which sounds like the kind of issue you were having.

After moving to DNS-01 validation, which comes with the added benefit of letting me cut certs for services that aren't publicly exposed with way less orchestration required than with TLS-01 style validation, my experience was suddenly much better. Assuming the DNS provider is working (and if it's not, you're hopefully getting an API error from them before LE attempts to validate the record, the failure state happens well before any check failure backoffs happen at LE. At this point, regardless of whether I'm using Traefik, Caddy, Nginx, or any other reverse proxy, I'm pretty committed to only using DNS-01 based validation from LetsEncrypt from now on, or if I have to do TLS-01 based validation, to make darn sure things are right the first time with the Staging API first.

Which, speaking of, if you cut a Staging cert with LE via Traefik, there's no good way to invalidate the staging cert. You have to munge the ACME JSON to remove the cert and restart Traefik (could maybe do a SIGHUP? didn't try) to get it to pickup the changes.

All said, lots of weird silent failures and behaviors, but the biggest pains are making dependent service errors opaque.

I use NGINX and Traefik in prod at work, and for my personal stuff I only use NGINX. It's all just orchestrated containers, no ingress controllers or similar magic anywhere.

I agree with your comments about Traefik being finicky, and would like to add that my very basic inhouse solution to do automatic Let's Encrypt integration (that also works with other ACME compatible CAs) is ~30 lines of bash, which is ran by cron every day. It's rock solid simply by failing hard when standard return codes fail. Monitoring for failed certificate renewals is as easy as handshaking with the endpoint and parsing the NotAfter field in the OpenSSL output. I run this as part of my regular HTTP endpoint monitoring solution at it tells me if any certificate will expire within 14 days.

The absolute worst failures I've experienced is having new domains start with a self-signed certificate until I reloaded nginx manually, and that I had 2 weeks to jump in and sort out some error because a certificate renewal failed.

So at least in my experience it turns out that LE-integration isn't a strong selling point. Logging and ease of configuration is. NGINX is not perfect in those aspects either, but it is a bit more robust and well-documented at least.

You might be happy to know that integration between Let's Encrypt and Nginx is something that's been provided by Certbot for years. The Nginx plugin for Certbot will identify active domains from your Nginx config, create and renew certificates, automating domain validation through the web server in real-time, and will automatically update your config files with both certificate paths and HTTP redirects to HTTPS (if desired).

I've considered Traefik for that too. We had 1800+ domains, so automatic TLS would be useful. But the OSS version didn't have good options for certificate storage imo.

Ended up using nginx and adding a .well-know/certbot endpoint orso that used lua to call certbot. Some bash, rsync & nfs for config management, never had an issue with it. Not fully automated, but close enough. And very debuggable!

We’ve been using Nginx is prod for 3 years. While I used Traefik in the past, I decided to migrate to Nginx mainly because of its scriptability (Traefik plugins suck). I am sorry for that decision. Nginx’s documentation is absolute trash full of non-explanations (far worse than Traefik or Caddy. It’s finicky and misbehaves constantly. Lurking around every corner is a decision from 1995 sticking around in 2024; Nginx can barely function on the modern internet without _significant_ tuning.

On top of it, the OpenResty community must be the rudest, most entitled people in the entire internet. Have a question, “YOURE DOING IT WRONG IDIOT” is the response. Of course every terrible decision they’ve made they justify with “BUT THE PERFORMANCE” as that’s the only thing worth considering.

We’re moving back to Traefik, or Caddy, both still in POC.

If only the caddy ingress were done. I’ve been waiting years for it.

That’s exactly the situation I like Caddy in also.

I use Caddy for single-purpose hosts and the like, but I 100% would throw Traefik at the problems you're describing--and I do, it's my k8s cluster ingest and it runs in my dev environments to enable using `localtest.me` with hostnames.

It's worth kicking the tires on. Both are great at different things.

I use (rootless) docker compose + traefik. Precisely because for wildcard certs it was really painless. Although I use my own DNS server and use RFC2136 DDNS for the LE DNS challenge. No plugins needed, really. I have basically one ansible playbook to set all this up on a vm including templating out the compose files. Then another playbook that can remove everything from the server again (besides data/mounts). For backups I use restic with a custom script that can back up files, different dbs etc to multiple locations.

In the past I deployed k3s but I realized that was too much and too complicated for my self hosted stuff. I just want to deploy things quickly and not have to handle the certs myself.

I have not used Caddy, I use traefik and it discovers docker properties for configuration and TLS certificates with auto update. Not sure about dynamic DNS - I do not use it from Traefik. Adding and removing containers does not need a restart AFAIR.

I've used caddy-docker-proxy in production and it doesn't cause Caddy to drop connections when loading a new config.

I just tested it locally to check and it works fine.

Those are giant limitations. This is the first I hear of any reverse proxy that has to restart and drop connections to update configuration. That is usually the first, most fundamental part of any such server's design.

Heavy +1 on the labels thing. Reduces the scope of things to keep track of massively, even if writing them the first time is slightly harder because of the escaping and verbosity.

I think a combination of traefik and docker compose are in the sweet spot for small scale self hosters that haven't reached the point where k8s will pay off. i.e. if you have less servers than a k8s HA control plane would use.

We're also using it in production. And people might laugh, but naming something which looks fine/cool/quirky on paper, but is actually terrible in practice is a big con. The amount of frowns and laughs we got from colleagues is staggering and a hindrance to implementation and using a product.

We've called it "tray-feek" and it was half ok, then we actually had a call with the official support and they told us its pronounced same as regular "traffic". So any discussion about that proxy goes with: "so we're receiving traffic on our public load balancer which used traffic's native load balancing to send traffic to traffic's pods...". It sounds stupid because it is stupid.

I just pronounce it "traffic". I'm not playing their damn head games.

I would say the biggest con is that, if a container is not existing/running, traefik is not aware of it or its labels. Otherwise you could more easily do cool stuff like maintenance pages, bringing up containers on the first request after inactivity etc. So for me, I have been thinking about creating a plugin that is aware of where I store my compose files and can look at them instead.

ae is closest to y, or hi. So Tryfik, is my guess, otherwise is Trayfik. If it's European fik, might be feek. *Just taking a guess here.

apparently "traffic" https://github.com/traefik/traefik/issues/795

Auth forwarding[1] is normally the route. This allows you to basically zero auth your services. You can also use wireguard or tailscale[2]

[1] https://doc.traefik.io/traefik/middlewares/http/forwardauth/ [2] https://doc.traefik.io/traefik/master/https/tailscale/

Cloudflare tunnels are super convenient and provide lots of auth mechanisms. If you set up a tunnel using cloudflared and proxy the IP through cloudflare, there's nothing even exposed directly to the internet. You can even have different auth requirements for urls (like /admin) or punch holes for stuff like webhooks.

I have set up quite a few as kubernetes pods that direct to private hostnames in different namespaces and pretty happy with it for internal apps.

> what people use to hide (and make accessible) the internal services such as grafana, prometheus, rabbit mq (the web interface) and such?

Proxies or VPNs like you mentioned. You usually don't expose things if you don't have to.

We use tailscale for this exact use case and has been working flawlessly so far. You can even set up ACL lists as a firewall.

For the purposes of some of my self hosted stuff, I wanted to see how far I could go without VPN and instead use mutual tls authentication with my stuff exposed to the internet. Client certs are issued by cert manager in my k8s cluster and traefik does my TLS Auth.

From the internet? Drop them at the ingress level (if using kubernetes). You could also do some ip filtering. Then use an internal proxy (or internal ip of some kind) to reach them.

For proof of concepts, I use cloudflare tunnels which allows you to add ACLs to particular routes.

They are open to the internet but each ingress is using the “external auth” feature of nginx ingress, pointing to our internal login. There’s no vpn or magic ip addresses. Once you’re logged in, you can access whatever you need.

Serve them on a firewalled port, then: 1) VPN if you need to expose them to multiple trusted users, 2) firewall rules to make them accessible to your IP range, or (probably easiest), 3) access them by ssh tunnel.

zero trust, host firewalls, mtls, ssh tunnels, bastion hosts.