
Key takeaways
• Traefik is a Docker-native reverse proxy. It reads container labels and reconfigures routes on the fly — no config reload, no nginx -s reload, no rewrites in your CI. The whole point is that adding a service is one Compose file edit, not a sysadmin ticket.
• Pick Traefik when your services churn; pick NGINX when they don’t. Container-rich workloads (microservices, multi-tenant SaaS, preview environments) win with Traefik’s automatic discovery; static, low-churn front-ends are still cheaper to run on NGINX or Caddy.
• Free Let’s Encrypt out of the box. Traefik renews certificates automatically via ACME (HTTP-01 or DNS-01 challenge). For wildcards you need DNS-01 plus a supported provider (Cloudflare, Route 53, GCloud DNS).
• Traefik v3 is the version to start on in 2026. v3 makes HTTP/3 generally available (it was an experimental flag in v2), adds WASM middleware, native OpenTelemetry tracing, the Kubernetes Gateway API and SPIFFE workload identity. The v2→v3 migration is gentle: most Docker labels carry over unchanged, the static config gets a few renames, and a handful of rule matchers change syntax (HostRegexp takes a plain Go regexp, Headers() becomes Header(), IPWhiteList becomes IPAllowList).
• This guide ships the full config. You’ll leave with a working traefik.yml + docker-compose.yml, automated TLS, the dashboard, basic-auth middleware, and a wildcard-cert resolver — the same patterns we ship in real Fora Soft projects.
Why Fora Soft wrote this guide
Fora Soft has shipped real-time video, AI, and SaaS products since 2005, with 625+ delivered software products and a 100% job-success score on Upwork. Behind every one of those products there’s a reverse proxy doing the boring, important work: TLS termination, routing, rate-limiting, basic auth, header rewrites. This article is the Traefik configuration we actually run — not a Hello World.
The original version of this post won the 2022 HackerNoon Noonies for Containers. What you’re reading is the 2026 update: Traefik v3, HTTP/3, wildcard certificates, OpenTelemetry tracing, and the security middleware we add as a default in production. If you want the engineers who run that stack on real customer-facing products, jump to the closing CTA.
Stuck on Traefik, NGINX, or your container infra in general?
We do backend, DevOps and real-time video infrastructure for clients across SaaS, surveillance and edutainment. Bring your config and we’ll review it — or build it for you.
What Traefik is, in one paragraph
Traefik is a cloud-native reverse proxy and load balancer that watches your service registry (Docker, Kubernetes, Consul, Nomad, ECS) and configures routes from labels, with no static nginx.conf. You declare a Docker container with a label like traefik.http.routers.api.rule=Host(`api.example.com`), the container starts, Traefik picks it up, requests a Let’s Encrypt certificate if the router names a certificate resolver, and starts routing traffic. Service stops → route disappears. That’s the entire mental model.
Traefik vs NGINX vs Caddy — pick by churn, not by hype
| Dimension | Traefik v3 | NGINX | Caddy |
|---|---|---|---|
| Service discovery | Native (Docker, K8s, Consul, ECS, Nomad) | Manual or via plus/Kubernetes Ingress | Plugin-based, smaller ecosystem |
| Auto TLS (Let’s Encrypt) | Built-in (HTTP-01, DNS-01, TLS-ALPN-01) | Via certbot or NGINX Plus | Built-in (best in class) |
| HTTP/3 & QUIC | v3 native | Yes (recent) | Yes |
| Raw RPS / latency | Good (ballpark ~30–50k RPS/core; hardware- and config-dependent, measure your own) | Best (ballpark ~50–100k RPS/core, same caveat) | Good |
| Config style | Static YAML/TOML + dynamic labels | Imperative nginx.conf | Caddyfile (declarative, terse) |
| Dashboard / observability | Built-in dashboard, OTel, metrics | Plus only / external | Limited |
| Best fit | Microservices, multi-tenant SaaS, preview envs | High-RPS static front, raw performance | Small static sites, hobby servers |
Reach for Traefik when: your services come and go (microservices, preview environments, multi-tenant deploys), you want auto-TLS without scripting certbot, and you can spend a single-digit % of CPU on the proxy in exchange for the operational simplicity.
A minimal production-shaped traefik.yml
This is the static config we start every project from. It defines the entry points (HTTP and HTTPS), redirects HTTP→HTTPS, enables the Docker provider, sets up an ACME certificate resolver against Let’s Encrypt, and turns on the dashboard. Comments use #.
```yaml
# traefik.yml — static config
log:
  level: INFO

api:
  dashboard: true
  insecure: true   # serves the API/dashboard unauthenticated on :8080 inside the container.
                   # Only acceptable while that port is bound to 127.0.0.1 on the host and reached
                   # over an SSH tunnel; any container on the traefik network can still hit it,
                   # so for a real deployment publish api@internal behind auth instead.

providers:
  docker:
    network: traefik
    exposedByDefault: false   # opt-in per service via traefik.enable=true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  https:
    address: ":443"
    http3: {}   # HTTP/3 is GA in v3; the host must also publish UDP 443

certificatesResolvers:
  simple-resolver:
    acme:
      email: ops@example.com
      storage: /letsencrypt/acme.json   # must sit on a persistent volume, mode 0600
      httpChallenge:
        entryPoint: http   # the ACME challenge is answered before the HTTP→HTTPS redirect applies

accessLog:
  format: json   # one JSON object per request, written to stdout unless filePath is set

metrics:
  prometheus: {}   # /metrics on the internal traefik entry point (:8080 here)
```
Companion docker-compose.yml
```yaml
services:
  traefik:
    image: traefik:v3.1        # pin a minor tag and bump it deliberately; never :latest
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"          # HTTP/3 (QUIC) needs UDP 443
      - "127.0.0.1:8080:8080"  # dashboard/API, loopback only; reach it via ssh -L
    volumes:
      # :ro does not restrict the Docker API: whoever can talk to this socket is root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - /data/letsencrypt:/letsencrypt   # acme.json lives here and survives restarts
    networks:
      - traefik

  whoami:
    image: traefik/whoami
    restart: always
    # no ports: mapping; Traefik reaches the container over the shared network
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.http.routers.whoami.rule=Host(`example.com`)
      - traefik.http.routers.whoami.entrypoints=https
      - traefik.http.routers.whoami.tls.certresolver=simple-resolver
      - traefik.http.services.whoami.loadbalancer.server.port=80
    networks:
      - traefik

networks:
  traefik:
    external: true
```
Run docker network create traefik once, then docker compose up -d. Hit https://example.com — you should see the whoami output and a green padlock.
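The docker.sock mount above hands Traefik the full Docker API even with :ro, and the Docker API is root on the host. The layout below puts a filtered proxy in between so that a compromised Traefik can list containers but cannot create, start or exec anything. This is an added example and not the page’s own Compose file; the tecnativa/docker-socket-proxy image, its environment flags and the socket-proxy network name are assumptions (pin the image to a tag you have verified yourself).

```yaml
# docker-compose.yml fragment: Traefik talks to a filtered Docker API proxy
# instead of the raw socket. Added example, not the page's original config.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy   # pin a tag you have checked
    restart: always
    environment:
      - CONTAINERS=1   # list/inspect containers: all the Docker provider needs
      - NETWORKS=1     # network lookups behind traefik.docker.network
      - EVENTS=1       # change events drive Traefik's live reconfiguration
      - SERVICES=0     # Swarm endpoints stay off on a plain Compose host
      - TASKS=0
      - POST=0         # no create/start/exec/kill through this proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy   # private network only: never attach it to the `traefik` network

  traefik:
    image: traefik:v3.1
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
      - "127.0.0.1:8080:8080"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro   # the docker.sock mount is gone
      - /data/letsencrypt:/letsencrypt
    networks:
      - traefik
      - socket-proxy
    depends_on:
      - socket-proxy

networks:
  traefik:
    external: true
  socket-proxy:
    internal: true   # no default gateway; only traefik and socket-proxy are members
```

Point the provider at the proxy in traefik.yml with providers.docker.endpoint: tcp://socket-proxy:2375 (plain HTTP is fine on an internal network that only these two containers join). To check the write path is really closed, a GET to http://socket-proxy:2375/containers/json from a container on that network should return the list while a POST to /containers/create should get a 403.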
Reaching the dashboard safely
The dashboard is bound to 127.0.0.1:8080 on the host, so it’s not exposed to the internet. Open it via SSH port-forward:
```sh
ssh -L 8080:localhost:8080 deploy@example.com   # use a non-root account with the needed sudo rights
# then open http://localhost:8080/dashboard/ in your browser
```
For dashboards that need to be available remotely without SSH, expose it through Traefik itself behind a basic-auth middleware (next section).
Useful middlewares we ship by default
Three middlewares cover 90% of real-world needs: basic auth, security headers, and rate limiting.
```yaml
# add to a service’s labels in docker-compose.yml

# 1) basic auth on the dashboard; hash from htpasswd (see note below), every $ doubled
- traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$Cyl...

# 2) security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
- traefik.http.middlewares.sec-headers.headers.stsSeconds=31536000
- traefik.http.middlewares.sec-headers.headers.stsIncludeSubdomains=true
- traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true
- traefik.http.middlewares.sec-headers.headers.frameDeny=true

# 3) rate limit: average 50 req/s (period defaults to 1s), bursts up to 100, keyed per client IP
- traefik.http.middlewares.api-rl.ratelimit.average=50
- traefik.http.middlewares.api-rl.ratelimit.burst=100

# attach middlewares to a router; they run in the order listed
- traefik.http.routers.api.middlewares=sec-headers,api-rl
```
Note the doubled $$ in the basic-auth string: Compose interpolates ${VAR} in label values, so every $ in the hash has to be escaped. Generate the hash with htpasswd -nbB admin yourPassword (-B selects bcrypt; htpasswd’s default apr1-MD5 still works but is the weakest scheme Traefik accepts), then double the dollars before pasting. We no longer set browserXssFilter: the X-XSS-Protection header it emits is deprecated, current browsers ignore it, and the filter it switched on introduced cross-site information leaks of its own; a contentSecurityPolicy value does that job properly. Also note that the rate limiter keys on the request’s remote address by default, so behind a CDN or L4 load balancer every user shares one bucket unless you set ratelimit.sourcecriterion.ipstrategy.depth and trust that proxy in the entry point’s forwardedHeaders.trustedIPs.
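The dashboard can be published through Traefik itself instead of a host port, which is what the previous section defers to here. The following is an added example, not the page’s Compose file: the hostname traefik.example.com, the 203.0.113.0/24 and 10.8.0.0/24 ranges, the middleware names and the placeholder hash are assumptions. It assumes api.insecure is set to false (or removed) and the 127.0.0.1:8080:8080 mapping is dropped once this router exists. The last group goes beyond the page’s rate-limit example by showing how to key the bucket on the real client address when Traefik sits behind a trusted load balancer.

```yaml
# labels on the traefik service in docker-compose.yml (added example, not the page's config)
services:
  traefik:
    # image/ports/volumes/networks as in the page's compose file, without the 8080 mapping
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik

      # Dashboard and API through the normal HTTPS entry point. api@internal is
      # Traefik's built-in service, so no loadbalancer.server.port label is needed.
      - traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      - traefik.http.routers.dashboard.entrypoints=https
      - traefik.http.routers.dashboard.tls.certresolver=simple-resolver
      - traefik.http.routers.dashboard.service=api@internal
      # Middlewares run in the order listed: source-IP gate first, then auth, then headers.
      - traefik.http.routers.dashboard.middlewares=office-only,dashboard-auth,sec-headers

      # 1) Only office and VPN ranges even get a login prompt (v3 name ipallowlist; v2 was ipwhitelist).
      #    Keyed on the TCP remote address, which is correct when Traefik is the first hop.
      - traefik.http.middlewares.office-only.ipallowlist.sourcerange=203.0.113.0/24,10.8.0.0/24

      # 2) Basic auth. Hash from `htpasswd -nbB admin 'yourPassword'` (bcrypt), every $ doubled
      #    because Compose interpolates ${...}. Replace the placeholder with the real hash.
      - traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_HTPASSWD_OUTPUT
      - traefik.http.middlewares.dashboard-auth.basicauth.removeheader=true   # upstream never sees the Authorization header

      # 3) Security headers. HSTS is only emitted on TLS responses, so the set is safe to reuse on any router.
      - traefik.http.middlewares.sec-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.sec-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.sec-headers.headers.stsPreload=true
      - traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true
      - traefik.http.middlewares.sec-headers.headers.frameDeny=true
      - traefik.http.middlewares.sec-headers.headers.referrerPolicy=strict-origin-when-cross-origin
      - traefik.http.middlewares.sec-headers.headers.permissionsPolicy=camera=(), microphone=(), geolocation=()

      # 4) Rate limit for the API router. Without sourcecriterion the key is the remote address,
      #    which behind a CDN or L4 load balancer is always the proxy: one bucket for everybody.
      - traefik.http.middlewares.api-rl.ratelimit.average=50
      - traefik.http.middlewares.api-rl.ratelimit.burst=100
      #    Behind exactly one trusted proxy hop, take the address one position before it in
      #    X-Forwarded-For. Enable this ONLY together with entryPoints.https.forwardedHeaders.trustedIPs
      #    in traefik.yml; otherwise the header is client-controlled and the limit is trivially bypassed.
      # - traefik.http.middlewares.api-rl.ratelimit.sourcecriterion.ipstrategy.depth=1
```

With this in place the dashboard is reachable at https://traefik.example.com/dashboard/ only from the allowlisted ranges, and only with credentials; a request from anywhere else is rejected by the IP gate before Basic auth is ever offered, which also keeps password-guessing noise out of your auth logs.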
Need a Traefik / Kubernetes review?
We’ll audit your reverse-proxy + ingress setup, fix the silent misconfigurations, and leave you with a runbook. Useful before any production launch or migration.
Wildcard certificates with DNS-01
For multi-tenant SaaS where every customer gets a subdomain — acme.example.com, tenant42.example.com — you don’t want a separate cert per tenant. Use a wildcard via DNS-01.
```yaml
# traefik.yml — add a second resolver
certificatesResolvers:
  wildcard-resolver:
    acme:
      email: ops@example.com
      storage: /letsencrypt/acme.json   # resolvers may share the store; Traefik keys entries by resolver name
      dnsChallenge:
        provider: cloudflare
        resolvers:   # public resolvers for the propagation check, not the host's split-horizon DNS
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```
```yaml
# docker-compose.yml — Cloudflare API token via a Compose secret + wildcard router
services:
  traefik:
    environment:
      # lego reads the *_FILE variant, so the token never sits in the process environment.
      # Scope the token to Zone / DNS / Edit on this one zone, nothing wider.
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_token
    secrets:
      - cf_token

  api:
    # image, networks and loadbalancer.server.port as for whoami
    labels:
      - traefik.enable=true
      # v3 HostRegexp takes a plain Go regexp (the v2 {name:regex} form is gone);
      # the $ anchor is doubled so Compose does not try to interpolate it.
      - traefik.http.routers.api.rule=HostRegexp(`^[a-z0-9-]+\.example\.com$$`)
      - traefik.http.routers.api.entrypoints=https
      - traefik.http.routers.api.tls.certresolver=wildcard-resolver
      # a regexp rule cannot tell Traefik which certificate to order, so name it explicitly
      - traefik.http.routers.api.tls.domains[0].main=example.com
      - traefik.http.routers.api.tls.domains[0].sans=*.example.com

secrets:
  cf_token:
    file: ./cloudflare-token.txt   # chmod 600 and keep it out of git
```
Cloudflare, Route 53, GCloud DNS, DigitalOcean, OVH and a long list of others are supported. The provider list is in the official docs.
Migrating from Traefik v2 to v3
Traefik v3 is the version we run on new projects in 2026. The migration is gentle: most Docker labels stay the same, and core.defaultRuleSyntax: v2 in the static config keeps the old rule parser active while you convert stacks one at a time.
What changes: a small set of static-config renames (tracing collapses into a single otlp block, the Swarm provider splits out of the Docker provider, Pilot is gone), plugin manifests, experimental flags such as http3 promoted to GA, and the rule syntax: HostRegexp takes a plain Go regexp instead of {name:regex}, Headers() and HeadersRegexp() become Header() and HeaderRegexp(), regexps inside Path()/PathPrefix() are no longer accepted (use PathRegexp()), and the IPWhiteList middleware is renamed IPAllowList. What stays the same: the routers/services/middlewares model, the rest of your labels, and your ACME storage. Read the official v2→v3 migration guide before bumping the image tag.
Why upgrade: HTTP/3, OpenTelemetry, WASM middleware, Kubernetes Gateway API, SPIFFE for workload identity. The performance ceiling is also higher in v3.
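The label-level changes that bite during the bump, written as before/after pairs. This is an added example rather than the page’s own configuration; the router and middleware names (t1, t2, t3, lan, legacy) and the hostnames are placeholders.

```yaml
# v2 -> v3: the Compose label forms that do not survive an image bump (added example)
labels:
  # 1) HostRegexp takes a plain Go regexp in v3; the v2 named-group form is gone.
  #    v2: HostRegexp(`{tenant:[a-z0-9-]+}.example.com`)
  #    The $ anchor is doubled because Compose interpolates $ in label values.
  - traefik.http.routers.t1.rule=HostRegexp(`^[a-z0-9-]+\.example\.com$$`)

  # 2) Regexps inside Path()/PathPrefix() are no longer accepted; use PathRegexp().
  #    v2: PathPrefix(`/orders/{id:[0-9]+}`)
  - traefik.http.routers.t2.rule=Host(`api.example.com`) && PathRegexp(`^/orders/[0-9]+`)

  # 3) Headers()/HeadersRegexp() became Header()/HeaderRegexp(), one header per call.
  #    v2: Headers(`X-Env`, `staging`)
  - traefik.http.routers.t3.rule=Host(`api.example.com`) && Header(`X-Env`, `staging`)

  # 4) IPWhiteList is IPAllowList in v3; the options are unchanged.
  #    v2: traefik.http.middlewares.lan.ipwhitelist.sourcerange=10.0.0.0/8
  - traefik.http.middlewares.lan.ipallowlist.sourcerange=10.0.0.0/8

  # 5) Per-router escape hatch while migrating stack by stack: keep this one on the v2 parser.
  #    The global equivalent is core.defaultRuleSyntax: v2 in traefik.yml, which flips every
  #    router without an explicit ruleSyntax back to the old parser during the transition.
  - traefik.http.routers.legacy.rule=HostRegexp(`{tenant:[a-z0-9-]+}.example.com`)
  - traefik.http.routers.legacy.ruleSyntax=v2
```

Grep your Compose files and dynamic-config directory for HostRegexp, PathPrefix with a `{`, Headers(, HeadersRegexp( and ipwhitelist before the bump; those five patterns are the ones that turn into a silently missing route rather than a startup error.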
HTTP/3 and QUIC, in three lines
Add http3: {} to your HTTPS entry point and publish UDP 443 on the host (the Compose file above maps "443:443/udp"). HTTP/3 was an experimental flag from v2.6 and is generally available in v3, so nothing else needs switching on. Traefik advertises the port in an Alt-Svc header; if the host-side UDP port differs from the container’s, set http3.advertisedPort. Browsers negotiate HTTP/3 automatically and existing HTTP/1.1 and HTTP/2 clients keep working as before. Real-time-video and edge-served apps benefit most because QUIC has no TCP-level head-of-line blocking: a lost packet stalls only the stream it belongs to, not every stream on the connection. We default it on for edge-AI surveillance and mobile streaming deployments.
Observability: logs, metrics, and OpenTelemetry traces
Three things we always wire in:
1. Access logs. JSON-formatted (accessLog.format: json), shipped to Loki or CloudWatch. ClientAddr, RouterName, DownstreamStatus, Duration and RequestPath are the fields you will query most. Keep request headers out of the log by default (accessLog.fields.headers.defaultMode: drop) so Authorization and Cookie values never land in the log platform.
2. Prometheus metrics. Enable metrics.prometheus and scrape /metrics. The per-router histogram traefik_router_request_duration_seconds_bucket only exists when metrics.prometheus.addRoutersLabels is true; with it on, alert on tail latency per route.
3. OpenTelemetry traces (v3 native). Configure tracing.otlp with your collector’s gRPC or HTTP endpoint and you get end-to-end traces from edge through your services. The v2 Jaeger/Zipkin/Datadog drivers are gone in v3, replaced by the single OTLP exporter.
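One way to wire all three into the static config, as an added example rather than the page’s own traefik.yml. The collector hostname otel-collector, the latency buckets, the sample rate and the filter thresholds are assumptions to adjust for your traffic.

```yaml
# traefik.yml additions for logs, metrics and traces (added example, not the page's file)
accessLog:
  format: json          # one JSON object per request on stdout; `docker logs` / a log driver picks it up
  bufferingSize: 100    # batch writes; lines are flushed on shutdown
  filters:              # a request is logged if it matches ANY of these; remove the block for a full audit log
    statusCodes:
      - "400-599"       # every client and server error
    retryAttempts: true # requests that hit the retry middleware
    minDuration: "500ms"  # slow requests regardless of status
  fields:
    defaultMode: keep
    names:
      ClientUsername: drop   # Basic-auth user name; no need to ship it to the log platform
    headers:
      defaultMode: drop      # never log Authorization / Cookie / Set-Cookie by accident
      names:
        User-Agent: keep
        X-Forwarded-For: keep   # the real client when Traefik sits behind a trusted proxy

metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true     # required for traefik_router_request_duration_seconds_*
    addServicesLabels: true
    buckets:                   # seconds; pick edges around your SLO, e.g. p99 < 300 ms
      - 0.01
      - 0.05
      - 0.1
      - 0.3
      - 1.0
      - 5.0

tracing:
  serviceName: traefik-edge
  sampleRate: 0.1              # 10 % of requests; raise it while investigating an incident
  otlp:
    grpc:
      endpoint: otel-collector:4317
      insecure: true           # plaintext only because the collector is on the private docker network
```

Because the filters are ORed, the combination above gives you every error, every retry and every slow request while dropping the bulk of healthy 200s; if a compliance requirement says "log every request", delete the filters block rather than widening it. Metrics remain on the internal traefik entry point, so the Prometheus scrape, like the dashboard, must come over the private network or an SSH tunnel, not the public edge.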
Five Traefik pitfalls we see most often
1. Exposing the dashboard with api.insecure: true on a public port. The API lists every router, service and middleware configuration, which is a map of your internal network for anyone who finds it. Bind it to 127.0.0.1, or publish api@internal through a router with an IP allowlist and basic auth in front.
2. Forgetting the Docker network. If your service container is on a different network than Traefik, no labels in the world will route to it. Add traefik.docker.network=traefik and put both on the same network.
3. Hitting Let’s Encrypt rate limits. Let’s Encrypt allows 50 certificates per registered domain per week and only 5 duplicate certificates (same set of names) per week; the second limit is the one a re-issuing loop hits first. Use caServer: https://acme-staging-v02.api.letsencrypt.org/directory while developing; staging certificates are not browser-trusted, which is exactly the point.
4. Not persisting acme.json. If you don’t mount /letsencrypt as a volume, every container restart re-issues certificates and you hit the duplicate limit fast. Mount it. Traefik creates the file with mode 0600 and refuses to start on a store with looser permissions, so if you pre-create it, chmod 600.
5. Routing collisions across stacks. Two routers with the same Host() rule tie on priority (the default priority is the rule’s length) and which one wins is nothing you should depend on. Use distinct rules, unique router names, and explicit priority labels (traefik.http.routers.X.priority=10) when overlapping rules are unavoidable.
Scaling Traefik beyond a single host
Single-host Traefik is fine up to 10–30k RPS depending on hardware. Beyond that you have three options: (a) run multiple Traefik instances behind a Layer-4 load balancer (HAProxy, AWS NLB); (b) run Traefik on Kubernetes as the cluster Ingress controller; (c) run Traefik Hub for managed multi-cluster ingress. One caveat for (a): community Traefik has no distributed ACME, so several instances pointed at one acme.json will race each other for the same certificates. Either let a single instance own certificate issuance and terminate TLS there, terminate TLS at the load balancer, or hand the certificates to Traefik as files via tls.certificates from a store you manage yourself; on Kubernetes, cert-manager does this job. We default to option (b) on K8s and (a) on Compose-based fleets. We covered scale architecture more broadly in our scalable VMS guide.
Cost and effort to wire Traefik into a real product
| Scope | Effort | Typical cost (Fora Soft) | Outcome |
|---|---|---|---|
| Bootstrap config + dashboard | 1–2 days | $0.5–1.5k | Working reverse proxy + Let’s Encrypt |
| Wildcard certs + multi-tenant routing | 2–4 days | $1–3k | Tenant-subdomain SaaS ready |
| Security middlewares + WAF integration | 2–5 days | $1.5–4k | Hardened edge with rate limit + CSP |
| Observability stack (Prometheus, OTel) | 3–5 days | $2–5k | Latency dashboards + tracing |
| Migration from NGINX or v2→v3 | 1–2 weeks | $5–15k | Zero-downtime cutover |
Our quotes come in below legacy SI vendors for the same scope because we use Agent Engineering to compress the rote configuration and audit phases. The hard parts — security review, ACME edge cases, observability wiring — still take human attention.
When you should NOT pick Traefik
Three honest cases. 1. A single-tenant, low-churn front-end where you already run NGINX and the team knows it; the migration cost will exceed the operational gain. 2. Extreme RPS at a single edge box (the upper end of the ballpark figures in the table above; measure on your own hardware), where NGINX still wins on raw throughput. 3. Environments where you cannot mount the Docker socket or grant the Kubernetes API permissions Traefik needs. A filtered socket proxy closes part of that gap on Docker hosts, but air-gapped or strictly zero-trust shops sometimes still hit it.
FAQ
What is Traefik used for?
It’s a cloud-native reverse proxy and HTTP load balancer that integrates with Docker, Kubernetes, Consul, ECS, and Nomad. It auto-discovers services, terminates TLS via Let’s Encrypt, runs middlewares (auth, rate limit, headers), and exposes a dashboard, Prometheus metrics, and OpenTelemetry traces.
Traefik vs NGINX — which is better in 2026?
NGINX wins on raw throughput; Traefik wins on operational simplicity for container-rich workloads. If your services churn (microservices, preview envs, multi-tenant SaaS), Traefik saves real time per week. If your edge is a static front-end at high RPS, NGINX is still the right answer.
Does Traefik support free TLS certificates?
Yes — ACME / Let’s Encrypt is built in. HTTP-01 challenge for single domains, DNS-01 for wildcards (Cloudflare, Route 53, GCloud DNS, DigitalOcean and more). Persist acme.json on a volume so you don’t hit rate limits.
Should I use Traefik v2 or v3 for a new project?
v3. It adds HTTP/3 as GA, native OpenTelemetry, WASM middleware, the Kubernetes Gateway API, and SPIFFE. The routers/services/middlewares model and most Docker labels carry over; the static config has minor renames and a few rule matchers change syntax (HostRegexp, Headers→Header, IPWhiteList→IPAllowList), with core.defaultRuleSyntax: v2 available as a transition switch.
How do I expose the Traefik dashboard safely?
Don’t expose api.insecure: true on a public port. Bind the dashboard to 127.0.0.1:8080 and reach it via SSH port-forward, or route api@internal through a basic-auth + IP-allowlist middleware.
How do I avoid Let’s Encrypt rate limits?
Persist acme.json on a volume. Test against the staging endpoint (acme-staging-v02.api.letsencrypt.org). For multi-tenant SaaS use one wildcard cert via DNS-01 instead of a per-tenant cert.
Can Traefik handle WebSocket and HTTP/3 streaming traffic?
Yes — WebSocket upgrades work transparently and HTTP/3 / QUIC is a one-line entry-point flag in v3. We use it as the edge in front of WebRTC signaling and HLS endpoints across our streaming projects.
Is Traefik safe to put on the public internet?
Yes, if you (a) keep the dashboard private, (b) attach security-headers and rate-limit middlewares, (c) pin the image to a specific tag and bump it on a schedule rather than tracking :latest, and (d) consider a CDN/WAF (Cloudflare, AWS WAF) in front for L7 attack mitigation. Traefik is designed for that role.
What to Read Next
- Stack: Agora.io Alternative in 2026. Custom WebRTC behind Traefik — when the math beats CPaaS.
- Stack: Twilio Video Alternatives. When and how to replace a CPaaS with custom infra.
- Engineering: Scalable Video Management Systems in 2026. Where Traefik fits in a horizontally scalable VMS.
- Architecture: Edge AI vs Cloud AI for Video Surveillance. Latency math that ends up driving HTTP/3 and edge proxy choices.
- Mobile: 10 Ways to Optimize Android Apps for Smooth Video Streaming. QUIC, HTTP/3, ABR — what your edge proxy should support.
Need a backend, DevOps or video-infra partner who actually ships?
Traefik is a small piece of the picture — the harder questions are usually about service decomposition, observability, secret management, real-time streaming, and what to put on the edge. Those are the questions we answer for clients across SaaS, surveillance, edutainment, and creator monetization.
If you want a quick second opinion on your reverse-proxy / ingress setup, or a partner to build the backend behind it, the fastest way to start is a 30-minute call with our engineering lead.
Let’s talk about your edge
Bring your topology and your traffic numbers. We’ll bring 21 years of real-time video and SaaS delivery experience and a quote we can defend.


