Traefik Reverse Proxy: Complete Guide for Self-Hosters
How to set up Traefik as a reverse proxy. Automatic HTTPS, Docker integration, load balancing, and advanced routing. Complete tutorial for self-hosters.
Traefik is the reverse proxy that makes self-hosting practical. Automatic HTTPS, Docker-native service discovery, and configuration that updates without restarts. Here's everything you need to know.
Why Traefik?
| Feature | Nginx | Traefik |
|---|---|---|
| Config reload | Manual (nginx -s reload) | Automatic (watches Docker/files) |
| HTTPS certificates | Certbot + cron | Built-in Let's Encrypt |
| Docker integration | Manual upstream config | Automatic via labels |
| Dashboard | None (third-party tools) | Built-in web UI |
| Learning curve | Familiar to most devs | Different paradigm — worth learning |
Core Concepts
Entrypoints
Where traffic enters Traefik. Typically port 80 (HTTP) and 443 (HTTPS).
Routers
Rules that match incoming requests to services. Match on host, path, headers, etc.
Services
The backend applications that handle requests. Defined by Docker labels or file config.
Middlewares
Transformations applied between router and service: redirects, rate limiting, authentication, headers, etc.
Providers
Where Traefik discovers its configuration: Docker (labels), file (YAML/TOML), Kubernetes, etc.
Minimal Docker Compose Setup
```yaml
services:
  traefik:
    image: traefik:v3
    command:
      - --api.dashboard=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=you@domain.com
      # Store issued certificates in the file mounted below
      - --certificatesresolvers.le.acme.storage=/acme.json
      - --providers.docker=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Docker socket: how Traefik discovers containers and their labels
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Create this file first (touch acme.json && chmod 600 acme.json)
      - ./acme.json:/acme.json
  myapp:
    image: nginx
    labels:
      - traefik.http.routers.myapp.rule=Host(`app.example.com`)
      - traefik.http.routers.myapp.tls.certresolver=le
```
That's it. Traefik sees the Docker container, creates a router, provisions a Let's Encrypt certificate, and starts proxying. No config files to edit, no nginx reload.
Advanced Patterns
File Provider (For Non-Docker Services)
Not everything runs in Docker. Use file-based configuration for external services, VMs, or legacy apps. Traefik watches the file and hot-reloads on changes.
Middlewares
- redirectScheme — HTTP → HTTPS redirect
- stripPrefix — remove path prefixes before forwarding
- rateLimit — protect against abuse
- basicAuth — simple password protection
- headers — add security headers (HSTS, CSP, etc.)
Priority-Based Routing
When multiple routers match the same path, priority determines which wins. Higher number = higher priority. Essential when running multiple services on the same domain (e.g., main site + blog).
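An added example (not from the original article) of a file-provider dynamic configuration that combines the three patterns above: external backends, a middleware chain, and an explicit router priority. The hostname, backend addresses, file path and limit values are constructed placeholders; `le`, `web` and `websecure` are the resolver and entrypoints from the Compose setup.

```yaml
# dynamic.yml (constructed example), loaded with --providers.file.filename=/dynamic.yml
http:
  routers:
    site:
      rule: "Host(`example.com`)"
      entryPoints: [websecure]
      service: site
      middlewares: [secure-headers, throttle]
      tls: {certResolver: le}
    blog:
      # Also matches the `site` rule; explicit priority makes the winner deterministic
      rule: "Host(`example.com`) && PathPrefix(`/blog`)"
      priority: 100
      entryPoints: [websecure]
      service: blog
      middlewares: [secure-headers, throttle, blog-strip]
      tls: {certResolver: le}
    plain-http:
      rule: "Host(`example.com`)"
      entryPoints: [web]
      service: site
      middlewares: [https-redirect]
  middlewares:
    https-redirect:
      redirectScheme: {scheme: https, permanent: true}
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        contentTypeNosniff: true
        frameDeny: true
    throttle:
      rateLimit: {average: 50, burst: 100}
    blog-strip:
      stripPrefix: {prefixes: ["/blog"]}
  services:
    site:
      loadBalancer:
        servers:
          - url: "http://10.0.0.10:8080"
    blog:
      loadBalancer:
        servers:
          - url: "http://10.0.0.11:8080"
```

Without an explicit `priority`, Traefik orders routers by rule length, so setting it on the narrower `blog` router keeps the outcome stable if the rules are later edited.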