IT Get in touch

Traefik 2.0: cloud-native reverse proxy with service discovery

Traefik 2.0 (September 2019) by Containous (later Traefik Labs): reverse proxy and load balancer with auto-configuration from Docker/Kubernetes/Consul, composable middlewares, TCP/UDP routing, automatic Let's Encrypt.

Open SourceWeb
Open SourceWeb TraefikReverse ProxyCloud NativeService DiscoveryLet's EncryptOpen Source
Linux Services & Systems

Linux Services & Systems

Domains, hosting, certified email, email infrastructure, network services and Linux systems. Open Source infrastructure support and management.

Discover →

A self-configuring reverse proxy

Manually configuring Nginx or HAProxy in dynamic environments — containers that come and go, services changing port or host — is burdensome. Traefik, launched in 2015 by Emile Vauge (company Containous, later Traefik Labs), solves this with an alternative approach: integrated service discovery reading configuration from external providers.

Version 2.0 of 16 September 2019 is a major rewrite. MIT licence.

Providers

Traefik connects to dynamic configuration sources:

  • Docker — container labels define routing
  • Kubernetes — via Ingress or Traefik-specific IngressRoute CRD
  • Consul Catalog, etcd, ZooKeeper — service discovery
  • File provider — static YAML/TOML config
  • AWS ECS, Nomad, Kubernetes Gateway API

When a container starts with label traefik.http.routers.api.rule=Host('api.example.com'), Traefik automatically exposes it at that host, without manual reload.

Middlewares

Key 2.0 novelty: composable middlewares. A middleware is a request transformation layer:

  • Auth — BasicAuth, DigestAuth, ForwardAuth
  • Rate limit, circuit breaker, retries
  • Compress (gzip), buffering
  • Headers (CORS, security headers, PII removal)
  • IPWhiteList, IPAllowList
  • StripPrefix, AddPrefix, ReplacePath, Redirect
  • Defined and reused middleware chains

TCP and UDP routing

2.0 adds routing for TCP (beyond HTTP) and UDP, with SNI routing for TLS. Enables Traefik as frontend not only for web applications but also databases, MQTT, DNS, QUIC.

Automatic Let’s Encrypt

Traefik is among the first proxies to natively integrate ACME/Let’s Encrypt. Minimal configuration:

certificatesResolvers:
  myresolver:
    acme:
      email: admin@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

Traefik obtains, renews, distributes certificates without intervention. Supports HTTP-01, DNS-01, TLS-ALPN-01.

Dashboard

A built-in web dashboard shows active routers, services, middlewares — useful for debugging. Prometheus metrics exposed for monitoring.

Comparison

  • Nginx — more performant, but static configuration or via Nginx Plus / OpenResty
  • HAProxy — very strong TCP/HTTP load balancer, static configuration
  • Envoy — powerful data plane, less user-friendly
  • Caddy — similar philosophy (auto HTTPS), less service discovery
  • Traefik — best when auto-configuration and Kubernetes/Docker-native are needed

In the Italian context

Traefik is adopted in Italy by:

  • Companies with self-hosted K8s clusters
  • SaaS wanting multi-tenant with dynamic subdomain routing
  • Hosting providers as option for Docker clients

References: Traefik 2.0 (16 September 2019). Containous (later Traefik Labs), Emile Vauge. MIT licence. Docker, Kubernetes, Consul providers. Composable middlewares. Let’s Encrypt/ACME integration.

Need support? Under attack? Service Status
Need support? Under attack? Service Status