---
lang: vi
slug: traefik
title: 'Traefik: 63,229 GitHub Stars'
description: 'Traefik is a cloud-native application proxy and edge router with automatic service discovery. Compatible with Docker, Kubernetes, Consul, and Docker Compose. Covers installation, middleware, TLS, monitoring, and production hardening.'
tags: ["automation", "ci-cd", "github", "guide", "open-source", "reference", "tutorial"]
date: 2026-05-19 00:00:00+08:00
lastmod: 2026-05-19 00:00:00+08:00
tech_stack: []
application_domain: Dev Utils
source_version: ''
licensing_model: Open Source
license_type: MIT
file_size: ''
file_md5: ''
download_url: ''
backup_url: ''
github_repo: 'https://github.com/traefik/traefik'
last_maintained: '2026-05-19'
draft: false
categories: ['dev-utils']
aliases:
  - /posts/traefik/
faqs:
  - q: 'Does Traefik need to be restarted when I add a new service?'
    a: 'No. Traefik watches your Docker socket or Kubernetes API and updates its routing table in real time. New containers carrying Traefik labels are detected within seconds and traffic is routed immediately with no config reload.'
  - q: 'How do I use Traefik with multiple Docker Compose projects?'
    a: 'Create an external Docker network with docker network create proxy, then attach Traefik and every application service to it. Each project keeps its own docker-compose.yml with Traefik labels, and Traefik auto-discovers them as long as they share that network.'
  - q: 'What is the difference between Kubernetes Ingress and Traefik''s IngressRoute?'
    a: 'Standard Kubernetes Ingress is a generic resource with limited routing options. Traefik''s IngressRoute CRD adds middleware chaining, TCP/UDP routing, weighted load balancing, traffic mirroring, and direct TLS configuration without relying on annotations.'
  - q: 'How fast is Traefik compared to Nginx and HAProxy?'
    a: 'In a community wrk2 benchmark on a 4 vCPU server, Traefik v3.2 handled about 18,291 requests/sec versus 25,367 for Nginx and 24,263 for HAProxy. Enabling Traefik''s experimental FastProxy engine raised throughput to about 20,795 requests/sec, roughly a 50% gain over the standard engine.'
  - q: 'Is it safe to expose the Traefik dashboard?'
    a: 'Only with authentication. The dashboard reveals your complete routing configuration and backend services, so always protect it with a BasicAuth, ForwardAuth (Authelia/Authentik), or IP-whitelist middleware. Never use --api.insecure=true in production.'
featureImage: /images/articles/7e31e3d0-traefik-63229-github-stars.png
---

Managing ingress traffic in containerized environments is a persistent headache. Every time a new microservice spins up, someone has to update the reverse proxy configuration, reload the service, and pray nothing breaks. In a world where deployments happen dozens of times per day, this manual approach collapses under its own weight. Traefik, the open-source edge router built for cloud-native infrastructure, solves this by watching your container orchestrator and updating routes automatically — no config reloads, no downtime, no human intervention.

This Traefik tutorial walks through a production-grade Traefik setup: Docker Compose deployment, Kubernetes ingress configuration, TLS automation, middleware hardening, and observability. Whether you are exploring Traefik vs Nginx for your stack or need a complete edge router setup, every config in this guide is copy-paste ready.

## What Is Traefik?

Traefik is an open-source HTTP reverse proxy and load balancer designed for dynamic, cloud-native environments. Originally released in 2015 by Containous (now Traefik Labs), it has grown to 63,229 GitHub stars and become the default ingress choice for Docker and Kubernetes operators who value automation over manual configuration. Unlike traditional proxies that rely on static config files, Traefik connects directly to your orchestrator's API — Docker, Kubernetes, Consul, ECS, and more — and builds its routing table in real time as containers start and stop.

## How Traefik Works

Traefik's architecture splits configuration into two layers: static configuration (loaded at startup, defines entrypoints, providers, and global settings) and dynamic configuration (discovered from your orchestrator, updated without restarts).

### Architecture Overview

```
┌─────────────────────────────────────────────────────────┐
│                         Clients                         │
└─────────────────────────────────────────────────────────┘
                             │
                      ┌──────▼──────┐
                      │   80/443    │
                      │ EntryPoints │
                      └──────┬──────┘
                             │
                      ┌──────▼──────┐
                      │   Routers   │◄──── Dynamic Rules
                      │   (Rules)   │      (Host, Path, Headers)
                      └──────┬──────┘
                             │
                      ┌──────▼──────┐
                      │ Middlewares │◄──── Rate Limit, Auth, Headers
                      │ (Transform) │
                      └──────┬──────┘
                             │
                      ┌──────▼──────┐
                      │  Services   │◄──── Load Balancing, Health Check
                      │ (Upstream)  │
                      └──────┬──────┘
                             │
                ┌────────────┼────────────┐
                ▼            ▼            ▼
           ┌────────┐   ┌────────┐   ┌────────┐
           │ Service│   │ Service│   │ Service│
           │   A    │   │   B    │   │   C    │
           └────────┘   └────────┘   └────────┘
```

| Component | Purpose | Example |
|-----------|---------|---------|
| EntryPoint | Listening port for incoming traffic | `:80`, `:443`, `:8080` |
| Router | Matches requests against rules | `Host("api.example.com")` |
| Middleware | Modifies requests/responses | BasicAuth, RateLimit, RedirectScheme |
| Service | Forwards to upstream backends | LoadBalancer across 3 replicas |
| Provider | Discovers services from orchestrator | Docker, Kubernetes CRD, Consul |

## Installation & Setup

### Docker Compose (Single Node, ≤5 Minutes)

Create a dedicated directory and the main Traefik configuration:

```bash
mkdir -p ~/traefik/{data,configs}
cd ~/traefik
touch data/acme.json && chmod 600 data/acme.json
```

The `acme.json` file stores Let's Encrypt certificates. It must have restrictive permissions (`600`) or Let's Encrypt will refuse to write to it.

**`docker-compose.yml`** — Traefik v3.x production-ready:

```yaml
services:
  traefik:
    image: traefik:v3.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    read_only: true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/acme.json:/acme.json
      - ./data/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./configs:/configs:ro
      - ./data/logs:/logs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"

  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  proxy:
    external: true
```

```yaml
# data/traefik.yml: static configuration (mounted at /etc/traefik/traefik.yml by docker-compose.yml)
global:
  sendAnonymousUsage: false

api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
  traefik:
    address: ":8080"

providers:
  docker:
    exposedByDefault: false
    network: proxy
    watch: true
  file:
    directory: /configs
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@yourdomain.com
      storage: /acme.json
      tlsChallenge: {}

log:
  level: INFO
  format: json
  filePath: "/logs/traefik.log"

accessLog:
  format: json
  filePath: "/logs/access.log"

metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
```

```bash
# Create the external network that docker-compose.yml references, then start the stack
docker network create proxy
docker compose up -d
```

```bash
# Standalone binary install (v3.2.0, linux/amd64)
wget https://github.com/traefik/traefik/releases/download/v3.2.0/traefik_v3.2.0_linux_amd64.tar.gz
tar -xzf traefik_v3.2.0_linux_amd64.tar.gz
sudo mv traefik /usr/local/bin/
sudo chmod +x /usr/local/bin/traefik
```

### Kubernetes with Helm

For Traefik Kubernetes deployments, Helm is the standard method for installing the ingress controller on clusters:

```bash
helm repo add traefik https://traefik.github.io/charts
helm repo update
kubectl create namespace traefik
helm install traefik traefik/traefik \
  --namespace traefik \
  --set ingressRoute.dashboard.enabled=true \
  --set ports.websecure.tls.enabled=true \
  --set certResolvers.letsencrypt.acme.email=admin@yourdomain.com \
  --set certResolvers.letsencrypt.acme.storage=/data/acme.json \
  --set certResolvers.letsencrypt.acme.tlsChallenge=true
```

Verify the deployment:

```bash
kubectl get pods -n traefik
kubectl port-forward -n traefik svc/traefik 9000:9000
# Open http://localhost:9000/dashboard/
```

## Integration with Docker, Kubernetes, Consul, and Docker Compose

### Docker Provider (Auto-Discovery)

The Docker provider is Traefik's killer feature. Any container with Traefik labels gets registered automatically:

```yaml
services:
  api:
    image: myapp/api:latest
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.example.com`) && PathPrefix(`/v2`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.middlewares=api-ratelimit,api-cors"
      - "traefik.http.middlewares.api-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.api-ratelimit.ratelimit.burst=50"
      - "traefik.http.middlewares.api-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS"
      - "traefik.http.middlewares.api-cors.headers.accesscontrolalloworiginlist=https://app.example.com"
      - "traefik.http.services.api.loadbalancer.server.port=8080"
      - "traefik.http.services.api.loadbalancer.healthcheck.path=/health"
      - "traefik.http.services.api.loadbalancer.healthcheck.interval=10s"
```

Traefik's native `IngressRoute` CRD provides more control than standard Kubernetes `Ingress`:

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: api-route
  namespace: production
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.example.com`) && PathPrefix(`/v2`)
      kind: Rule
      middlewares:
        - name: rate-limit
        - name: strip-prefix
      services:
        - name: api-service
          port: 8080
          healthCheck:
            path: /health
            intervalSeconds: 10
    - match: Host(`api.example.com`) && PathPrefix(`/v1`)
      kind: Rule
      services:
        - name: api-v1-service
          port: 8080
  tls:
    certResolver: letsencrypt
```

Create the middleware separately:

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
  namespace: production
spec:
  rateLimit:
    average: 100
    burst: 50
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: strip-prefix
  namespace: production
spec:
  stripPrefix:
    prefixes:
      - /v2
```

### Consul Service Discovery

For H[…]

```yaml
# traefik.yml snippet
providers:
  consulCatalog:
    prefix: "traefik"
    exposedByDefault: false
    refreshInterval: "5s"
    endpoint:
      address: "127.0.0.1:8500"
      token: "your-consul-token"
```

Register a service in Consul with Traefik tags:

```bash
curl -X PUT http://localhost:8500/v1/agent/service/register \
  -d '{
    "Name": "payments-api",
    "Tags": ["traefik.enable=true", "traefik.http.routers.payments.rule=Host(`payments.example.com`)"],
    "Port": 8080,
    "Check": {
      "HTTP": "http://localhost:8080/health",
      "Interval": "10s"
    }
  }'
```

## Performance Benchmarks

Community benchmarks on a 4 vCPU AMD server with 16GB RAM show Traefik holds its own against established proxies:

| Metric | Nginx | HAProxy | Traefik v3.2 | Traefik v3.2 + FastProxy | Caddy |
|--------|-------|---------|-------------|-------------------------|-------|
| Requests/sec | 25,367 | 24,263 | 18,291 | **20,795** | […] |

[…]ting communities. Automatic Let's Encrypt certificates, combined with the simple label-based config, make adding a new service a copy-paste operation.

3. **Multi-Tenant SaaS Platform**: Using `HostRegexp` rules, a SaaS platform routes `{tenant}.app.example.com` to the correct namespace or service automatically:

```yaml
# Traefik v3 rule syntax: HostRegexp takes a Go regular expression; v2-style {name:regex} placeholders no longer apply.
# "\\." is a literal dot inside the double-quoted YAML string, and "$$" is a literal "$" in a Compose file.
- "traefik.http.routers.app.rule=HostRegexp(`^[a-z0-9-]+\\.app\\.example\\.com$$`)"
- "traefik.http.routers.app.service=app-service"
```

## Advanced Usage and Production Hardening

### Security Checklist

1. **Disable exposed by default** — Only register containers explicitly:

   ```yaml
   providers:
     docker:
       exposedByDefault: false
   ```

2. **Run read-only with no-new-privileges**:

   ```yaml
   security_opt:
     - no-new-privileges:true
   read_only: true
   ```

3. **Protect the Docker socket** — Use a socket proxy instead of mounting `/var/run/docker.sock` directly:

   ```yaml
   services:
     socket-proxy:
       image: tecnativa/docker-socket-proxy
       environment:
         - CONTAINERS=1
         - SERVICES=1
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock:ro
   ```

4. **Add security headers globally**:

   ```yaml
   # configs/security.yml
   http:
     middlewares:
       security-headers:
         headers:
           frameDeny: true
           sslRedirect: true
           browserXssFilter: true
           contentTypeNosniff: true
           forceSTSHeader: true
           stsIncludeSubdomains: true
           stsSeconds: 31536000
           customResponseHeaders:
             X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
             Permissions-Policy: "camera=(), microphone=(), geolocation=()"
   ```
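The checklist above, together with this guide's advice never to run with `--api.insecure=true` and to put the dashboard behind a middleware, can be checked mechanically before a deploy. The following Python script is an added example, not part of the original guide or the Traefik project: it audits the JSON printed by `docker compose config --format json`. The function names and both sample configurations are constructed, and it assumes the Compose service, label and volume layout used in this guide.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"

def volume_sources(svc):
    """Bind-mount sources from short ("src:dst:ro") or long (mapping) volume syntax."""
    return [v.get("source", "") if isinstance(v, dict) else str(v).split(":", 1)[0]
            for v in svc.get("volumes", [])]

def labels_of(svc):
    """Labels as a lower-cased dict, from the list ("k=v") or mapping form."""
    raw = svc.get("labels", {})
    pairs = raw.items() if isinstance(raw, dict) else (
        item.split("=", 1) for item in raw if "=" in item)
    return {key.lower(): str(value) for key, value in pairs}

def audit(compose):
    """Return sorted (service, finding) tuples; an empty list means every check passed."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if svc.get("ports"):  # service is reachable from outside the Docker network
            # Checklist item 3: keep the Docker socket out of the exposed container.
            if DOCKER_SOCK in volume_sources(svc):
                findings.append((name, "docker.sock mounted next to published ports"))
            # Checklist item 2: no-new-privileges and a read-only root filesystem.
            if "no-new-privileges:true" not in svc.get("security_opt", []):
                findings.append((name, "no-new-privileges not set"))
            if svc.get("read_only") is not True:
                findings.append((name, "root filesystem not read_only"))
        # --api.insecure=true serves the dashboard with no authentication.
        command = svc.get("command") or []
        args = command.split() if isinstance(command, str) else command
        if any(str(arg).lower() == "--api.insecure=true" for arg in args):
            findings.append((name, "--api.insecure=true"))
        # A router that targets api@internal must reference a middleware.
        # Presence check only: it cannot tell whether the middleware authenticates.
        labels = labels_of(svc)
        for key, value in labels.items():
            parts = key.split(".")
            is_router_service = (parts[:3] == ["traefik", "http", "routers"]
                                 and parts[-1] == "service")
            if is_router_service and value == "api@internal":
                router = ".".join(parts[3:-1])
                if not labels.get(f"traefik.http.routers.{router}.middlewares"):
                    findings.append((name, f"dashboard router '{router}' has no middleware"))
    return sorted(findings)

# Constructed sample: long (normalized) syntax with every weakness present.
WEAK = json.loads("""
{"services": {"traefik": {
  "image": "traefik:v3.2",
  "command": ["--api.insecure=true", "--providers.docker=true"],
  "ports": [{"target": 80, "published": "80"}, {"target": 8080, "published": "8080"}],
  "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
               "target": "/var/run/docker.sock", "read_only": true}],
  "labels": {"traefik.enable": "true",
             "traefik.http.routers.dash.rule": "Host(`traefik.example.test`)",
             "traefik.http.routers.dash.service": "api@internal"}}}}
""")

# Constructed sample: short syntax, socket behind a proxy, dashboard behind a middleware.
HARDENED = json.loads("""
{"services": {
  "socket-proxy": {"image": "tecnativa/docker-socket-proxy",
                   "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
  "traefik": {"image": "traefik:v3.2",
              "security_opt": ["no-new-privileges:true"], "read_only": true,
              "ports": ["80:80", "443:443"],
              "labels": ["traefik.enable=true",
                         "traefik.http.routers.traefik.service=api@internal",
                         "traefik.http.routers.traefik.middlewares=traefik-auth"]}}}
""")

if __name__ == "__main__":
    for service, finding in audit(WEAK):
        print(f"{service}: {finding}")
    print("hardened findings:", audit(HARDENED))
```

To audit a real project, replace the samples with `json.load(sys.stdin)` and pipe `docker compose config --format json` into the script. The `docker-compose.yml` from the installation section mounts `docker.sock` into the Traefik container itself, so it is reported under checklist item 3 until the socket proxy is in place.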

```yaml
# Dynamic configuration (file provider): rate limiting and a latency-based circuit breaker
http:
  middlewares:
    api-ratelimit:
      rateLimit:
        average: 100
        burst: 50
        period: 1m

    api-circuitbreaker:
      circuitBreaker:
        expression: "LatencyAtQuantileMS(50.0) > 100"
        checkPeriod: "10s"
        fallbackDuration: "10s"
        recoveryDuration: "10s"
```

```yaml
# Static configuration: Prometheus metrics with explicit histogram buckets
metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
    buckets:
      - 0.005
      - 0.01
      - 0.025
      - 0.05
      - 0.1
      - 0.25
      - 0.5
      - 1.0
      - 2.5
      - 5.0
      - 10.0
```

Prometheus scrape config:

```yaml
scrape_configs:
  - job_name: 'traefik'
    scrape_interval: 15s
    static_configs:
      - targets: ['traefik:8080']
```

![Traefik Grafana Dashboard](https://grafana.com/api/dashboards/17346/images/14185/image)
*The official Traefik Grafana dashboard (ID 17346) visualizes request rates, error rates, and response latencies.*

Import the official Traefik da[…]

```promql
# Request rate by router
rate(traefik_router_requests_total[5m])

# Error rate
rate(traefik_router_requests_total{code=~"5.."}[5m])

# 95th percentile response time
histogram_quantile(0.95, rate(traefik_service_request_duration_seconds_bucket[5m]))

# Certificate expiry (alert when < 7 days)
traefik_tls_certs_not_after - time() < 7 * 86400
```

### Scaling Beyond a Single Node

For high availability, run multiple Traefik replicas behind a Layer 4 load balancer:

```yaml
# docker-compose.yml (Swarm mode)
services:
  traefik:
    image: traefik:v3.2
    deploy:
      replicas: 3
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
```

| Feature | Traefik | Nginx | HAProxy | Caddy |
|---------|---------|-------|---------|-------|
| **Auto Service Discovery** | Yes (Docker, K8s, Consul) | No (requires reload) | No (requires reload) | Partial (via config) |
| **Config Reload Without Downtime** | […] | […] | […] | […] |
| **[…] (RPS)** | ~18K (v3.2) / ~21K (FastProxy) | ~25K | ~24K | ~14K |
| **Memory Footprint** | Medium (~80-120MB) | Low (~20-40MB) | Low (~20-50MB) | Low (~30-60MB) |
| **Learning Curve** | Medium | Steep | Medium | Low |
| **Plugin Ecosystem** | Rich (30+ plugins) | Rich (modules) | Limited | Growing |
| **HTTP/3 Support** | Yes (experimental) | Yes (module) | No | Yes |
| **Config Format** | YAML / TOML / Labels | Custom syntax | Custom syntax | Caddyfile (JSON) |

## Limitations and Honest Assessment

4. […] explicitly does not support HTTP/2 backends. If your services require H2C communication, you must use the standard (slower) engine.

   ```yaml
   # Static configuration: opt in to the experimental FastProxy engine
   experimental:
     fastProxy: {}
   ```

5. **Resource usage**: Traefik consumes 2-3x more memory than Nginx or HAProxy. On resource-constrained edge devices, this matters.

![Traefik Dashboard Preview](https://doc.traefik.io/traefik/assets/img/webui-dashboard.png)
*Traefik's built-in dashboard shows routers, services, middlewares, and health status in real time.*

Choose Traefik when you value **dynamic configuration and operational simplicity** over raw performance. Choose Nginx or HAProxy when you need maximum throughput with static configurations.

## Frequently Asked Questions

### Do[…]?

No. Traefik watches your Docker socket or Kubernetes API and updates routes in real time. New containers with Traefik labels are detected within seconds and traffic is routed immediately. This is the primary advantage over traditional proxies.

### Can I use Traefik with multiple Docker Compose projects?

Yes. Create an external Docker network (`docker network create proxy`) and attach Traefik and all application services to it. Each project can define its own `docker-compose.yml` with Traefik labels — Traefik will discover them automatically as long as they share the network.

```yaml
# ~/projects/api/docker-compose.yml
services:
  app:
    image: myapi:latest
    networks:
      - proxy
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.example.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.services.api.loadbalancer.server.port=3000"
    environment:
      - DATABASE_URL=postgres://db:5432/api

  db:
    image: postgres:16
    networks:
      - internal
    environment:
      - POSTGRES_DB=api

networks:
  proxy:
    external: true
  internal:
    driver: bridge
```

```bash
cd ~/projects/api && docker compose up -d
```

### How does Traefik handle Let's Encrypt rate limits?

Traefik stores certificates in the `acme.json` file and only requests new ones when they are missing or expiring. For environments with frequent container recreations, mount `acme.json` as a persistent volume. Let's Encrypt produ[…]stered domain per week.

### Is Traefik's dashboard safe to expose?

Only with authentication. The dashboard shows your complete routing configuration, including backend services. Always apply a middleware with BasicAuth, ForwardAuth (to Authelia/Authentik), or IP whitelist before exposing it. Never use `--api.insecure=true` in production.

### What is the difference between standard Ingress and Traefik's IngressRoute?

Standard Kubernetes `Ingress` is a generic resource with limited routing options. Traefik's `IngressRoute` CRD adds middleware chaining, TCP/UDP routing, weighted load balancing, traffic mirroring, and direct TLS option configuration — all without annotations.

### Can I migrate from Traefik v2 to v3 without downtime?

Traefik v3 introduces breaking changes in CRD versions (`traefik.containo.us` → `traefik.io`) […] decommissioning v2. The Traefik documentation provides a detailed migration guide.

## Conclusion

Traefik earns its 63,229 GitHub stars by solving a real operational problem: dynamic service discovery in containerized environments. The combination of automatic Docker/Kubernete[…]rt, and a functional dashboard makes it the pragmatic choice for teams running microservices.

**Next steps:**
1. Clone the official repository: `git clone https://github.com/traefik/traefik.git`
2. Deploy the Docker Compose setup from this guide
3. Add your first service with Traefik labels
4. Join the Traefik c[…]