Traefik

A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.

62.1K stars
5.9K forks
MIT License
Go

Traefik is a modern HTTP reverse proxy and load balancer designed to make deploying and managing microservices seamless. Instead of maintaining static route configuration files, Traefik integrates directly with your infrastructure — Docker, Kubernetes, Consul, Etcd, Amazon ECS, and others — and automatically discovers services and generates routing rules in real time, without requiring a restart.

Built in Go and distributed as a single binary or official Docker image, Traefik handles HTTP, TCP, and UDP traffic with support for modern protocols including HTTP/2, gRPC, and WebSockets. It issues and renews TLS certificates automatically through Let’s Encrypt, applies middleware chains for authentication, rate limiting, compression, and circuit breaking, and exposes comprehensive observability data via Prometheus, Datadog, OpenTelemetry tracing, and structured access logs.

Traefik supports GitOps workflows through declarative configuration via TOML, YAML files, and Kubernetes Custom Resource Definitions. Its provider model is extensible, and a built-in Web UI dashboard gives operators real-time visibility into routers, services, and middleware state. An active community of over 416 contributors and a rapid release cadence with maintained v2 and v3 branches ensure long-term reliability for production deployments.

What You Get

  • Automatic Service Discovery - Connects to Docker, Kubernetes, Consul, Etcd, Amazon ECS, Nomad, and Tailscale to detect running services and generate routes without any manual configuration.
  • Let’s Encrypt TLS Automation - Requests, issues, and renews TLS certificates including wildcard certificates automatically for all exposed services, with support for DNS and HTTP challenges.
  • Middleware Pipeline - Compose authentication (Basic, Digest, Forward Auth, OIDC), rate limiting, compression, circuit breakers, retry logic, headers manipulation, and IP whitelisting into reusable chains attached to any router.
  • Multi-Protocol Load Balancing - Routes HTTP, HTTPS, TCP, UDP, and gRPC traffic with round-robin, weighted, and sticky session load balancing algorithms and configurable health checks.
  • Real-Time Dashboard - Browser-based UI shows live state of all routers, services, middleware, and their relationships with no extra configuration beyond enabling the API.
  • OpenTelemetry Observability - Exports distributed traces to Datadog, Jaeger, Zipkin, and OTLP-compatible backends, and metrics to Prometheus, InfluxDB 2.x, Statsd, and Datadog — all configurable per-router.
  • Kubernetes Gateway API Support - Implements the Kubernetes Gateway API specification alongside legacy Ingress and CRD-based configuration, allowing adoption of the standard API without lock-in.
  • WASM Plugin System - Extends Traefik with custom middleware written in any language that compiles to WebAssembly, loaded at runtime without recompilation or restarts.

Common Use Cases

  • Kubernetes Ingress Controller - Platform teams deploy Traefik as the cluster ingress controller to handle external traffic routing, TLS termination, and authentication for all services using Kubernetes Ingress or Gateway API resources.
  • Docker Compose Development Environments - Developers add Traefik to docker-compose.yml to automatically expose local services via subdomain routing and HTTPS without editing /etc/hosts or managing nginx configs.
  • API Gateway for Microservices - Engineering teams route traffic to multiple backend services from a single entry point, applying per-route authentication, rate limiting, and circuit breaking through Traefik’s middleware system.
  • Multi-Tenant SaaS Routing - SaaS providers use Traefik’s wildcard TLS and routing rules to dynamically route tenant subdomains to isolated backend services with per-tenant configuration via labels or CRDs.
  • Zero-Downtime Blue-Green Deployments - DevOps teams implement canary releases by configuring weighted routing between service versions and gradually shifting traffic without service interruption.
  • Edge Proxy for Distributed Systems - Infrastructure engineers run Traefik at network edges to consolidate observability, enforce security policies, and centralize certificate management across multi-cloud or hybrid deployments.

Under The Hood

Architecture

Traefik is structured around a clean three-layer architecture: a static bootstrap layer that loads initial configuration, a dynamic provider layer that polls or watches external systems for service changes, and a runtime routing layer that applies the resulting configuration to live traffic without downtime. The provider abstraction is a small Go interface (two methods) that any external system can implement, and the aggregator combines updates from all registered providers into a single merged configuration. Routers, services, and middleware are composed as independent objects connected by reference, meaning changes to any layer propagate atomically through the configuration watcher without service interruption. Entrypoints for TCP, UDP, and HTTP are managed as separate subsystems with their own goroutine pools, keeping protocol handling concerns isolated.

Tech Stack

Traefik is written entirely in Go, built as a single statically-linked binary with no runtime dependencies. The core depends on well-established libraries: gorilla/mux for HTTP routing, vulcand/oxy for reverse proxy primitives, go-acme/lego for ACME certificate management, and quic-go for HTTP/3 and QUIC support. Kubernetes integration covers the native Ingress API, Traefik’s own CRD-based IngressRoute, and the Gateway API specification. Configuration is accepted in TOML and YAML via the traefik/paerser library. The Web UI is a separately built TypeScript and Vue application packaged inside the binary. OpenTelemetry instrumentation is applied at the middleware and transport layers for end-to-end tracing. No external database is required; all state is held in memory and refreshed from providers.

Code Quality

The codebase contains over 250 test files across unit and integration suites. Unit tests cover individual middleware components, provider logic, and TLS handling with table-driven patterns and expressive assertion helpers. The integration test suite runs full Docker Compose stacks and validates behavior against live Kubernetes, Consul, Etcd, and ACME endpoints. Error handling is explicit throughout: errors are returned rather than panicked, wrapped with context using fmt.Errorf, and logged with structured zerolog fields. CI enforces code formatting, linting via golangci-lint with custom rules for dependency hygiene, and test coverage gating. TypeScript in the Web UI is typed and linted separately. The combination of strong typing, comprehensive integration tests, and automated enforcement produces a codebase that is reliable to modify.

What Makes It Unique

Traefik’s core differentiator is provider-driven dynamic configuration: routes are discovered and applied automatically as infrastructure changes, without any human operator involvement or proxy restart. This is architecturally distinct from traditional reverse proxies that treat configuration as a static file. The provider abstraction is genuinely open: the same interface serves Docker labels, Kubernetes CRDs, Consul KV, and file-based config, and the aggregator merges all sources concurrently. The WASM plugin system allows custom middleware to be loaded at runtime from any language targeting WebAssembly, enabling extensibility without forking. Gateway API conformance positions Traefik as a portable ingress solution that follows the evolving Kubernetes standard rather than proprietary annotations.

Self-Hosting

Traefik is released under the MIT License, which imposes no restrictions on commercial use, modification, redistribution, or sublicensing. You can deploy it in production, embed it in commercial products, or modify the source without any licensing obligations beyond preserving the copyright notice. There are no open-core or source-available provisions — the version on GitHub is the complete product.

Running Traefik yourself means taking full ownership of availability, certificate renewal, and upgrade management. Traefik is stateless and deployed as a single binary or container, which simplifies horizontal scaling — you can run multiple replicas behind a cloud load balancer without shared storage. Certificate state from Let’s Encrypt is written to disk by default and needs to be shared across replicas using a distributed KV store (Consul, Etcd, or Redis) or a shared volume. Upgrades between major versions (v2 to v3) involve migration steps documented in the official guides; patch releases are frequent and generally safe to apply. Monitoring and alerting are the operator’s responsibility, though Traefik’s Prometheus and OpenTelemetry integrations make this straightforward with standard tooling.

Traefik Labs (the company behind Traefik) offers Traefik Hub, a managed platform that adds centralized API management, access control policies, API catalog, and multi-cluster management on top of open-source Traefik. For teams that need SLAs, paid support, or commercial add-ons such as advanced API gateway features, Traefik Labs provides enterprise agreements. Self-hosters give up centralized policy management, the API portal UI, and vendor-backed support in exchange for full infrastructure control and no licensing cost.
