Video tutorial coming soon.
Deploy Traefik on Ubuntu as a dynamic reverse proxy that automatically discovers Docker containers, provisions HTTPS certificates via Let's Encrypt, and requires zero manual reloads.
Grab the automated bash script from GitHub to follow along with the video.
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/traefik/traefik-ubuntu.sh
chmod +x traefik-ubuntu.sh
sudo bash traefik-ubuntu.shwget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/traefik/traefik-ubuntu.shchmod +x traefik-ubuntu.shThe script installs Docker if needed, then deploys Traefik with Let's Encrypt ACME and the Traefik dashboard configured.
sudo bash traefik-ubuntu.shOpen your browser and navigate to the Traefik dashboard to see all discovered routers, services, and middlewares.
http://<your-server-ip>:8080Add Traefik Docker labels to any container to expose it automatically — no config file reload needed.
| Port | Purpose |
|---|---|
| 80 | HTTP Entrypoint (redirects to HTTPS) |
| 443 | HTTPS Entrypoint (your services) |
| 8080 | Traefik Dashboard (internal — restrict access) |
Traefik is a cloud-native reverse proxy and load balancer designed to integrate tightly with Docker and Kubernetes. It automatically discovers running containers via Docker labels, configures routing rules dynamically, and provisions and renews Let's Encrypt TLS certificates without any manual intervention. Unlike Nginx Proxy Manager (which uses a GUI), Traefik is configured entirely via Docker labels and YAML/TOML files — making it ideal for infrastructure-as-code workflows.
Traefik eliminates the two most painful parts of self-hosting with a reverse proxy: manual config file editing and certificate management. Add a container with the right labels and it's automatically routed with HTTPS — no nginx reload, no certbot cron, no GUI clicks. For teams running many containers, Traefik scales effortlessly.
Traefik uses port 80 for HTTP (redirects to HTTPS for Let's Encrypt challenges), port 443 for HTTPS (all your services), and port 8080 for the Traefik dashboard (internal only — never open externally). Open 80 and 443 publicly; keep 8080 internal and protected with authentication.
Nginx Proxy Manager (GUI-based, easier for beginners), Caddy (simpler config, automatic HTTPS), HAProxy (pure load balancing, no auto-discovery), Nginx (most control, most complexity). Traefik is the best choice for Docker-heavy environments where automation and infrastructure-as-code matter.
If you prefer a GUI over Docker labels for configuration, Nginx Proxy Manager is friendlier. If you have a simple setup with 2–3 services, Traefik's learning curve isn't worth it — NPM gets you there faster. Traefik shines when you're managing 10+ containers and want zero manual intervention.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Nginx Proxy Manager provides a graphical web UI for configuring reverse proxy routes — great for beginners. Traefik uses Docker labels and config files — everything is code. Traefik auto-discovers containers and auto-provisions certificates with no clicks; NPM requires manual configuration for each service. Traefik is better for automation; NPM is better for ease of use.
Traefik integrates with Let's Encrypt via the ACME protocol. When a container with a `traefik.http.routers.myapp.tls.certresolver=letsencrypt` label appears, Traefik automatically requests a certificate for that domain, completes the HTTP-01 or DNS-01 challenge, stores the certificate in acme.json, and renews it before expiry — all without any manual steps.
No. Traefik watches the Docker API for container events. When you run `docker compose up` for a new container with Traefik labels, Traefik detects it and adds the route dynamically within seconds — no restart or reload needed.
Middlewares are processing steps applied to requests before they reach your service. Examples: redirect HTTP to HTTPS, add security headers, require Basic Auth, rate-limit by IP, strip path prefixes. You define middlewares once and apply them to routers via labels. Authelia and Authentik also integrate as Traefik middlewares.
Yes. If you run `docker compose up --scale myapp=3`, Traefik discovers all three replicas automatically and load-balances across them using round-robin. Health checks can be configured to remove unhealthy replicas from the rotation.
Yes. Traefik has a Kubernetes Ingress controller and its own IngressRoute CRD. It's a popular alternative to nginx-ingress in Kubernetes clusters, providing the same auto-HTTPS and middleware features. K3s ships with Traefik as the default ingress controller.
Add a `traefik.http.middlewares.auth.basicauth.users` label with a hashed username:password pair (generated with `htpasswd`). Apply the middleware to the dashboard router. Alternatively, restrict access by IP using the IPAllowList middleware, or keep port 8080 unmapped and access it only via SSH tunnel.
Run `docker compose pull && docker compose up -d`. Your acme.json certificates, traefik.yml config, and dynamic configs are mounted as volumes — they persist across updates. Check the Traefik migration guide before major version upgrades as label syntax sometimes changes.