# Traefik — Cloud Native Reverse Proxy & Load Balancer

> Traefik is an open-source edge router that auto-discovers services, handles HTTPS certificates, and routes traffic — designed for Docker, Kubernetes, and microservices.

## Install

Save as a script file and run:

## Quick Use

```bash
# --api.insecure=true serves the dashboard and API without authentication on :8080
docker run -d --name traefik \
  -p 80:80 -p 443:443 -p 8080:8080 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  traefik:latest \
  --api.insecure=true \
  --providers.docker=true \
  --entrypoints.web.address=:80 \
  --entrypoints.websecure.address=:443
```

Open `http://localhost:8080` to view the Traefik dashboard with auto-discovered services.

## Intro

**Traefik** is an open-source cloud-native reverse proxy and load balancer designed for modern infrastructure. Unlike traditional reverse proxies (Nginx, HAProxy) that require manual configuration, Traefik automatically discovers services from Docker, Kubernetes, and other orchestrators, and configures routing, load balancing, and HTTPS certificates without a restart.

With 62.6K+ GitHub stars and an MIT license, Traefik is the most popular modern reverse proxy, handling billions of requests daily across production environments worldwide.
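An added example (not from the original page or the Traefik project): a small audit that flags the exposure-related settings in the Quick Use command above and in the `traefik` service of the Docker Compose file under Docker Setup. The `audit` helper and its finding codes are hypothetical names; the two inputs are transcribed from those snippets.

```python
import re

# Constructed from the page: the Quick Use `docker run` and the Compose traefik service.
QUICK_USE = {
    "command": ["--api.insecure=true", "--providers.docker=true",
                "--entrypoints.web.address=:80", "--entrypoints.websecure.address=:443"],
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
    "labels": [],
}
COMPOSE = {
    "command": ["--api.dashboard=true", "--providers.docker=true",
                "--providers.docker.exposedbydefault=false"],
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro", "letsencrypt:/letsencrypt"],
    "labels": ["traefik.enable=true",
               "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)",
               "traefik.http.routers.dashboard.service=api@internal",
               "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"],
}

def _kv(items, prefix=""):
    """Parse 'key=value' strings into a dict with lowercased keys."""
    out = {}
    for item in items:
        key, _, value = item[len(prefix):].partition("=")
        out[key.lower()] = value or "true"  # a bare --flag is boolean true
    return out

def audit(service):
    """Return finding codes (hypothetical names) for one Traefik service definition."""
    flags = _kv([a for a in service["command"] if a.startswith("--")], prefix="--")
    labels = _kv(service["labels"])
    found = []
    # Unauthenticated API/dashboard on the 'traefik' entrypoint (:8080 by default).
    if flags.get("api.insecure", "").lower() == "true":
        found.append("api-insecure")
    # exposedByDefault defaults to true: every container gets a route unless it opts out.
    if flags.get("providers.docker", "").lower() == "true" and \
            flags.get("providers.docker.exposedbydefault", "true").lower() != "false":
        found.append("exposed-by-default")
    # Socket access is Docker API access; ':ro' on the mount does not limit API calls.
    if any(v.split(":")[0] == "/var/run/docker.sock" for v in service["volumes"]):
        found.append("docker-socket")
    # A router serving api@internal with no middleware has nothing like basicauth in front.
    for key, value in labels.items():
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.service", key)
        if m and value == "api@internal" and \
                f"traefik.http.routers.{m.group(1)}.middlewares" not in labels:
            found.append("dashboard-no-middleware")
    return found
```

`audit(QUICK_USE)` reports the insecure API, default exposure and socket mount; `audit(COMPOSE)` reports the socket mount and the dashboard router that has no middleware attached.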
## What Traefik Does

- **Auto-Discovery**: Automatically detect Docker containers, Kubernetes services, and configure routes
- **Automatic HTTPS**: Request and renew Let's Encrypt certificates without manual intervention
- **Load Balancing**: Round-robin, weighted, and sticky session load balancing across backends
- **Middleware**: Chain middleware for auth, rate limiting, headers, compression, circuit breaker
- **Multi-Protocol**: HTTP, HTTPS, TCP, UDP, gRPC, and WebSocket routing
- **Hot Reload**: Configuration changes apply instantly without restart or dropped connections
- **Dashboard**: Real-time monitoring dashboard with route and service visualization
- **Metrics**: Built-in Prometheus, DataDog, and InfluxDB metrics export

## Architecture

```
Internet
    │
┌───┴───────────┐
│   Traefik     │
│  Entry Points │ ← :80, :443
│  Routers      │ ← Host/Path matching
│  Middleware   │ ← Auth, Rate Limit, Headers
│  Services     │ ← Load Balanced Backends
└───┬───────────┘
    │
┌───┴───────────────────────┐
│  Docker / Kubernetes      │
│  ┌─────┐ ┌─────┐ ┌─────┐  │
│  │App 1│ │App 2│ │App 3│  │
│  └─────┘ └─────┘ └─────┘  │
└───────────────────────────┘
```

## Docker Setup

### Docker Compose with Auto-Discovery

```yaml
services:
  traefik:
    image: traefik:latest
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=admin@yourdomain.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"

  # Example: Auto-discovered web app
  myapp:
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`app.yourdomain.com`)"
      - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"

volumes:
  letsencrypt:
```

### How Auto-Discovery Works

Simply add Docker labels to your containers:

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.myapp.rule=Host(`app.example.com`)"
  - "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
  - "traefik.http.services.myapp.loadbalancer.server.port=8080"
```

Traefik watches Docker events, sees new containers, and automatically:

1. Creates a route based on labels
2. Requests a TLS certificate from Let's Encrypt
3. Starts forwarding traffic — zero downtime

## Key Features

### Middleware Stack

```yaml
labels:
  # Basic auth
  - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$..."
  # Rate limiting
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=50"
  # IP allowlist
  - "traefik.http.middlewares.ipallow.ipallowlist.sourcerange=192.168.1.0/24"
  # Compress responses
  - "traefik.http.middlewares.compress.compress=true"
  # Chain middlewares
  - "traefik.http.routers.myapp.middlewares=auth,ratelimit,compress"
```

### Provider Support

| Provider | Auto-Discovery |
|----------|----------------|
| Docker | Labels |
| Kubernetes | Ingress / CRD |
| Docker Swarm | Labels |
| Consul Catalog | Tags |
| File | Static config |
| ECS | AWS tasks |

## Traefik vs Alternatives

| Feature | Traefik | Nginx | Caddy | HAProxy |
|---------|---------|-------|-------|---------|
| Auto-discovery | Yes | No | No | No |
| Auto HTTPS | Let's Encrypt | Certbot addon | Built-in | No |
| Hot reload | Yes | nginx -s reload | Yes | Yes |
| Docker native | Yes | Manual | Manual | Manual |
| K8s Ingress | Yes | Ingress Controller | Ingress | Ingress |
| Dashboard | Built-in | Paid (Plus) | No | Stats page |
| Config style | Labels/YAML | Config files | Caddyfile | Config files |

## FAQ

**Q: Should I choose Traefik or Nginx?**

A: If you use Docker/Kubernetes and add new services often, Traefik's auto-discovery is the killer feature. If you manage a small number of static sites, Nginx is simpler and more direct. The performance difference between the two is small.

**Q: What is the difference between Traefik v2 and v3?**

A: v3 adds HTTP/3 (QUIC) support, native OpenTelemetry integration, WASM plugins, and SPIFFE identity integration. Migrating from v2 requires adjusting some configuration syntax, but it is smooth overall.

**Q: Is it suitable for high-traffic production environments?**

A: Yes. Traefik handles tens of thousands of requests per second in many production environments. Its performance is in the same order of magnitude as Nginx and HAProxy, and native Prometheus metrics make monitoring easy.

## Sources and Credits

- GitHub: [traefik/traefik](https://github.com/traefik/traefik) — 62.6K+ ⭐ | MIT
- Official site: [traefik.io](https://traefik.io)

---

Source: https://tokrepo.com/en/workflows/e8afc2f9-34a9-11f1-9bc6-00163e2b0d79

Author: Script Depot