

Traefik is a cloud-native reverse proxy and load balancer from Traefik Labs with a focus on dynamic configuration through service discovery. It reads service definitions from Docker labels, Docker Swarm services, Kubernetes Ingress and Gateway API resources, Consul, and other providers, and routes traffic to backends without manual config edits.
Traefik terminates TLS at the edge (with automatic Let's Encrypt certificate issuance and renewal), routes requests through a middleware chain for rewriting, rate limiting, authentication, and header manipulation, and forwards to backends selected via service discovery. HTTP/2, HTTP/3, WebSocket, and gRPC are all supported natively.
The ForwardAuth middleware delegates authentication decisions to a separate service, commonly an OIDC proxy such as oauth2-proxy or Pomerium, which validates tokens against an identity provider and returns headers indicating the authenticated user. This pattern adds SSO in front of any service routed by Traefik without requiring the service itself to speak OIDC.
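The ForwardAuth contract described above, as an added example (not code from Traefik, oauth2-proxy, or Pomerium): a minimal Go decision endpoint. Traefik forwards the original request when the auth service answers 2xx and otherwise returns the auth service's response to the client. The token table, the `X-Auth-User` header name, and the listen address are assumptions made for illustration; the header reaches the backend only if it is listed in the middleware's `authResponseHeaders`.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// Constructed demo data: a real auth service validates tokens against an identity provider.
var demoTokens = map[string]string{"demo-token-alice": "alice@example.test"}

// Hypothetical header name carrying the authenticated user back to Traefik.
const userHeader = "X-Auth-User"

// decide maps an Authorization header value to a status code and a user.
// Anything that is not a known bearer token is rejected (fail closed).
func decide(authorization string) (int, string) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authorization, prefix) {
		return http.StatusUnauthorized, ""
	}
	token := []byte(strings.TrimPrefix(authorization, prefix))
	for known, user := range demoTokens {
		if subtle.ConstantTimeCompare([]byte(known), token) == 1 {
			return http.StatusOK, user
		}
	}
	return http.StatusUnauthorized, ""
}

// verify answers the sub-request Traefik sends for each incoming request.
func verify(w http.ResponseWriter, r *http.Request) {
	status, user := decide(r.Header.Get("Authorization"))
	if status != http.StatusOK {
		w.Header().Set("WWW-Authenticate", `Bearer realm="demo"`)
		http.Error(w, "unauthorized", status)
		return
	}
	// The identity comes only from the validated token, never from a client-sent header.
	w.Header().Set(userHeader, user)
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/verify", verify)
	log.Fatal(http.ListenAndServe("127.0.0.1:4181", nil))
}
```

Backends behind this pattern should accept the identity header only from Traefik, so the auth service should not be bypassable by reaching the backend directly.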
Observability integrations cover Prometheus metrics, OpenTelemetry traces, and structured access logs. Configuration hot-reloads without dropping active connections.
The Traefik Proxy core is MIT-licensed. Traefik Labs offers a commercial Traefik Enterprise edition adding a native OIDC authentication middleware, WAF, distributed caching, and commercial support. Many Traefik deployments use the open-source core plus oauth2-proxy via ForwardAuth in place of the Enterprise OIDC middleware.
Traefik ships as a single Go binary or Docker container, with no external dependencies for basic reverse proxy use. The Docker and Docker Swarm providers auto-discover services by label; the Kubernetes providers reconcile Ingress, IngressRoute CRDs, and Gateway API resources.