Traefik: Production-Grade Reverse Proxy for Self-Hosted Infrastructure
Learn how to deploy Traefik as a production reverse proxy for Docker-based self-hosted services. Covers automatic TLS, security headers, middleware chains, and Cloudflare Tunnel integration.

REVERSE PROXY
Why Every Self-Hosted Stack Needs a Reverse Proxy
Running multiple services on a single server creates an immediate problem: each service wants to listen on a different port, certificates need to be managed per service, and security headers must be configured in each application individually. Without a reverse proxy, every service is a separate island — independently configured, independently exposed, and independently vulnerable.
A reverse proxy solves all of this from a single point. Every incoming request passes through the proxy, which routes it to the correct service based on hostname or path, enforces TLS termination, and applies security policies globally. Services behind the proxy never need to handle certificates or security headers themselves.
Traefik is purpose-built for containerized environments. Unlike Nginx or Caddy, Traefik discovers your services automatically through Docker labels — no configuration files to update when you add or remove a service. The proxy reconfigures itself in real time as containers start and stop.
Traefik vs Traditional Reverse Proxies
Traditional reverse proxies like Nginx require manual configuration updates every time a service changes. Traefik's Docker provider reads container labels and builds its routing table dynamically. A new service becomes routable the moment its container starts — no proxy restart, no config reload, no manual intervention.
Traefik Request Routing Architecture
Every request enters through a single entrypoint, passes through middleware chains, and is forwarded to the correct service container based on routing rules defined in Docker labels.
From Cloudflare Tunnel to service container — Traefik's complete request pipeline
Label-Based Discovery
Services register themselves with Traefik via Docker labels. No central configuration file — each service defines its own routing rules.
Middleware Chains
Security headers, rate limiting, authentication, and redirects are applied as composable middleware — reusable across multiple services.
Automatic TLS
Traefik manages certificate issuance and renewal via Let's Encrypt. Behind Cloudflare Tunnel, certificates are handled at the edge instead.
Single Entry Point
All traffic enters through one port. Services never expose ports directly — they are only reachable through Traefik's routing layer.
Traefik Deployment Process
From initial deployment to a fully hardened production configuration serving multiple services.
Deploy Traefik as a Docker container with access to the Docker socket. Define entrypoints for HTTP and HTTPS traffic.
Create a shared Docker network. All services that Traefik should route must be connected to this network.
Configure the Docker provider. Traefik watches the Docker socket for containers with routing labels and builds its routing table automatically.
Define middleware. Create reusable security header and redirect middleware that can be applied to any service via labels.
Add services. Each new service needs only four labels: enable Traefik, define the hostname rule, attach the middleware, and set the internal port.
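The five steps above, carried out in one Compose file, as an added example that is not the page's own configuration: Traefik reaches the Docker API through a socket proxy rather than a direct socket mount, routes only on the shared network, and the sample service registers itself with the four labels the last step describes. The image tags, the `proxy` and `socket` network names, the hostname and the `secure-headers@file` middleware name are assumptions.

```yaml
# docker-compose.yml (added example; names, images and hostnames are assumptions)
networks:
  proxy:              # step 2: shared network every routed service joins
    name: proxy
  socket:             # private network between Traefik and the socket proxy
    internal: true    # no host/outbound access on this network

services:
  # Step 1 (hardened): Traefik talks to this proxy, never to /var/run/docker.sock
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest   # assumption: a common socket-proxy image
    environment:
      CONTAINERS: 1   # GET /containers is what the Docker provider needs
      EVENTS: 1       # stream of start/stop events so routes update live
      PING: 1
      VERSION: 1
      POST: 0         # every write operation is refused
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [socket]
    restart: unless-stopped

  traefik:
    image: traefik:v3.1                       # assumption: pin to the version you test against
    command:
      # Step 3: Docker provider pointed at the socket proxy, opt-in routing only
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      # Step 4: reusable middleware is defined in files under ./dynamic
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      # Step 1: entrypoints for HTTP and HTTPS
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      - "80:80"       # behind Cloudflare Tunnel only cloudflared talks to this port
      - "443:443"
    volumes:
      - ./dynamic:/etc/traefik/dynamic:ro
    networks: [proxy, socket]                 # the only container on more than one network
    depends_on: [socket-proxy]
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

  # Step 5: a service needs exactly four labels and no published ports
  whoami:
    image: traefik/whoami
    networks: [proxy]
    labels:
      - traefik.enable=true                                          # 1. enable
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)  # 2. hostname rule
      - traefik.http.routers.whoami.middlewares=secure-headers@file  # 3. middleware
      - traefik.http.services.whoami.loadbalancer.server.port=80     # 4. internal port
    restart: unless-stopped
```

With `exposedbydefault=false`, a container that lacks `traefik.enable=true` is invisible to the proxy even when it sits on the `proxy` network, so a forgotten label fails closed rather than open. The `@file` suffix on the middleware name tells Traefik the definition comes from the file provider, not from another container's labels.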
CONFIGURATION
Production Configuration Patterns
Docker Socket Security
Traefik requires read access to the Docker socket to discover services. The Docker socket grants significant privileges — a compromised Traefik instance with socket access could control other containers. Mitigate this by using a Docker socket proxy: a minimal container that exposes only the read-only endpoints Traefik needs, with write operations blocked entirely.
Middleware Architecture
Define middleware once and reference it by name in service labels. A global security headers middleware applies HSTS, CSP, X-Frame-Options, and other headers to every service that includes it. A separate HTTPS redirect middleware forces HTTP traffic to HTTPS. Services that have special header requirements — like Grafana, which conflicts with strict CSP — get their own middleware variant.
Network Isolation
Traefik bridges two Docker networks: the external network shared with Cloudflare Tunnel, and individual service networks. Services that do not need to communicate with each other are placed on separate networks. Traefik is the only container that spans multiple networks — all other containers are isolated to their own network and reachable only through Traefik's routing layer.
Dashboard Security
Traefik's dashboard exposes routing configuration and should never be publicly accessible. Restrict it to internal access only by binding the dashboard to a separate entrypoint on a non-standard port, accessible only from your local network. Never expose the dashboard through Cloudflare Tunnel without authentication middleware.
Security Hardening for Traefik
A default Traefik installation routes traffic correctly but requires additional hardening before it is production-ready.
- Use a socket proxy container instead of a direct Docker socket mount
- Restrict the socket proxy to read-only endpoints only
- Traefik never needs write access to the Docker API
- Eliminates container escape risk via a compromised proxy

- HSTS with a long max-age and includeSubDomains
- Content-Security-Policy scoped per service type
- X-Frame-Options: SAMEORIGIN
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy blocking unused browser APIs

- Dashboard bound to an internal-only entrypoint
- Non-standard port not exposed through the tunnel
- IP allowlist middleware restricting access to the local network range
- API endpoint disabled in production if not needed

- Behind Cloudflare Tunnel: TLS handled at the edge; internal traffic uses HTTP between tunnel and proxy
- For direct exposure: Let's Encrypt with DNS challenge via the Cloudflare API
- Certificate storage in a persistent Docker volume
- HSTS preload-ready configuration
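A static `traefik.yml` that implements the dashboard and TLS items above for the direct-exposure case, as an added example rather than the page's own file: the dashboard gets its own `internal` entrypoint and the dashboard API stays off the public entrypoints, HTTP is redirected to HTTPS at the entrypoint, and certificates come from Let's Encrypt through the Cloudflare DNS challenge. The entrypoint name `internal`, the resolver name, the e-mail address and the socket-proxy endpoint are assumptions.

```yaml
# traefik.yml (static configuration; added example, not the page's own file)
# Direct-exposure mode. Behind Cloudflare Tunnel instead: remove
# certificatesResolvers and the web -> websecure redirect, and point
# cloudflared at http://traefik:80 so tunnel-to-proxy traffic stays plain HTTP.

entryPoints:
  web:
    address: ":80"
    http:
      redirections:              # global HTTP -> HTTPS redirect, no per-service work
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare # every router on this entrypoint gets a certificate
  internal:                      # dashboard only; publish it in Compose on a LAN address
    address: ":8080"             # such as "192.168.1.10:8080:8080" (assumption), never via the tunnel

api:
  dashboard: true                # reachable only through a router on the "internal" entrypoint
  insecure: false                # insecure mode would serve the dashboard with no router or middleware

providers:
  docker:
    endpoint: "tcp://socket-proxy:2375"  # socket proxy, not the raw Docker socket
    exposedByDefault: false              # opt-in routing via traefik.enable=true
    network: proxy
  file:
    directory: /etc/traefik/dynamic      # middleware and the dashboard router
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: admin@example.com           # assumption: the ACME account contact
      storage: /letsencrypt/acme.json    # persistent volume; keep the file mode 600
      dnsChallenge:
        provider: cloudflare             # reads CF_DNS_API_TOKEN from the environment
        resolvers:                       # query authoritative DNS directly during validation
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  level: INFO
accessLog: {}                            # access log to stdout for the SIEM/collector
```

The Cloudflare API token passed as `CF_DNS_API_TOKEN` needs only DNS edit permission on the zone; scope it to that zone rather than reusing an account-wide key, because the token lives in the Traefik container's environment.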
Common Traefik Middleware Patterns
Reusable middleware configurations that cover the most common self-hosted service requirements.
Global Security Headers
Applied to all public-facing services. Enforces HSTS, CSP, clickjacking protection, and referrer policy in a single reusable middleware definition.
Relaxed Headers for Dashboards
Services like Grafana, monitoring tools, and admin interfaces require relaxed CSP. A separate middleware variant drops the strict CSP while keeping all other headers intact.
HTTPS Redirect
Forces all HTTP traffic to HTTPS at the proxy level. Applied globally so individual services never need to handle redirects themselves.
IP Allowlist
Restricts access to internal-only services by source IP. Applied to admin interfaces, the Traefik dashboard, and any service not intended for public access.
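The four patterns above, plus the dashboard router that the Dashboard Security section calls for, as one dynamic-configuration file loaded by Traefik's file provider. This is an added example and not the page's own file; the middleware names, the CSP and Permissions-Policy values, the allowlisted ranges and the `internal` entrypoint name are assumptions to adjust per deployment.

```yaml
# dynamic/middlewares.yml (added example; names and values are assumptions)
http:
  middlewares:
    # Global security headers for every public-facing service
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true      # behind Cloudflare Tunnel Traefik sees plain HTTP and
                                  # would otherwise omit HSTS; force it on every response
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "strict-origin-when-cross-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=()"
        contentSecurityPolicy: "default-src 'self'; frame-ancestors 'self'; object-src 'none'"

    # Same headers minus CSP, for Grafana-style dashboards that break under a strict policy
    relaxed-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "strict-origin-when-cross-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=()"

    # Per-router HTTP -> HTTPS redirect; prefer entrypoint redirection when Traefik
    # terminates TLS itself, and omit both behind the tunnel (the edge already redirects)
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

    # Source-IP allowlist for admin interfaces. Only meaningful on entrypoints reached
    # directly: behind the tunnel every request arrives from cloudflared's address.
    lan-only:
      ipAllowList:                # Traefik v2 spells this middleware ipWhiteList
        sourceRange:
          - "192.168.1.0/24"      # assumption: local network range
          - "10.0.0.0/8"

    # One name a service label can attach to get redirect + headers together
    public-chain:
      chain:
        middlewares:
          - https-redirect
          - secure-headers

  routers:
    # Dashboard: internal entrypoint only, allowlisted, never published through the tunnel
    dashboard:
      rule: "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
      entryPoints:
        - internal
      service: api@internal       # Traefik's built-in dashboard/API service
      middlewares:
        - lan-only
```

A service attaches the chain with a single label, `traefik.http.routers.<name>.middlewares=public-chain@file`, and a Grafana container swaps in `relaxed-headers@file` without touching the global definition. Verify the result from outside with a header dump (`curl -sI https://whoami.example.com`, hostname assumed) and confirm that `Strict-Transport-Security`, `Content-Security-Policy` and `X-Frame-Options` are present on a public service and that the dashboard path returns 403 from any address outside `sourceRange`.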
Traefik Production Checklist
Verify each item before considering your Traefik deployment production-ready.