Traefik Reverse Proxy on an Offshore VPS

Nginx is the workhorse of self-hosted reverse proxying, and it does the job well. The configuration is text-based, well-documented, and very flexible. The downside is that every new backend service requires a new server block in the nginx config and a manual certificate setup. For a homelab or self-hosted stack that grows over time, this becomes administrative overhead. Traefik flips the model. You run Traefik once with a base config, and every Docker container with the right labels (or every Kubernetes service with the right annotations) becomes a routable backend automatically. New service comes up, Traefik picks it up within seconds, generates the route, requests a TLS cert from Let's Encrypt, and starts serving traffic. No config edit, no reload. For developers running multiple services on a single VPS - a personal Nextcloud, a self-hosted Bitwarden, a wiki, a media server - Traefik turns a couple hours of nginx setup into a one-time `docker-compose up` plus a few labels per service. The dashboard shows all active routes, certificates, and metrics in real time. The dynamic configuration also means rolling deployments with Docker Compose just work - new container starts, Traefik routes to it, old container stops, traffic is on the new version with zero downtime.

The most common Traefik deployment is as a container in a Docker Compose stack, alongside your application services. Traefik listens on ports 80 and 443 on the host, and every other service on the same Docker network is reachable only through Traefik. This pattern gives you one ingress, automatic TLS for every service, and a single port-mapping surface to manage. The basic setup needs three files. A `docker-compose.yml` for Traefik itself with port mappings (80:80, 443:443, optionally 8080:8080 for the dashboard), a volume for the certificate storage, and labels for the dashboard router. A `traefik.yml` static config with providers (docker), entrypoints (web, websecure), and the ACME resolver for Let's Encrypt. A separate Docker Compose for each application service with Traefik labels declaring the host rule, the entrypoint, and the TLS resolver. This pattern works on any VPS with Docker installed. A 2 GB RAM VPS easily hosts Traefik plus 5 to 10 application services. The CPU and memory cost of Traefik itself is minimal - it is a single Go binary handling reverse proxying. The bottleneck is usually the application services themselves.

Install Docker: `curl -fsSL https://get.docker.com | sh && apt install -y docker-compose-plugin`. Create the Traefik directory: `mkdir -p /opt/traefik && cd /opt/traefik`. Write a `docker-compose.yml`: `services: traefik: image: traefik:v2.11 restart: always ports: ["80:80", "443:443"] volumes: ["/var/run/docker.sock:/var/run/docker.sock:ro", "./traefik.yml:/traefik.yml:ro", "./acme.json:/acme.json"] networks: [traefik] networks: traefik: external: true`. Create the external network: `docker network create traefik`. Write `traefik.yml` with the providers, entrypoints, and ACME setup: `entryPoints: web: address: ":80" http: redirections: entryPoint: to: websecure scheme: https websecure: address: ":443" providers: docker: exposedByDefault: false network: traefik certificatesResolvers: le: acme: email: [email protected] storage: /acme.json httpChallenge: entryPoint: web`. Create the empty acme storage file with restricted perms: `touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json`. Start: `docker compose up -d`. Add a sample service - any container connected to the `traefik` network with labels like `traefik.enable=true`, `traefik.http.routers.myapp.rule=Host(\`app.yourdomain.tld\`)`, `traefik.http.routers.myapp.tls.certresolver=le` will get a route and a Let's Encrypt cert automatically. Hit the URL and Traefik handles the rest.