Traefik is a dynamic reverse proxy designed for containers. Unlike classic servers, Traefik can connect to the Docker API to detect when your containers start or stop, creating routing rules automatically and without restarting the proxy.
In the previous article, we learned how to use Nginx as a Reverse Proxy. It was a big step: we managed to host multiple applications on the same server, eliminating port collisions.
But if you have put it into practice, you may have noticed a rather annoying problem: maintenance. Every time you want to add a new service (an API, a dashboard, a blog), you have to open the nginx.conf file, write a new server block manually, save the file, and run a command for Nginx to reload the configuration.
In a modern environment where containers are constantly starting, stopping, and scaling, editing files manually becomes quite cumbersome.
We need something that reacts instantly. That role is filled by Traefik 👇.
The End of Configuration Files
Traefik’s secret lies in its ability for “Auto-discovery”.
Instead of giving Traefik a text file with routes, we are going to give it access to the Docker socket (the internal communication channel of the Docker engine). By doing this, Traefik silently watches.
When you run docker compose up to launch a new application, Traefik notices immediately and inspects that new container. If the container has the right instructions, Traefik opens the door to the internet for it in milliseconds.
The Power of Labels
If there is no configuration file, how does Traefik know which domain a container should respond to? The answer lies in the Labels.
Labels are simple metadata that we can add to any container in our docker-compose.yml. Instead of centralizing the configuration in the proxy, we decentralize it. Each application declares its own routing rules independently.
Let’s see how to set up this architecture:
services:
# 1. Our Dynamic Gatekeeper (Traefik)
traefik:
image: traefik:v3.5
command:
- "--api.insecure=true" # Enables the web dashboard
- "--providers.docker=true" # Tells it to listen to Docker
- "--providers.docker.exposedbydefault=false" # For security, don't expose everything
- "--entrypoints.web.address=:80" # Listens for normal HTTP traffic
ports:
- "80:80" # Web traffic
- "8080:8080" # Traefik dashboard (development only)
volumes:
# Gives it read-only access to the Docker engine
- /var/run/docker.sock:/var/run/docker.sock:ro
# 2. Our Web Application
my_web:
image: nginx:alpine
# We don't expose ports, we use Labels
labels:
- "traefik.enable=true" # Authorizes Traefik to route this container
- "traefik.http.routers.myweb.rule=Host(`web.mydomain.com`)" # The domain rule
- "traefik.http.services.myweb.loadbalancer.server.port=80" # Internal service port
Mounting /var/run/docker.sock into a container gives a lot of visibility into Docker. Although we mount it as read-only, Traefik will be able to inspect containers and labels. Use it with trusted images and don’t expose the dashboard carelessly on the internet.
Analyzing How It Works
If you start the file above with docker compose up -d, the following sequence will occur:
Traefik starts and hooks into the Docker socket (/var/run/docker.sock).
The my_web container starts.
Traefik sees my_web and reads its labels.
Traefik processes the Host(`web.mydomain.com`) label and creates an internal rule: “any request to web.mydomain.com must go to the my_web container”.
Everything in real-time. Zero interruptions.
If, 5 minutes later, you decide to add another service to that same file (for example, an API), you only need to add two label lines to it with the host api.mydomain.com. When it starts, Traefik will route it without the proxy even knowing anything has changed and without taking down your main website.
The Integrated Dashboard
Traefik comes with a built-in visual dashboard. In the example above, we exposed it on port 8080.
If you go to your server’s IP on port 8080, you’ll see a graphical interface that will show you in real-time which containers Traefik has discovered, which domains they are assigned, and the status of the internal network. It’s a very useful tool for debugging when something isn’t routing correctly.
