β Blog Β· May 23, 2026 Β· http, infrastructure
Reverse Proxy in 2026: Nginx vs Caddy vs Traefik
Short answer β Caddy if you have a few services and want automatic Let's Encrypt with no config. Traefik if your services live in Docker, Kubernetes, or any orchestrator with labels. Nginx if you need 1M+ req/s, granular module control, or you already know it. All three terminate TLS, do HTTP/2 and HTTP/3, and reverse-proxy upstream apps.
The 30-second comparison
| Nginx | Caddy | Traefik | |
|---|---|---|---|
| First release | 2004 | 2015 | 2015 |
| Written in | C | Go | Go |
| Config format | Nginx DSL | Caddyfile (or JSON) | YAML / TOML / labels |
| Auto HTTPS | No (use certbot) | Yes (default on) | Yes (with cert resolver block) |
| HTTP/3 | Yes (since 1.25) | Yes (default) | Yes |
| Native Docker/K8s | No (manual config) | Plugins available | Yes β auto-discovery via labels / CRDs |
| Peak throughput (single box) | ~1.2M req/s | ~400k req/s | ~350k req/s |
| Memory at rest | ~5 MB | ~25 MB | ~40 MB |
| Dashboard / UI | 3rd party only | 3rd party | Built-in |
| Learning curve | Steep | Easy | Medium |
Hello world, all three
Reverse-proxying a single Node app on :3000 to example.com with HTTPS.
Nginx β ~12 lines plus a separate certbot run:
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}Caddy β 2 lines, certificates handled automatically:
example.com {
reverse_proxy 127.0.0.1:3000
}Traefik β zero static config when running via Docker labels:
# docker-compose.yml
services:
app:
image: my-app
labels:
- "traefik.http.routers.app.rule=Host(`example.com`)"
- "traefik.http.routers.app.tls.certresolver=letsencrypt"The decision tree
- You run 1β10 services on a VPS or two. Use Caddy. Automatic HTTPS, minimal config, fast enough for almost any workload below 50k req/s.
- You run Docker Compose or Kubernetes. Use Traefik. Discovers services from container labels or K8s Ingress. The dashboard is genuinely useful for debugging routing.
- You need 200k+ req/s sustained, fine-grained caching, or you're a shop that already knows Nginx. Stay with Nginx. Pair with certbot for ACME, and consider Nginx Unit or OpenResty for advanced use cases.
- You're behind Cloudflare or another CDN already. Any of the three. The CDN absorbs the traffic spikes; your origin just needs to terminate mTLS or trust the CDN's source IPs.
Things people get wrong
"Caddy is too slow for production." Caddy at 400k req/s on a single 4-core box is more than enough for 99% of internet services. The Nginx throughput advantage matters at hyperscale, not at startup scale.
"Traefik is just for Kubernetes." Traefik works great with bare Docker, Consul, ECS, Nomad, or even static file config. K8s is one of seven providers it supports.
"Nginx is dead now that F5 owns it." Nginx open source is still actively maintained. The community fork (freenginx) and OpenResty exist as backstops. There's no "Nginx is going proprietary" emergency.
"Just run a service mesh." Istio / Linkerd are not reverse proxies. They handle east-west service-to-service traffic inside a cluster. You still need a north-south ingress at the edge β usually Traefik, Envoy, or NGINX Ingress Controller.
The honest tier list
- Beginner / hobbyist / homelab β Caddy. Don't overthink it.
- SaaS startup, mostly Docker β Traefik. The labels approach scales nicely.
- Mature company with ops team β Nginx. The expertise already exists in-house.
- Edge / CDN-scale β Nginx, OpenResty, or HAProxy. Caddy and Traefik aren't in this league yet.