Best for dynamic Docker stacks
Best for simple readable config
Best for beginners via UI
👍 What we like
- ✓Traefik offers automatic Docker discovery via labels, ideal for dynamic stacks
- ✓Nginx Proxy Manager provides a beginner-friendly web interface for visual management
- ✓Caddy features minimal configuration with native automatic HTTPS support
- ✓All three tools support wildcard certificates and DNS providers
👎 What to watch
- ✕Traefik has a steep learning curve with complex middleware and routing concepts
- ✕Nginx Proxy Manager lacks automatic Docker discovery, requiring manual UI setup
- ✕Caddy lacks a native web interface for management
- ✕Traefik configuration can be overkill for simple, static service setups
📑 Contents ▾
- 01 Comparison Table
- 02 Traefik: The Cloud-Native Reverse Proxy
- 03 Nginx Proxy Manager: Nginx for Humans
- 04 Caddy: Automatic HTTPS by Default
- 05 Use Cases: Which One for You?
- 06 HTTPS and Certificates: The Common Ground
- 07 Performance: What Really Matters
- 08 Security: Common Rules
- 09 Verdict
- 10 FAQ
- · Can you run two reverse proxies on the same machine?
- · Caddy or Traefik to automatically discover my Docker containers?
- · Can Nginx Proxy Manager manage wildcard certificates?
- · Which one consumes the least resources?
- · Do I need to know Nginx to use Nginx Proxy Manager?
- · Do these tools replace a firewall?
- 17 Related Topics
As soon as you self-host more than one application, the question of a reverse proxy arises. How do you expose nextcloud.mondomaine.fr, vaultwarden.mondomaine.fr, and jellyfin.mondomaine.fr on the same machine, over HTTPS, without opening a port per service or managing certificates by hand? The reverse proxy receives all requests on ports 80 and 443, checks the requested domain name, and routes each request to the correct container. It is the traffic director of your infrastructure.
In 2026, three tools dominate this niche in the self-hosting world, with radically different philosophies: Traefik, the cloud-native reverse proxy designed for Docker and automation; Nginx Proxy Manager (NPM), the web interface that democratizes Nginx; and Caddy, the server that has made automatic HTTPS its central selling point. All three can obtain free Let’s Encrypt certificates and route your traffic—but the way they achieve this makes all the difference.
We deployed them on real homelabs and tested them against tricky edge cases (WebSocket, wildcard certificates, services outside Docker). Here is a sharp comparison to help you choose the traffic director that fits your workflow.
Comparison Table
| Criterion | Traefik | Nginx Proxy Manager | Caddy |
|---|---|---|---|
| Language / Tech | Go | Node.js + Nginx | Go |
| Philosophy | Cloud-native, automatic | UI on Nginx, simplicity | Auto HTTPS, minimal config |
| Automatic HTTPS | Yes (Let’s Encrypt) | Yes (Let’s Encrypt) | Yes (default, native) |
| Docker Discovery | Yes (labels, core feature) | No (manual via UI) | Via plugin (caddy-docker-proxy) |
| Configuration | Labels / YAML/TOML files | Web interface | Caddyfile (very readable) |
| Web Interface | Dashboard (read-only) | Yes (full management) | Not native |
| Wildcard / DNS Certs | Yes (many providers) | Yes (DNS providers) | Yes (DNS modules) |
| RAM Footprint | ~50-100 MB | ~80-150 MB | ~20-40 MB |
| Middlewares / Auth | Rich (auth, rate limit, headers) | Limited (basic auth, ACL) | Modules + directives |
| Learning Curve | Steep | Very low | Low to medium |
| License | MIT | MIT | Apache 2.0 |
| Ideal For | Dynamic Docker stacks | Beginners, visual management | Simple, readable config |
Traefik: The Cloud-Native Reverse Proxy
Traefik was designed from the ground up for the container world. Its founding idea is automatic discovery: it connects to the Docker socket, observes containers starting and stopping, and reconfigures its routing in real-time using the labels you place on each service. You add a few lines of labels to your compose.yml, and Traefik creates the route, requests the HTTPS certificate, and exposes the service—without you touching a central configuration file.
Its strength is this dynamism. In an environment where containers come and go, and new services are deployed weekly, Traefik shines: no manual reloads, no configuration files to edit with every addition. It also features a very rich middleware system: authentication (basic, forward-auth to Authelia or Authentik), rate limiting, header manipulation, redirects, IP whitelisting, all composable and reusable. For those who think in terms of “infrastructure as code,” Traefik is the natural choice.
The downside is a steep learning curve. The distinction between routers, services, middlewares, and entrypoints, the coexistence of static and dynamic configuration, and Docker label syntax all require an initial investment. To expose three services once and for all, Traefik might seem overkill. But as soon as the stack becomes alive, it pays off that learning time with interest.
Tip: Traefik thrives on a well-organized Docker server. If you are building a stack that will grow, choose a VPS with enough RAM and a good network, such as Hetzner Cloud or Scaleway, so you aren’t limited as containers accumulate.
Nginx Proxy Manager: Nginx for Humans
Nginx Proxy Manager starts from a pragmatic observation: Nginx is a formidable reverse proxy, but its text-file configuration deters many beginner self-hosters. NPM wraps Nginx in a clear web interface where you create a “proxy host” by filling out a form: domain name, target service address and port, and a click to activate the Let’s Encrypt certificate. In five minutes, without a single command line, your service is exposed over HTTPS.
This is its huge advantage: accessibility. NPM is likely the fastest way for a beginner to understand and set up a reverse proxy. The interface shows certificate status, manages automatic renewal, offers basic access rules (IP lists, HTTP authentication), redirects, and stream hosts for TCP/UDP. For a family homelab where you expose Jellyfin, Nextcloud, and a few services to a small circle, NPM does the job effortlessly.
Its limits appear when needs become sophisticated. NPM does not perform automatic Docker discovery: each service is added manually, which becomes repetitive on a moving stack. Advanced middlewares (forward-auth, fine-grained rate limiting, complex headers) are not native and require manual configuration injection, which slightly breaks the “all in UI” promise. NPM remains excellent for its target audience: those who want visual simplicity.
Caddy: Automatic HTTPS by Default
Caddy popularized a revolutionary idea for its time: HTTPS must be automatic and enabled by default, without configuration. You write the domain name in your configuration file, and Caddy obtains, installs, and renews the certificate on its own, including OCSP stapling. No checkboxes to tick, no TLS configuration block to write: it is the default behavior. This “secure by default” philosophy has attracted a large community.
Another asset of Caddy is the readability of the Caddyfile. Where an equivalent Nginx configuration spans dozens of lines, a Caddy reverse proxy fits in two or three lines: a domain, a reverse_proxy directive pointing to the container, and that’s it. Caddy is also the lightest of the three (20 to 40 MB of RAM), written in Go, with no external dependencies, distributed as a single binary. It handles DNS modules for wildcard certificates, HTTP/3, and compression.
Its main limitation in a dynamic Docker environment: Caddy alone does not automatically discover containers. There is an excellent community module, caddy-docker-proxy, which adds Traefik-like label logic, but you need to compile it into a custom image. Its native middlewares are also less numerous than Traefik’s for enterprise authentication, although the module ecosystem fills much of the gap. Caddy is the choice for balance: simple, lightweight, secure.
Tip: Since Caddy is ultra-lightweight, it runs perfectly on a micro-VPS. For a modest homelab exposing a few services, a small server from OVHcloud or Vultr is more than enough, and Caddy will barely nibble into your RAM.
Use Cases: Which One for You?
You are a beginner and want to expose your services without touching the terminal. Nginx Proxy Manager. The web interface, guided forms, and one-click HTTPS activation make it the most accessible tool and the best starting point.
You manage a dynamic Docker stack with frequent deployments. Traefik. Automatic discovery via labels eliminates manual configuration with every service addition. The more your infrastructure moves, the more it gains the upper hand.
You want simple, readable configuration and an ultra-lightweight server. Caddy. The minimalist Caddyfile and default automatic HTTPS make it the ideal tool to cleanly expose a reasonable number of services.
You need advanced authentication and composable middlewares. Traefik. Its integration with Authelia/Authentik via forward-auth and its rate-limiting middlewares make it the most powerful for fine-grained security needs.
HTTPS and Certificates: The Common Ground
All three tools can obtain free Let’s Encrypt certificates, and this has become the norm. The real difference lies in two points.
First, the validation mode. The HTTP-01 challenge (the simplest) requires port 80 to be accessible from the Internet. The DNS-01 challenge allows obtaining wildcard certificates (*.mondomaine.fr) and works even without exposing port 80, but requires configuring a supported DNS provider. Traefik and Caddy support a wide range of DNS providers via modules; NPM handles many via its interface. First check if your DNS registrar is supported if you aim for a wildcard.
Second, the automation of renewal. All three renew automatically before expiration. Caddy pushes the “default” furthest (nothing to configure), while Traefik and NPM require initial configuration of the certificate resolver, then handle the rest on their own.
Performance: What Really Matters
For self-hosting use, all three are more than performant enough: they handle the traffic of a homelab or small production service without breaking a sweat. Differences in raw throughput on synthetic benchmarks exist, but your backend application or bandwidth will saturate long before the proxy does.
Where differences are visible is in memory footprint. Caddy is the most frugal (20 to 40 MB), followed by Traefik (50 to 100 MB depending on the number of routes), and then NPM which bundles Nginx plus a Node.js layer and a database (80 to 150 MB). On a 1 GB RAM micro-VPS shared with other services, these tens of megabytes count. Do not choose based on raw performance: choose based on how you configure it.
Security: Common Rules
The reverse proxy is your public entry point: it is what receives all Internet traffic. As such, a few rules apply regardless of the tool.
- Force HTTPS and redirect from HTTP. Verify it is active, and enable HSTS to forbid any plaintext connection.
- Only expose what needs to be exposed. Keep administration interfaces (Traefik dashboard, NPM UI) behind authentication or a VPN.
- Add an authentication layer in front of sensitive services. Coupling the proxy with an SSO like Authelia or Authentik protects your applications even if one of them has a vulnerability—very simple with Traefik’s forward-auth.
- Keep the tool updated. An exposed reverse proxy must receive security patches quickly.
A well-configured proxy protects everything behind it; poorly configured, it becomes the entry point for a compromise.
Verdict
Three excellent tools, three philosophies, none is universally “the best.”
- Traefik is the choice for the Docker self-hoster who wants automation: dynamic discovery, rich middlewares, SSO integration. The most powerful for a living stack.
- Nginx Proxy Manager is the best entry point for beginners and anyone who prefers a visual interface to configuration files. The most accessible, ideal for a family homelab.
- Caddy is our favorite for balance: automatic HTTPS by default, exemplary Caddyfile readability, tiny footprint. The easiest to keep clean.
Our advice: start with Caddy or NPM if you are exposing a few services and want simplicity; switch to Traefik as soon as your Docker stack becomes dynamic and automation becomes a priority.
FAQ
Can you run two reverse proxies on the same machine?
Not on the same ports. Ports 80 and 443 can only be held by a single process. If you want to test a second proxy, do so on other ports or in an isolated environment. In production, choose only one as the single entry point, even if you chain other internal proxies behind it on different ports.
Caddy or Traefik to automatically discover my Docker containers?
Traefik does Docker discovery natively; it is its core business. Caddy can do it via the community module caddy-docker-proxy, but you need to compile a custom Caddy image. If automatic discovery is your absolute priority, Traefik is the most direct choice; if you mostly want simplicity, Caddy with explicit configuration remains very pleasant.
Can Nginx Proxy Manager manage wildcard certificates?
Yes, via a DNS-01 challenge if your DNS provider is supported in its interface. You provide a DNS API key, and NPM obtains a certificate covering all your subdomains. It is slightly less flexible than Traefik or Caddy regarding the list of providers, but it covers the most common registrars.
Which one consumes the least resources?
Caddy, significantly, with 20 to 40 MB of RAM thanks to its single Go binary. Traefik follows around 50 to 100 MB. Nginx Proxy Manager is the heaviest (80 to 150 MB) because it combines Nginx, a Node.js layer, and a database. On a micro-VPS, Caddy is the obvious choice.
Do I need to know Nginx to use Nginx Proxy Manager?
No, that’s the whole point: NPM hides Nginx configuration behind forms. You can expose your services without ever writing a line of configuration. However, for advanced cases (custom headers, complex rules), manual Nginx configuration injection is sometimes necessary, and there, a minimum of knowledge helps.
Do these tools replace a firewall?
No, they are complementary. The reverse proxy handles routing and HTTPS at the application level (layer 7), but does not replace a network firewall that filters ports. The best practice is to open only ports 80 and 443, let the reverse proxy be the only HTTP/HTTPS entry point, and protect administration behind a VPN.
Related Topics
- Automatic HTTPS reverse proxy with Caddy and Docker
- Caddy vs Nginx vs Traefik: The web server showdown
- Authentik vs Authelia vs Keycloak: Which self-hosted SSO
- Portainer vs Dockge vs Komodo: Managing your Docker containers
Choosing a reverse proxy is choosing a way to manage your infrastructure’s entry point: automatic, visual, or minimalist. Whatever your choice, force HTTPS, protect your administration interfaces, and keep the tool updated. To follow new versions of Traefik, Caddy, and NPM, security vulnerabilities, and self-hosting best practices, subscribe to our Telegram watch bot.