Part 2 · Lesson 05
Routing the Internet to Your Server

Reverse Proxies & SSL

Traefik vs nginx vs Caddy. Automatic Let's Encrypt everywhere.

intermediate · 12 min read · Updated 2026-04-11

What a reverse proxy actually does

A reverse proxy is a single process that listens on ports 80 and 443 and hands requests off to your app containers based on the incoming hostname. It is the one thing that owns TLS, the one thing that terminates HTTPS, and the one thing that lets you run four apps on one VPS without conflicts on port 80. Without a reverse proxy, every app fights for port 443 and loses.

Traefik: Docker-native, labels-driven

Traefik discovers your containers automatically via Docker labels. You add three lines to a service in compose.yml and Traefik routes example.com to it and issues a Let's Encrypt cert without any manual config:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.app.rule=Host(`example.com`)"
  - "traefik.http.routers.app.tls.certresolver=le"

For anyone deploying multiple apps that come and go, Traefik is the right default. Downside: the labels-as-config model is unusual and the docs assume you already know what you want.

Caddy: dead simple, HTTPS by default

Caddy has the shortest possible config. A three-line Caddyfile gets you automatic HTTPS on a custom domain:

example.com {
  reverse_proxy app:3000
}

Caddy requests and renews Let's Encrypt certs automatically — you never touch certbot. For fewer than five apps with stable names, Caddy is the lowest-friction choice on the market.

nginx: the old standard

nginx is battle-tested, blindingly fast, and what every older tutorial assumes. The tradeoff: manual certbot renewals, hand-written config files, and no automatic Docker integration. Pick nginx when you already know nginx, or when you need advanced routing nothing else handles. For a fresh self-hosting setup in 2026, Traefik or Caddy will save you hours every week.

The 80→443 redirect

Every reverse proxy needs to redirect plain HTTP to HTTPS — otherwise old links leak, search engines flag you, and browsers throw mixed-content warnings. Traefik does it with a middleware, Caddy does it by default, nginx needs an explicit return 301 https://$host$request_uri;. Test it with curl -I http://yoursite.com — a 301 in the response is the goal.
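
A scripted version of the curl -I check above, as an added example that is not part of the original lesson. The names check_redirect and sample_* are hypothetical and the sample responses are constructed. It goes slightly beyond the text by also accepting 308 (the other permanent-redirect status) and by requiring the Location header to be https:// on the same host.

```sh
#!/bin/sh
# Added example. check_redirect is a hypothetical helper, not from the lesson.
# Live use: curl -sI http://example.com/ | check_redirect example.com
# Reads response headers on stdin. Exit 0 only if the first response is a
# permanent redirect (301 or 308) whose Location is https:// on the same host.
check_redirect() {
  awk -v host="$1" '
    { sub(/\r$/, "") }                           # header lines end in CRLF
    /^HTTP\// && status == "" { status = $2 }    # first status line only
    tolower($1) == "location:" && loc == "" { loc = tolower($2) }
    END {
      prefix = "https://" tolower(host)
      rest = substr(loc, length(prefix) + 1, 1)  # character right after the host
      if (status == "") {
        print "FAIL: no HTTP status line"; exit 2
      } else if (status != "301" && status != "308") {
        print "FAIL: status " status " is not a permanent redirect"; exit 1
      } else if (index(loc, prefix) != 1 ||
                 (rest != "" && rest != "/" && rest != ":" && rest != "?")) {
        print "FAIL: Location is not https://" host " (" loc ")"; exit 1
      }
      print "OK: " status " -> " loc
    }'
}

# Constructed sample responses (not captured from a real server).
sample_good()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n'; }
sample_plain() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }
sample_temp()  { printf 'HTTP/1.1 302 Found\r\nLocation: https://example.com/\r\n\r\n'; }
sample_other() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com.other.test/\r\n\r\n'; }

# Demo: only sample_good passes; the rest show the failure modes.
for s in sample_good sample_plain sample_temp sample_other; do
  "$s" | check_redirect example.com || true
done
```

A 200 on port 80 means the app is still being served over plain HTTP, and a Location that merely starts with the expected hostname can still point at a different domain, which is why the character after the host is checked.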

Key takeaways

  • A reverse proxy is what lets you run many apps on one VPS
  • Traefik auto-discovers Docker containers via labels
  • Caddy has the shortest possible config and automatic HTTPS
  • Every proxy must redirect port 80 to 443 — test with curl -I
