Caddy vs Traefik vs Nginx Proxy Manager: Reverse Proxies in 2026

TL;DR

A reverse proxy handles SSL termination, routing, and load balancing in front of your applications. Caddy is the simplest with automatic HTTPS — you write two lines of config, point a domain at your server, and SSL certs are issued and renewed automatically. Traefik is the Kubernetes-native choice — it discovers services from Docker labels, Kubernetes annotations, and cloud APIs dynamically, making it the best choice for container orchestration environments. Nginx Proxy Manager is the GUI option — a web interface that wraps Nginx, ideal for self-hosters who want visual configuration without touching config files. For simple VPS deployments: Caddy. For Docker Swarm/Kubernetes service discovery: Traefik. For GUI-based management: Nginx Proxy Manager.

Key Takeaways

• Caddy handles HTTPS automatically — Let's Encrypt cert issuance and renewal with zero configuration
• Traefik discovers Docker services from labels — no manual proxy config when containers start/stop
• Nginx Proxy Manager GitHub stars: ~23k — the most popular reverse proxy for home labs and small teams
• Caddy GitHub stars: ~60k — the most starred modern reverse proxy project
• Traefik GitHub stars: ~52k — the dominant choice in container environments
• All three support Docker — the difference is how they handle service discovery
• Caddy's Caddyfile is 3-5x shorter than Nginx config for equivalent functionality

Why You Need a Reverse Proxy

Deploying multiple apps to one server requires a reverse proxy to:

• SSL termination — HTTPS on port 443, decrypted and forwarded to apps on :3000, :8080, etc.
• Virtual hosts — app1.example.com → port 3000, app2.example.com → port 8080
• Load balancing — distribute traffic across multiple instances
• Security headers — add HSTS, X-Frame-Options once, before all services
• Rate limiting — protect backend services from abuse

Caddy: Automatic HTTPS for Everyone

Caddy is written in Go and designed around one principle: HTTPS should be automatic. It handles certificate issuance, renewal, OCSP stapling, and HTTP→HTTPS redirects without any configuration.

Installation

# Docker
docker run -d \
  --name caddy \
  -p 80:80 -p 443:443 \
  -v caddy_data:/data \
  -v ./Caddyfile:/etc/caddy/Caddyfile \
  caddy:latest

# macOS
brew install caddy

# Ubuntu
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install caddy

Caddyfile Examples

# Caddyfile — minimal config for HTTPS reverse proxy

# Proxy to local app — Caddy handles cert automatically
app.yourdomain.com {
  reverse_proxy localhost:3000
}

# Multiple apps
api.yourdomain.com {
  reverse_proxy localhost:8080
}

dashboard.yourdomain.com {
  reverse_proxy localhost:8501
}

# Static files + API
yourdomain.com {
  # Serve Next.js
  reverse_proxy localhost:3000

  # API routes to a different service
  handle /api/* {
    reverse_proxy localhost:4000
  }
}

Docker Compose with Caddy

# docker-compose.yml
version: "3.8"

services:
  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - proxy

  app:
    image: node:22-alpine
    working_dir: /app
    command: node server.js
    expose:
      - "3000"  # Only expose to internal network
    networks:
      - proxy

  api:
    image: node:22-alpine
    working_dir: /api
    command: node index.js
    expose:
      - "8080"
    networks:
      - proxy

volumes:
  caddy_data:
  caddy_config:

networks:
  proxy:
    name: proxy_network

# Caddyfile for Docker Compose services
app.yourdomain.com {
  reverse_proxy app:3000  # Reference by service name
}

api.yourdomain.com {
  reverse_proxy api:8080
}

Advanced Caddyfile Features

# Load balancing
api.yourdomain.com {
  reverse_proxy api-1:8080 api-2:8080 api-3:8080 {
    lb_policy round_robin
    health_uri /health
    health_interval 10s
  }
}

# Rate limiting (Caddy plugin)
app.yourdomain.com {
  rate_limit {
    zone static {
      key    {remote_host}
      events 10
      window 1m
    }
  }
  reverse_proxy localhost:3000
}

# Authentication via forward auth
protected.yourdomain.com {
  forward_auth authservice:4181 {
    uri /auth/verify
    copy_headers Remote-User Remote-Email
  }
  reverse_proxy app:3000
}

# WebSocket support (automatic — no special config needed)
ws.yourdomain.com {
  reverse_proxy localhost:3001  # WebSocket connections work automatically
}

# Custom headers
api.yourdomain.com {
  header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Frame-Options DENY
    X-Content-Type-Options nosniff
    -Server  # Remove Server header
  }
  reverse_proxy localhost:8080
}

Caddy API (Dynamic Config)

# Caddy's JSON API allows runtime configuration changes
# No service restart needed

# Add a new host
curl -X POST https://localhost:2019/config/apps/http/servers/srv0/routes \
  -H "Content-Type: application/json" \
  -d '{
    "match": [{"host": ["newapp.yourdomain.com"]}],
    "handle": [{
      "handler": "reverse_proxy",
      "upstreams": [{"dial": "localhost:4000"}]
    }]
  }'

Traefik: Dynamic Service Discovery

Traefik discovers services automatically from Docker labels, Kubernetes Ingress annotations, and cloud APIs. When a container starts with the right labels, Traefik automatically creates a route — no proxy restart, no manual config.

Docker Compose Setup

# docker-compose.yml with Traefik
version: "3.8"

services:
  traefik:
    image: traefik:v3.0
    command:
      # API dashboard (disable in production)
      - "--api.insecure=true"
      # Docker provider — watch for container events
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Let's Encrypt
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=you@yourdomain.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # HTTP → HTTPS redirect
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"  # Dashboard
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

  app:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.yourdomain.com`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=myresolver"
      - "traefik.http.services.app.loadbalancer.server.port=3000"

  api:
    image: myapi:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.yourdomain.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.services.api.loadbalancer.server.port=8080"
      # Middleware
      - "traefik.http.routers.api.middlewares=api-ratelimit"
      - "traefik.http.middlewares.api-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.api-ratelimit.ratelimit.burst=50"

Kubernetes Ingress

# k8s/ingress.yml — Traefik Kubernetes IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingress
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.yourdomain.com`)
      kind: Rule
      services:
        - name: app-service
          port: 3000
    - match: Host(`api.yourdomain.com`)
      kind: Rule
      services:
        - name: api-service
          port: 8080
  tls:
    certResolver: myresolver

Traefik Middlewares

# Traefik middleware via labels — add security headers, auth, etc.
labels:
  - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
  - "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.security-headers.headers.frameXdenied=true"
  - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
  - "traefik.http.middlewares.basic-auth.basicauth.users=admin:$$apr1$$..."

Nginx Proxy Manager: The Visual Interface

Nginx Proxy Manager (NPM) provides a web dashboard for creating proxy hosts, SSL certificates, and access control — no config files required. Built on top of Nginx under the hood.

Docker Compose Setup

version: "3.8"

services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    ports:
      - "80:80"
      - "443:443"
      - "81:81"  # Admin dashboard
    volumes:
      - ./npm-data:/data
      - ./npm-letsencrypt:/etc/letsencrypt
    environment:
      DISABLE_IPV6: "true"

  db:
    image: jc21/mariadb-aria:latest
    environment:
      MYSQL_ROOT_PASSWORD: "npm-db-password"
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      MYSQL_PASSWORD: "npm"
    volumes:
      - ./npm-db:/var/lib/mysql

# Dashboard access: http://your-server:81
# Default login: admin@example.com / changeme
# Change password on first login!

# In the GUI you can:
# 1. Add Proxy Hosts: domain → internal IP:port
# 2. Request SSL certificates (Let's Encrypt, one click)
# 3. Set up access control lists
# 4. Add custom Nginx config snippets
# 5. View Nginx error/access logs

Custom Nginx Config via NPM

# Custom config snippet added via NPM GUI (Advanced tab)
# Goes into server block, gives access to raw Nginx directives

# WebSocket support
location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_pass http://app_backend:3001;
}

# Cache static assets
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 30d;
    add_header Cache-Control "public, no-transform";
}

Feature Comparison

Feature	Caddy	Traefik	Nginx Proxy Manager
Automatic HTTPS	✅ Native	✅ Via ACME	✅ Let's Encrypt GUI
Config interface	Caddyfile / JSON API	Docker labels / YAML	Web GUI
Docker service discovery	Manual	✅ Automatic	Manual
Kubernetes native	Partial	✅ CRDs + Ingress	❌
Dynamic config (no restart)	✅ JSON API	✅	❌
WebSocket support	✅ Automatic	✅	✅
Load balancing	✅	✅	✅ Basic
Dashboard UI	Plugin	✅ Built-in	✅ Full GUI
Rate limiting	Plugin	✅ Built-in	❌ (raw Nginx)
Auth middleware	Plugin	✅	✅ Basic auth
Config complexity	Low	Medium	Very Low (GUI)
GitHub stars	60k	52k	23k
Language	Go	Go	Node.js (wrapper)
Memory footprint	~30 MB	~50 MB	~200 MB (Nginx + Node)

Ecosystem and Community

Caddy has a vibrant community with an extensive plugin ecosystem. The xcaddy build tool lets you compile a custom Caddy binary with any combination of community plugins — rate limiting, authentication, S3 file serving, PHP support, and dozens more. The Caddy community forums are active and the official documentation is among the best in the reverse proxy space. Caddy's Go-based plugin API makes it straightforward to write custom middleware, and the JSON API is powerful for programmatic configuration management.

Traefik is backed by Traefik Labs (formerly Containous), a company that has built enterprise support, Traefik Hub (a managed networking platform), and commercial offerings around the open-source project. This gives Traefik strong long-term sustainability. The Traefik community on GitHub and the community forum is large, particularly among Kubernetes and Docker Swarm operators. Traefik v3 brought significant performance improvements and better Kubernetes Gateway API support, making it a strong choice for cloud-native environments.

Nginx Proxy Manager sits in the home lab and self-hosting space. Its 23k GitHub stars come primarily from the r/selfhosted and r/homelab communities, where it's recommended as the most beginner-accessible reverse proxy. The project is maintained by a single primary developer (jc21) with community contributions — this means updates can lag behind security patches compared to the commercially-backed options. For production use, the dependency on MariaDB for configuration storage is a concern some administrators flag.

Real-World Adoption

Caddy is used extensively by small to medium engineering teams deploying to VPS infrastructure. Companies running 5-50 services on a single server or a small cluster frequently choose Caddy for its zero-maintenance HTTPS. It is the default reverse proxy recommendation for many self-hosted application deployments including Gitea, Nextcloud, and other self-hosted SaaS alternatives. The Caddy Server is also used as an embedded proxy in development tools and platforms. For securing access to your self-hosted services, see Infisical vs Doppler vs HashiCorp Vault for secrets management.

Traefik dominates in Kubernetes environments and Docker Swarm deployments. It ships as the default ingress controller in K3s (the lightweight Kubernetes distribution from Rancher), which means anyone deploying K3s on a VPS or Raspberry Pi cluster is already running Traefik. Large engineering teams deploying dozens or hundreds of microservices find Traefik's label-based configuration eliminates the need for a central proxy management process — each team configures their own service's routing via Kubernetes annotations.

Nginx Proxy Manager processes millions of proxy hosts across the self-hosted community. Its adoption is concentrated in home labs, small businesses, and by individuals running Plex, Home Assistant, Nextcloud, and other consumer-oriented self-hosted software. The GUI dramatically lowers the barrier to entry — users who would be intimidated by Caddyfile syntax can configure a fully TLS-terminated multi-domain proxy through a web interface in under ten minutes. For the application layer behind your reverse proxy, Middy vs AWS Lambda Powertools vs Serverless HTTP covers serverless handler patterns that pair with these proxy setups.

Developer Experience Deep Dive

Caddy's developer experience is outstanding for teams that keep configuration in version control. The Caddyfile is human-readable and remarkably concise — a complete multi-service HTTPS configuration fits on one screen. The JSON API enables programmatic configuration management from CI/CD pipelines, and the Admin API documentation is comprehensive. One friction point is the plugin system: adding rate limiting or other advanced features requires compiling a custom Caddy binary with xcaddy, which adds a build step that Docker Compose deployments must manage.

Traefik's developer experience shines in container environments because configuration co-locates with services. Adding a new service is a matter of adding labels to a docker-compose.yml file — no separate proxy configuration file to update. The Traefik dashboard provides real-time visibility into routers, services, and middleware configurations. The complexity grows significantly in multi-provider environments or when customizing middleware chains — the label-based syntax can become verbose, and debugging requires understanding Traefik's internal routing model.

Nginx Proxy Manager has the most accessible user experience for operators who prefer GUIs over text configuration. The interface is intuitive and the one-click SSL certificate flow works reliably. The limitation is that NPM exposes only a subset of Nginx's capabilities through the GUI — advanced configurations require adding raw Nginx config snippets in the "Advanced" tab, which somewhat defeats the purpose of using a GUI tool.

Performance and Benchmarks

In raw throughput benchmarks, all three tools perform within a few percent of each other for typical reverse proxy workloads. The Go-based implementations (Caddy and Traefik) handle concurrent connections efficiently with goroutine-based concurrency. Nginx Proxy Manager's performance is limited only by the underlying Nginx, which remains one of the highest-throughput web servers available.

Memory footprint differs significantly at idle: Caddy uses approximately 30 MB, Traefik approximately 50 MB, and Nginx Proxy Manager approximately 200 MB (due to the Node.js management interface running alongside Nginx). For resource-constrained environments like Raspberry Pi clusters or minimal VPS instances, Caddy's memory efficiency is an advantage.

SSL handshake performance is equivalent across all three since they all use Go's TLS stack (Caddy and Traefik natively, NPM via OpenSSL on Nginx). Caddy's OCSP stapling is automatic and on by default, reducing SSL handshake latency for clients that verify certificate status.

Migration Guide

Migrating from Nginx to Caddy: The main translation work is converting server {} blocks to Caddyfile site blocks. A Caddy reverse_proxy directive replaces proxy_pass, and security headers that required multiple add_header directives become a single header block. The biggest win is eliminating certbot — Caddy handles Let's Encrypt automatically, removing cron jobs and renewal scripts.

Migrating from Nginx Proxy Manager to Traefik: Export your proxy host list from NPM and recreate them as Docker labels or Kubernetes annotations. The main configuration shift is from a centralized GUI model to a decentralized label-per-service model. Plan for the migration to happen service by service to minimize risk. DNS changes can be managed with short TTLs during cutover.

Common Traefik pitfalls: The most frequent issue is forgetting --providers.docker.exposedbydefault=false — without this, all Docker containers are automatically exposed, which is a security risk. The second most common issue is incorrect router priority when multiple rules could match the same request. Traefik resolves conflicts by rule specificity, but custom priorities can be set via the priority label when needed.

Final Verdict 2026

For solo developers and small teams deploying to VPS infrastructure, Caddy is the best choice in 2026. The automatic HTTPS eliminates an entire category of operational concerns, the Caddyfile is maintainable, and the memory footprint is minimal. For container-heavy environments with Docker Compose or Kubernetes where services are deployed and removed regularly, Traefik is clearly superior — its automatic service discovery eliminates the proxy configuration toil that Caddy and NPM both require. Nginx Proxy Manager remains the right choice for home lab operators and non-technical administrators who need a visual interface and are not operating at a scale where Traefik's automation becomes necessary.

When to Use Each

Choose Caddy if:

• You're deploying to a VPS and want HTTPS to "just work"
• Your config is straightforward and you want to maintain it as code (Caddyfile in git)
• You want a lightweight proxy without Docker label magic
• You need dynamic config updates without restarts via the JSON API

Choose Traefik if:

• You're using Docker Compose, Docker Swarm, or Kubernetes
• Services come and go dynamically (CI/CD deploys, autoscaling)
• You want the proxy config to live in the app's docker-compose.yml via labels
• Kubernetes Ingress resources are your team's standard

Choose Nginx Proxy Manager if:

• You want zero config file editing — GUI-only management
• You're running a home lab or small self-hosted stack
• Non-technical users need to manage proxy routes
• You want a quick visual dashboard and are comfortable with some limitations

Methodology

Data sourced from GitHub repositories (star counts as of February 2026), official documentation, Docker Hub image pull counts, and community reports from r/selfhosted, r/homelab, and the self-hosted Discord. Memory footprint measured from Docker stats on idle containers. Feature availability verified against official documentation.

Related: Podman vs Docker Desktop vs OrbStack for container runtime tools that work alongside reverse proxies, Tailscale vs NetBird vs Headscale for securing access to your self-hosted infrastructure, and best WebSocket libraries for Node.js 2026 for real-time services that need to be proxied.