Deployment Best Practices

Guidelines for deploying Traefik in production environments with reliability, security, and performance in mind.

Overview

Traefik is designed to be deployed in various environments, from bare metal servers to container orchestrators. This guide covers essential deployment strategies and best practices for production use.

Deployment Strategies

1. Choose Your Deployment Model

Select the deployment model that best fits your infrastructure:
  • Standalone: Single Traefik instance for simple workloads
  • High Availability: Multiple Traefik instances behind a load balancer
  • Edge Router: Traefik as entry point to your infrastructure
  • Service Mesh: Traefik integrated with service mesh solutions
2. Configure Static Configuration

Set up your static configuration using one of the supported methods:
# traefik.yml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
  file:
    directory: "/etc/traefik/dynamic"
3. Enable Monitoring and Observability

Configure metrics, access logs, and health checks for production monitoring.
4. Deploy and Test

Deploy Traefik to your target environment and verify functionality.

Docker Deployment

Docker Compose

Deploy Traefik using Docker Compose for container-based environments:
# docker-compose.yml
version: '3.8'

services:
  traefik:
    image: traefik:v3.2
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$..."
Mount the Docker socket (/var/run/docker.sock) only if using the Docker provider. For production, consider using Docker Swarm mode or Kubernetes instead.
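
The `:ro` flag on the socket mount only protects the socket file itself; any process that can open the socket can still send every Docker API request, including ones that start containers. The Compose file below is an added example, not part of the original guide, that keeps the socket out of the Traefik container by placing a filtering proxy in front of it. The `tecnativa/docker-socket-proxy` image, the `socket-proxy` service name and the `socket` network name are assumptions of this example.

```yaml
# Constructed example: Traefik talks to a filtering proxy over TCP
# instead of mounting /var/run/docker.sock itself.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy  # assumption: third-party image; pin a tag or digest you have reviewed
    restart: unless-stopped
    environment:
      CONTAINERS: 1   # allow read access to /containers/*, which the Docker provider needs
      POST: 0         # reject state-changing (POST) requests
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket        # no published ports; reachable only on this network

  traefik:
    image: traefik:v3.2
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - socket-proxy
    command:
      # Point the Docker provider at the proxy rather than the local socket
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      - "80:80"
      - "443:443"
    networks:
      - socket
      - default

networks:
  socket:
    internal: true    # isolated network: nothing outside the stack can reach the proxy
```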

Docker Swarm

# docker-stack.yml
version: '3.8'

services:
  traefik:
    image: traefik:v3.2
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    deploy:
      mode: replicated
      replicas: 3
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-certificates:/certificates
    command:
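      # Traefik v3 moved Swarm support out of the Docker provider into a dedicated Swarm provider
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --providers.swarm.exposedByDefault=false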
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443

volumes:
  traefik-certificates:

Kubernetes Deployment

Using Helm

# Add Traefik Helm repository
helm repo add traefik https://traefik.github.io/charts
helm repo update

# Install Traefik
helm install traefik traefik/traefik \
  --namespace traefik \
  --create-namespace \
  --values values.yaml

Example Helm Values

# values.yaml
deployment:
  replicas: 3

service:
  type: LoadBalancer

ports:
  web:
    port: 80
    exposedPort: 80
  websecure:
    port: 443
    exposedPort: 443

ingressRoute:
  dashboard:
    enabled: true
    matchRule: Host(`traefik.example.com`)
    entryPoints:
      - websecure

persistence:
  enabled: true
  size: 1Gi

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

Production Best Practices

Security

1. Disable API Exposure

Never expose the API publicly in production. Use authentication and restrict access to internal networks.
api:
  dashboard: true
  # Never use insecure mode in production
  insecure: false
2. Use TLS Everywhere

Configure automatic HTTPS with Let’s Encrypt or provide your own certificates.
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: acme.json
      httpChallenge:
        entryPoint: web
3. Set Resource Limits

Configure appropriate resource limits to prevent resource exhaustion.
# Limit maximum idle connections
serversTransport:
  maxIdleConnsPerHost: 200
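
Step 1 asks for authentication and internal-only access but shows only the `insecure: false` switch. The dynamic configuration below is an added example, not part of the original guide, that does both for the dashboard: it routes `api@internal` over TLS behind a source-IP allow list and basic auth. The file name, the middleware names, the `10.0.0.0/8` range and the `usersFile` path are assumptions of this example.

```yaml
# /etc/traefik/dynamic/dashboard.yml (constructed example, loaded by the file provider)
http:
  routers:
    dashboard:
      rule: "Host(`traefik.example.com`)"
      entryPoints:
        - websecure             # HTTPS only; no router on the plain "web" entry point
      service: api@internal
      middlewares:
        - dashboard-allowlist   # checked first: drop requests from outside the internal range
        - dashboard-auth        # then require credentials
      tls:
        certResolver: letsencrypt

  middlewares:
    dashboard-allowlist:
      ipAllowList:
        sourceRange:
          - "10.0.0.0/8"        # constructed range; replace with your management network
    dashboard-auth:
      basicAuth:
        # htpasswd-format file mounted read-only into the container,
        # so password hashes stay out of labels and version control
        usersFile: /etc/traefik/dashboard.htpasswd
```

When Traefik sits behind another load balancer, the allow list sees the balancer's address as the client address, so check which source IP actually reaches the middleware before relying on it.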

High Availability

For high availability deployments, run at least 3 Traefik instances across different availability zones. Use a load balancer or DNS round-robin to distribute traffic.
Key considerations:
  • Shared State: Use a distributed key-value store (Consul, etcd) for shared configuration
  • Certificate Storage: Store ACME certificates in a shared volume or distributed storage
  • Health Checks: Enable the ping endpoint for load balancer health checks
  • Graceful Shutdown: Configure appropriate termination grace periods
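
The health-check and graceful-shutdown items above, as static configuration. This is an added example, not part of the original guide; the `ping` entry point name, port 8082 and the timeout values are assumptions of this example.

```yaml
# traefik.yml (static configuration), constructed example
entryPoints:
  web:
    address: ":80"
    transport:
      lifeCycle:
        # After SIGTERM, keep accepting requests for 10s while /ping reports
        # "terminating", so the load balancer can take this instance out of rotation.
        requestAcceptGraceTimeout: 10s
        # Then allow up to 30s for in-flight requests to finish.
        graceTimeOut: 30s
  websecure:
    address: ":443"
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 10s
        graceTimeOut: 30s
  ping:
    # Dedicated entry point for health checks; do not publish it to the internet.
    address: ":8082"

ping:
  entryPoint: ping   # load balancer probes GET /ping on port 8082
```

The orchestrator's own stop timeout (`terminationGracePeriodSeconds` in Kubernetes, `stop_grace_period` in Compose) has to be longer than the two timeouts combined, 40s here, or the process is killed before draining completes.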

Performance Tuning

# Optimize connection pooling
serversTransport:
  maxIdleConnsPerHost: 200
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 0s
    idleConnTimeout: 90s

# TCP transport settings  
tcpServersTransport:
  dialTimeout: 30s
  dialKeepAlive: 15s

Monitoring and Logging

Enable comprehensive monitoring:
metrics:
  prometheus:
    buckets:
      - 0.1
      - 0.3
      - 1.0
      - 3.0
      - 10.0
    entryPoint: metrics  # must match an entry point named "metrics" defined under entryPoints

Environment-Specific Configurations

Development

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true

providers:
  docker:
    exposedByDefault: true

Staging

log:
  level: INFO

api:
  dashboard: true

providers:
  docker:
    exposedByDefault: false

certificatesResolvers:
  letsencrypt-staging:
    acme:
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      email: admin@example.com
      storage: acme.json

Production

log:
  level: WARN
  format: json

api:
  dashboard: false

global:
  checkNewVersion: false
  sendAnonymousUsage: false

providers:
  docker:
    exposedByDefault: false

metrics:
  prometheus: {}

accessLog:
  format: json
  
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: acme.json
      tlsChallenge: {}

Troubleshooting

Common Issues

Port Conflicts (error)
Ensure ports 80 and 443 are available and not used by other services.
# List listeners bound to port 80 or 443 (the trailing space keeps :8080 or :4430 from matching)
sudo netstat -tlnp | grep -E ':(80|443) '
Certificate Issues (warning)
Verify ACME storage permissions and Let’s Encrypt rate limits.
# Restrict acme.json to its owner; Traefik refuses to use the file with broader permissions
chmod 600 acme.json
Docker Socket Access (error)
Ensure the Traefik container has access to the Docker socket.
# Verify socket mount
docker inspect traefik | grep docker.sock
