Traefik Cloud

Best Self Hosted Alternatives to Traefik Cloud

A curated collection of the 14 best self hosted alternatives to Traefik Cloud.

Managed SaaS for operating Traefik proxy and Kubernetes ingress, providing API gateway/ingress management, routing and load-balancing, TLS/certificate automation, access control, metrics and security controls for cloud-native traffic.

Alternatives List

#1
Caddy

Caddy

Caddy is a fast, extensible Go web server and reverse proxy with automatic HTTPS (ACME), HTTP/1.1, HTTP/2, and HTTP/3 support, and a JSON config API.

Caddy screenshot

Caddy is a modern, extensible web server platform commonly used as an HTTPS server and reverse proxy. It automates TLS certificate provisioning and renewal by default and supports HTTP/1.1, HTTP/2, and HTTP/3.

Key Features

  • Automatic HTTPS with certificate issuance and renewal (ACME)
  • HTTP/1.1, HTTP/2, and HTTP/3 support
  • Reverse proxy with load balancing, health checks, retries, and pluggable transports
  • Native JSON configuration with an admin REST API for dynamic, online config changes
  • Caddyfile configuration format plus config adapters for other formats
  • Built-in support for internal PKI use cases (local CA, internal names and IPs)
  • Modular, plugin-based architecture with statically compiled extensions

Use Cases

  • Securely serve static websites and web applications with minimal TLS setup
  • Act as an edge reverse proxy for microservices with health checks and load balancing
  • Automate certificate management for multi-tenant and customer-domain SaaS deployments

Limitations and Considerations

  • Advanced deployments (dynamic config, clustering, custom modules) may require JSON config/API familiarity
  • Some capabilities depend on selecting/building the appropriate modules for your environment

Caddy is a strong fit when you want a production-grade server that simplifies HTTPS and scales to many sites. Its configuration API and modular architecture make it suitable for both simple single-host setups and automated, large-scale environments.

69.2kstars
4.6kforks
View Details
#2
Traefik Proxy

Traefik Proxy

Traefik Proxy is a dynamic reverse proxy and load balancer that auto-discovers services from Docker, Kubernetes, and other providers, with HTTPS, routing, and observability built in.

Traefik Proxy screenshot

Traefik Proxy is a modern HTTP reverse proxy and load balancer designed for dynamic, cloud-native environments. It discovers services from your orchestrator or service registry and automatically configures routing without requiring manual updates for each change.

Key Features

  • Automatic service discovery and dynamic configuration from providers such as Docker and Kubernetes
  • Layer 7 routing based on hostnames, paths, headers, and other request attributes
  • Built-in HTTPS with automatic certificate provisioning and renewal via ACME
  • Load balancing with multiple strategies plus health checks
  • Support for WebSocket, HTTP/2, and gRPC traffic
  • Observability features including metrics, structured access logs, and a web dashboard
  • Exposes an administrative API for inspecting configuration and runtime state

Use Cases

  • Ingress controller for Kubernetes clusters with dynamic routing to services
  • Reverse proxy for Docker or Docker Compose stacks with automatic route updates
  • Central edge proxy in microservice architectures to standardize TLS and traffic management

Limitations and Considerations

  • Major version upgrades can introduce breaking configuration changes and may require migration steps

Traefik Proxy is well-suited for teams running frequently changing workloads that need reliable routing, TLS automation, and visibility. It fits both small homelab deployments and production platform engineering environments where dynamic service discovery is essential.

61.1kstars
5.8kforks
View Details
#3
Nginx Proxy Manager

Nginx Proxy Manager

Nginx Proxy Manager is a web-based admin panel for managing Nginx reverse proxy hosts, redirects, streams, and Let’s Encrypt SSL certificates via Docker.

Nginx Proxy Manager screenshot

Nginx Proxy Manager is a web application packaged as a Docker image that provides an easy way to configure Nginx as a reverse proxy for your services. It focuses on simplifying SSL termination, host forwarding, and access control without requiring deep Nginx expertise.

Key Features

  • Web-based admin interface for managing proxy hosts and related Nginx configuration
  • Simple setup of forwarding domains, redirects, custom 404 hosts, and TCP/UDP streams
  • Built-in Let’s Encrypt certificate issuance and automatic renewals, plus support for custom certificates
  • Per-host access lists and basic HTTP authentication
  • Advanced Nginx configuration fields for power users
  • Multi-user management with permissions and an audit log

Use Cases

  • Publish home-lab and internal web apps securely behind a single reverse proxy
  • Centralize TLS certificate management and SSL termination for multiple services
  • Add basic authentication and access restrictions in front of existing web applications

Limitations and Considerations

  • Primarily intended to manage Nginx through its own UI; complex, highly customized Nginx setups may not map cleanly to the UI model

Nginx Proxy Manager is well-suited for homelabs and small deployments that want a straightforward, UI-driven approach to reverse proxying and TLS. It balances ease of use with optional advanced controls for users who need deeper Nginx customization.

31.1kstars
3.5kforks
View Details
#4
HAProxy

HAProxy

HAProxy is a fast, reliable reverse proxy and load balancer for TCP and HTTP applications, providing high availability, TLS termination, health checks, and traffic routing.

HAProxy screenshot

HAProxy is a high-performance reverse proxy and load balancer designed to improve availability and scalability of TCP and HTTP-based services. It is widely used as an edge proxy to route traffic, terminate TLS, and enforce traffic policies for web applications and APIs.

Key Features

  • Layer 4 (TCP) and Layer 7 (HTTP) proxying with flexible routing rules
  • Load balancing algorithms and active health checks for backend pools
  • TLS termination and modern HTTPS features (including HTTP/2 support)
  • High availability options, including multi-process support and state synchronization features
  • Rich observability via detailed logs, statistics, and runtime control interfaces
  • Extensibility via Lua scripting and advanced traffic processing mechanisms

Use Cases

  • Reverse proxy in front of web apps and microservices with TLS termination
  • High-availability load balancer for clustered services and databases exposing TCP
  • Traffic shaping, access control, and DDoS resilience at the edge

Limitations and Considerations

  • Configuration is powerful but can be complex for advanced Layer 7 routing policies
  • Some advanced features are version-dependent; production setups typically follow stable branches

HAProxy is a proven choice for performance-critical traffic management, combining efficient proxying with mature load-balancing capabilities. It fits well as a core component in both homelab and enterprise edge architectures where reliability and control are priorities.

6.3kstars
898forks
View Details
#5
Zoraxy

Zoraxy

A general-purpose HTTP reverse proxy and forwarding tool for homelabs, offering web UI, ACME/TLS, stream proxy, plugins and realtime monitoring.

Zoraxy screenshot

Zoraxy is a general-purpose HTTP reverse-proxy and forwarding gateway designed for homelab and self-hosted services. It provides a web UI for configuring proxies, TLS, routing and runtime utilities so users can expose and manage services from a single gateway. (github.com)

Key Features

  • HTTP reverse proxy supporting virtual directories, alias hostnames and custom headers. (github.com)
  • Automatic WebSocket proxying and stream proxy support for TCP/UDP forwarding.
  • TLS/SSL management with ACME (Let's Encrypt) support, auto-renew and SNI/SAN certificate handling; includes DNS challenge integrations. (github.com)
  • Load balancing, basic auth, redirection rules and blacklist/whitelist controls (IP/CIDR/country). (github.com)
  • Real-time analytics and uptime monitoring with instant network/visitor statistics and no-reload access control. (zoraxy.aroz.org)
  • Plugin system and built-in utilities (mDNS scanner, Wake-on-LAN, IP/port scanners, debug forward proxy). (github.com)
  • Web-based SSH terminal for in-browser administration. (github.com)

Use Cases

  • Expose and route multiple self-hosted web apps (home server, NAS, media servers) behind a single, manageable reverse proxy. (github.com)
  • Provide TLS/ACME certificate automation and DNS-challenge workflows for services without manual cert management. (github.com)
  • Monitor service availability and traffic in real time, and run network utilities (scans, WOL) from the gateway UI. (zoraxy.aroz.org)

Limitations and Considerations

  • Some advanced modules are community-maintained or seeking maintainers (notably ACME integration improvements and an extended logging/analysis module), which may affect feature completeness for large-scale deployments. (github.com)

Zoraxy is lightweight and targeted at homelab users and small deployments that need a single gateway for routing, TLS and basic observability. It is distributed with prebuilt binaries and Docker artifacts and can be built from source with Go, making it suitable for ARM/SBC and x86 environments. (zoraxy.aroz.org)

4.8kstars
270forks
View Details
#6
SWAG

SWAG

LinuxServer.io SWAG is a Docker image bundling Nginx reverse proxy, ACME certificate automation (Let’s Encrypt/ZeroSSL), optional PHP, and fail2ban intrusion prevention.

SWAG screenshot

SWAG (Secure Web Application Gateway) is a LinuxServer.io-maintained container image that provides an Nginx web server and reverse proxy with automated TLS certificate issuance and renewal via an embedded ACME client. It is commonly used as a front door for self-hosted applications, handling HTTPS termination and reusable proxy configurations.

Key Features

  • Nginx web server and reverse proxy for routing multiple apps behind one domain
  • Automated certificate issuance and renewal using Certbot (ACME) with Let’s Encrypt or ZeroSSL
  • Supports HTTP and DNS-based validation, including wildcard certificates (via DNS plugins)
  • Includes preset reverse proxy configuration templates for many popular services
  • Optional PHP support for serving dynamic web content
  • Built-in fail2ban for intrusion prevention (with optional firewall rule integration)

Use Cases

  • Expose multiple self-hosted services securely over HTTPS with subdomains
  • Terminate TLS centrally and share generated certificates with other containers
  • Host a small web site or landing page alongside reverse-proxied applications

Limitations and Considerations

  • Certificate issuance depends on correct inbound port forwarding (HTTP validation) or supported DNS provider credentials (DNS validation)
  • Some Certbot DNS plugins may require additional packages/mods if not included in the base image

SWAG is a practical choice when you want a repeatable, containerized Nginx reverse proxy setup with integrated ACME automation and extra security tooling. It fits especially well in Docker-based homelabs that rely on subdomains and standardized proxy templates.

3.6kstars
280forks
View Details
#7
GoDoxy

GoDoxy

High-performance reverse proxy and container orchestrator with Web UI, automatic Docker/Podman route discovery, idle-sleep, access control, and automated Let's Encrypt support.

GoDoxy screenshot

GoDoxy is a high-performance reverse proxy and lightweight container orchestrator designed for self-hosters. It automatically discovers containerized services, creates routes, and exposes a Web UI for configuration, monitoring and logs.

Key Features

  • Automatic route discovery from Docker/Podman containers and container labels
  • Idle-sleep: stop idle containers and wake them on incoming traffic
  • Connection- and request-level access control (IP/CIDR/GeoIP-based rules)
  • Built-in server monitoring and system metrics (uptime, CPU, memory, disk)
  • Access logging and periodic access summary notifications
  • Automated TLS certificate management using DNS-01 (Let's Encrypt)
  • HTTP reverse proxy and TCP/UDP port forwarding with rule-based routing
  • Authentication integrations: OpenID Connect, ForwardAuth, CAPTCHA middleware
  • Web UI with app dashboard, config editor, Docker logs viewer and metrics

Use Cases

  • Host and route multiple self-hosted web apps on a single server with automatic Docker label-based routing
  • Reduce resource use by putting little-used services to sleep and auto-waking them on demand
  • Provide centralized access control, TLS automation and monitoring for home or small lab infrastructures

Limitations and Considerations

  • GoDoxy is designed to run in host network mode; changing network mode is not supported and may break routing
  • GeoIP-based ACL features require a MaxMind account and GeoIP database configuration to function fully
  • Official builds target linux/amd64 and linux/arm64; other OS/architectures are not supported out of the box
  • Some application patterns (e.g., containers exposing multiple unrelated ports) may not be handled automatically and require manual routing configuration

GoDoxy combines reverse-proxy features with lightweight container orchestration and an integrated Web UI to simplify routing, access control and monitoring for self-hosted environments. It is intended for users who want automatic container-aware routing, TLS automation and resource-saving idle-sleep capabilities.

2.7kstars
104forks
View Details
#8
GoDoxy

GoDoxy

High-performance reverse proxy for self-hosted apps with Web UI, Docker/Podman auto-routing, HTTPS via Let's Encrypt, access control, and OIDC/ForwardAuth support.

GoDoxy is a lightweight, performance-focused reverse proxy designed for self-hosters, with automatic routing based on container metadata and a built-in Web UI. It can manage HTTPS certificates, apply access controls, and proxy traffic to services across single or multiple nodes.

Key Features

  • Reverse proxy for HTTP services plus TCP/UDP port forwarding
  • Automatic route discovery from Docker/Podman containers via labels, with hot-reload on changes
  • Web UI with app dashboard, configuration editor, uptime and system metrics, and container log viewing
  • Automatic TLS certificate management with Let's Encrypt (including DNS-01 challenge support)
  • Access control lists (ACL) with request/connection level rules (for example IP/CIDR)
  • SSO options via OpenID Connect and ForwardAuth integration
  • Optional idle-sleep behavior to stop and wake workloads based on traffic (including support for Docker containers and Proxmox LXCs)

Use Cases

  • Publish and secure multiple self-hosted web apps behind a single gateway with automated HTTPS
  • Centralize routing and basic access control for homelab services using container labels
  • Reduce resource usage by auto-sleeping seldom-used services and waking them on demand

Limitations and Considerations

  • Some ACL features rely on MaxMind configuration for geo/timezone-based rules
  • Designed to run in host network mode, which may constrain certain deployment patterns

GoDoxy fits well in homelab and small-server environments where container-driven routing, a convenient UI, and automated TLS are priorities. It combines reverse proxying, basic orchestration-like automation, and authentication integration to simplify operating self-hosted services.

2.7kstars
104forks
View Details
#9
NPMplus

NPMplus

NPMplus is a Nginx Proxy Manager fork that adds HTTP/3 (QUIC), OIDC auth, stronger TLS defaults, and extra security and logging features in a web UI.

NPMplus is a community fork of Nginx Proxy Manager that provides a web-based UI to manage Nginx as a reverse proxy for self-hosted services. It focuses on modern protocol support, stronger security defaults, and additional integrations while keeping a familiar NPM workflow.

Key Features

  • Web UI to manage reverse proxy hosts and TLS certificates
  • HTTP/3 (QUIC) support for HTTPS endpoints
  • ACME profile support and improved handling of alternative ACME servers and options like OCSP and must-staple
  • OIDC authentication support
  • Hardened TLS settings, plus modern compression support (zstd and brotli)
  • Optional integrations for CrowdSec and openappsec
  • Built-in access logging analytics via GoAccess
  • Additional hosting options such as file serving and optional PHP-FPM support

Use Cases

  • Central reverse proxy for multiple homelab or internal services with automated certificates
  • Adding OIDC-based login in front of protected services
  • Running a hardened, modern Nginx proxy with HTTP/3 enabled

Limitations and Considerations

  • Database backends beyond SQLite may work but are not recommended or supported by the project
  • Requires exposing UDP on 443 to use HTTP/3 (QUIC)
  • Supported CPU architectures are limited compared to upstream

NPMplus is a practical choice for users who like Nginx Proxy Manager’s UI but want more modern protocol support and additional security-focused features. It is especially suited for homelabs and small environments that need convenient TLS and proxy management with optional advanced integrations.

1.7kstars
92forks
View Details
#10
CaddyManager

CaddyManager

Manage Caddy 2 servers from a modern web dashboard with Caddyfile editing, authentication, audit logs, API keys, and SQLite or MongoDB storage.

CaddyManager is a web-based management interface for administering Caddy 2 servers from a single dashboard. It helps you organize multiple servers, edit and validate Caddyfiles, and control access for teams.

Key Features

  • Multi-server dashboard to add, remove, and monitor multiple Caddy 2 instances
  • Caddyfile configuration editor with syntax highlighting, templates, and validation workflows
  • Authentication with JWT-based sessions and role-based access control
  • API key management for programmatic access
  • Audit logging to track user and system actions
  • Dual database support: SQLite (default) or MongoDB
  • Integrated API documentation via Swagger UI
  • Runtime and application metrics endpoints suitable for Prometheus scraping

Use Cases

  • Manage several Caddy reverse proxies across environments from one UI
  • Maintain Caddyfile configurations with safer editing and validation
  • Provide controlled access and traceability for teams operating Caddy infrastructure

Limitations and Considerations

  • The project is in early development; configuration and data backups are strongly recommended before using in production

CaddyManager is a practical option for operators who prefer a graphical interface for Caddy administration while retaining API access, auditability, and flexible storage options. It is suited for homelabs and small-to-medium deployments, with MongoDB support for larger setups.

833stars
30forks
View Details
#11
Cert Warden

Cert Warden

Open-source centralized ACME client to manage TLS certificates with automated renewals, API-key retrieval for clients, http-01/dns-01 challenge support, Go backend and React UI.

Cert Warden screenshot

Cert Warden is a centralized ACME client that provides a REST API and web UI to create, manage, and automatically renew TLS certificates. It centralizes ACME account handling and exposes a scoped API-keyed GET interface so consumers can fetch individual keys and certificates without implementing ACME themselves.

Key Features

  • Centralized ACME orchestration: manage ACME accounts, keys, and certificates from a single service.
  • REST API for consumers: authenticated GET endpoint with scoped API keys to retrieve keys/certificates programmatically.
  • Automated renewals: background automation for certificate issuance and renewal using RFC 8555-compliant ACME providers.
  • Challenge support: built-in HTTP server for http-01 and integrated support for many DNS providers for dns-01 challenges.
  • Frontend and backend: React-based web UI with a Go backend providing the API and ACME logic.
  • Deployment options: official Docker images and docker-compose examples plus binary releases for multiple platforms.
  • Robust logging and debugging options: detailed access and debug logs to track who or what is accessing key material.

Use Cases

  • Centralize TLS management across a home lab or small infrastructure to avoid running ACME clients on each endpoint.
  • Provide short-lived scoped certificate access to services or devices that cannot run a full ACME client.
  • Automate certificate renewals for services that require a simple API to fetch X.509 material.

Limitations and Considerations

  • Intended for small/home-lab use; the project is primarily maintained by a single developer and does not include commercial support.
  • Stores private key material in a local database file; compromise of that database compromises the entire PKI and requires strong operational safeguards (backups, access controls, encryption at rest as appropriate).
  • The project bundles a frontend and backend and the documentation notes there is limited support for running them separately.

Cert Warden is a practical option for users who want a single service to manage ACME interactions and make certificates available via an API. It emphasizes automation and simple client retrieval, but users should evaluate the operational security trade-offs before storing sensitive key material in its database.

475stars
16forks
View Details
#12
traefik-kop

traefik-kop

Publishes Docker container label-based service definitions into Redis so a central Traefik instance can discover and route services across multiple Docker hosts.

traefik-kop is a small Go-based discovery agent that reads Docker container labels on a local node and publishes equivalent service definitions to Redis so a single central Traefik instance (configured with a Redis provider) can route to services running on multiple Docker hosts.

Key Features

  • Mirrors Traefik Docker provider logic: reads container labels and translates them into Traefik service/route definitions
  • Publishes service definitions into Redis so a remote Traefik instance can consume them
  • Flexible IP binding: explicit bind-ip, interface-derived IP, container networking overrides, or auto-detection
  • Namespace and label-prefix filtering to target or isolate sets of containers
  • Load balancer merging option to combine endpoints from multiple nodes for the same service
  • Configurable via CLI flags or environment variables; supports redis auth, TTL, and poll interval

Use Cases

  • Expose services from multiple non-swarm Docker hosts through a single public Traefik reverse proxy
  • Centralized ingress routing for heterogenous Docker hosts where Traefik cannot run locally on every node
  • Multi-tenant or environment separation using namespaces or custom label prefixes to control which containers are published

Limitations and Considerations

  • Requires a reachable Redis instance and a Traefik instance configured to use the Redis provider
  • Needs access to the Docker socket on each node; running with this access has security implications
  • If redis-ttl is not used or load balancer merging is enabled, stale/backing IP entries can persist when node IPs change
  • Some deployment modes (host networking, multiple port bindings) require explicit labels or host networking for correct port selection

traefik-kop is a pragmatic solution when you need Traefik-style label-driven routing across multiple Docker hosts without Swarm or Kubernetes. It is lightweight, configurable, and designed to integrate with existing Traefik Docker-provider semantics.

431stars
24forks
View Details
#13
Middleware Manager

Middleware Manager

Microservice with a web UI to create, assign, and manage Traefik middlewares, routers, and custom services; supports Traefik v2/v3 and Pangolin API with SQLite persistence.

Middleware Manager screenshot

The Middleware Manager is a microservice that provides a web-based interface for defining, assigning, and managing Traefik middlewares, router settings, custom services, and plugins. It watches resources from either a Pangolin API or a direct Traefik API and generates Traefik dynamic configuration files to apply overrides and customizations.

Key Features

  • Dual data-source support: integrate with a Pangolin API or connect directly to a Traefik API
  • Middleware management: create, update, delete and attach Traefik middlewares with explicit priorities
  • Service management: define custom Traefik services (LoadBalancer, Weighted, Mirroring, Failover) and assign them to resources
  • Advanced router configuration: configure entrypoints, TLS SANs, TCP SNI rules, custom request headers, and router priorities
  • Plugin hub: discover, install, and manage Traefik plugins from the UI
  • Generates Traefik provider files (file-based dynamic configuration) and ensures correct cross-provider references
  • Template libraries: pre-configured middleware and service templates for common patterns
  • Real-time synchronization with the chosen data source and a responsive web UI (dark mode available)
  • Persistence: stores configuration and state in an SQLite database
  • Broad middleware support: ForwardAuth, BasicAuth, Headers, RateLimit, IP whitelisting, path manipulation, and more

Use Cases

  • Enforce authentication, security headers, and access controls across services behind Traefik
  • Apply rate limiting, IP allowlists, or custom routing rules without editing Traefik provider files manually
  • Manage complex router/service overrides and install plugins centrally in Traefik or Pangolin-based stacks

Limitations and Considerations

  • Persists to SQLite by default, which may not be optimal for very large or highly concurrent deployments
  • Relies on file-based dynamic configuration and network access to the Traefik/Pangolin APIs; proper file mounts and API connectivity are required
  • Plugin management depends on the Traefik plugin ecosystem and compatible Traefik versions

The Middleware Manager simplifies applying consistent middleware and routing policies across Traefik-managed resources, providing a central UI and template-driven workflow for common proxy configuration tasks.

419stars
14forks
View Details
#14
Mantræ

Mantræ

Web UI to manage Traefik routers, middleware, services and DNS entries, with an optional agent for container label syncing and DNS automation.

Mantræ screenshot

Mantræ is a web-based configuration manager that generates Traefik dynamic configuration through a clean UI. It focuses on creating and editing routers, middlewares, and services so Traefik can fetch the resulting dynamic configuration instead of editing YAML/TOML by hand.

Key Features

  • Visual editor for Traefik routers, services, entrypoints, rules, and middleware
  • Middleware management including rate limiting, authentication, headers, and other common middleware types
  • Agent mode to collect container labels from remote hosts and sync resources into a central configuration store
  • DNS automation integrations for providers such as Cloudflare, PowerDNS, Technitium and Pi-hole to manage DNS records for routers
  • Generates Traefik-compatible dynamic configuration files (YAML/TOML) for Traefik to consume
  • Lightweight Go backend with a TypeScript/Svelte frontend designed for easy deployment (Docker images available)

Use Cases

  • Centralize Traefik dynamic configuration across multiple hosts using agents to collect container labels
  • Quickly create and manage routers and middleware without directly editing Traefik YAML/TOML files
  • Automate DNS record creation for services exposed through Traefik using supported DNS providers

Limitations and Considerations

  • Mantræ is not a monitoring dashboard and does not display Traefik runtime status or metrics; it only provides configuration management
  • The project is under active development and may introduce breaking changes; evaluate stability before production deployment
  • DNS provider support and agent features depend on available integrations and may require provider credentials and additional configuration

Mantræ is intended for teams that want a UI-first approach to building Traefik dynamic configuration and automating DNS. It simplifies repetitive configuration tasks while leaving Traefik as the runtime reverse proxy.

404stars
13forks
View Details

Why choose an open source alternative?

  • Data ownership: Keep your data on your own servers
  • No vendor lock-in: Freedom to switch or modify at any time
  • Cost savings: Reduce or eliminate subscription fees
  • Transparency: Audit the code and know exactly what's running