Traefik's 10-year anniversary
Open Core Model and Enterprise-Only Features
- Strong criticism that important production features (JWT auth, caching, some middleware) are only in Traefik’s paid/closed products, similar to Varnish and NGINX “enterprise” models.
- Some see this as incompatible with “true” open source ideals and object to marketing that leans on OSS while paywalling core functionality.
- Others defend open core as the only viable model for a sustainable, for‑profit infra company, arguing that “heavy” users who need advanced features should pay.
- One user notes they simply switched away from Traefik when they hit those limits; another notes that source access under a commercial license would matter a lot to them.
- A maintainer clarifies: TLS (including ACME and mTLS) is in OSS; features like official cache middleware and Vault integration are enterprise via Traefik Hub, with community plugins as OSS alternatives.
Auth, JWTs, and Security at the Edge
- Complaint that JWT support is often enterprise-only in Traefik/NGINX/Varnish.
- Disagreement on design:
  - One side: validating JWTs at the proxy is “security at the edge” and offloads slow runtimes (Python/Node).
  - Other side: proxy auth is an anti-pattern that can hide missing app-level auth and create double validation or misconfiguration risk; apps should handle OIDC/JWT directly.
Comparisons: Caddy, HAProxy, Envoy, NGINX, Kong
- Many users say they’ve migrated or are planning to migrate to Caddy: simpler config, auto-HTTPS “just works,” good docs, easier debugging, especially for self-hosted/small setups.
- HAProxy is seen as more configurable and battle-tested but harder to learn due to poor, option-heavy docs and lack of examples; Traefik praised for clearer docs (by some) and autoconfig from providers.
- Envoy is frequently called the de facto modern OSS proxy standard, especially in CNCF/Kubernetes and service mesh ecosystems; some see Traefik’s “standard” marketing as overreaching.
- Kong, Envoy-based gateways, and cloud vendor gateways are common alternatives in production.
Documentation, Configuration, and UX
- Very split opinions:
  - Some say Traefik is “easy, intuitive, great docs,” especially when used via Docker/Kubernetes labels and auto-discovery.
  - Others report extremely confusing setup, static vs dynamic config pitfalls, scattered options, and weak examples; mTLS and ACME/HA setups are called out as painful.
- A maintainer acknowledges historic doc issues and describes a recent full rewrite; detailed user feedback suggests docs are still too dense, mix reference/tutorial material, and over-explain non-Traefik tools.
Kubernetes, Ecosystem, and “Standard” Claim
- Traefik is popular in k3s and homelab setups as the default ingress; some immediately disable it in k3s due to distrust of the marketing/style.
- Several commenters argue that with Envoy/Contour, Istio, Linkerd, Emissary, etc., calling Traefik “the standard” is unjustified.
- There’s meta-discussion that bold “we’re the standard” branding is partly SEO/LLM-era positioning, continuing older SEO-style hype tactics.
Real-World Usage Experiences
- Homelab and small deployments: Traefik is often praised for Docker/Kubernetes integration, auto-discovery, dashboard, low footprint, and “set and forget” behavior.
- Production/large setups: mixed. Some report years of flawless use; others hit opinionated limitations, missing features (e.g., unique request IDs in older versions), or ended up forking/migrating to HAProxy/Envoy.
- Repeated theme: Traefik shines if your needs match its model (dynamic, provider-driven routing); if you diverge, it can be frustrating.