By the time your homelab is running a handful of services, you’re juggling a spreadsheet of IP addresses and port numbers: 10.0.0.20:3000 for Grafana, 10.0.0.21:8080 for something else, none of them on HTTPS. A reverse proxy fixes all of that. This post explains what a reverse proxy is, why Traefik is a great fit for homelabs, and how the pieces fit together. A hands-on Traefik deployment guide is the next post in this series.
The problem a reverse proxy solves
Without a reverse proxy, every service is a different IP:port, each with its own untrusted certificate warning (or no HTTPS at all). You memorise ports, browsers nag, and nothing has a real name.
With a reverse proxy, everything lives behind one HTTPS endpoint and gets routed by name.
Why Traefik for a homelab
There are three common choices — all good, with different strengths:
- Traefik — discovers services automatically. Add a Docker container with a few labels and Traefik starts routing to it instantly, no config reload. Perfect when you add services often.
- Nginx Proxy Manager — a friendly web GUI for people who’d rather click than edit YAML.
- Caddy — the simplest static config file, HTTPS on by default.
Traefik’s edge is that dynamic discovery. Because your Docker apps declare their own routing via labels, the proxy config effectively maintains itself. That pairs naturally with a Docker host, which is why it’s the reverse proxy this series sets up.
You don’t write a route for each app — the app describes itself. A container just adds labels like these and Traefik does the rest:
labels:
- "traefik.enable=true"
- "traefik.http.routers.wiki.rule=Host(`wiki.homelab.lan`)"
- "traefik.http.routers.wiki.tls.certresolver=letsencrypt"
The three pieces you need
To go from “IP and port” to https://service.homelab.lan, three things work together:
Your devices need to know that wiki.homelab.lan points at the proxy. That’s exactly what Pi-hole local DNS records provide — point every service hostname at the Traefik host’s IP.
Traefik receives every request on port 443 and forwards it to the correct backend based on the Host() rule — the routing layer in the diagram above.
Let’s Encrypt issues free, browser-trusted certificates so there are no more security warnings. Traefik requests and renews them automatically via its ACME/Let’s Encrypt integration.
What’s next
Now that you understand the why, the next post in this series puts it into practice: deploying Traefik, wiring up automatic certificates, and routing your first service to a clean HTTPS URL. In the meantime, the official Traefik documentation is the best reference.
Related posts:
- Docker on Proxmox: LXC vs VM, Done Right — the host Traefik discovers services on.
- Pi-hole on Proxmox LXC — the local DNS names Traefik routes.
- Proxmox Firewall: Zone-Based Rules — the layer a reverse proxy complements, not replaces.
- Tailscale Subnet Router — reach your proxied services securely from anywhere.
- Vaultwarden on Proxmox LXC — a great first service to put behind Traefik.