Reverse Proxy Setup
A reverse proxy sits in front of all your services, routes incoming requests by hostname, and handles TLS termination so individual services do not need to manage certificates.
What this page covers
- Choosing between Traefik and nginx
- Traefik setup: Docker Compose and K3s Helm chart configurations
- nginx setup: Docker Compose and static config for the Docker track
- Routing rules: how requests for
gitea.example.comreach the Gitea container
Choosing a reverse proxy
| Traefik | nginx | |
|---|---|---|
| Auto-discovery | Yes — detects Docker/K8s services automatically | No — requires manual config per service |
| Let's Encrypt | Built-in ACME support | Via certbot or cert-manager |
| K3s integration | Ships as the default K3s ingress controller | Available as an ingress controller |
| Complexity | Medium (labels-based config) | Lower for simple cases |
Traefik is the recommended choice for both tracks. It is the default ingress controller in K3s and integrates naturally with Docker labels.
Traefik on Docker (Docker-only track)
A minimal Traefik Docker Compose configuration with Let's Encrypt will be documented here, including:
- Static config (
traefik.yml) enabling the dashboard and ACME resolver - Dynamic config via Docker label-based routing
- Volume for persisting the ACME certificate store
Traefik on K3s (K3s track)
K3s ships Traefik as its default ingress controller. Configuration via HelmChartConfig CRD will be documented here.