Traefik wins when the backends are dynamic — Kubernetes, Docker Compose, Consul — and you want routing rules to follow services automatically. Nginx wins when the backend list is stable, raw performance matters, or you need its long-tail of modules (auth, caching, mod-security, Lua).
Both reverse-proxy HTTP. The difference is the model. Traefik watches a service registry and rebuilds its router on the fly. Nginx loads a config file and reloads on change. For a Kubernetes shop, Traefik feels native. For a long-running monolith or a static fleet, Nginx is the easier story. And if you searched Nginx vs Traefik rather than the other way round, same page — the order does not change the answer.
Dynamic discovery. Reads Docker labels, Kubernetes Ingress/IngressRoute, Consul catalog, file providers. Reconfigures the router live without restart.
Static configuration file (nginx.conf, optional includes). Templated by Ansible, Helm, or Consul-template. Reload is fast (graceful, no dropped connections) but explicit.
Built-in ACME (Let's Encrypt, ZeroSSL). HTTP-01, DNS-01, TLS-ALPN-01 challenges. Cluster mode shares certs via Redis or Consul.
Native TLS termination, no built-in ACME. Pair with certbot, cert-manager, or your own pipeline.
Solid. Plenty fast for most workloads. About 10-30% slower than nginx at extreme concurrency in head-to-head reverse-proxy benchmarks.
Reference point. Event-driven worker model, sendfile, sendfile + tls_sendfile, very small per-connection memory. The performance ceiling.
Middleware concept built in: rate limit, IP allowlist, basic auth, retries, circuit breaker, compress. Plugin system (Yaegi-based) for custom Go middleware.
Modules compiled in (or loaded). ModSecurity, mod_substitute, image_filter, http_secure_link, plus the OpenResty / Lua ecosystem for arbitrary logic.
Built-in dashboard, Prometheus metrics, OpenTelemetry tracing, access logs in many formats. Zero extra components.
Access log to file (or syslog). Prometheus exporter exists as a third party. Tracing requires nginx-otel module. Commercial nginx-plus has a dashboard.
HTTP/3 via QUIC since v3.x. WebSockets, gRPC, TCP/UDP routing as first-class. The roadmap is cloud-native.
HTTP/3 since 1.25 (mainline, experimental). WebSockets, gRPC supported. UDP via stream module.
14k+ stars, 7 years old, Traefik Labs sells enterprise. Cloud-native focus, healthy community, active development.
~20+ years. Powers a huge fraction of the internet. Massive Stack Overflow corpus. F5 stewardship sometimes makes the community nervous; the freenginx fork (2024) is one response.
OSS Proxy is free. Traefik Enterprise / Hub for multi-cluster, distributed rate limit, OIDC pipelines.
OSS nginx is free. F5 Nginx Plus adds JWT auth, monitoring dashboard, advanced load balancing — paid per instance.
wrk benchmark, 8 connections, 4 threads, c5.xlarge upstream, target serving fixed 1 KB body. Default tuning on both. Two backends, round-robin. Numbers reproduced from Sysbench + the Traefik vs Nginx public test suite.
On Kubernetes you are not choosing between the raw proxies anymore. You are choosing between ingress controllers, and the names are a trap.
Three products get collapsed into "nginx ingress" in conversation. ingress-nginx is the community controller the Kubernetes project maintained for years, built on open-source nginx and configured through annotations. NGINX Ingress Controller is F5's separate product, also built on nginx (optionally NGINX Plus). And Traefik runs as an ingress controller natively, with its own CRDs. The first two share a name and almost nothing else — different annotations, different config, different maintainers.
The operating model changes inside a cluster. Nobody edits nginx.conf or a Traefik config file by hand; routes come from Ingress resources, Gateway API objects, or Traefik's IngressRoute CRD, and the controller turns them into live proxy config. Certificates usually move to cert-manager, since they need to live in Secrets that survive pod restarts. Traffic splitting is canary annotations on ingress-nginx versus a weighted TraefikService on Traefik. And the raw-performance gap between the two proxies matters less here, because kube-proxy and the CNI add their own overhead either way.
The field has also tilted. The Kubernetes project retired ingress-nginx — the retirement announcement on the Kubernetes blog ends best-effort maintenance, with no further releases or security fixes, and points users at Gateway API as the way forward (the ingress2gateway tool converts existing resources). Traefik implements Gateway API alongside its own CRDs, which makes it a natural landing spot for clusters leaving ingress-nginx. F5's NGINX Ingress Controller continues and makes sense if you are paying for NGINX Plus features anyway. Starting a new cluster on ingress-nginx is the one clearly wrong answer left.
The mechanical part of an nginx to Traefik migration is translating server and location blocks into routers, services, and middlewares. Run both side by side, point one low-stakes hostname at Traefik, and move the rest as confidence builds — there is no cutover day. Let Traefik's ACME take over each certificate as its hostname moves.
What actually stops migrations is the config that does not translate: Lua scripts, proxy_cache, ModSecurity, and the long tail of nginx modules have no Traefik equivalent. Inventory those first. If your nginx.conf is mostly proxy_pass and TLS, the move is a weekend. If it is a small application written in config, stay put.
Kubernetes cluster with dozens of microservices
IngressRoute objects map directly to Traefik's model. Auto-discovery, ACME, dashboard, OTel — all in box.
High-traffic public website serving static content + CDN origin
Nginx's proxy_cache + sendfile + worker model is the canonical answer here. Plenty of operational lore.
Docker Compose dev environment with a handful of services
Add a Traefik service + labels on the others. No nginx.conf templating, no reloads.
Legacy monolith on a small set of stable VMs
Nginx + a templated config is the lowest-surprise option. Operationally familiar.
You need a programmable edge with custom auth, body rewriting, request shaping
OpenResty + Lua is the path. Traefik plugins exist but the depth is not comparable.
You're building a service mesh and need an L7 data plane
Both Istio and Linkerd lean on Envoy for the data plane. Different shape of tool entirely.