Best Traefik Plugins for Home Lab and Production (My Top Picks)

Traefik is one of my favorite reverse proxies and it stands out for a number of reasons, including how easy it is to use it with infrastructure as code and have your certs as part of your general docker configuration. However, one of the other things that is very cool about it is that there is a large number of community plugins that you can use with Traefik to extend its functionality for both home lab and production. Let’s take a look at my picks for plugins that I recommend you use with Traefik.

Why Plugins with Traefik?

You may wonder why you would need or want to use plugins with Traefik if you are already using it as a reverse proxy to do things like SSL termination. Well, maybe you don’t need any plugins with your use case, but also, you may not be aware of very helpful plugins that you could be using.

There are many plugins that help to add advanced security filtering as an example. This is especially useful with self-hosting if you are exposing your home lab services to the Internet. Also, there are plugins that help with external authentication or customizing how requests are rewritten as they come in.

Traefik plugins allow you to just drop in this functionality and power up your Traefik config. Let’s look at my list of the best Traefik plugins categorized by what they do.

Just a word of caution

Plugins by the community can be old or outdated and may not even function correctly. What I like to do is look at the official GitHub site for the Traefik plugin and see how much activity it has and when it was last updated. This is a good indicator of the developer keeping pace with things and that it may be a stable plugin to use.

Best Traefik plugins for security

At the top of my list of reasons to use plugins with Traefik, security is at the top. Here are my top picks.

Fail2Ban

Fail2Ban is probably a service that you are already familiar with to implement brute-force protection. With the Fail2Ban Traefik plugin, you get this functionality right in your reverse proxy layer. I like the idea of my proxy stopping this request rather than it making it all the way to the backend service to detect and have to deal with a failed login or suspicious activity.

Instead, with the plugin, you can auto-ban IPs at the proxy level. In a home lab, it helps keep your self-hosted services from being spammed with login attempts. In production, it’s a good way to cut down on malicious traffic before it ever hits your application servers.

CrowdSec Bouncer

There is another great security plugin for Traefik called CrowdSec Bouncer. It provides crowd-sourced threat detection for your Traefik reverse proxy. It can check incoming requests against CrowdSec’s detection engine. Then it can block known bad actors coming from these IPs.

The good thing about this is that CrowdSec learns from a global network of installations. So, if someone is attacking other servers, your Traefik instance benefits from that intelligence as part of the solution in real-time. This plugin is a good fit if you want a more advanced, community-driven approach to blocking attackers, without needing to manually manage IP blocklists.

Rate Limit

It is also a good idea to rate limit incoming requests, especially for a home lab. DDoS attacks and scraping attempts with all the bots on the Internet can overwhelm small services. The Rate Limit plugin lets you limit how many requests a client can make over a certain period of time.

For a home lab, if one of your self-hosted services get targeted, your Internet connection and other apps can still be responsive. In production, it is a lightweight guardrail against noisy clients or bots.

Best Traefik plugins for authentication

Authentication is another area where there are some very helpful plugins you can download. Traefik has basic ForwardAuth support that is built into the platform. However, plugins help to expand what you can do in terms of modern authentication.

Using ForwardAuth with Authelia or Authentik

There are two very popular self-hosted options for SSO and MFA in Authelia and Authentik. Both are very widely used and popular. Both don’t need a plugin to be used with Traefik as they are both supported directly using Traefik’s built-in ForwardAuth middleware. The ForwardAuth middleware means Traefik can delegate authentication to an external provider.

What this means for you is that instead of every backend app handling logins, Traefik can forward the requests to Authelia or Authentik that can issue a token for login. In the home lab this is super useful. You can put every service behind a single login screen without needing to modify the apps outside of integrating them with the OIDC provider offered by Authentik or Authelia.

Two of the most popular authentication services for self-hosters and enterprises alike are Authelia and Authentik. Both provide single sign-on (SSO), multifactor authentication (MFA), and centralized identity management.

Read documentation on their integration here:

• Traefik | authentik
• Traefik | Integration | Authelia

OAuth2 and OIDC Plugins

There are two types of modern authentication that are mainstream, OAuth2 and OpenID Connect (OIDC). There are many Traefik plugins that allow you to integrate these protocols into your services with authentication providers like Google, GitHub, etc.

Below, on the Traefik plugins site, just doing a search for “oidc”.

These plugins take the heavy lifting of OAuth/OIDC off your apps and put it into Traefik where it’s easier to manage.

Basic Auth with LDAP

For environments where LDAP directories are still in use, there are plugins that enable basic auth tied to your directory. This is helpful for older apps that don’t support LDAP natively, but you still want centralized identity management.

Best Traefik plugins for observability

Observability plugins extend Traefik to help capture more metrics and logs for visbility.

Prometheus Metrics

Traefik has built-in Prometheus support, but plugins extend this with richer metrics. These plugins can expose additional data about request latency, response codes, and even custom labels you define. For Kubernetes or Docker Swarm clusters already running Prometheus and Grafana, this is a no-brainer.

Logging plugins

There are quite a few “logging” type plugins that have to do with logging and having more verbose logging or for certain types of traffic. Note the following on the list:

• Console Logger
• HTTP Logger Plugin
• HTTP Log
• Log4Shell
• Logger
• Logger2
• Login Authorization
• Request Logger

Best Middleware Plugins

Middleware plugins give you control over how requests are modified, redirected, or rewritten before they hit your apps.

Rewrite Body

Some applications return responses that you may need to modify on the fly. An example of this is changing hardcoded URLs or updating headers. The Rewrite Body plugin allows Traefik to search and replace content in HTTP responses. This is probably not something you need every day, it can save you from having to modify legacy apps directly.

Block Regex URLs

A really useful regex plugin is the Block Regex URLs by Blueshift. It allows you to block access to certain URLs and return a specific status code which is handy.

This is handy in both home labs and production, especially when migrating apps or consolidating services behind Traefik.

Other Useful Plugins

Finally, there are a few extra plugins worth calling out that don’t fit neatly into one category but are still extremely useful.

Real IP from Cloudflare Proxy/Tunnel

If Traefik is behind a Cloudflare Proxy/Tunnel, you won’t be able to get the real IP from the external client as well as other information that you may need. This is where this plugin comes in. It overwrites the X-Real-IP and X-Forwarded-For with an IP from the CF-Connecting-IP header.

Geo-Blocking

If you only want to allow traffic from certain countries, or block high-risk regions, the GeoBlock plugin can make this easy in Traefik. This adds another layer of defense, particularly for services you don’t want accessible globally.

IP Whitelist

For internal services, sometimes the simplest solution is to whitelist only certain IP ranges. The IP Whitelist Shaper plugin allows you to define trusted IPs or subnets that can access a service. Everything else is denied. This is perfect for securing your dashboards or services that you only want meant for specific networks.

Wrapping Up

I am very happy running Traefik in the home lab and in production environments I manage. It is one of the most flexible reverse proxies you can run, but as we have seen, the plugins help to take it to the next level.

Specific to home labs, plugins like Fail2Ban, Rate Limit, and Real IP from Cloudflare Proxy/Tunnel, make it easy to run secure self-hosted services. For production admins, plugins like CrowdSec Bouncer, GeoBlock, and IP whitelist provide enterprise-grade security right at the proxy layer. Do you run Traefik along with any plugins in your production or home lab environment? Let me know in the comments which ones you have tried and that you use.