Caddy, Nginx, Traefik: Picking a Reverse Proxy in 2026

There is a kind of infrastructure question that never really gets settled, just re-litigated every couple of years as the surrounding ecosystem moves. “Which reverse proxy?” is one of those questions.

The shortlist hasn’t changed much: Caddy, Nginx, Traefik. The context around them has changed a lot. The community ingress-nginx project reached end-of-life in March 2026. RKE2 v1.36 flipped to Traefik as the default ingress. Caddy quietly shipped 2.11 with better health-checking and ECH rotation. Nginx is on 1.31 mainline / 1.30.1 stable and treats HTTP/3 as a first-class but still-evolving feature.

Three good tools. Three very different shapes. Let’s go through them.

Caddy

Caddy 2.11 is, to my eye, the most opinionated reverse proxy in mainstream use — and it’s opinionated in mostly the right places. Automatic HTTPS is the default. HTTP/3 over QUIC is on once you have TLS. The Caddyfile is short enough to fit in your head.

Where it wins:

  • Automatic TLS by default. ACME, renewals, OCSP stapling, and now automatic ECH key rotation in 2.11 — all without you writing a line of cert plumbing.
  • HTTP/3 and QUIC out of the box. No experimental flag, no separate build, no patched OpenSSL. Just works.
  • Small surface area. A two-line example.com { reverse_proxy ... } block gets you a production-quality proxy with valid TLS in seconds.
  • Reasonable performance. Benchmarks in 2026 put it around 30k+ req/s on commodity hardware — not Nginx-fast, but more than enough for the vast majority of workloads people actually run.

Where it doesn’t shine:

  • Ecosystem. Nginx has twenty years of Stack Overflow answers and every config snippet under the sun. Caddy has good docs and a small, friendly community — but you will sometimes be the first person Googling your exact problem.
  • Kubernetes story. There is a Caddy ingress controller, but it is not in the same league as Traefik or NIC for cluster use.
  • Raw throughput on huge static workloads. If you are saturating 10GbE serving static files, Nginx in C still wins.

Nginx

Nginx is the default mental model for what a reverse proxy is. There is a reason the community project that retired in March was called “ingress-nginx” — for years, that name was synonymous with “how Kubernetes does HTTP.” The engine itself is still excellent in 2026: low memory, low latency, very high throughput.

Where it wins:

  • Raw performance. Independent 2026 benchmarks show Nginx 1.26+ pushing 140k+ RPS on 10GbE for static content, with the lowest memory footprint of the three. The C codebase still pays dividends.
  • HTTP/3 has matured. QUIC and HTTP/3 have been in mainline since 1.25 and are stable enough for production, and 1.30.1 / 1.31 patched the recent address-spoofing CVE (CVE-2026-40460).
  • Knowledge gravity. Every WAF, every CDN, every load-balancing recipe assumes Nginx unless told otherwise. That has real operational value.
  • Still alive in Kubernetes — just not under the old name. The community ingress-nginx is EOL, but F5’s NGINX Ingress Controller (NIC) is actively maintained, OSS, and a clean migration target.

Where it doesn’t shine:

  • Dynamic configuration. Nginx is a static-config engine at heart. For containers and Kubernetes you end up adding a controller on top of it that handles the dynamism. Doable, but more parts.
  • TLS ergonomics. ACME is bolted on via certbot or similar. Compared to Caddy, the experience is still configuration-heavy.
  • The ingress reshuffle. If you ran community ingress-nginx, you owe yourself a migration plan in 2026, not 2027. InGate, the planned official successor, didn’t make it.
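
A starting point for that migration plan, as an added example (not from the original article): it reads the JSON produced by `kubectl get ingressclass -o json` and `kubectl get ingress -A -o json` and lists every Ingress still bound to community ingress-nginx, including classless ones that fall through to a default class, together with the controller-specific annotations that need manual translation. The sample objects are constructed, and matching the deprecated class annotation against IngressClass names is a simplifying assumption.

```python
import json

COMMUNITY_CONTROLLER = "k8s.io/ingress-nginx"      # spec.controller of community ingress-nginx
COMMUNITY_PREFIX = "nginx.ingress.kubernetes.io/"  # its controller-specific annotations
LEGACY_CLASS = "kubernetes.io/ingress.class"       # deprecated class annotation
DEFAULT_FLAG = "ingressclass.kubernetes.io/is-default-class"


def community_classes(class_list):
    """Return (names, default_name) of IngressClasses owned by ingress-nginx."""
    names, default = set(), None
    for item in class_list.get("items", []):
        if item.get("spec", {}).get("controller") != COMMUNITY_CONTROLLER:
            continue
        meta = item["metadata"]
        names.add(meta["name"])
        if (meta.get("annotations") or {}).get(DEFAULT_FLAG) == "true":
            default = meta["name"]
    return names, default


def audit(ingress_list, class_list):
    """List every Ingress that still depends on community ingress-nginx."""
    names, default = community_classes(class_list)
    findings = []
    for item in ingress_list.get("items", []):
        meta = item["metadata"]
        ann = meta.get("annotations") or {}
        # Explicit class first, then the legacy annotation, then the cluster default.
        cls = item.get("spec", {}).get("ingressClassName") or ann.get(LEGACY_CLASS) or default
        to_translate = sorted(k for k in ann if k.startswith(COMMUNITY_PREFIX))
        if cls in names or to_translate:
            findings.append((f"{meta.get('namespace', 'default')}/{meta['name']}", cls, to_translate))
    return findings


# Constructed sample input; every name below is made up for illustration.
CLASSES = {"items": [
    {"metadata": {"name": "nginx", "annotations": {DEFAULT_FLAG: "true"}},
     "spec": {"controller": COMMUNITY_CONTROLLER}},
    {"metadata": {"name": "traefik"}, "spec": {"controller": "traefik.io/ingress-controller"}},
]}
INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {COMMUNITY_PREFIX + "rewrite-target": "/"}},
     "spec": {"ingressClassName": "nginx"}},
    {"metadata": {"namespace": "shop", "name": "api"}, "spec": {}},  # no class: uses the default
    {"metadata": {"namespace": "ops", "name": "grafana"}, "spec": {"ingressClassName": "traefik"}},
]}

if __name__ == "__main__":
    print(json.dumps(audit(INGRESSES, CLASSES), indent=2))
```

An Ingress that shows up with an empty annotation list only needs its class repointed; one that lists annotations needs each of them mapped to the new controller's equivalent before cutover.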

Traefik

Traefik has always been the Kubernetes-and-Docker-native choice, and 3.7.1 (May 2026) leans further into that role. The dashboard, the provider model, the CRDs — every design choice assumes service discovery is the normal case, not the exception.

Where it wins:

  • Service discovery is free. Point it at Docker, Consul, Kubernetes, or ECS and it builds the routing table itself. No reload, no template engine.
  • Kubernetes-native CRDs. IngressRoute, Middleware, TraefikService — these are real Kubernetes resources with validation, GitOps, and kubectl explain. The 3.7 line added multi-layer routing, service failover in CRDs, and cipher-suite config in ServersTransport.
  • The new RKE2 default. Starting with RKE2 v1.36, Traefik is the default ingress; in v1.37, ingress-nginx is removed entirely. If you run SUSE/Rancher Kubernetes on-prem, this is the path of least resistance.
  • Automatic TLS, like Caddy. Built-in ACME with multiple resolvers and DNS challenges.

Where it doesn’t shine:

  • Performance per core. The community benchmark line in 2026 is consistent: Traefik trails Nginx by ~30%+ on raw throughput and uses more memory, mostly because it keeps provider state and the routing table in process. For 99% of workloads this doesn’t matter — but if you are CPU-bound on a proxy tier, it matters.
  • Configuration sprawl. The flexibility cuts both ways. A team unfamiliar with Traefik can spend a surprising amount of time figuring out which provider, which middleware, and which CRD owns a given behavior.
  • Outside Kubernetes/Docker, it’s just a proxy. Nothing wrong with that, but on a static VM you’re not using its best feature.

When to pick which

A few clean scenarios:

  • You’re on RKE2 v1.36+, K3s, or any Rancher-flavored cluster: use Traefik. It’s the default for a reason, and the migration guide from ingress-nginx is now official.
  • You’re on managed Kubernetes (EKS/GKE/AKS) and want to leave community ingress-nginx behind: evaluate F5 NIC if you want to stay on Nginx, or Traefik / a Gateway API implementation if you want to modernise. Don’t wait — the community project is EOL.
  • You’re running a handful of services on a VM or homelab box and you want TLS to just exist: Caddy. The two-line config and automatic HTTPS are not a gimmick.
  • You’re terminating millions of requests per second on dedicated edge nodes, or you have a deep Nginx-based stack already: Nginx. The C engine still has the best ceiling.
  • You’re standing up something new and unsure: Caddy for VMs, Traefik for clusters. You can always switch later — these are proxies, not databases.

TL;DR

  • Caddy 2.11 — simplest TLS story in the business, HTTP/3 by default, great for VMs and small clusters.
  • Nginx 1.30/1.31 — still the throughput and memory champion; community ingress-nginx is EOL March 2026, but F5 NIC is the supported continuation.
  • Traefik 3.7 — Kubernetes-native, service-discovery-first, default in RKE2 v1.36 and the only ingress option in v1.37.
  • Don’t agonise. All three are good. Match the tool to where you actually run things, not to which one wins synthetic benchmarks.