Traefik API Gateway setup for web application

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
Traefik API Gateway setup for web application
Medium
~2-3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

API Gateway Setup (Traefik) for Web Application

Traefik is a cloud-native reverse proxy and API Gateway written in Go with automatic service discovery via Docker, Kubernetes, and Consul. Zero-configuration integration with orchestrators — Traefik automatically reads container labels.

Basic Installation via Docker Compose

version: '3.8'
services:
  traefik:
    image: traefik:v3.1
    command:
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - [email protected]
      - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - --log.level=INFO
      - --accesslog=true
      - --metrics.prometheus=true
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"  # Dashboard (restrict in production)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme.json:/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.dashboard.rule=Host(`traefik.company.com`)
      - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
      - traefik.http.routers.dashboard.middlewares=auth
      - traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$hash

  api-users:
    image: company/users-api:latest
    labels:
      - traefik.enable=true
      - traefik.http.routers.users-api.rule=Host(`api.company.com`) && PathPrefix(`/v1/users`)
      - traefik.http.routers.users-api.entrypoints=websecure
      - traefik.http.routers.users-api.tls.certresolver=letsencrypt
      - traefik.http.services.users-api.loadbalancer.server.port=3000

Static Configuration (traefik.yml)

api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
    network: traefik
  file:
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /acme.json
      tlsChallenge: {}

log:
  level: INFO
  format: json

accessLog:
  filePath: /var/log/traefik/access.log
  format: json

metrics:
  prometheus:
    addEntryPointsLabels: true
    addServicesLabels: true
    addRoutersLabels: true

Dynamic Configuration for External Services

# /etc/traefik/dynamic/services.yml
http:
  routers:
    legacy-api:
      rule: "Host(`api.company.com`) && PathPrefix(`/v0`)"
      service: legacy-backend
      middlewares: [strip-prefix-v0, rate-limit, add-headers]
      tls: {}

  services:
    legacy-backend:
      loadBalancer:
        servers:
          - url: "http://192.168.1.10:8080"
          - url: "http://192.168.1.11:8080"
        healthCheck:
          path: /health
          interval: 10s
          timeout: 3s

  middlewares:
    strip-prefix-v0:
      stripPrefix:
        prefixes: ["/v0"]

    rate-limit:
      rateLimit:
        average: 100
        burst: 50
        period: 1s

    add-headers:
      headers:
        customRequestHeaders:
          X-Internal-Source: traefik
        customResponseHeaders:
          X-Frame-Options: DENY
          X-Content-Type-Options: nosniff
        accessControlAllowMethods: [GET, POST, PUT, DELETE, OPTIONS]
        accessControlAllowHeaders: [Authorization, Content-Type]
        accessControlAllowOriginList:
          - https://app.company.com

    circuit-breaker:
      circuitBreaker:
        expression: "LatencyAtQuantileMS(50.0) > 100 || NetworkErrorRatio() > 0.30"

JWT Forward Auth

Traefik doesn't validate JWT itself — it delegates authentication to an external service:

# dynamic/middlewares.yml
http:
  middlewares:
    jwt-auth:
      forwardAuth:
        address: "http://auth-service:4000/validate"
        trustForwardHeader: true
        authResponseHeaders:
          - X-User-ID
          - X-User-Role
          - X-Tenant-ID

The authentication service receives the request with the same headers and returns 200 (allow) or 401 (deny). Response headers are forwarded upstream.

Canary Deployments via Weighted Load Balancer

http:
  services:
    api-weighted:
      weighted:
        services:
          - name: api-v1
            weight: 90
          - name: api-v2
            weight: 10

    api-v1:
      loadBalancer:
        servers:
          - url: "http://api-v1:3000"

    api-v2:
      loadBalancer:
        servers:
          - url: "http://api-v2:3000"

Kubernetes IngressRoute

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: users-api
  namespace: production
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.company.com`) && PathPrefix(`/v1/users`)
      kind: Rule
      services:
        - name: users-service
          port: 3000
          weight: 1
      middlewares:
        - name: rate-limit
        - name: jwt-auth
  tls:
    certResolver: letsencrypt
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
  namespace: production
spec:
  rateLimit:
    average: 200
    burst: 100

Monitoring

Traefik automatically exports Prometheus metrics:

traefik_router_requests_total{code="200",method="GET",router="users-api"}
traefik_service_request_duration_seconds_bucket{service="users-api"}
traefik_entrypoint_requests_total{code="200",entrypoint="websecure"}

Grafana dashboard ID 17347 is the official Traefik v3 dashboard.

Timeline

Setting up Traefik with Docker service auto-discovery, Let's Encrypt, and basic middleware — 1 business day. Full Kubernetes configuration with ForwardAuth and canary deployments — 2–3 days.