REVERSE PROXY · TOOL COMPARISON
Reverse proxies compared: nginx, Caddy, Traefik, HAProxy, Apache, Envoy, nginx Proxy Manager, Cloudflare Tunnel
Eight serious reverse-proxy options compared head to head, with a clear recommendation per use-case, as of May 2026.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is a reverse proxy?
A reverse proxy sits in front of one or more application servers and accepts incoming HTTP requests instead of having the applications themselves face the internet directly. It handles central tasks: SSL termination, routing by domain or path, load balancing, caching, rate limiting, logging, security headers. Without a reverse proxy, every application would have to implement these features itself – at the risk of doing them differently or incompletely.
For SMEs with multiple services (main site, API, admin, perhaps mail server), a reverse proxy is not optional but mandatory. Whoever hosts 5 services on a server without a reverse proxy either has conflicts over port 443 or burdens customers with port-number URLs (`https://api.example.ch:3001/`) – both unprofessional. With a reverse proxy each service runs on an internal port, and the proxy distributes by hostname to the right service.
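To make the routing-by-hostname idea concrete, here is a minimal host-based reverse proxy in Go. It is an added example, not code from this page or from any of the eight tools discussed; it assumes two constructed internal backends on ports 3000 and 3001 and the hypothetical hostnames www.example.ch and api.example.ch. The defensive detail worth noticing is that a request whose Host header matches no configured site is refused with 421 rather than falling through to whichever site happens to be first, and that the baseline security headers are set in one place for every backend:

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// HostRouter is a minimal hostname-based reverse proxy: each public
// hostname maps to exactly one internal backend, anything else is refused.
type HostRouter struct {
	backends map[string]*httputil.ReverseProxy
}

// NewHostRouter builds the routing table from hostname -> backend URL.
func NewHostRouter(routes map[string]string) (*HostRouter, error) {
	r := &HostRouter{backends: make(map[string]*httputil.ReverseProxy)}
	for host, backend := range routes {
		target, err := url.Parse(backend)
		if err != nil {
			return nil, fmt.Errorf("route %q: %w", host, err)
		}
		p := httputil.NewSingleHostReverseProxy(target)
		// Security headers are added centrally so no application has to remember them.
		p.ModifyResponse = func(resp *http.Response) error {
			resp.Header.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
			resp.Header.Set("X-Content-Type-Options", "nosniff")
			return nil
		}
		r.backends[NormalizeHost(host)] = p
	}
	return r, nil
}

// NormalizeHost lowercases a Host header value and drops the port and any
// trailing dot, so "API.example.ch:443" and "api.example.ch" select the same route.
func NormalizeHost(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.TrimSuffix(strings.ToLower(h), ".")
}

// Route reports the normalized routing key for a Host value and whether a backend exists for it.
func (r *HostRouter) Route(host string) (string, bool) {
	key := NormalizeHost(host)
	_, ok := r.backends[key]
	return key, ok
}

// ServeHTTP dispatches on the Host header. Unknown hosts get 421 instead of
// silently landing on the first configured site, which is what a catch-all
// default vhost would do.
func (r *HostRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	key, ok := r.Route(req.Host)
	if !ok {
		log.Printf("refused request for unknown host %q", key)
		http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
		return
	}
	r.backends[key].ServeHTTP(w, req)
}

func main() {
	// Constructed sample routing table: public hostnames -> internal ports.
	router, err := NewHostRouter(map[string]string{
		"www.example.ch": "http://127.0.0.1:3000",
		"api.example.ch": "http://127.0.0.1:3001",
	})
	if err != nil {
		log.Fatal(err)
	}
	// TLS termination would go here (ListenAndServeTLS with a real certificate);
	// plain HTTP on 8080 keeps the example runnable without certificates.
	log.Fatal(http.ListenAndServe(":8080", router))
}
```

With the two backends running, `curl -H 'Host: api.example.ch' http://127.0.0.1:8080/` lands on port 3001, while an unmatched Host header gets a 421. TLS termination is left out so the block runs without certificates; in a real deployment that is the spot where the server would listen on 443 with its Let's Encrypt certificate.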
As of May 2026 eight tools dominate the market. They differ on four axes: auto-SSL (Let's Encrypt integration), config language, container integration, performance. Anyone needing a service mesh for Kubernetes picks differently than someone configuring a home server for three small apps.
Why the choice matters
Three points decide the right reverse proxy: auto-SSL, team config experience, container setup.
Auto-SSL: as of May 2026 HTTPS is mandatory – no browser accepts unencrypted public sites without a warning. Let's Encrypt provides free certificates that must be renewed every 90 days. With nginx and Apache, Certbot must be installed and configured separately. With Caddy, Traefik, and nginx Proxy Manager it happens automatically without an extra step. For SMEs without dedicated DevOps, auto-SSL is a 100-hours-per-year saver.
Config experience: nginx config syntax is widespread in web hosting – almost every experienced sysadmin can read nginx. Caddy uses its own Caddyfile syntax, simpler than nginx, but fewer sysadmins in the market know it. Traefik is configured mainly through YAML or Docker labels – unfamiliar at first, but natural in the container world. HAProxy has its own language, fewer web features than nginx, but tops the TCP load-balancing field.
Container setup: anyone using Docker or k8s benefits from container-aware proxies. Traefik reads Docker labels automatically and reconfigures as soon as a container starts or stops. Caddy v2 has similar auto-discovery via plugins. nginx and HAProxy need either manual reloads or external tools like nginx-proxy or consul-template – works, but more effort.
There is a fourth axis: performance. nginx is still the gold standard in raw per-server throughput as of May 2026. Caddy reaches 80–90% of it, Traefik 70–80%, Envoy similar to nginx depending on workload. For 99% of SME setups performance is not a limiting factor – only above 50,000 req/sec does the choice become performance-critical.
The eight options in detail
nginx (BSD-2-Clause): the industry standard since 2005. C-based, very performant, huge community. Config in its own syntax (`server { listen 443; server_name ...; }`). SSL via Certbot, no built-in auto-SSL. As of May 2026 still the default for server setups with an experienced sysadmin.
Caddy (Apache 2.0): Go-based, active since 2015. Auto-SSL out of the box – a Caddyfile with `example.com { reverse_proxy localhost:3000 }` is enough, Caddy fetches the certificate automatically. Modern default, HTTP/3 native, simple syntax. A bit fewer web features than nginx in edge cases.
Traefik (MIT): container-aware, reads Docker and k8s labels automatically. Config via YAML or labels. As of May 2026 in version 3, with HTTP/3, gRPC, WebSocket support. Popular in Docker Compose and Kubernetes worlds. Steeper learning curve than Caddy but more powerful.
HAProxy (GPL): very performant, focused on load balancing. Its own config language, fewer web features than nginx. Ideal for TCP load balancing, database proxies, backend pools. As of May 2026 in HAProxy 3.0 with better HTTP/3 support. In the web-frontend space today behind nginx and Caddy.
Apache (Apache 2.0): the oldest web server (since 1995); with mod_proxy it also works as a reverse proxy. As of May 2026 well behind nginx in performance but with a huge module catalogue for auth, mod_rewrite, mod_wsgi. Maintained in legacy setups, rarely chosen for new projects.
Envoy (Apache 2.0): built by Lyft, service-mesh default for Istio. Config in YAML, hot reload, observability built in. As of May 2026 the industry standard for microservice mesh. Complex for a single reverse-proxy use-case – overkill when no service mesh stands behind it.
nginx Proxy Manager (MIT): web UI on top of nginx. Click configuration, built-in auto-SSL, stream support. As of May 2026 very popular with SMEs and homelabs without config experience. Productive in a Docker container in 5 minutes.
Cloudflare Tunnel (Proprietary): cloud tunnel service that connects outbound from the server to Cloudflare. No open port on the server required – Cloudflare is the public front. Very secure (no direct attack on the server from the internet is possible, since it accepts no inbound connections), free at small volumes. Vendor binding to Cloudflare, US hosting in the Cloudflare network.
Selection workflow in 6 steps
- 01 Count services: 1 service → no proxy needed, 2+ services → proxy mandatory.
- 02 Check team experience: nginx experience in the team? → nginx. None? → Caddy or nginx Proxy Manager.
- 03 Check container setup: Docker/k8s? → Traefik or Caddy with plugins. Classic Linux VMs? → nginx/Caddy.
- 04 Clarify SSL needs: auto-SSL desired? → Caddy, Traefik, nginx Proxy Manager. Manual acceptable? → nginx, HAProxy.
- 05 Clarify data location: CH/EU mandatory? → rule out Cloudflare Tunnel, or use it only with a TIA (transfer impact assessment); host on Hetzner/Exoscale with Caddy/nginx instead.
- 06 PoC with one site: set up the chosen tool, route one test domain through, verify SSL, check logs. Effort 1–4 hours.
Recommendation by use-case
Standard SME with experienced sysadmin: nginx. Industry-tested, huge community, every Stack Overflow answer fits. Certbot for SSL, done. Mandatory pick when the team already knows nginx.
SME without sysadmin, wants simple config + auto-SSL: Caddy. Three Caddyfile lines per site, SSL automatic. As of May 2026 the right choice for solo devs and small teams. Learning curve under two hours.
Docker or Kubernetes setup: Traefik. Container labels instead of config files, new services land in the proxy automatically. In the Docker Compose world almost a standard. For a k8s cluster with ingress requirements, an equally good choice.
Pure load balancing, high TCP load (DB pools, MQTT brokers): HAProxy. Web features secondary, top in connection pooling and TCP routing. Standard choice in database setups.
Legacy Apache setup, no migration possible: Apache with mod_proxy. Works if the config is already there. Not recommended for new projects.
Microservice mesh setup with Istio or Linkerd: Envoy. Industry standard for service mesh, tightly integrated with Istio. Overkill for a simple reverse proxy without a mesh.
SME/homelab without config experience, wants click config: nginx Proxy Manager. Browser UI, auto-SSL, done. Productive in a Docker container in 5 minutes. Top for 1–10 sites.
Server behind NAT or without public IP, max security: Cloudflare Tunnel. No open port, no firewall config, no SSL worries. Vendor binding to Cloudflare acceptable if you use CF anyway. Free at small volumes, good for internal tools that should not be publicly indexed.
Swiss client with revDSG requirements and web traffic: nginx or Caddy on Hetzner Falkenstein/Exoscale Zurich. Cloudflare Tunnel is delicate due to US hosting of the tunnel endpoints – for professional-secrecy data, document the transfer at least with a TIA.
When a reverse proxy is wrong
If you run only a single service on a server and need no routing by domain of your own, a reverse proxy is overkill. A directly started Express server with built-in TLS on port 443 does the job – the extra proxy complicates the setup without benefit.
Envoy is the wrong choice for a simple 3-site setup. As of May 2026 we regularly see SMEs install Envoy "because k8s is modern", then leave 90% of its features unused and despair at the config complexity. For simple reverse-proxy needs: Caddy, not Envoy.
Apache is the wrong choice for a new project in May 2026. Performance behind nginx, no built-in auto-SSL, config syntax dated. Only sensible if you inherit existing Apache config and migration is too expensive.
HAProxy is the wrong choice when web features matter (URL rewrites, mod_security, complex auth). Top in TCP load balancing, weak in web-server features.
Cloudflare Tunnel is the wrong choice with professional-secrecy data without a clean TIA. The tunnel endpoint sits in the Cloudflare cloud (US company), SSL terminates there, traffic flows through their infrastructure. For a pure law-firm tool used by internal staff that is problematic. For a public marketing website without sensitive data, unproblematic.
If you have a 50,000-req/sec setup and must scale beyond nginx, do not switch proxies – scale horizontally. Load-balancer pool plus multiple application servers. The reverse proxy itself is rarely the bottleneck.
Trade-offs
STRENGTHS
- nginx: industry-tested, huge community, top performance
- Caddy: auto-SSL out of the box, simplest config
- Traefik: container-aware, ideal for Docker/k8s
- HAProxy: top in TCP load balancing, very performant
- Cloudflare Tunnel: no open port required, high security
WEAKNESSES
- nginx: no built-in auto-SSL, Certbot needed separately
- Apache: behind nginx in performance, dated config syntax
- Envoy: overkill without a service mesh behind it
- Cloudflare Tunnel: vendor binding, US hosting of endpoints
- HAProxy: fewer web features than nginx/Caddy
FAQ
Caddy or nginx for a new project in 2026?
If the team already knows nginx: nginx. Otherwise: Caddy. Caddy saves 5–20 hours of setup per server through auto-SSL and simpler syntax. nginx has a larger community and more Stack Overflow answers. As of May 2026 Caddy is the more rational choice for small to medium teams, nginx for large setups with dedicated sysadmins.
Do I need Cloudflare in front of the proxy?
Not necessarily. Cloudflare as CDN/WAF offers DDoS protection and performance benefits but brings vendor lock-in and makes professional-secrecy data more delicate. For marketing websites with public data: yes, Cloudflare pays off. For internal admin tools or professional-secrecy law-firm portals: no, prefer nginx/Caddy directly on Hetzner with rate limiting + Fail2Ban + CrowdSec.
Does my reverse proxy support WebSockets?
All eight in this list do. With nginx it takes two config lines (`proxy_http_version 1.1` and `proxy_set_header Upgrade`). Caddy, Traefik, and Envoy have WebSocket support out of the box. HAProxy handles them in HTTP mode with timeout tuning. WebSockets for long-lived connections (chat, live data) are standard as of May 2026; every serious tool covers them.
How secure is Cloudflare Tunnel?
From an attack-surface perspective very secure – no open port on the server, no direct internet exposure. Weaknesses: Cloudflare as vendor (CLOUD Act, US hosting), dependency on Cloudflare availability, vendor lock-in. For internal tools with non-sensitive data a strong setup. For professional-secrecy data (Art. 321 SCC) without a clean TIA, problematic.