A reverse proxy is the front door to a homelab — it puts clean hostnames and automatic HTTPS in front of all your services. Three names dominate the choice in 2026: Caddy, Nginx Proxy Manager (NPM), and Traefik. They’re all free, all open source, and all solve the same problem — but they have genuinely different personalities, and picking well is mostly about matching one to how you like to work. Here’s how they compare, verified against each project’s own repos and docs.

At a glance

| | Caddy | Nginx Proxy Manager | Traefik |
|---|---|---|---|
| License | Apache 2.0 | MIT | MIT (open-core add-ons) |
| Interface | Caddyfile (config-as-code) | Web GUI | Config + Docker labels |
| Auto HTTPS | Most automatic (LE + ZeroSSL) | Per-host, via UI | Cert resolvers (config) |
| Docker auto-discovery | Plugin only | No | Yes (native) |
| Learning curve | Moderate | Lowest | Steepest |
| Written in | Go | nginx + UI (TS/JS) | Go |
| GitHub stars (approx) | ~73k | ~33k | ~64k |
| Best for | Config-as-code, easiest TLS | Beginners, GUI lovers | Docker/K8s dynamic labs |

Star counts are GitHub’s rounded display values as of mid-2026 and drift over time.

Caddy: the simplest automatic HTTPS

Caddy is a Go-based web server and reverse proxy under Apache 2.0, fully open source with no paid tier. Its headline feature is automatic HTTPS: the moment Caddy knows a hostname, it obtains and renews certificates in the background — using Let’s Encrypt and ZeroSSL with automatic failover — redirects HTTP to HTTPS, and even issues self-signed certs from an internal CA for local names. A working HTTPS reverse proxy can be about two lines of Caddyfile.

The trade-offs: there’s no built-in GUI (config is a text file), and Caddy core doesn’t natively auto-discover Docker containers — the third-party caddy-docker-proxy plugin adds that if you want it. One bit of history worth knowing: Caddy briefly sold commercial licenses in 2017–2019, but permanently moved everything to open source under Apache 2.0 in October 2019, so today it’s unambiguously free. It’s the most-starred of the three (~73k) and actively maintained.

Pick Caddy if you like config-as-code, want the least-fuss automatic HTTPS on the market, and don’t need a GUI.

Nginx Proxy Manager: the beginner’s favorite

NPM is a web GUI wrapped around nginx + OpenResty + Certbot, distributed as a Docker image, under the MIT license (verified against its raw LICENSE file — despite some secondhand claims that it’s GPL, it is not). You add proxy hosts in a browser, click to request a Let’s Encrypt cert, and it generates the nginx config for you. It has the lowest learning curve of the three by universal consensus, which is why it’s the standard “start here” recommendation.

Two honest caveats. First, its state lives in a database and generated config rather than portable code, so it isn’t naturally version-controlled — keep your own backups. Second, because NPM bundles its own nginx/OpenResty stack, that stack can lag upstream security fixes; there have been notable CVEs (including a 2025 CORS-misconfiguration issue, CVE-2025-50579) and recurring community questions about patch timeliness. The fix is discipline: keep it updated and never expose the admin UI publicly. Recent releases added TOTP two-factor auth and more DNS challenge plugins.
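To make the "never expose the admin UI" advice concrete, here is a Compose file with the weak port mapping next to the corrected one. It is an added example, not taken from the original article or from the NPM project; it assumes NPM's usual Docker layout (image `jc21/nginx-proxy-manager`, admin UI on container port 81, state under `/data` and `/etc/letsencrypt`).

```yaml
# docker-compose.yml (added example; paths and tag are assumptions)
services:
  npm:
    # "latest" is used here only as a placeholder tag: pull and recreate
    # the container regularly so the bundled nginx/OpenResty gets fixes.
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "80:80"      # public HTTP (HTTP challenge, redirects)
      - "443:443"    # public HTTPS for the proxied hosts

      # Weak: publishes the admin UI on every interface of the host.
      # - "81:81"

      # Corrected: the admin UI listens on loopback only, so it is
      # reachable from the host itself (or over an SSH tunnel / VPN).
      - "127.0.0.1:81:81"
    volumes:
      # NPM's state lives here rather than in portable config,
      # so these two directories are what you back up.
      - ./data:/data                     # database and generated nginx config
      - ./letsencrypt:/etc/letsencrypt   # issued certificates and keys
```

Docker publishes ports through its own iptables rules, so a host firewall such as ufw does not necessarily block a port published as `"81:81"`; the loopback bind does.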

Pick NPM if you want a point-and-click workflow for a handful of services and would rather not touch config files.

Traefik: dynamic discovery for Docker labs

Traefik (MIT) is a modern, dynamic reverse proxy built for containers. Its defining trait: it auto-discovers services and builds routes at runtime by reading provider APIs. Add a few Docker labels to a container and Traefik creates the route instantly, no restart — and it does the same for Kubernetes (including the Gateway API), Consul, Nomad, and more. This is the capability NPM lacks entirely and Caddy needs a plugin for.

The cost is complexity. Traefik splits configuration into static (startup: entrypoints, providers, certificate resolvers) and dynamic (hot-reloaded routers, services, middlewares), and you need to understand that model plus “label discipline.” It’s the steepest learning curve here. On licensing, Traefik runs open-core: the proxy is fully free — including its OWASP Coraza WAF integration added in v3 — while Traefik Labs sells optional Hub/Enterprise API-management tiers you’ll never need at home. Traefik v3 (GA 2024) also brought HTTP/3, WebAssembly middleware plugins, and OpenTelemetry.
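The static/dynamic split and "label discipline" described above look like this in a single Compose file. This is an added example, not from the original article or the Traefik project; the hostname `whoami.example.com`, the e-mail address, the resolver name `le` and the `traefik:v3` tag are assumptions chosen for illustration.

```yaml
# docker-compose.yml (added example; names and hostnames are assumptions)
services:
  traefik:
    image: traefik:v3
    restart: unless-stopped
    command:
      # --- static configuration: read once at startup ---
      - --providers.docker=true
      # Label discipline: nothing is routed unless it opts in.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Send all plain HTTP to HTTPS.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Certificate resolver "le" using the TLS-ALPN-01 challenge.
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The Docker provider reads this socket. Mounting it :ro does not
      # restrict Docker API calls, so treat this container as privileged.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  whoami:
    image: traefik/whoami
    labels:
      # --- dynamic configuration: picked up at runtime, no restart ---
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

volumes:
  letsencrypt:
```

With `exposedbydefault=false`, a container started without `traefik.enable=true` gets no route at all, which keeps a forgotten test container from being published by accident.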

Pick Traefik if your lab is Docker- or Kubernetes-heavy and you want services to register themselves as you deploy them, and you’re comfortable with the configuration model.

Which should you run?

The most useful framing from the 2026 community: people rarely pick the wrong proxy — they pick one whose operating style doesn’t match their skill level. So match it to yourself:

  • Beginner, few services, wants a GUI → Nginx Proxy Manager. Start here.
  • Wants config-as-code and the easiest automatic HTTPS, no GUI → Caddy.
  • Docker/Kubernetes-heavy, wants dynamic auto-registration → Traefik.

A common growth path is to learn on NPM, then migrate to Caddy (for config-as-code) or Traefik (for Docker discovery) as the lab matures. If you’re building out that Docker layer, the Docker Compose starter stack guide pairs naturally, and if you’re also choosing how to manage those containers, see Komodo vs Portainer vs Dockge.

On performance — don’t overthink it

There is no single authoritative benchmark that declares a homelab winner, and you should distrust any that claims to. For typical homelab loads, all three are “fast enough” and the difference is negligible — choose on configuration experience, not throughput. (You’ll see blog figures like ~30/50/80 MB idle RAM for Caddy/NPM/Traefik; treat those as rough, unverified ballparks, since methodology and versions aren’t standardized.) The bottleneck in your lab will be your services, not the proxy in front of them.

Frequently asked questions

Which reverse proxy is easiest for a homelab beginner?
Nginx Proxy Manager (NPM), by near-universal community consensus. It’s a web GUI over nginx — you add a ‘Proxy Host’ in the browser, click to request a Let’s Encrypt certificate, and you’re done, with no config files or YAML. Caddy is the next easiest if you’re comfortable editing a short text file (its Caddyfile is famously concise), and Traefik is the steepest because of its router/middleware/provider model. Most people start on NPM and graduate to Caddy or Traefik as their lab grows.

What's the difference in how each handles automatic HTTPS?
All three automate Let’s Encrypt, but differently. Caddy is the most automatic: HTTPS turns on implicitly whenever it knows a hostname, using Let’s Encrypt and ZeroSSL with automatic failover, plus an internal CA for local names. NPM walks you through requesting and renewing a cert per host in its UI (HTTP or DNS challenge). Traefik uses ‘certificate resolvers’ defined in its static config (HTTP-01, TLS-ALPN-01, or DNS-01), which is more setup up front but fully automatic once configured.

Which reverse proxy auto-discovers Docker containers?
Traefik — this is its defining feature. It reads Docker labels on your containers and creates routes at runtime with no restart, so a service registers itself the moment you deploy it (it does the same with Kubernetes, Consul, Nomad, and more). NPM does NOT auto-discover; you manually point each proxy host at an IP and port. Caddy doesn’t natively either, but the third-party caddy-docker-proxy plugin adds Traefik-style label discovery. If dynamic Docker discovery is your priority, Traefik is the natural choice.

Are Caddy, Nginx Proxy Manager, and Traefik all free and open source?
Yes, all three are free and open source. Caddy is Apache 2.0, NPM is MIT, and Traefik Proxy is MIT. Traefik follows an open-core model: the proxy is fully free (including its OWASP Coraza WAF integration), while Traefik Labs sells optional Traefik Hub and Enterprise add-ons for API management — you never need them for a homelab. Caddy briefly sold commercial licenses around 2017–2019 but moved everything permanently to open source under Apache 2.0 in October 2019.

Is Nginx Proxy Manager secure enough to use?
It’s widely used and fine for most homelabs, but with one caveat to know: because NPM bundles its own nginx/OpenResty and Certbot, the bundled stack can lag upstream security releases, and there have been notable CVEs (for example a 2025 CORS-misconfiguration issue, CVE-2025-50579, and questions about how quickly bundled OpenResty picks up nginx fixes). Keep NPM updated, don’t expose its admin UI to the internet, and follow its releases. Caddy and Traefik, being single self-contained binaries, tend to ship security fixes more directly.

Caddy vs Traefik vs NPM — which is fastest?
There’s no single authoritative benchmark that crowns a winner for homelab use, and you should be skeptical of anyone who claims one. For typical homelab loads (well under thousands of requests per second on one node), all three are effectively ‘fast enough’ and the performance difference is negligible. Choose based on how you want to configure it — GUI (NPM), config-as-code (Caddy), or dynamic auto-discovery (Traefik) — not on raw throughput, which won’t be your bottleneck.