How to Install and Configure Traefik Reverse Proxy on RHEL 9

Traefik is a modern, cloud-native reverse proxy and load balancer that discovers routing rules dynamically from configuration files, Docker labels, or Kubernetes annotations — eliminating most of the manual virtual host configuration required by Nginx or Apache. Version 3 introduces improved middleware composition, better gRPC support, and enhanced ACME (Let’s Encrypt) certificate management. On RHEL 9, Traefik runs as a single statically linked binary managed by systemd, with no dependencies to install beyond the binary itself. This tutorial installs Traefik v3, configures static and dynamic routing, enables the dashboard, and sets up automatic TLS certificates via Let’s Encrypt.

Prerequisites

• RHEL 9 server with root or sudo access
• A domain name pointed at the server’s public IP (required for Let’s Encrypt TLS)
• Ports 80, 443, and 8080 open in firewalld
• At least one backend application running locally (e.g., on port 3000 or 8000)
• curl and jq installed for verification

Step 1 — Downloading and Installing the Traefik Binary

Traefik distributes a single statically compiled binary for Linux. Download the latest v3 release from GitHub, verify the checksum, and install it to /usr/local/bin.

# Set the desired version
TRAEFIK_VERSION="v3.3.4"

# Download the binary and checksum
curl -LO "https://github.com/traefik/traefik/releases/download/${TRAEFIK_VERSION}/traefik_${TRAEFIK_VERSION}_linux_amd64.tar.gz"
curl -LO "https://github.com/traefik/traefik/releases/download/${TRAEFIK_VERSION}/traefik_${TRAEFIK_VERSION}_checksums.txt"

# Verify integrity
sha256sum --check --ignore-missing traefik_${TRAEFIK_VERSION}_checksums.txt

# Extract and install
tar -xzf traefik_${TRAEFIK_VERSION}_linux_amd64.tar.gz
sudo install -o root -g root -m 0755 traefik /usr/local/bin/traefik

# Verify
traefik version

Step 2 — Creating the Traefik System User and Directories

Create a dedicated, non-privileged system account for Traefik, along with the directories for configuration and the ACME certificate storage file. Traefik needs write access to the ACME file to store Let’s Encrypt certificates.

sudo useradd --system --no-create-home --shell /sbin/nologin traefik

sudo mkdir -p /etc/traefik
sudo touch /etc/traefik/acme.json
sudo chmod 600 /etc/traefik/acme.json
sudo chown -R traefik:traefik /etc/traefik

# Allow Traefik to bind to privileged ports (80/443) as non-root
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik

Step 3 — Creating the Static Configuration

The static configuration (traefik.yml) defines entry points, the API dashboard, providers, and certificate resolvers. This file is loaded once at startup; changes require a service restart. Replace [email protected] and yourdomain.com with your actual values.

sudo tee /etc/traefik/traefik.yml <<'EOF'
# Static configuration

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

api:
  dashboard: true
  insecure: false

log:
  level: INFO
  filePath: /var/log/traefik/traefik.log

accessLog:
  filePath: /var/log/traefik/access.log

providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
EOF

sudo mkdir -p /var/log/traefik
sudo chown traefik:traefik /var/log/traefik

Step 4 — Creating the Dynamic Routing Configuration

The dynamic configuration (dynamic.yml) defines HTTP routers, services, and middleware. Because it is watched by the file provider, changes take effect immediately without restarting Traefik. This example routes app.yourdomain.com to a backend running on port 3000 and secures the dashboard behind HTTP Basic Auth.

sudo tee /etc/traefik/dynamic.yml <<'EOF'
http:
  routers:
    # Route traffic for your app
    myapp-router:
      rule: "Host(`app.yourdomain.com`)"
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: myapp-service

    # Secure Traefik dashboard
    dashboard-router:
      rule: "Host(`traefik.yourdomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - dashboard-auth
      service: api@internal

  services:
    myapp-service:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"

  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          # Generate with: htpasswd -nb admin yourpassword
          - "admin:$apr1$xyz$hashedpasswordhere"
EOF

Step 5 — Creating the systemd Service

Create a systemd unit file so Traefik starts automatically at boot and is managed like any other service. The AmbientCapabilities setting grants the ability to bind to low-numbered ports without running as root.

sudo tee /etc/systemd/system/traefik.service <<'EOF'
[Unit]
Description=Traefik Reverse Proxy
Documentation=https://doc.traefik.io/traefik/
After=network-online.target
Wants=network-online.target

[Service]
User=traefik
Group=traefik
ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yml
Restart=on-failure
RestartSec=5s
LimitNOFILE=1048576
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now traefik
sudo systemctl status traefik

Step 6 — Opening Firewall Ports and Testing

Open the required ports in firewalld and verify that routing is working. The dashboard is available on port 8080 if you enable api.insecure: true during testing, or via the secure router defined above in production.

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

# Check Traefik logs for certificate issuance
sudo journalctl -u traefik -f

# Test routing to backend (replace with your actual domain)
curl -I https://app.yourdomain.com/

# Query the Traefik API for registered routers
curl -s http://127.0.0.1:8080/api/http/routers | jq '.[] | {name: .name, rule: .rule}'

Conclusion

You have installed Traefik v3 on RHEL 9 as a systemd service, configured entry points with automatic HTTP-to-HTTPS redirection, set up dynamic file-based routing to a backend application, and enabled Let’s Encrypt automatic TLS. Compared to Nginx, Traefik’s file-provider watch mode means adding a new service requires only editing dynamic.yml with no reload required, making it well-suited for environments where routing rules change frequently. Nginx remains preferable for its mature module ecosystem and fine-grained HTTP processing controls.

Next steps: How to Set Up a Highly Available Web Stack with Keepalived on RHEL 9, How to Configure HAProxy for TCP and HTTP Load Balancing on RHEL 9, and How to Secure Traefik with Middleware Rate Limiting and IP Whitelisting on RHEL 9.