A reverse proxy like Caddy or Nginx is like a bouncer for your web services. It sits out front, deciding who gets in and where they’re allowed to go. It’s great for stuff you want to expose to the internet – like a website or web app – because it hides your actual servers, can handle HTTPS for you, and lets you set up some basic access rules.

A VPN is more like a secret underground tunnel between you and your server. Everything that goes through it is locked down to only members of the VPN. This is what you want when you’re dealing with private stuff you don’t want exposed to the open internet, like your home lab dashboard or some internal tools. The beauty of a VPN is that it works for everything–not just web traffic. SSH, file transfers, databases. All of it gets the same protection.

I use both. Caddy on a VPS that reaches into my Tailscale network and proxies services hosted on a computer in my basement.

I’ll admit I’ve not tried Traefik yet, but I see Caddy as being to web servers (and reverse proxies), what WireGuard is to VPNs.

It does what it needs to well, with a minimal config file. And if I learn and get comfortable with Caddy, then I know it can do anything I will ever need of a web server down the line with no need for me to ever change setup.

I switched to Traefik as it has auto-configuring for containers for effortless deployment to any of your environments (dev, test, staging, production, etc.) either manually or straight from CI/CD.

The way it works is that you put any configuration in your compose file which is then picked-up by Traefik when its deployed - it reads the config, re-configures itself accordingly, and you’re done! So all your reverse-proxy config, cert config, etc. is all with the project so aren’t going to get out-of-sync.

Just keeps things really clean and simple. Plus it’s a great reverse proxy of course with tons of features, nice admin dashboard, logging, etc.

I spin a new service, add a few human understandable labels and traefik makes the connection automatically.

I have not tried Traefik, tho looking at what it does, it’s pretty amazing. Caddy seems to fit what I do, and as OP stated, Caddy is pretty easy to master, even tho it took me an embarrassingly long time to get it through my dim brain. Traefik does seem like a very polished app tho and is very integrated in with docker.

I use both, since they do different stuff. I actually remote into my servers with wireguard, but I like to install tailscale as well as a backup. Since each device gets a unique tailnet ip, I can usually still connect even if I’ve fucked up some network config that breaks wireguard. ((If this is a security risk, someone let me know because I have no clue what I’m doing tbh.))

Plus tailscale lets you easily see what devices are connected to the internet at a given time.

Others have already mentioned the question makes no sense but for others that are curious.

Headscale is a self hosted tailacale alternative and for a small number of devices plain wireguard is as well. I use plain wireguard on my router to allow LAN access from my mobile devices.

I want rock solid stability and simplicity since I use this for to debug issues if they crop up while I’m away.