What is the difference between Traefik static and dynamic config?

Static config sets up entry points, providers, and the Traefik process itself and is read once at startup. Dynamic config — what this tool builds — defines routers, services, and middleware and can be reloaded on the fly without restarting Traefik.

How does a router rule like Host and PathPrefix work?

Rules are boolean matchers. Host(`app.example.com`) matches the domain, and combining it with PathPrefix(`/api`) using and means both must be true for the router to handle the request. Backticks around values are required by Traefik's rule syntax.

What does the certResolver do?

It tells Traefik to obtain and renew a TLS certificate automatically, typically from Let's Encrypt via ACME. The resolver itself is configured in static config; the dynamic router just references it by name to enable HTTPS for that route.

How does the rate limit middleware count requests?

average sets the sustained requests per second allowed per client, and burst allows a short spike above that before throttling kicks in. Traefik uses a token-bucket so brief bursts pass while sustained floods are slowed.

Why are services and routers separate?

A router decides which requests match and which middleware to apply, then forwards to a service. The service is the load balancer that holds the backend server URLs. Splitting them lets multiple routers share one service or one router fan out to several.

Traefik Dynamic Config Builder

A Traefik dynamic config builder that generates a v3 file-provider YAML with a router, a load-balancer service, optional TLS, and a stack of middleware. Describe the host, backends, and the protections you want, and copy a config Traefik can hot-reload — no process restart required.

How it works

Traefik’s dynamic configuration is organized under an http key into three sections. A router carries a rule (built from matchers like Host() and PathPrefix(), joined with &&), the entryPoints it listens on, the service it forwards to, an optional tls.certResolver, and an ordered list of middlewares. A service defines a loadBalancer with one or more backend servers by URL. Middlewares are reusable request transformers.

The builder wires these together: it generates the rule from your host and path, lists each backend URL, attaches only the middleware you enable, and emits matching middleware definitions — a token-bucket rateLimit, a basicAuth stub, a redirectScheme to force HTTPS, and a compress block. Backticks in rule values and correct indentation are handled for you.

Tips and notes

The certResolver name must match one defined in your static config (the ACME section). This tool only references it; it cannot provision the resolver itself.
Middleware order matters. Putting https-redirect early means the redirect happens before auth or rate limiting, which is usually what you want.
Replace the generated basicAuth user hash with a real htpasswd value (htpasswd -nbB user pass). The placeholder will not authenticate anyone.
Set the rateLimit average to your steady-state traffic and burst to absorb legitimate spikes; too low a burst will throttle normal page loads that fire several requests at once.

Traefik Dynamic Config Builder

Email me this result

How it works

Tips and notes