
Traefik's F/OSS projects are useless to me. Every single feature that I need to use is locked away in a closed source product.

Close to the same issue with Varnish Enterprise. Why would I pay for Varnish Enterprise if I can't even review or extend the source? Know what I have to do with Varnish's source once a quarter? I have to look at it. Because the documentation is non-existent. The closed source version is going to make my life objectively worse.

Aside from NGINX, Postgres, and memcached, I've had to patch every major piece of software in my stack at one point or another. I refuse to use any product that I can't fix myself.

It's current year, why are JWTs only supported in the closed source/enterprise versions of Varnish, NGINX, and Traefik?

I happily give $1,000/year to Django and lesser amounts to other projects that I depend on. Do you know how much I spend on projects that put features behind a closed source product? Zero. I will never pay for that.





I don’t think this is representative of the majority of Traefik’s users. Most of us use it as an HTTP entrypoint for a container stack (docker compose, in my case) or for local development, and the FOSS version works great for that, with better dev tooling than anything else I’ve seen.

I disagree. If you're a heavy Traefik user you're eventually going to need a feature that has been carefully omitted from the F/OSS projects.

> I disagree. If you're a heavy Traefik user you're eventually going to need a feature that has been carefully omitted from the F/OSS projects.

Ok, I use it at home as part of my K8s cluster. I haven't once come close to needing a feature I don't have because it largely does what I need as a proxy and gets out of the way.

What features do you feel a more average of the target audience is likely to need or want to pay for eventually?


> What features do you feel a more average of the target audience

Auth and middleware packages that are essential for a production site.

> I use it at home as part of my K8s cluster.

That's not heavy use.


Running it in production for free and complaining about the offering is a choice.

They are not complaining about the price, but about the closed source nature of the product.

I'm not running Traefik in production. The features that I need are all closed source so I moved on.

Sure, it's a choice, but I think it's more that you shouldn't pretend you are open source when you carefully hide things behind closed-source paid licenses. Be like Microsoft: we have an eval version, but if you want to use our Windows Server, you will be paying up. Cool, I can make a decision about your software with that in mind.

A choice is a far cry from the "standard" the title purports.

Do they not provide source under commercial license to enterprise users? It makes sense to not use in production if you need source to make sense of features.

By contrast, Kong Enterprise gave us source access to commercial offering plugins we needed. Not to all things but the things we needed yes.


> If you're a heavy Traefik user...

...shouldn't you be paying then? Expecting developers to work for free to provide you with a product you use heavily is acting pretty entitled.

Just to give a contrasting account, I have been using Traefik to manage my public server (a $4 Digital Ocean VPS running a web server and a Bluesky PDS) and my local home server (running dozens of services with all kinds of weird configurations) flawlessly for more than 5 years now.


No. That is emphatically NOT entitled -- if the Traefik people have made heavy use of "open source," either practically or in marketing.

If you tout "open source" ideas in the work you do, then you can reasonably be held to the social contract that the ideas of open source originate in.

Lately (by lately I mean maybe the last 20 years or so) there's the idea of "because the open source ish company needs to pay the bills, they can completely abandon the ideas of open source."

Nah. You took from the commons, the commons has at least SOME right to ask for something back.


I never became a heavy user. All of the features that I needed were closed source so I moved on.

> If you're a heavy Traefik user you're eventually going to need a feature that has been carefully omitted from the F/OSS projects

That's literally the point of open core software. It's free and open source at the core, but "enterprise" / "scale" features are behind a license.

Enterprises/scaled users that can pay have to, to get the features they need. Everyone else can enjoy and profit off a fully free and open source piece of software.

Win-Win-Win.

It's probably the only software business model that allows a company to actually make money while also giving out most of its products for free as open source. Just selling support/services does not work and does not scale. Cf. literally everyone: the only orgs that somewhat pull it off are foundations/volunteer-based projects like Django, Debian, etc., but they are not commercial for-profit entities (there is nothing wrong with that, but most people want to be paid well). And your $1k/year, while decent towards a volunteer organisation, would probably be worse than nothing for a commercial company that has costs associated with each contract (legal, administrative, support, etc.). For a fun story on the topic, check out HashiCorp's first commercial deal with Apple for a Vagrant plugin, which resulted in HashiCorp losing money on the deal due to the amount of money spent on lawyers reviewing Apple's terms and the time spent supporting them afterwards. The only existing somewhat-exception is Red Hat, but even they have moved more and more into open core with Ansible Automation Platform and OpenShift, which are their money makers, and have scrapped CentOS as a RHEL-compatible free OS.


Same. At this point I've spent more time in devops moving away from shit that does this, and then doing it again, just to keep things as they are in a way that can be trusted. It fuckin sucks

I’ve deployed Traefik in front of Kubernetes on some moderately large traffic sites with and without enterprise licensing. Recently I switched to using Caddy though. I know the stigma is that Caddy is not “production” ready and battle tested, but I haven’t encountered any issues with it in terms of performance. It just works. Let’s Encrypt with CloudFlare DNS verification is super easy to set up and the configuration is very intuitive.

> It's current year, why are JWTs only supported in the closed source/enterprise versions of Varnish, NGINX, and Traefik?

I've found auth at the proxy to be a major antipattern. It adds a semblance of your backend being secure without adding the real user authentication and authorization it should have directly.

VPN is the better tool if you want to keep certain projects hidden from the general public and your application should be handling the JWT (hopefully in current year we're talking OIDC or some additional open standard on top of JWT) itself in order to properly enforce access controls.


With JWTs I don't do anything at the proxy beyond "This is a protected route. Is there a JWT? Is it valid? No to either? 403." This is one of the primary use cases for JWTs and it takes a majority of the load off of my application servers.

The route is open to the public for authenticated and authorized users. You wouldn't use a VPN here.
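As an added, constructed illustration of the edge gate this comment describes (not code from Traefik, Caddy or the commenter): a minimal HS256 check a proxy could run before forwarding, rejecting missing, malformed, unsigned, tampered and expired tokens. The secret, the clock value and the Sign helper are assumptions for the demo; a real deployment takes the key from config and usually verifies an asymmetric signature or OIDC-discovered key instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed demo secret; a real proxy loads it from its config.
var secret = []byte("constructed-demo-secret")

// Sign builds an HS256 token with the given exp so the example runs offline.
func Sign(sub string, exp int64) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	pb, _ := json.Marshal(map[string]any{"sub": sub, "exp": exp})
	p := base64.RawURLEncoding.EncodeToString(pb)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(h + "." + p))
	return h + "." + p + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify is the edge gate from the comment above: exactly three parts,
// alg pinned to HS256 (so an "alg":"none" header is rejected), HMAC
// compared in constant time, and exp present and later than now (unix seconds).
// A missing token is just a malformed one: Verify("", now) fails too.
func Verify(tok string, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return errors.New("bad header or alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("bad signature")
	}
	var c struct{ Exp int64 `json:"exp"` }
	if pb, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil || c.Exp == 0 || now >= c.Exp {
		return errors.New("bad payload or expired")
	}
	return nil
}
```

The proxy maps any non-nil error to the 403 the comment describes and never forwards the request; the backend still re-checks the token and the claims it actually authorizes on.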


That's really just added work, IMO, and likely room for security misconfiguration between backend and proxy. You should still be validating and everything on the application server to inspect identity and possibly attributes like roles, so in the cases where you have invalid tokens you do the work once, just in the proxy instead of the backend, and with valid tokens you will do the signature validation work twice.

Security starts at the edge.

Have you used JWTs in production? Better to bounce a bad JWT with a server written in C/C++/Rust/Go at the edge than to pass it back and have it tie up a Python or Node process.

Even in Python the time to validate a small JWT is negligible. At the edge it's nearly imperceptible.


If you're concerned about misconfigurations, just verify/validate everything in tests.

Caddy my guy, caddy.

Traefik is really only useful in k8s. Soon we’ll be replacing ours.


They have to put bread on the table somehow.

If I had access to the code I would pay for it. Create a private repo for paying customers.

The problem is that you would be one of the 1% doing that, the rest of the companies would just not bother with that and it will end like many open source problems that constantly have to come up with ways to get funding.




