Skip to content

Tunneling & Encryption

Old documentation for Hub v1

The following section describes the tunneling and encryption features of Traefik Hub.


Traefik Hub provides you with a way to expose to the internet services hosted on your cluster.

Thanks to our tunneling technology, the exposing services does not require you to open the gates to your router. All the external traffic is handled by Traefik Hub and forwarded to your cluster through a WebSocket based tunnel initiated by the Traefik Hub Agent.

The service becomes available with a unique, autogenerated domain name, or your own domain name.


A tunnel is a multiplexed connection opened between Traefik Hub and the Traefik Hub Agent. Agents open multiple tunnels to ensure higher availability of your workloads.

Tunneling brings many benefits, such as:

  • No networking configuration on your part
  • NAT/Firewall traversal
  • No need for a static IP address
  • No need for a dynamic DNS


Tunneling with Traefik Hub

The process makes the overall communication more secure as you don't need to expose any ports from your router that are facing the internet, reducing the number of potential issues.

Data Encryption

Traefik Hub becomes the main entry point for your service.

The requests received by the Traefik Hub platform are end-to-end encrypted with TLS, and the HostSNI is used to route the request to the right cluster. The TLS termination is done by the Traefik Hub agent on your cluster, making the whole chain secure and protected against man-in-the-middle attacks.

The certificates are generated per workspace. It means that 2 services from the same workspace will be using the same certificate to encrypt the data. An exception is made when you use custom domains where one certificate is generated per published service.