diff --git a/.claude/settings.json b/.claude/settings.json
index 8227578..1ddf0a2 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -10,7 +10,8 @@
       "Bash(go vet:*)",
       "Bash(git checkout:*)",
       "Bash(git stash:*)",
-      "Bash(echo \"EXIT: $?\")"
+      "Bash(echo \"EXIT: $?\")",
+      "Bash(./scripts/dev-server.sh)"
     ],
     "additionalDirectories": [
       "C:\\Users\\Alexei\\Documents\\docker-watcher\\internal",
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 798ede4..15524ea 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -101,6 +101,14 @@ func main() {
 	case "none":
 		proxyProvider = proxy.NewNoneProvider()
 		slog.Info("proxy provider: none")
+	case "traefik":
+		proxyProvider = proxy.NewTraefikProvider(
+			settings.TraefikEntrypoint,
+			settings.TraefikCertResolver,
+			settings.TraefikNetwork,
+			settings.TraefikAPIURL,
+		)
+		slog.Info("proxy provider: traefik", "entrypoint", settings.TraefikEntrypoint)
 	default:
 		// Default to NPM for backward compatibility (including "npm" and empty string).
 		npmPassword := ""
@@ -164,13 +172,6 @@ func main() {
 		slog.Warn("failed to start stale scanner", "error", err)
 	}
 
-	// Initialize proxy manager and health monitor.
-	proxyManager := proxy.NewManager(db, proxyProvider)
-	proxyHealth := proxy.NewHealthMonitor(db, eventBus)
-	if err := proxyHealth.Start("5m"); err != nil {
-		slog.Warn("failed to start proxy health monitor", "error", err)
-	}
-
 	// Start daily event log pruning cron job.
 	cronScheduler := cron.New()
 	if _, err := cronScheduler.AddFunc("@daily", func() {
@@ -220,7 +221,6 @@ func main() {
 	dnsProvider := initDNSProvider(settings, encKey)
 	if dnsProvider != nil {
 		dep.SetDNSProvider(dnsProvider)
-		proxyManager.SetDNSProvider(dnsProvider)
 		slog.Info("DNS provider initialized", "provider", settings.DNSProvider)
 	}
 
@@ -283,14 +283,12 @@ func main() {
 	// Build API server.
 	apiServer := api.NewServer(db, dockerClient, npmClient, proxyProvider, dep, webhookHandler, eventBus, encKey)
 	apiServer.SetStaleScanner(staleScanner)
-	apiServer.SetProxyManager(proxyManager)
 	apiServer.SetBackupEngine(backupEngine)
 	apiServer.SetDBPath(dbPath)
 	apiServer.SetBackupSettingsChangedCallback(scheduleAutobackup)
 	apiServer.SetDNSProvider(dnsProvider)
 	apiServer.SetDNSProviderChangedCallback(func(provider dns.Provider) {
 		dep.SetDNSProvider(provider)
-		proxyManager.SetDNSProvider(provider)
 	})
 	router := apiServer.Router()
 
@@ -340,7 +338,6 @@ func main() {
 	// Stop accepting new work.
 	cronScheduler.Stop()
 	eventBus.Unsubscribe(notifySub)
-	proxyHealth.Stop()
 	staleScanner.Stop()
 	poller.Stop()
 
diff --git a/internal/api/dns.go b/internal/api/dns.go
index c61b6bd..6a7b29e 100644
--- a/internal/api/dns.go
+++ b/internal/api/dns.go
@@ -202,12 +202,6 @@ func (s *Server) buildConsumerNameMap() map[string]string {
 		}
 	}
 
-	// Standalone proxy consumers: "standalone:id" -> domain
-	proxies, _ := s.store.ListStandaloneProxies()
-	for _, p := range proxies {
-		names["standalone:"+p.ID] = p.Domain
-	}
-
 	return names
 }
 
@@ -373,13 +367,5 @@ func (s *Server) computeExpectedFQDNs(settings store.Settings) (map[string]strin
 		}
 	}
 
-	// Standalone proxies.
-	proxies, _ := s.store.ListStandaloneProxies()
-	for _, p := range proxies {
-		if p.Domain != "" {
-			expected[p.Domain] = "standalone:" + p.ID
-		}
-	}
-
 	return expected, nil
 }
diff --git a/internal/api/proxy.go b/internal/api/proxy.go
deleted file mode 100644
index e5dd8a0..0000000
--- a/internal/api/proxy.go
+++ /dev/null
@@ -1,199 +0,0 @@
-package api
-
-import (
-	"context"
-	"log/slog"
-	"net/http"
-	"time"
-
-	"github.com/go-chi/chi/v5"
-
-	"github.com/alexei/docker-watcher/internal/proxy"
-)
-
-// validateProxy runs the validation pipeline without creating a proxy.
-// POST /api/proxies/validate
-func (s *Server) validateProxy(w http.ResponseWriter, r *http.Request) {
-	var req struct {
-		Host string `json:"host"`
-		Port int    `json:"port"`
-	}
-	if !decodeJSON(w, r, &req) {
-		return
-	}
-
-	if req.Host == "" {
-		respondError(w, http.StatusBadRequest, "host is required")
-		return
-	}
-	if req.Port < 1 || req.Port > 65535 {
-		respondError(w, http.StatusBadRequest, "port must be between 1 and 65535")
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
-	defer cancel()
-
-	result := proxy.ValidateDestination(ctx, req.Host, req.Port)
-	respondJSON(w, http.StatusOK, result)
-}
-
-// createProxy creates a new standalone proxy.
-// POST /api/proxies
-func (s *Server) createProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	var req proxy.CreateProxyRequest
-	if !decodeJSON(w, r, &req) {
-		return
-	}
-
-	if req.Domain == "" {
-		respondError(w, http.StatusBadRequest, "domain is required")
-		return
-	}
-	if req.DestinationURL == "" {
-		respondError(w, http.StatusBadRequest, "destination_url is required")
-		return
-	}
-	if req.DestinationPort < 1 || req.DestinationPort > 65535 {
-		respondError(w, http.StatusBadRequest, "destination_port must be between 1 and 65535")
-		return
-	}
-
-	p, err := s.proxyManager.CreateProxy(r.Context(), req)
-	if err != nil {
-		slog.Error("failed to create proxy", "domain", req.Domain, "error", err)
-		respondError(w, http.StatusInternalServerError, "failed to create proxy")
-		return
-	}
-
-	respondJSON(w, http.StatusCreated, p)
-}
-
-// listProxies returns all standalone proxies.
-// GET /api/proxies
-func (s *Server) listProxies(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	proxies, err := s.proxyManager.ListProxies()
-	if err != nil {
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, proxies)
-}
-
-// getProxy returns a single standalone proxy.
-// GET /api/proxies/{id}
-func (s *Server) getProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	id := chi.URLParam(r, "id")
-	p, err := s.proxyManager.GetProxy(id)
-	if err != nil {
-		if proxy.IsNotFound(err) {
-			respondNotFound(w, "proxy")
-			return
-		}
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, p)
-}
-
-// updateProxy updates an existing standalone proxy.
-// PUT /api/proxies/{id}
-func (s *Server) updateProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	id := chi.URLParam(r, "id")
-
-	var req proxy.UpdateProxyRequest
-	if !decodeJSON(w, r, &req) {
-		return
-	}
-
-	if req.Domain == "" {
-		respondError(w, http.StatusBadRequest, "domain is required")
-		return
-	}
-	if req.DestinationURL == "" {
-		respondError(w, http.StatusBadRequest, "destination_url is required")
-		return
-	}
-	if req.DestinationPort < 1 || req.DestinationPort > 65535 {
-		respondError(w, http.StatusBadRequest, "destination_port must be between 1 and 65535")
-		return
-	}
-
-	p, err := s.proxyManager.UpdateProxy(r.Context(), id, req)
-	if err != nil {
-		if proxy.IsNotFound(err) {
-			respondNotFound(w, "proxy")
-			return
-		}
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, p)
-}
-
-// deleteProxy removes a standalone proxy.
-// DELETE /api/proxies/{id}
-func (s *Server) deleteProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	id := chi.URLParam(r, "id")
-
-	if err := s.proxyManager.DeleteProxy(r.Context(), id); err != nil {
-		if proxy.IsNotFound(err) {
-			respondNotFound(w, "proxy")
-			return
-		}
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, map[string]string{"deleted": id})
-}
-
-// listAllProxies returns a merged view of standalone and deploy-managed proxies.
-// GET /api/proxies/all
-func (s *Server) listAllProxies(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	views, err := s.proxyManager.ListAllProxies()
-	if err != nil {
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, views)
-}
diff --git a/internal/api/router.go b/internal/api/router.go
index 8b7a133..ae1671b 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -21,7 +21,7 @@ import (
 )
 
 // DNSProviderChangedFunc is called when DNS settings change so the caller can
-// update the provider on the deployer and proxy manager.
+// update the provider on the deployer.
 type DNSProviderChangedFunc func(provider dns.Provider)
 
 // Server holds all dependencies for the API layer.
@@ -37,7 +37,6 @@ type Server struct {
 	localAuth    *auth.LocalAuth
 	oidcProvider *auth.OIDCProvider
 	staleScanner *stale.Scanner
-	proxyManager *proxy.Manager
 
 	dnsProviderMu        sync.RWMutex
 	dnsProvider          dns.Provider
@@ -89,12 +88,6 @@ func (s *Server) SetStaleScanner(scanner *stale.Scanner) {
 	s.staleScanner = scanner
 }
 
-// SetProxyManager sets the proxy manager on the server.
-// Called after both the API server and proxy manager are initialized.
-func (s *Server) SetProxyManager(pm *proxy.Manager) {
-	s.proxyManager = pm
-}
-
 // SetBackupEngine sets the backup engine on the server.
 func (s *Server) SetBackupEngine(engine *backup.Engine) {
 	s.backupEngine = engine
@@ -261,19 +254,6 @@ func (s *Server) Router() chi.Router {
 			// Stale container endpoints (read).
 			r.Get("/containers/stale", s.listStaleContainers)
 
-			// Proxy endpoints (read-only for any authenticated user).
-			r.Get("/proxies", s.listProxies)
-			r.Get("/proxies/all", s.listAllProxies)
-			r.Route("/proxies/{id}", func(r chi.Router) {
-				r.Get("/", s.getProxy)
-				// Admin-only proxy mutations.
-				r.Group(func(r chi.Router) {
-					r.Use(auth.AdminOnly)
-					r.Put("/", s.updateProxy)
-					r.Delete("/", s.deleteProxy)
-				})
-			})
-
 			// Admin-only routes: require admin role.
 			r.Group(func(r chi.Router) {
 				r.Use(auth.AdminOnly)
@@ -300,10 +280,6 @@ func (s *Server) Router() chi.Router {
 				// Registry creation.
 				r.Post("/registries", s.createRegistry)
 
-				// Proxy mutation endpoints.
-				r.Post("/proxies/validate", s.validateProxy)
-				r.Post("/proxies", s.createProxy)
-
 				// Stale container cleanup endpoints.
 				// Bulk route must be registered before parameterized route.
 				r.Post("/containers/stale/cleanup", s.bulkCleanupStaleContainers)
diff --git a/internal/api/settings.go b/internal/api/settings.go
index f7188b3..8804746 100644
--- a/internal/api/settings.go
+++ b/internal/api/settings.go
@@ -35,6 +35,10 @@ type settingsRequest struct {
 	CloudflareAPIToken   string  `json:"cloudflare_api_token"`
 	CloudflareZoneID     *string `json:"cloudflare_zone_id,omitempty"`
 	ProxyProvider        *string `json:"proxy_provider,omitempty"`
+	TraefikEntrypoint    *string `json:"traefik_entrypoint,omitempty"`
+	TraefikCertResolver  *string `json:"traefik_cert_resolver,omitempty"`
+	TraefikNetwork       *string `json:"traefik_network,omitempty"`
+	TraefikAPIURL        *string `json:"traefik_api_url,omitempty"`
 	BackupEnabled        *bool   `json:"backup_enabled,omitempty"`
 	BackupIntervalHours  *int    `json:"backup_interval_hours,omitempty"`
 	BackupRetentionCount *int    `json:"backup_retention_count,omitempty"`
@@ -67,6 +71,10 @@ func (s *Server) getSettings(w http.ResponseWriter, r *http.Request) {
 		"has_cloudflare_api_token":  settings.CloudflareAPIToken != "",
 		"cloudflare_zone_id":        settings.CloudflareZoneID,
 		"proxy_provider":            settings.ProxyProvider,
+		"traefik_entrypoint":        settings.TraefikEntrypoint,
+		"traefik_cert_resolver":     settings.TraefikCertResolver,
+		"traefik_network":           settings.TraefikNetwork,
+		"traefik_api_url":           settings.TraefikAPIURL,
 		"backup_enabled":            settings.BackupEnabled,
 		"backup_interval_hours":     settings.BackupIntervalHours,
 		"backup_retention_count":    settings.BackupRetentionCount,
@@ -171,13 +179,27 @@ func (s *Server) updateSettings(w http.ResponseWriter, r *http.Request) {
 	// Proxy provider setting.
 	if req.ProxyProvider != nil {
 		prov := *req.ProxyProvider
-		if prov != "" && prov != "none" && prov != "npm" {
-			respondError(w, http.StatusBadRequest, "proxy_provider must be 'none' or 'npm'")
+		if prov != "" && prov != "none" && prov != "npm" && prov != "traefik" {
+			respondError(w, http.StatusBadRequest, "proxy_provider must be 'none', 'npm', or 'traefik'")
 			return
 		}
 		updated.ProxyProvider = prov
 	}
 
+	// Traefik provider settings.
+	if req.TraefikEntrypoint != nil {
+		updated.TraefikEntrypoint = *req.TraefikEntrypoint
+	}
+	if req.TraefikCertResolver != nil {
+		updated.TraefikCertResolver = *req.TraefikCertResolver
+	}
+	if req.TraefikNetwork != nil {
+		updated.TraefikNetwork = *req.TraefikNetwork
+	}
+	if req.TraefikAPIURL != nil {
+		updated.TraefikAPIURL = *req.TraefikAPIURL
+	}
+
 	// Backup settings.
 	if req.BackupEnabled != nil {
 		updated.BackupEnabled = *req.BackupEnabled
diff --git a/internal/deployer/bluegreen.go b/internal/deployer/bluegreen.go
index 3f5a94a..4793405 100644
--- a/internal/deployer/bluegreen.go
+++ b/internal/deployer/bluegreen.go
@@ -89,6 +89,19 @@ func (d *Deployer) blueGreenDeploy(
 		Mounts:       mounts,
 	}
 
+	// Set proxy labels for providers that use Docker labels (e.g., Traefik).
+	if stage.EnableProxy {
+		fqdn := subdomain + "." + settings.Domain
+		if proxyLabels := d.proxy.ContainerLabels(fqdn, project.Port); proxyLabels != nil {
+			if containerCfg.Labels == nil {
+				containerCfg.Labels = make(map[string]string)
+			}
+			for k, v := range proxyLabels {
+				containerCfg.Labels[k] = v
+			}
+		}
+	}
+
 	d.logDeploy(deployID, fmt.Sprintf("Blue-green: creating green container %s", containerName), "info")
 	containerID, err := d.docker.CreateContainer(ctx, containerCfg)
 	if err != nil {
diff --git a/internal/deployer/deployer.go b/internal/deployer/deployer.go
index 6a317c5..bc4952c 100644
--- a/internal/deployer/deployer.go
+++ b/internal/deployer/deployer.go
@@ -315,6 +315,19 @@ func (d *Deployer) executeDeploy(
 		Mounts:       mounts,
 	}
 
+	// Set proxy labels for providers that use Docker labels (e.g., Traefik).
+	if stage.EnableProxy {
+		fqdn := subdomain + "." + settings.Domain
+		if proxyLabels := d.proxy.ContainerLabels(fqdn, project.Port); proxyLabels != nil {
+			if containerCfg.Labels == nil {
+				containerCfg.Labels = make(map[string]string)
+			}
+			for k, v := range proxyLabels {
+				containerCfg.Labels[k] = v
+			}
+		}
+	}
+
 	d.logDeploy(deployID, fmt.Sprintf("Creating container %s", containerName), "info")
 	containerID, err = d.docker.CreateContainer(ctx, containerCfg)
 	if err != nil {
diff --git a/internal/proxy/health.go b/internal/proxy/health.go
deleted file mode 100644
index 323d08f..0000000
--- a/internal/proxy/health.go
+++ /dev/null
@@ -1,184 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log/slog"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/alexei/docker-watcher/internal/events"
-	"github.com/alexei/docker-watcher/internal/store"
-	"github.com/robfig/cron/v3"
-)
-
-// HealthMonitor periodically checks the health of all standalone proxies.
-type HealthMonitor struct {
-	store    *store.Store
-	eventBus *events.Bus
-
-	cron    *cron.Cron
-	mu      sync.Mutex
-	entryID cron.EntryID
-	running bool
-}
-
-// NewHealthMonitor creates a new proxy health monitor.
-func NewHealthMonitor(st *store.Store, eventBus *events.Bus) *HealthMonitor {
-	return &HealthMonitor{
-		store:    st,
-		eventBus: eventBus,
-		cron:     cron.New(),
-	}
-}
-
-// Start begins periodic health checks with the given interval (e.g., "5m", "1m").
-// If already running, it stops and restarts with the new interval.
-func (h *HealthMonitor) Start(interval string) error {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	duration, err := time.ParseDuration(interval)
-	if err != nil {
-		return fmt.Errorf("parse health check interval %q: %w", interval, err)
-	}
-
-	if h.running {
-		h.cron.Remove(h.entryID)
-	}
-
-	spec := fmt.Sprintf("@every %s", duration.String())
-	entryID, err := h.cron.AddFunc(spec, func() {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
-		defer cancel()
-		if checkErr := h.CheckAll(ctx); checkErr != nil {
-			slog.Warn("proxy health monitor: check error", "error", checkErr)
-		}
-	})
-	if err != nil {
-		return fmt.Errorf("schedule proxy health monitor: %w", err)
-	}
-
-	h.entryID = entryID
-	if !h.running {
-		h.cron.Start()
-	}
-	h.running = true
-
-	slog.Info("proxy health monitor started", "interval", duration.String())
-	return nil
-}
-
-// Stop gracefully shuts down the health monitor.
-func (h *HealthMonitor) Stop() {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-
-	if h.running {
-		ctx := h.cron.Stop()
-		<-ctx.Done()
-		h.running = false
-		slog.Info("proxy health monitor stopped")
-	}
-}
-
-// CheckAll performs a single health check cycle for all standalone proxies.
-func (h *HealthMonitor) CheckAll(ctx context.Context) error {
-	proxies, err := h.store.ListStandaloneProxies()
-	if err != nil {
-		return fmt.Errorf("list standalone proxies: %w", err)
-	}
-
-	for _, proxy := range proxies {
-		newStatus := checkProxyHealth(ctx, proxy.DestinationURL, proxy.DestinationPort)
-		oldStatus := proxy.HealthStatus
-
-		if err := h.store.UpdateProxyHealth(proxy.ID, newStatus); err != nil {
-			slog.Warn("proxy health monitor: failed to update health",
-				"proxy_id", proxy.ID, "error", err)
-			continue
-		}
-
-		// Emit event on status change.
-		if oldStatus != newStatus && oldStatus != "unknown" {
-			h.emitHealthEvent(proxy, oldStatus, newStatus)
-		}
-	}
-
-	return nil
-}
-
-// checkProxyHealth performs an HTTP GET to the destination and returns the health status.
-func checkProxyHealth(ctx context.Context, host string, port int) string {
-	target := fmt.Sprintf("http://%s:%d/", host, port)
-
-	reqCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-
-	req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, target, nil)
-	if err != nil {
-		return "unhealthy"
-	}
-
-	client := &http.Client{
-		Timeout: 10 * time.Second,
-		CheckRedirect: func(*http.Request, []*http.Request) error {
-			return http.ErrUseLastResponse
-		},
-	}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return "unhealthy"
-	}
-	resp.Body.Close()
-
-	if resp.StatusCode >= 500 {
-		return "unhealthy"
-	}
-
-	return "healthy"
-}
-
-// emitHealthEvent persists and publishes a health status change event.
-func (h *HealthMonitor) emitHealthEvent(proxy store.StandaloneProxy, oldStatus, newStatus string) {
-	severity := "info"
-	if newStatus == "unhealthy" {
-		severity = "warn"
-	}
-
-	msg := fmt.Sprintf("Proxy %s (%s) health changed: %s -> %s",
-		proxy.Domain, proxy.ID, oldStatus, newStatus)
-
-	metadata, _ := json.Marshal(map[string]any{
-		"proxy_id":   proxy.ID,
-		"domain":     proxy.Domain,
-		"old_status": oldStatus,
-		"new_status": newStatus,
-	})
-
-	evt, err := h.store.InsertEvent(store.EventLog{
-		Source:   "proxy_health",
-		Severity: severity,
-		Message:  msg,
-		Metadata: string(metadata),
-	})
-	if err != nil {
-		slog.Error("proxy health monitor: failed to persist event", "error", err)
-		return
-	}
-
-	h.eventBus.Publish(events.Event{
-		Type: events.EventLog,
-		Payload: events.EventLogPayload{
-			ID:        evt.ID,
-			Source:    "proxy_health",
-			Severity:  severity,
-			Message:   msg,
-			Metadata:  string(metadata),
-			CreatedAt: evt.CreatedAt,
-		},
-	})
-}
diff --git a/internal/proxy/hints.go b/internal/proxy/hints.go
deleted file mode 100644
index 8c1fbdc..0000000
--- a/internal/proxy/hints.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package proxy
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"strings"
-)
-
-// diagnosticHint returns a user-friendly suggestion for a validation failure.
-func diagnosticHint(step string, err error) string {
-	if err == nil {
-		return ""
-	}
-
-	switch step {
-	case StepDNS:
-		return "Domain cannot be resolved. Check DNS settings or use an IP address."
-
-	case StepTCP:
-		return tcpHintFromError(err)
-
-	case StepHTTP:
-		return httpHint(err.Error())
-
-	default:
-		return "Validation failed: " + err.Error()
-	}
-}
-
-// tcpHintFromError returns a specific hint based on the TCP error type.
-func tcpHintFromError(err error) string {
-	if err == nil {
-		return ""
-	}
-
-	var opErr *net.OpError
-	if errors.As(err, &opErr) {
-		lower := strings.ToLower(opErr.Err.Error())
-		switch {
-		case strings.Contains(lower, "connection refused"):
-			return "Port is not accepting connections. Check if the service is running and the port is correct."
-		case strings.Contains(lower, "i/o timeout") || strings.Contains(lower, "timeout"):
-			return "Connection timed out. Possible firewall blocking. Check network/firewall rules."
-		case strings.Contains(lower, "no route to host") || strings.Contains(lower, "host is unreachable"):
-			return "Host is not reachable. Verify the IP address and network connectivity."
-		}
-	}
-
-	msg := err.Error()
-	lower := strings.ToLower(msg)
-	switch {
-	case strings.Contains(lower, "connection refused"):
-		return "Port is not accepting connections. Check if the service is running and the port is correct."
-	case strings.Contains(lower, "timeout"):
-		return "Connection timed out. Possible firewall blocking. Check network/firewall rules."
-	default:
-		return fmt.Sprintf("TCP connection failed: %s", msg)
-	}
-}
-
-// httpHint returns a specific hint based on the HTTP probe result.
-func httpHint(msg string) string {
-	lower := strings.ToLower(msg)
-
-	switch {
-	case strings.Contains(lower, "status"):
-		return msg // Already formatted by the caller with the status code.
-	case strings.Contains(lower, "timeout"):
-		return "HTTP health probe timed out. The service may be slow or unresponsive."
-	default:
-		return "HTTP health probe failed: " + msg
-	}
-}
diff --git a/internal/proxy/manager.go b/internal/proxy/manager.go
deleted file mode 100644
index e8a3eb6..0000000
--- a/internal/proxy/manager.go
+++ /dev/null
@@ -1,370 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"log/slog"
-	"sync"
-
-	"github.com/alexei/docker-watcher/internal/dns"
-	"github.com/alexei/docker-watcher/internal/store"
-)
-
-// Manager handles the lifecycle of standalone proxy hosts.
-type Manager struct {
-	store    *store.Store
-	provider Provider
-	dnsMu    sync.RWMutex
-	dns      dns.Provider // nil when wildcard DNS is active
-}
-
-// NewManager creates a new proxy manager.
-func NewManager(st *store.Store, provider Provider) *Manager {
-	return &Manager{
-		store:    st,
-		provider: provider,
-	}
-}
-
-// SetDNSProvider sets the DNS provider for managing DNS records.
-func (m *Manager) SetDNSProvider(provider dns.Provider) {
-	m.dnsMu.Lock()
-	defer m.dnsMu.Unlock()
-	m.dns = provider
-}
-
-// getDNS returns the current DNS provider under read lock.
-func (m *Manager) getDNS() dns.Provider {
-	m.dnsMu.RLock()
-	defer m.dnsMu.RUnlock()
-	return m.dns
-}
-
-// CreateProxyRequest is the input for creating a standalone proxy.
-type CreateProxyRequest struct {
-	Domain          string `json:"domain"`
-	DestinationURL  string `json:"destination_url"`
-	DestinationPort int    `json:"destination_port"`
-}
-
-// UpdateProxyRequest is the input for updating a standalone proxy.
-type UpdateProxyRequest struct {
-	Domain          string `json:"domain"`
-	DestinationURL  string `json:"destination_url"`
-	DestinationPort int    `json:"destination_port"`
-}
-
-// ProxyView is a unified view of both standalone and deploy-managed proxies.
-type ProxyView struct {
-	ID           string `json:"id"`
-	Domain       string `json:"domain"`
-	Destination  string `json:"destination"`
-	Type         string `json:"type"` // "standalone" or "managed"
-	ProjectName  string `json:"project_name,omitempty"`
-	StageName    string `json:"stage_name,omitempty"`
-	HealthStatus string `json:"health_status"`
-	SSLEnabled   bool   `json:"ssl_enabled"`
-	NpmProxyID   int    `json:"npm_proxy_id"`
-	CreatedAt    string `json:"created_at"`
-}
-
-// CreateProxy validates the destination, creates a proxy route via the provider, and saves to the store.
-func (m *Manager) CreateProxy(ctx context.Context, req CreateProxyRequest) (store.StandaloneProxy, error) {
-	// Validate destination.
-	result := ValidateDestination(ctx, req.DestinationURL, req.DestinationPort)
-	if !result.Valid {
-		return store.StandaloneProxy{}, fmt.Errorf("destination validation failed: %s", lastFailedStep(result))
-	}
-
-	// Load settings for SSL certificate and domain.
-	settings, err := m.store.GetSettings()
-	if err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("get settings: %w", err)
-	}
-
-	// Create proxy route via provider.
-	routeID, err := m.provider.ConfigureRoute(ctx, req.Domain, req.DestinationURL, req.DestinationPort, RouteOptions{
-		SSLCertificateID: settings.SSLCertificateID,
-	})
-	if err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("create proxy route: %w", err)
-	}
-
-	slog.Info("created proxy route for standalone proxy",
-		"domain", req.Domain, "route_id", routeID, "provider", m.provider.Name())
-
-	// Save to store.
-	proxy, err := m.store.CreateStandaloneProxy(store.StandaloneProxy{
-		Domain:           req.Domain,
-		DestinationURL:   req.DestinationURL,
-		DestinationPort:  req.DestinationPort,
-		SSLCertificateID: settings.SSLCertificateID,
-		HealthStatus:     "unknown",
-	})
-	if err != nil {
-		// Best effort: clean up the proxy route if store insert fails.
-		if delErr := m.provider.DeleteRoute(ctx, routeID); delErr != nil {
-			slog.Error("failed to clean up proxy route after store error",
-				"route_id", routeID, "error", delErr)
-		}
-		return store.StandaloneProxy{}, fmt.Errorf("save standalone proxy: %w", err)
-	}
-
-	// Create DNS record after successful store save.
-	m.ensureDNS(ctx, req.Domain, proxy.ID)
-
-	return proxy, nil
-}
-
-// UpdateProxy re-validates the destination, updates the proxy route via the provider, and updates the store.
-func (m *Manager) UpdateProxy(ctx context.Context, id string, req UpdateProxyRequest) (store.StandaloneProxy, error) {
-	existing, err := m.store.GetStandaloneProxy(id)
-	if err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("get proxy: %w", err)
-	}
-
-	// Validate new destination.
-	result := ValidateDestination(ctx, req.DestinationURL, req.DestinationPort)
-	if !result.Valid {
-		return store.StandaloneProxy{}, fmt.Errorf("destination validation failed: %s", lastFailedStep(result))
-	}
-
-	// Load settings for SSL certificate.
-	settings, err := m.store.GetSettings()
-	if err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("get settings: %w", err)
-	}
-
-	// Update proxy route via provider (ConfigureRoute handles create-or-update).
-	if _, err := m.provider.ConfigureRoute(ctx, req.Domain, req.DestinationURL, req.DestinationPort, RouteOptions{
-		SSLCertificateID: settings.SSLCertificateID,
-	}); err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("update proxy route: %w", err)
-	}
-
-	// Update store.
-	updated := existing
-	updated.Domain = req.Domain
-	updated.DestinationURL = req.DestinationURL
-	updated.DestinationPort = req.DestinationPort
-	updated.SSLCertificateID = settings.SSLCertificateID
-
-	if err := m.store.UpdateStandaloneProxy(updated); err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("update standalone proxy: %w", err)
-	}
-
-	// Update DNS records if domain changed.
-	if existing.Domain != req.Domain {
-		m.removeDNS(ctx, existing.Domain)
-		m.ensureDNS(ctx, req.Domain, id)
-	}
-
-	// Re-read from store to get updated timestamps.
-	return m.store.GetStandaloneProxy(id)
-}
-
-// DeleteProxy removes the proxy route via the provider and deletes from the store.
-func (m *Manager) DeleteProxy(ctx context.Context, id string) error {
-	p, err := m.store.GetStandaloneProxy(id)
-	if err != nil {
-		return fmt.Errorf("get proxy: %w", err)
-	}
-
-	// Delete proxy route via provider using the NpmProxyID as a string route ID.
-	if p.NpmProxyID > 0 {
-		routeID := fmt.Sprintf("%d", p.NpmProxyID)
-		if err := m.provider.DeleteRoute(ctx, routeID); err != nil {
-			slog.Warn("failed to delete proxy route (continuing with store deletion)",
-				"route_id", routeID, "error", err)
-		}
-	}
-
-	// Remove DNS record.
-	m.removeDNS(ctx, p.Domain)
-
-	if err := m.store.DeleteStandaloneProxy(id); err != nil {
-		return fmt.Errorf("delete standalone proxy: %w", err)
-	}
-
-	return nil
-}
-
-// GetProxy returns a single standalone proxy by ID.
-func (m *Manager) GetProxy(id string) (store.StandaloneProxy, error) {
-	proxy, err := m.store.GetStandaloneProxy(id)
-	if err != nil {
-		return store.StandaloneProxy{}, fmt.Errorf("get proxy: %w", err)
-	}
-	return proxy, nil
-}
-
-// ListProxies returns all standalone proxies.
-func (m *Manager) ListProxies() ([]store.StandaloneProxy, error) {
-	proxies, err := m.store.ListStandaloneProxies()
-	if err != nil {
-		return nil, fmt.Errorf("list proxies: %w", err)
-	}
-	return proxies, nil
-}
-
-// ListAllProxies returns a merged view of standalone and deploy-managed proxies.
-func (m *Manager) ListAllProxies() ([]ProxyView, error) {
-	views := []ProxyView{}
-
-	// Standalone proxies.
-	standalones, err := m.store.ListStandaloneProxies()
-	if err != nil {
-		return nil, fmt.Errorf("list standalone proxies: %w", err)
-	}
-
-	for _, p := range standalones {
-		views = append(views, ProxyView{
-			ID:           p.ID,
-			Domain:       p.Domain,
-			Destination:  fmt.Sprintf("%s:%d", p.DestinationURL, p.DestinationPort),
-			Type:         "standalone",
-			HealthStatus: p.HealthStatus,
-			SSLEnabled:   p.SSLCertificateID > 0,
-			NpmProxyID:   p.NpmProxyID,
-			CreatedAt:    p.CreatedAt,
-		})
-	}
-
-	// Deploy-managed proxies: instances with a proxy route configured.
-	instances, err := m.store.ListAllInstances()
-	if err != nil {
-		return nil, fmt.Errorf("list instances: %w", err)
-	}
-
-	// Pre-load project and stage names to avoid N+1 queries.
-	allProjects, _ := m.store.GetAllProjects()
-	projectNames := make(map[string]string, len(allProjects))
-	for _, p := range allProjects {
-		projectNames[p.ID] = p.Name
-	}
-	stageNames := make(map[string]string)
-	for _, p := range allProjects {
-		stages, _ := m.store.GetStagesByProjectID(p.ID)
-		for _, s := range stages {
-			stageNames[s.ID] = s.Name
-		}
-	}
-
-	for _, inst := range instances {
-		if inst.ProxyRouteID == "" && inst.NpmProxyID <= 0 {
-			continue
-		}
-
-		projectName := projectNames[inst.ProjectID]
-		if projectName == "" {
-			projectName = inst.ProjectID
-		}
-		stageName := stageNames[inst.StageID]
-		if stageName == "" {
-			stageName = inst.StageID
-		}
-
-		cid := inst.ContainerID
-		if len(cid) > 12 {
-			cid = cid[:12]
-		}
-		destination := fmt.Sprintf("%s:%d", cid, inst.Port)
-		if inst.Subdomain != "" {
-			destination = fmt.Sprintf("%s:%d", inst.Subdomain, inst.Port)
-		}
-
-		healthStatus := "unknown"
-		if inst.Status == "running" {
-			healthStatus = "healthy"
-		} else if inst.Status == "stopped" || inst.Status == "failed" {
-			healthStatus = "unhealthy"
-		}
-
-		views = append(views, ProxyView{
-			ID:           inst.ID,
-			Domain:       inst.Subdomain,
-			Destination:  destination,
-			Type:         "managed",
-			ProjectName:  projectName,
-			StageName:    stageName,
-			HealthStatus: healthStatus,
-			SSLEnabled:   true, // managed proxies always get SSL from settings
-			NpmProxyID:   inst.NpmProxyID,
-			CreatedAt:    inst.CreatedAt,
-		})
-	}
-
-	return views, nil
-}
-
-// ensureDNS creates or updates a DNS record for a standalone proxy domain. Best-effort.
-func (m *Manager) ensureDNS(ctx context.Context, domain, proxyID string) {
-	dnsProvider := m.getDNS()
-	if dnsProvider == nil {
-		return
-	}
-	settings, err := m.store.GetSettings()
-	if err != nil {
-		slog.Warn("dns: get settings for server IP", "error", err)
-		return
-	}
-	if settings.ServerIP == "" {
-		slog.Warn("dns: server IP not configured, skipping DNS record creation", "domain", domain)
-		return
-	}
-
-	recordID, err := dnsProvider.EnsureRecord(ctx, domain, settings.ServerIP)
-	if err != nil {
-		slog.Warn("dns: failed to create/update record for standalone proxy", "domain", domain, "error", err)
-		return
-	}
-
-	if _, err := m.store.CreateDNSRecord(store.DNSRecord{
-		FQDN:             domain,
-		ProviderRecordID: recordID,
-		ConsumerType:     "standalone",
-		ConsumerID:       proxyID,
-	}); err != nil {
-		// May already exist — try updating.
-		if updateErr := m.store.UpdateDNSRecordProviderID(domain, recordID); updateErr != nil {
-			slog.Warn("dns: failed to track record", "domain", domain, "error", updateErr)
-		}
-	}
-	slog.Info("dns: record ensured for standalone proxy", "domain", domain)
-}
-
-// removeDNS deletes a DNS record for a standalone proxy domain. Best-effort.
-func (m *Manager) removeDNS(ctx context.Context, domain string) {
-	dnsProvider := m.getDNS()
-	if dnsProvider == nil {
-		return
-	}
-	if err := dnsProvider.DeleteRecord(ctx, domain); err != nil {
-		slog.Warn("dns: failed to delete record for standalone proxy", "domain", domain, "error", err)
-		return
-	}
-	if err := m.store.DeleteDNSRecord(domain); err != nil {
-		slog.Warn("dns: failed to remove tracking record", "domain", domain, "error", err)
-	}
-	slog.Info("dns: record deleted for standalone proxy", "domain", domain)
-}
-
-// lastFailedStep returns the message of the last failed validation step.
-func lastFailedStep(result ValidationResult) string {
-	for _, step := range result.Steps {
-		if !step.Passed {
-			msg := step.Message
-			if step.Hint != "" {
-				msg += " — " + step.Hint
-			}
-			return msg
-		}
-	}
-	return "unknown validation failure"
-}
-
-// IsNotFound checks if an error wraps store.ErrNotFound.
-func IsNotFound(err error) bool {
-	return errors.Is(err, store.ErrNotFound)
-}
diff --git a/internal/proxy/traefik_provider.go b/internal/proxy/traefik_provider.go
new file mode 100644
index 0000000..2a247eb
--- /dev/null
+++ b/internal/proxy/traefik_provider.go
@@ -0,0 +1,93 @@
+package proxy
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// TraefikProvider manages proxy routes via Docker labels.
+// Traefik auto-discovers containers with the appropriate labels.
+type TraefikProvider struct {
+	entrypoint   string
+	certResolver string
+	network      string // Docker network for traefik.docker.network label
+	apiURL       string // Traefik API URL for health checks (optional)
+	httpClient   *http.Client
+}
+
+// NewTraefikProvider creates a Traefik-backed proxy provider.
+func NewTraefikProvider(entrypoint, certResolver, network, apiURL string) *TraefikProvider {
+	if entrypoint == "" {
+		entrypoint = "websecure"
+	}
+	return &TraefikProvider{
+		entrypoint:   entrypoint,
+		certResolver: certResolver,
+		network:      network,
+		apiURL:       strings.TrimRight(apiURL, "/"),
+		httpClient:   &http.Client{Timeout: 5 * time.Second},
+	}
+}
+
+func (t *TraefikProvider) Name() string { return "traefik" }
+
+// ConfigureRoute for Traefik is a no-op for deploy-managed containers.
+// Labels are set at container creation time via ContainerLabels().
+// Returns a route ID for tracking.
+func (t *TraefikProvider) ConfigureRoute(_ context.Context, domain, _ string, _ int, _ RouteOptions) (string, error) {
+	routerName := sanitizeDomain(domain)
+	return routerName, nil
+}
+
+// DeleteRoute for Traefik is a no-op — removing the container removes the labels,
+// and Traefik automatically de-registers the route.
+func (t *TraefikProvider) DeleteRoute(_ context.Context, _ string) error {
+	return nil
+}
+
+// ContainerLabels returns Docker labels for Traefik auto-discovery.
+func (t *TraefikProvider) ContainerLabels(domain string, port int) map[string]string {
+	name := sanitizeDomain(domain)
+	labels := map[string]string{
+		"traefik.enable": "true",
+		fmt.Sprintf("traefik.http.routers.%s.rule", name):                     fmt.Sprintf("Host(`%s`)", domain),
+		fmt.Sprintf("traefik.http.routers.%s.entrypoints", name):              t.entrypoint,
+		fmt.Sprintf("traefik.http.services.%s.loadbalancer.server.port", name): fmt.Sprintf("%d", port),
+	}
+	if t.certResolver != "" {
+		labels[fmt.Sprintf("traefik.http.routers.%s.tls.certresolver", name)] = t.certResolver
+	}
+	if t.network != "" {
+		labels["traefik.docker.network"] = t.network
+	}
+	return labels
+}
+
+// Ping checks Traefik API connectivity if a URL is configured.
+func (t *TraefikProvider) Ping(ctx context.Context) error {
+	if t.apiURL == "" {
+		return nil // No API URL configured, skip health check.
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, t.apiURL+"/api/overview", nil)
+	if err != nil {
+		return fmt.Errorf("create traefik ping request: %w", err)
+	}
+	resp, err := t.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("traefik ping: %w", err)
+	}
+	resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("traefik api returned status %d", resp.StatusCode)
+	}
+	return nil
+}
+
+// sanitizeDomain converts a domain to a safe Traefik router name.
+func sanitizeDomain(domain string) string {
+	r := strings.NewReplacer(".", "-", ":", "-", "*", "wildcard")
+	return r.Replace(strings.ToLower(domain))
+}
diff --git a/internal/proxy/validator.go b/internal/proxy/validator.go
deleted file mode 100644
index a1a5ce5..0000000
--- a/internal/proxy/validator.go
+++ /dev/null
@@ -1,224 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/http"
-	"net/url"
-	"strconv"
-	"time"
-)
-
-// Validation step names.
-const (
-	StepSyntax = "syntax"
-	StepDNS    = "dns"
-	StepTCP    = "tcp"
-	StepHTTP   = "http"
-)
-
-// ValidationStep holds the result of a single validation check.
-type ValidationStep struct {
-	Name    string `json:"name"`
-	Passed  bool   `json:"passed"`
-	Message string `json:"message,omitempty"`
-	Hint    string `json:"hint,omitempty"`
-}
-
-// ValidationResult holds the aggregate result of the validation pipeline.
-type ValidationResult struct {
-	Valid bool             `json:"valid"`
-	Steps []ValidationStep `json:"steps"`
-}
-
-// ValidateDestination runs the multi-step validation pipeline against the given
-// destination host and port. It checks syntax, DNS, TCP reachability, and HTTP health.
-// The pipeline short-circuits on failure: later steps are skipped if an earlier one fails.
-func ValidateDestination(ctx context.Context, host string, port int) ValidationResult {
-	result := ValidationResult{Valid: true}
-
-	// Step 1: Syntax validation.
-	if step, ok := validateSyntax(host, port); !ok {
-		result.Valid = false
-		result.Steps = append(result.Steps, step)
-		return result
-	} else {
-		result.Steps = append(result.Steps, step)
-	}
-
-	// Step 2: DNS resolution (skip for IP addresses).
-	ip := net.ParseIP(host)
-	if ip == nil {
-		if step, ok := validateDNS(ctx, host); !ok {
-			result.Valid = false
-			result.Steps = append(result.Steps, step)
-			return result
-		} else {
-			result.Steps = append(result.Steps, step)
-		}
-	} else {
-		result.Steps = append(result.Steps, ValidationStep{
-			Name:    StepDNS,
-			Passed:  true,
-			Message: "Skipped (IP address provided)",
-		})
-	}
-
-	// Step 3: TCP port reachability.
-	if step, ok := validateTCP(ctx, host, port); !ok {
-		result.Valid = false
-		result.Steps = append(result.Steps, step)
-		return result
-	} else {
-		result.Steps = append(result.Steps, step)
-	}
-
-	// Step 4: HTTP health probe.
-	step := validateHTTP(ctx, host, port)
-	result.Steps = append(result.Steps, step)
-	if !step.Passed {
-		result.Valid = false
-	}
-
-	return result
-}
-
-// validateSyntax checks that the host and port values are syntactically valid.
-func validateSyntax(host string, port int) (ValidationStep, bool) {
-	if host == "" {
-		return ValidationStep{
-			Name:    StepSyntax,
-			Passed:  false,
-			Message: "Host is empty",
-			Hint:    "Provide a valid hostname or IP address.",
-		}, false
-	}
-
-	if port < 1 || port > 65535 {
-		return ValidationStep{
-			Name:    StepSyntax,
-			Passed:  false,
-			Message: fmt.Sprintf("Port %d is out of range (1-65535)", port),
-			Hint:    "Provide a valid port number between 1 and 65535.",
-		}, false
-	}
-
-	// Reject obviously invalid hostnames (but allow IPs).
-	if net.ParseIP(host) == nil {
-		// Basic hostname validation: must not contain spaces or schemes.
-		if _, err := url.Parse("http://" + host); err != nil {
-			return ValidationStep{
-				Name:    StepSyntax,
-				Passed:  false,
-				Message: "Invalid hostname: " + err.Error(),
-				Hint:    "Provide a valid hostname without scheme (e.g., 'example.com' not 'http://example.com').",
-			}, false
-		}
-	}
-
-	return ValidationStep{
-		Name:    StepSyntax,
-		Passed:  true,
-		Message: fmt.Sprintf("Host %q port %d syntax OK", host, port),
-	}, true
-}
-
-// validateDNS performs a DNS lookup on the given host.
-func validateDNS(ctx context.Context, host string) (ValidationStep, bool) {
-	resolver := net.DefaultResolver
-	addrs, err := resolver.LookupHost(ctx, host)
-	if err != nil {
-		return ValidationStep{
-			Name:    StepDNS,
-			Passed:  false,
-			Message: fmt.Sprintf("DNS resolution failed for %q: %s", host, err.Error()),
-			Hint:    diagnosticHint(StepDNS, err),
-		}, false
-	}
-
-	return ValidationStep{
-		Name:    StepDNS,
-		Passed:  true,
-		Message: fmt.Sprintf("Resolved to %v", addrs),
-	}, true
-}
-
-// validateTCP attempts a TCP connection to host:port with a 5-second timeout.
-func validateTCP(ctx context.Context, host string, port int) (ValidationStep, bool) {
-	addr := net.JoinHostPort(host, strconv.Itoa(port))
-
-	dialCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
-	defer cancel()
-
-	var d net.Dialer
-	conn, err := d.DialContext(dialCtx, "tcp", addr)
-	if err != nil {
-		return ValidationStep{
-			Name:    StepTCP,
-			Passed:  false,
-			Message: fmt.Sprintf("TCP connect to %s failed: %s", addr, err.Error()),
-			Hint:    diagnosticHint(StepTCP, err),
-		}, false
-	}
-	conn.Close()
-
-	return ValidationStep{
-		Name:    StepTCP,
-		Passed:  true,
-		Message: fmt.Sprintf("TCP connect to %s succeeded", addr),
-	}, true
-}
-
-// validateHTTP performs a GET request to the destination and checks for a response.
-// Non-5xx responses are considered passing (the service is responding).
-func validateHTTP(ctx context.Context, host string, port int) ValidationStep {
-	target := fmt.Sprintf("http://%s:%d/", host, port)
-
-	httpCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-
-	req, err := http.NewRequestWithContext(httpCtx, http.MethodGet, target, nil)
-	if err != nil {
-		return ValidationStep{
-			Name:    StepHTTP,
-			Passed:  false,
-			Message: fmt.Sprintf("Failed to build HTTP request: %s", err.Error()),
-			Hint:    diagnosticHint(StepHTTP, err),
-		}
-	}
-
-	client := &http.Client{
-		Timeout: 10 * time.Second,
-		// Do not follow redirects — we just want to see if the port responds to HTTP.
-		CheckRedirect: func(*http.Request, []*http.Request) error {
-			return http.ErrUseLastResponse
-		},
-	}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return ValidationStep{
-			Name:    StepHTTP,
-			Passed:  false,
-			Message: fmt.Sprintf("HTTP probe to %s failed: %s", target, err.Error()),
-			Hint:    diagnosticHint(StepHTTP, err),
-		}
-	}
-	resp.Body.Close()
-
-	if resp.StatusCode >= 500 {
-		return ValidationStep{
-			Name:    StepHTTP,
-			Passed:  false,
-			Message: fmt.Sprintf("Service responded with HTTP %d. The service may not be healthy.", resp.StatusCode),
-			Hint:    fmt.Sprintf("Service responded with HTTP %d. The service may not be healthy.", resp.StatusCode),
-		}
-	}
-
-	return ValidationStep{
-		Name:    StepHTTP,
-		Passed:  true,
-		Message: fmt.Sprintf("HTTP probe returned %d", resp.StatusCode),
-	}
-}
diff --git a/internal/store/models.go b/internal/store/models.go
index c81f3dd..ed67538 100644
--- a/internal/store/models.go
+++ b/internal/store/models.go
@@ -63,8 +63,12 @@ type Settings struct {
 	DNSProvider          string `json:"dns_provider"`
 	CloudflareAPIToken   string `json:"cloudflare_api_token"`
 	CloudflareZoneID     string `json:"cloudflare_zone_id"`
-	ProxyProvider        string `json:"proxy_provider"`
-	BackupEnabled        bool   `json:"backup_enabled"`
+	ProxyProvider       string `json:"proxy_provider"`
+	TraefikEntrypoint   string `json:"traefik_entrypoint"`
+	TraefikCertResolver string `json:"traefik_cert_resolver"`
+	TraefikNetwork      string `json:"traefik_network"`
+	TraefikAPIURL       string `json:"traefik_api_url"`
+	BackupEnabled       bool   `json:"backup_enabled"`
 	BackupIntervalHours  int    `json:"backup_interval_hours"`
 	BackupRetentionCount int    `json:"backup_retention_count"`
 	UpdatedAt            string `json:"updated_at"`
@@ -194,16 +198,3 @@ type EventLog struct {
 	CreatedAt string `json:"created_at"`
 }
 
-// StandaloneProxy represents a standalone reverse proxy not tied to a project.
-type StandaloneProxy struct {
-	ID               string `json:"id"`
-	Domain           string `json:"domain"`
-	DestinationURL   string `json:"destination_url"`
-	DestinationPort  int    `json:"destination_port"`
-	SSLCertificateID int    `json:"ssl_certificate_id"`
-	NpmProxyID       int    `json:"npm_proxy_id"`
-	HealthStatus     string `json:"health_status"` // unknown, healthy, unhealthy
-	HealthCheckedAt  string `json:"health_checked_at"`
-	CreatedAt        string `json:"created_at"`
-	UpdatedAt        string `json:"updated_at"`
-}
diff --git a/internal/store/settings.go b/internal/store/settings.go
index e8ae580..6f29f5d 100644
--- a/internal/store/settings.go
+++ b/internal/store/settings.go
@@ -15,6 +15,7 @@ func (s *Store) GetSettings() (Settings, error) {
 		        allowed_volume_paths, wildcard_dns, dns_provider,
 		        cloudflare_api_token, cloudflare_zone_id,
 		        proxy_provider,
+		        traefik_entrypoint, traefik_cert_resolver, traefik_network, traefik_api_url,
 		        backup_enabled, backup_interval_hours, backup_retention_count,
 		        updated_at
 		 FROM settings WHERE id = 1`,
@@ -24,6 +25,7 @@ func (s *Store) GetSettings() (Settings, error) {
 		&st.AllowedVolumePaths, &wildcardDNS, &st.DNSProvider,
 		&st.CloudflareAPIToken, &st.CloudflareZoneID,
 		&st.ProxyProvider,
+		&st.TraefikEntrypoint, &st.TraefikCertResolver, &st.TraefikNetwork, &st.TraefikAPIURL,
 		&backupEnabled, &st.BackupIntervalHours, &st.BackupRetentionCount,
 		&st.UpdatedAt)
 	if err != nil {
@@ -53,6 +55,7 @@ func (s *Store) UpdateSettings(st Settings) error {
 			allowed_volume_paths=?, wildcard_dns=?, dns_provider=?,
 			cloudflare_api_token=?, cloudflare_zone_id=?,
 			proxy_provider=?,
+			traefik_entrypoint=?, traefik_cert_resolver=?, traefik_network=?, traefik_api_url=?,
 			backup_enabled=?, backup_interval_hours=?, backup_retention_count=?,
 			updated_at=?
 		 WHERE id = 1`,
@@ -62,6 +65,7 @@ func (s *Store) UpdateSettings(st Settings) error {
 		st.AllowedVolumePaths, wildcardDNS, st.DNSProvider,
 		st.CloudflareAPIToken, st.CloudflareZoneID,
 		st.ProxyProvider,
+		st.TraefikEntrypoint, st.TraefikCertResolver, st.TraefikNetwork, st.TraefikAPIURL,
 		backupEnabled, st.BackupIntervalHours, st.BackupRetentionCount,
 		st.UpdatedAt,
 	)
diff --git a/internal/store/standalone_proxy.go b/internal/store/standalone_proxy.go
deleted file mode 100644
index a1ce46e..0000000
--- a/internal/store/standalone_proxy.go
+++ /dev/null
@@ -1,120 +0,0 @@
-package store
-
-import (
-	"database/sql"
-	"errors"
-	"fmt"
-
-	"github.com/google/uuid"
-)
-
-// CreateStandaloneProxy inserts a new standalone proxy record.
-func (s *Store) CreateStandaloneProxy(p StandaloneProxy) (StandaloneProxy, error) {
-	p.ID = uuid.New().String()
-	p.CreatedAt = Now()
-	p.UpdatedAt = p.CreatedAt
-
-	if p.HealthStatus == "" {
-		p.HealthStatus = "unknown"
-	}
-
-	_, err := s.db.Exec(
-		`INSERT INTO standalone_proxies (id, domain, destination_url, destination_port, ssl_certificate_id, npm_proxy_id, health_status, health_checked_at, created_at, updated_at)
-		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
-		p.ID, p.Domain, p.DestinationURL, p.DestinationPort, p.SSLCertificateID,
-		p.NpmProxyID, p.HealthStatus, p.HealthCheckedAt, p.CreatedAt, p.UpdatedAt,
-	)
-	if err != nil {
-		return StandaloneProxy{}, fmt.Errorf("insert standalone proxy: %w", err)
-	}
-	return p, nil
-}
-
-// GetStandaloneProxy returns a standalone proxy by ID.
-func (s *Store) GetStandaloneProxy(id string) (StandaloneProxy, error) {
-	var p StandaloneProxy
-	err := s.db.QueryRow(
-		`SELECT id, domain, destination_url, destination_port, ssl_certificate_id, npm_proxy_id, health_status, health_checked_at, created_at, updated_at
-		 FROM standalone_proxies WHERE id = ?`, id,
-	).Scan(&p.ID, &p.Domain, &p.DestinationURL, &p.DestinationPort, &p.SSLCertificateID,
-		&p.NpmProxyID, &p.HealthStatus, &p.HealthCheckedAt, &p.CreatedAt, &p.UpdatedAt)
-	if errors.Is(err, sql.ErrNoRows) {
-		return StandaloneProxy{}, fmt.Errorf("standalone proxy %s: %w", id, ErrNotFound)
-	}
-	if err != nil {
-		return StandaloneProxy{}, fmt.Errorf("query standalone proxy: %w", err)
-	}
-	return p, nil
-}
-
-// ListStandaloneProxies returns all standalone proxy records ordered by creation time.
-func (s *Store) ListStandaloneProxies() ([]StandaloneProxy, error) {
-	rows, err := s.db.Query(
-		`SELECT id, domain, destination_url, destination_port, ssl_certificate_id, npm_proxy_id, health_status, health_checked_at, created_at, updated_at
-		 FROM standalone_proxies ORDER BY created_at DESC`,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("query standalone proxies: %w", err)
-	}
-	defer rows.Close()
-
-	proxies := []StandaloneProxy{}
-	for rows.Next() {
-		var p StandaloneProxy
-		if err := rows.Scan(&p.ID, &p.Domain, &p.DestinationURL, &p.DestinationPort, &p.SSLCertificateID,
-			&p.NpmProxyID, &p.HealthStatus, &p.HealthCheckedAt, &p.CreatedAt, &p.UpdatedAt); err != nil {
-			return nil, fmt.Errorf("scan standalone proxy: %w", err)
-		}
-		proxies = append(proxies, p)
-	}
-	return proxies, rows.Err()
-}
-
-// UpdateStandaloneProxy updates an existing standalone proxy's mutable fields.
-func (s *Store) UpdateStandaloneProxy(p StandaloneProxy) error {
-	p.UpdatedAt = Now()
-	result, err := s.db.Exec(
-		`UPDATE standalone_proxies SET domain=?, destination_url=?, destination_port=?, ssl_certificate_id=?, npm_proxy_id=?, health_status=?, health_checked_at=?, updated_at=?
-		 WHERE id=?`,
-		p.Domain, p.DestinationURL, p.DestinationPort, p.SSLCertificateID,
-		p.NpmProxyID, p.HealthStatus, p.HealthCheckedAt, p.UpdatedAt, p.ID,
-	)
-	if err != nil {
-		return fmt.Errorf("update standalone proxy: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("standalone proxy %s: %w", p.ID, ErrNotFound)
-	}
-	return nil
-}
-
-// DeleteStandaloneProxy removes a standalone proxy by ID.
-func (s *Store) DeleteStandaloneProxy(id string) error {
-	result, err := s.db.Exec(`DELETE FROM standalone_proxies WHERE id = ?`, id)
-	if err != nil {
-		return fmt.Errorf("delete standalone proxy: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("standalone proxy %s: %w", id, ErrNotFound)
-	}
-	return nil
-}
-
-// UpdateProxyHealth updates the health status and check timestamp for a standalone proxy.
-func (s *Store) UpdateProxyHealth(id string, status string) error {
-	ts := Now()
-	result, err := s.db.Exec(
-		`UPDATE standalone_proxies SET health_status=?, health_checked_at=?, updated_at=? WHERE id=?`,
-		status, ts, ts, id,
-	)
-	if err != nil {
-		return fmt.Errorf("update proxy health: %w", err)
-	}
-	n, _ := result.RowsAffected()
-	if n == 0 {
-		return fmt.Errorf("standalone proxy %s: %w", id, ErrNotFound)
-	}
-	return nil
-}
diff --git a/internal/store/store.go b/internal/store/store.go
index a466fac..47180ed 100644
--- a/internal/store/store.go
+++ b/internal/store/store.go
@@ -104,6 +104,11 @@ func (s *Store) runMigrations() error {
 		`ALTER TABLE instances ADD COLUMN proxy_route_id TEXT NOT NULL DEFAULT ''`,
 		// Add proxy_provider to settings (2026-04-04). Default to npm for backward compat.
 		`ALTER TABLE settings ADD COLUMN proxy_provider TEXT NOT NULL DEFAULT 'npm'`,
+		// Add Traefik provider settings (2026-04-04).
+		`ALTER TABLE settings ADD COLUMN traefik_entrypoint TEXT NOT NULL DEFAULT 'websecure'`,
+		`ALTER TABLE settings ADD COLUMN traefik_cert_resolver TEXT NOT NULL DEFAULT 'letsencrypt'`,
+		`ALTER TABLE settings ADD COLUMN traefik_network TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE settings ADD COLUMN traefik_api_url TEXT NOT NULL DEFAULT ''`,
 	}
 
 	for _, m := range migrations {
@@ -202,8 +207,12 @@ CREATE TABLE IF NOT EXISTS settings (
 	webhook_secret      TEXT NOT NULL DEFAULT '',
 	polling_interval    TEXT NOT NULL DEFAULT '5m',
 	base_volume_path   TEXT NOT NULL DEFAULT '',
-	ssl_certificate_id INTEGER NOT NULL DEFAULT 0,
-	updated_at          TEXT NOT NULL DEFAULT (datetime('now'))
+	ssl_certificate_id     INTEGER NOT NULL DEFAULT 0,
+	traefik_entrypoint     TEXT NOT NULL DEFAULT 'websecure',
+	traefik_cert_resolver  TEXT NOT NULL DEFAULT 'letsencrypt',
+	traefik_network        TEXT NOT NULL DEFAULT '',
+	traefik_api_url        TEXT NOT NULL DEFAULT '',
+	updated_at             TEXT NOT NULL DEFAULT (datetime('now'))
 );
 
 CREATE TABLE IF NOT EXISTS instances (
diff --git a/web/src/lib/api.ts b/web/src/lib/api.ts
index 0793d65..2b86f76 100644
--- a/web/src/lib/api.ts
+++ b/web/src/lib/api.ts
@@ -11,15 +11,12 @@ import type {
 	NpmCertificate,
 	Project,
 	ProjectDetail,
-	ProxyView,
 	Registry,
 	RegistryImage,
 	Settings,
 	StaleContainer,
 	Stage,
 	StageEnv,
-	StandaloneProxy,
-	ValidationResult,
 	Volume,
 	VolumeScopeInfo,
 	BrowseResult,
@@ -531,43 +528,6 @@ export function fetchEventLogStats(): Promise<EventLogStats> {
 	return get<EventLogStats>('/api/events/log/stats');
 }
 
-// ── Proxies ─────────────────────────────────────────────────────────
-
-export function validateProxy(host: string, port: number): Promise<ValidationResult> {
-	return post<ValidationResult>('/api/proxies/validate', { host, port });
-}
-
-export function createProxy(data: {
-	domain: string;
-	destination_url: string;
-	destination_port: number;
-}): Promise<StandaloneProxy> {
-	return post<StandaloneProxy>('/api/proxies', data);
-}
-
-export function listProxies(): Promise<StandaloneProxy[]> {
-	return get<StandaloneProxy[]>('/api/proxies');
-}
-
-export function getProxy(id: string): Promise<StandaloneProxy> {
-	return get<StandaloneProxy>(`/api/proxies/${id}`);
-}
-
-export function updateProxy(
-	id: string,
-	data: { domain: string; destination_url: string; destination_port: number }
-): Promise<StandaloneProxy> {
-	return put<StandaloneProxy>(`/api/proxies/${id}`, data);
-}
-
-export function deleteProxy(id: string): Promise<{ deleted: string }> {
-	return del<{ deleted: string }>(`/api/proxies/${id}`);
-}
-
-export function listAllProxies(): Promise<ProxyView[]> {
-	return get<ProxyView[]>('/api/proxies/all');
-}
-
 // ── Stale Containers ────────────────────────────────────────────────
 
 export function fetchStaleContainers(): Promise<StaleContainer[]> {
diff --git a/web/src/lib/components/ProxyCard.svelte b/web/src/lib/components/ProxyCard.svelte
deleted file mode 100644
index 2b2c9b6..0000000
--- a/web/src/lib/components/ProxyCard.svelte
+++ /dev/null
@@ -1,129 +0,0 @@
-<!--
-  Phase 4: Individual proxy display card showing domain, destination,
-  type badge, health indicator, SSL badge, and project/stage labels.
--->
-<script lang="ts">
-	import type { ProxyView } from '$lib/types';
-	import { t } from '$lib/i18n';
-	import { IconEdit, IconExternalLink, IconLock } from '$lib/components/icons';
-
-	interface Props {
-		proxy: ProxyView;
-	}
-
-	const { proxy }: Props = $props();
-
-	const healthColors: Record<string, { dot: string; ring: string }> = {
-		healthy: { dot: 'bg-emerald-500', ring: 'bg-emerald-500' },
-		unhealthy: { dot: 'bg-red-500', ring: 'bg-red-500' },
-		unknown: { dot: 'bg-amber-400', ring: 'bg-amber-400' }
-	};
-
-	const healthColor = $derived(healthColors[proxy.health_status] ?? healthColors.unknown);
-	const isHealthy = $derived(proxy.health_status === 'healthy');
-
-	const typeBadgeClass = $derived(
-		proxy.type === 'managed'
-			? 'bg-blue-50 text-blue-700 dark:bg-blue-950 dark:text-blue-300'
-			: 'bg-purple-50 text-purple-700 dark:bg-purple-950 dark:text-purple-300'
-	);
-
-	const healthLabel = $derived($t(`proxies.health.${proxy.health_status}`));
-
-	function formatTimestamp(iso: string): string {
-		if (!iso) return '';
-		try {
-			const date = new Date(iso);
-			return date.toLocaleString();
-		} catch {
-			return iso;
-		}
-	}
-</script>
-
-<div class="rounded-xl border border-[var(--border-primary)] bg-[var(--surface-card)] p-4 shadow-[var(--shadow-sm)] transition-all duration-200 hover:border-[var(--color-brand-300)] hover:shadow-[var(--shadow-md)]">
-	<!-- Top row: domain + health dot -->
-	<div class="flex items-start justify-between gap-3">
-		<div class="min-w-0 flex-1">
-			<div class="flex items-center gap-2">
-				<!-- Health indicator -->
-				<span class="relative flex h-2.5 w-2.5 shrink-0" title={healthLabel}>
-					{#if isHealthy}
-						<span class="absolute inline-flex h-full w-full animate-ping rounded-full {healthColor.ring} opacity-50"></span>
-					{/if}
-					<span class="relative inline-flex h-2.5 w-2.5 rounded-full {healthColor.dot}"></span>
-				</span>
-
-				<!-- Domain link -->
-				<a
-					href="https://{proxy.domain}"
-					target="_blank"
-					rel="noopener noreferrer"
-					class="group inline-flex items-center gap-1 truncate text-sm font-semibold text-[var(--text-primary)] hover:text-[var(--color-brand-600)] transition-colors"
-				>
-					<span class="truncate">{proxy.domain}</span>
-					<IconExternalLink size={13} class="shrink-0 opacity-0 group-hover:opacity-100 transition-opacity" />
-				</a>
-			</div>
-
-			<!-- Destination -->
-			<p class="mt-1 truncate font-mono text-xs text-[var(--text-tertiary)]">
-				{proxy.destination}
-			</p>
-		</div>
-
-		<!-- Type badge -->
-		<span class="shrink-0 rounded-full px-2 py-0.5 text-xs font-medium {typeBadgeClass}">
-			{proxy.type}
-		</span>
-	</div>
-
-	<!-- Badges row -->
-	<div class="mt-3 flex flex-wrap items-center gap-2">
-		<!-- SSL badge -->
-		{#if proxy.ssl_enabled}
-			<span class="inline-flex items-center gap-1 rounded-full bg-emerald-50 px-2 py-0.5 text-xs font-medium text-emerald-700 dark:bg-emerald-950 dark:text-emerald-300">
-				<IconLock size={11} />
-				SSL
-			</span>
-		{/if}
-
-		<!-- Health status label -->
-		<span class="inline-flex items-center gap-1 rounded-full bg-[var(--surface-card-hover)] px-2 py-0.5 text-xs font-medium text-[var(--text-secondary)]">
-			{healthLabel}
-		</span>
-
-		<!-- Project / stage labels for managed proxies -->
-		{#if proxy.type === 'managed' && proxy.project_name}
-			<span class="rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700 dark:bg-blue-950 dark:text-blue-300">
-				{proxy.project_name}
-			</span>
-			{#if proxy.stage_name}
-				<span class="rounded-full bg-indigo-50 px-2 py-0.5 text-xs font-medium text-indigo-700 dark:bg-indigo-950 dark:text-indigo-300">
-					{proxy.stage_name}
-				</span>
-			{/if}
-		{/if}
-	</div>
-
-	<!-- Footer row: edit link (standalone only) + timestamp -->
-	<div class="mt-3 flex items-center justify-between">
-		{#if proxy.type === 'standalone'}
-			<a
-				href="/proxies/{proxy.id}/edit"
-				class="inline-flex items-center gap-1 text-xs font-medium text-[var(--color-brand-600)] hover:text-[var(--color-brand-700)] transition-colors"
-			>
-				<IconEdit size={12} />
-				{$t('common.edit')}
-			</a>
-		{:else}
-			<span></span>
-		{/if}
-
-		{#if proxy.created_at}
-			<p class="text-xs text-[var(--text-tertiary)]">
-				{$t('proxies.lastChecked')}: {formatTimestamp(proxy.created_at)}
-			</p>
-		{/if}
-	</div>
-</div>
diff --git a/web/src/lib/components/ProxyFilter.svelte b/web/src/lib/components/ProxyFilter.svelte
deleted file mode 100644
index 80be70e..0000000
--- a/web/src/lib/components/ProxyFilter.svelte
+++ /dev/null
@@ -1,85 +0,0 @@
-<!--
-  Phase 4: Filter bar for the unified proxy viewer.
-  Provides text search, health status dropdown, type dropdown, and clear filters.
--->
-<script lang="ts">
-	import type { ProxyHealthStatus } from '$lib/types';
-	import { t } from '$lib/i18n';
-	import { IconSearch, IconX } from '$lib/components/icons';
-
-	interface Props {
-		search: string;
-		healthFilter: ProxyHealthStatus | 'all';
-		typeFilter: 'all' | 'managed' | 'standalone';
-		onsearchchange: (value: string) => void;
-		onhealthchange: (value: ProxyHealthStatus | 'all') => void;
-		ontypechange: (value: 'all' | 'managed' | 'standalone') => void;
-		onclear: () => void;
-	}
-
-	const {
-		search,
-		healthFilter,
-		typeFilter,
-		onsearchchange,
-		onhealthchange,
-		ontypechange,
-		onclear
-	}: Props = $props();
-
-	const hasFilters = $derived(
-		search.length > 0 || healthFilter !== 'all' || typeFilter !== 'all'
-	);
-</script>
-
-<div class="flex flex-col gap-3 sm:flex-row sm:items-center">
-	<!-- Text search -->
-	<div class="relative flex-1">
-		<IconSearch
-			size={16}
-			class="absolute left-3 top-1/2 -translate-y-1/2 text-[var(--text-tertiary)]"
-		/>
-		<input
-			type="text"
-			value={search}
-			oninput={(e) => onsearchchange(e.currentTarget.value)}
-			placeholder={$t('proxies.filter.search')}
-			class="w-full rounded-lg border border-[var(--border-primary)] bg-[var(--surface-card)] py-2 pl-9 pr-3 text-sm text-[var(--text-primary)] placeholder:text-[var(--text-tertiary)] transition-colors focus:border-[var(--color-brand-500)] focus:outline-none focus:ring-1 focus:ring-[var(--color-brand-500)]"
-		/>
-	</div>
-
-	<!-- Health filter -->
-	<select
-		value={healthFilter}
-		onchange={(e) => onhealthchange(e.currentTarget.value as ProxyHealthStatus | 'all')}
-		class="rounded-lg border border-[var(--border-primary)] bg-[var(--surface-card)] px-3 py-2 text-sm text-[var(--text-primary)] transition-colors focus:border-[var(--color-brand-500)] focus:outline-none focus:ring-1 focus:ring-[var(--color-brand-500)]"
-	>
-		<option value="all">{$t('proxies.filter.health')}: {$t('proxies.filter.all')}</option>
-		<option value="healthy">{$t('proxies.health.healthy')}</option>
-		<option value="unhealthy">{$t('proxies.health.unhealthy')}</option>
-		<option value="unknown">{$t('proxies.health.unknown')}</option>
-	</select>
-
-	<!-- Type filter -->
-	<select
-		value={typeFilter}
-		onchange={(e) => ontypechange(e.currentTarget.value as 'all' | 'managed' | 'standalone')}
-		class="rounded-lg border border-[var(--border-primary)] bg-[var(--surface-card)] px-3 py-2 text-sm text-[var(--text-primary)] transition-colors focus:border-[var(--color-brand-500)] focus:outline-none focus:ring-1 focus:ring-[var(--color-brand-500)]"
-	>
-		<option value="all">{$t('proxies.filter.type')}: {$t('proxies.filter.all')}</option>
-		<option value="managed">{$t('proxies.managed')}</option>
-		<option value="standalone">{$t('proxies.standalone')}</option>
-	</select>
-
-	<!-- Clear filters -->
-	{#if hasFilters}
-		<button
-			type="button"
-			onclick={onclear}
-			class="inline-flex items-center gap-1.5 rounded-lg border border-[var(--border-primary)] bg-[var(--surface-card)] px-3 py-2 text-sm text-[var(--text-secondary)] transition-colors hover:bg-[var(--surface-card-hover)] hover:text-[var(--text-primary)]"
-		>
-			<IconX size={14} />
-			{$t('proxies.filter.clear')}
-		</button>
-	{/if}
-</div>
diff --git a/web/src/lib/components/ProxyForm.svelte b/web/src/lib/components/ProxyForm.svelte
deleted file mode 100644
index d5a10fa..0000000
--- a/web/src/lib/components/ProxyForm.svelte
+++ /dev/null
@@ -1,292 +0,0 @@
-<!--
-  Phase 6: Create/edit form for standalone proxies.
-  Supports live destination validation with debounce.
--->
-<script lang="ts">
-	import type { StandaloneProxy, ValidationResult } from '$lib/types';
-	import { validateProxy, createProxy, updateProxy, deleteProxy } from '$lib/api';
-	import FormField from '$lib/components/FormField.svelte';
-	import ValidationChecklist from '$lib/components/ValidationChecklist.svelte';
-	import ConfirmDialog from '$lib/components/ConfirmDialog.svelte';
-	import { IconLoader } from '$lib/components/icons';
-	import { t } from '$lib/i18n';
-
-	interface Props {
-		mode: 'create' | 'edit';
-		proxy?: StandaloneProxy;
-		onsave?: (proxy: StandaloneProxy) => void;
-		ondelete?: (id: string) => void;
-		oncancel?: () => void;
-	}
-
-	const { mode, proxy, onsave, ondelete, oncancel }: Props = $props();
-
-	// ── Form state ────────────────────────────────────────────────────
-	let destinationUrl = $state(proxy?.destination_url ?? '');
-	let port = $state(proxy?.destination_port?.toString() ?? '');
-	let domain = $state(proxy?.domain ?? '');
-
-	// ── Validation state ──────────────────────────────────────────────
-	let validationResult: ValidationResult | null = $state(null);
-	let validating = $state(false);
-	let validationTimer: ReturnType<typeof setTimeout> | null = $state(null);
-
-	// ── Submit state ──────────────────────────────────────────────────
-	let submitting = $state(false);
-	let submitError = $state('');
-
-	// ── Delete state ──────────────────────────────────────────────────
-	let deleteConfirmOpen = $state(false);
-	let deleting = $state(false);
-
-	// ── Derived ───────────────────────────────────────────────────────
-	const portNum = $derived(parseInt(port, 10));
-	const portValid = $derived(!isNaN(portNum) && portNum >= 1 && portNum <= 65535);
-	const canSubmit = $derived(
-		destinationUrl.trim().length > 0 &&
-		port.trim().length > 0 &&
-		portValid &&
-		domain.trim().length > 0 &&
-		!submitting
-	);
-
-	const title = $derived(
-		mode === 'create' ? $t('proxies.form.title') : $t('proxies.form.editTitle')
-	);
-
-	const submitLabel = $derived(
-		submitting
-			? (mode === 'create' ? $t('proxies.form.create') : $t('proxies.form.save'))
-			: (mode === 'create' ? $t('proxies.form.create') : $t('proxies.form.save'))
-	);
-
-	// ── Domain auto-suggestion ────────────────────────────────────────
-	function suggestDomain(dest: string): string {
-		if (!dest) return '';
-		try {
-			// If it looks like a URL, parse the hostname
-			const withScheme = dest.includes('://') ? dest : `http://${dest}`;
-			const url = new URL(withScheme);
-			const host = url.hostname;
-			// Strip common prefixes and use as subdomain suggestion
-			const cleaned = host
-				.replace(/^(www|api|app)\./, '')
-				.replace(/\.\w+$/, '')
-				.replace(/[^a-z0-9.-]/gi, '-')
-				.toLowerCase();
-			return cleaned || '';
-		} catch {
-			// If it's a plain IP or hostname, use it directly
-			return dest.replace(/[^a-z0-9.-]/gi, '-').toLowerCase();
-		}
-	}
-
-	// ── Live validation with debounce ─────────────────────────────────
-	function scheduleValidation(): void {
-		if (validationTimer !== null) {
-			clearTimeout(validationTimer);
-		}
-		validationResult = null;
-
-		if (!destinationUrl.trim() || !port.trim() || !portValid) {
-			return;
-		}
-
-		validationTimer = setTimeout(() => {
-			runValidation();
-		}, 300);
-	}
-
-	async function runValidation(): Promise<void> {
-		if (!destinationUrl.trim() || !portValid) return;
-
-		validating = true;
-		try {
-			validationResult = await validateProxy(destinationUrl.trim(), portNum);
-		} catch {
-			// Validation is advisory -- don't block the UI
-			validationResult = null;
-		} finally {
-			validating = false;
-		}
-	}
-
-	function handleDestinationInput(): void {
-		// Auto-suggest domain only when creating and domain is empty or was auto-generated
-		if (mode === 'create') {
-			const suggested = suggestDomain(destinationUrl);
-			if (!domain || domain === suggestDomain(destinationUrl.slice(0, -1))) {
-				domain = suggested;
-			}
-		}
-		scheduleValidation();
-	}
-
-	function handlePortInput(): void {
-		scheduleValidation();
-	}
-
-	function handleValidateClick(): void {
-		if (validationTimer !== null) {
-			clearTimeout(validationTimer);
-		}
-		runValidation();
-	}
-
-	// ── Submit ────────────────────────────────────────────────────────
-	async function handleSubmit(): Promise<void> {
-		if (!canSubmit) return;
-
-		submitting = true;
-		submitError = '';
-
-		const data = {
-			domain: domain.trim(),
-			destination_url: destinationUrl.trim(),
-			destination_port: portNum
-		};
-
-		try {
-			const saved = mode === 'create'
-				? await createProxy(data)
-				: await updateProxy(proxy!.id, data);
-			onsave?.(saved);
-		} catch (err: unknown) {
-			submitError = err instanceof Error ? err.message : 'Unknown error';
-		} finally {
-			submitting = false;
-		}
-	}
-
-	// ── Delete ────────────────────────────────────────────────────────
-	async function handleDeleteConfirm(): Promise<void> {
-		if (!proxy) return;
-		deleting = true;
-		try {
-			await deleteProxy(proxy.id);
-			deleteConfirmOpen = false;
-			ondelete?.(proxy.id);
-		} catch (err: unknown) {
-			submitError = err instanceof Error ? err.message : 'Unknown error';
-		} finally {
-			deleting = false;
-		}
-	}
-</script>
-
-<div class="space-y-6">
-	<!-- Header -->
-	<h3 class="text-lg font-semibold text-[var(--text-primary)]">{title}</h3>
-
-	<!-- Form fields -->
-	<form onsubmit={(e) => { e.preventDefault(); handleSubmit(); }} class="space-y-4">
-		<FormField
-			label={$t('proxies.form.destination')}
-			name="destination_url"
-			bind:value={destinationUrl}
-			placeholder="192.168.1.100 or http://my-service"
-			required
-			oninput={handleDestinationInput}
-		/>
-
-		<FormField
-			label={$t('proxies.form.port')}
-			name="destination_port"
-			type="number"
-			bind:value={port}
-			placeholder="8080"
-			required
-			error={port && !portValid ? $t('validation.invalidPort') : ''}
-			oninput={handlePortInput}
-		/>
-
-		<FormField
-			label={$t('proxies.form.domain')}
-			name="domain"
-			bind:value={domain}
-			placeholder="my-service.example.com"
-			required
-			helpText={$t('proxies.form.domainHelp')}
-		/>
-
-		<!-- Validation checklist -->
-		<div class="space-y-2">
-			<ValidationChecklist result={validationResult} loading={validating} />
-
-			<button
-				type="button"
-				class="inline-flex items-center gap-1.5 rounded-lg border border-[var(--border-primary)] px-3 py-1.5 text-sm font-medium text-[var(--text-secondary)] hover:bg-[var(--surface-card-hover)] transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
-				disabled={!destinationUrl.trim() || !portValid || validating}
-				onclick={handleValidateClick}
-			>
-				{#if validating}
-					<IconLoader size={14} />
-					{$t('proxies.form.validating')}
-				{:else}
-					{$t('proxies.form.validate')}
-				{/if}
-			</button>
-		</div>
-
-		<!-- Validation warning (non-blocking) -->
-		{#if validationResult && !validationResult.valid}
-			<p class="text-xs text-amber-600 dark:text-amber-400">
-				Validation reported issues but you can still create the proxy.
-			</p>
-		{/if}
-
-		<!-- Submit error -->
-		{#if submitError}
-			<p class="text-sm text-[var(--color-danger)]">{submitError}</p>
-		{/if}
-
-		<!-- Action buttons -->
-		<div class="flex items-center justify-between pt-2">
-			<div>
-				{#if mode === 'edit'}
-					<button
-						type="button"
-						class="rounded-lg px-3 py-2 text-sm font-medium text-[var(--color-danger)] hover:bg-red-50 dark:hover:bg-red-950 transition-colors"
-						onclick={() => { deleteConfirmOpen = true; }}
-					>
-						{$t('proxies.form.delete')}
-					</button>
-				{/if}
-			</div>
-
-			<div class="flex items-center gap-3">
-				<button
-					type="button"
-					class="rounded-lg px-4 py-2 text-sm font-medium text-[var(--text-secondary)] hover:bg-[var(--surface-card-hover)] transition-colors"
-					onclick={() => oncancel?.()}
-				>
-					{$t('proxies.form.cancel')}
-				</button>
-
-				<button
-					type="submit"
-					class="inline-flex items-center gap-2 rounded-lg bg-[var(--color-brand-600)] px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-[var(--color-brand-700)] transition-colors focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-[var(--color-brand-600)] disabled:opacity-50 disabled:cursor-not-allowed"
-					disabled={!canSubmit}
-				>
-					{#if submitting}
-						<IconLoader size={14} />
-					{/if}
-					{submitLabel}
-				</button>
-			</div>
-		</div>
-	</form>
-</div>
-
-<!-- Delete confirmation dialog -->
-{#if mode === 'edit'}
-	<ConfirmDialog
-		open={deleteConfirmOpen}
-		title={$t('proxies.form.delete')}
-		message={$t('proxies.form.deleteConfirm')}
-		confirmLabel={deleting ? $t('common.loading') : $t('proxies.form.delete')}
-		confirmVariant="danger"
-		onconfirm={handleDeleteConfirm}
-		oncancel={() => { deleteConfirmOpen = false; }}
-	/>
-{/if}
diff --git a/web/src/lib/components/ProxyGroup.svelte b/web/src/lib/components/ProxyGroup.svelte
deleted file mode 100644
index 17cd76d..0000000
--- a/web/src/lib/components/ProxyGroup.svelte
+++ /dev/null
@@ -1,46 +0,0 @@
-<!--
-  Phase 4: Collapsible group for proxies by project/stage.
-  Shows a header with project name, proxy count, and expandable body.
--->
-<script lang="ts">
-	import type { Snippet } from 'svelte';
-	import { IconChevronRight } from '$lib/components/icons';
-
-	interface Props {
-		title: string;
-		count: number;
-		defaultExpanded?: boolean;
-		children: Snippet;
-	}
-
-	const { title, count, defaultExpanded = true, children }: Props = $props();
-
-	let expanded = $state(defaultExpanded);
-</script>
-
-<div class="rounded-xl border border-[var(--border-primary)] bg-[var(--surface-card)] overflow-hidden">
-	<!-- Header -->
-	<button
-		type="button"
-		onclick={() => { expanded = !expanded; }}
-		class="flex w-full items-center gap-3 px-5 py-3.5 text-left transition-colors hover:bg-[var(--surface-card-hover)]"
-	>
-		<IconChevronRight
-			size={16}
-			class="shrink-0 text-[var(--text-tertiary)] transition-transform duration-200 {expanded ? 'rotate-90' : ''}"
-		/>
-		<span class="text-sm font-semibold text-[var(--text-primary)]">{title}</span>
-		<span class="rounded-full bg-[var(--surface-card-hover)] px-2 py-0.5 text-xs font-medium text-[var(--text-secondary)]">
-			{count}
-		</span>
-	</button>
-
-	<!-- Expandable body -->
-	{#if expanded}
-		<div class="border-t border-[var(--border-primary)] p-4 animate-fade-in">
-			<div class="grid gap-3 sm:grid-cols-2 lg:grid-cols-3">
-				{@render children()}
-			</div>
-		</div>
-	{/if}
-</div>
diff --git a/web/src/lib/components/SystemHealthCard.svelte b/web/src/lib/components/SystemHealthCard.svelte
index d147a3a..3386a8f 100644
--- a/web/src/lib/components/SystemHealthCard.svelte
+++ b/web/src/lib/components/SystemHealthCard.svelte
@@ -1,16 +1,14 @@
 <!--
-  Dashboard summary card: container counts, proxy health, recent errors.
+  Dashboard summary card: container counts and recent errors.
 -->
 <script lang="ts">
-	import type { Instance, ProxyView, EventLogStats } from '$lib/types';
+	import type { Instance, EventLogStats } from '$lib/types';
 	import * as api from '$lib/api';
-	import { IconServer, IconProxies, IconAlert } from '$lib/components/icons';
+	import { IconServer, IconAlert } from '$lib/components/icons';
 	import { t } from '$lib/i18n';
 
 	let runningCount = $state(0);
 	let stoppedCount = $state(0);
-	let healthyProxies = $state(0);
-	let unhealthyProxies = $state(0);
 	let recentErrors = $state(0);
 	let loading = $state(true);
 
@@ -19,9 +17,8 @@
 
 		async function load() {
 			try {
-				const [projects, proxies, eventStats] = await Promise.all([
+				const [projects, eventStats] = await Promise.all([
 					api.listProjects(),
-					api.listAllProxies().catch(() => [] as ProxyView[]),
 					api.fetchEventLogStats().catch(() => ({ info: 0, warn: 0, error: 0, total: 0 }) as EventLogStats)
 				]);
 
@@ -42,8 +39,6 @@
 				if (!cancelled) {
 					runningCount = allInstances.filter((i) => i.status === 'running').length;
 					stoppedCount = allInstances.filter((i) => i.status !== 'running').length;
-					healthyProxies = proxies.filter((p) => p.health_status === 'healthy').length;
-					unhealthyProxies = proxies.filter((p) => p.health_status === 'unhealthy').length;
 					recentErrors = eventStats.error;
 					loading = false;
 				}
@@ -65,10 +60,10 @@
 {#if !loading}
 	<div class="rounded-xl border border-[var(--border-primary)] bg-[var(--surface-card)] p-5 shadow-[var(--shadow-sm)]">
 		<h3 class="mb-4 text-sm font-semibold text-[var(--text-primary)]">{$t('systemHealth.title')}</h3>
-		<div class="grid grid-cols-1 gap-3 sm:grid-cols-3">
+		<div class="grid grid-cols-1 gap-3 sm:grid-cols-2">
 			<!-- Containers -->
 			<a href="/projects" class="flex items-center gap-3 rounded-lg p-3 transition-colors hover:bg-[var(--surface-card-hover)]">
-				<div class="flex h-9 w-9 items-center justify-center rounded-lg bg-emerald-50 text-emerald-600">
+				<div class="flex h-9 w-9 items-center justify-center rounded-lg bg-emerald-50 dark:bg-emerald-950/30 text-emerald-600">
 					<IconServer size={18} />
 				</div>
 				<div>
@@ -81,26 +76,9 @@
 				</div>
 			</a>
 
-			<!-- Proxies -->
-			<a href="/proxies" class="flex items-center gap-3 rounded-lg p-3 transition-colors hover:bg-[var(--surface-card-hover)]">
-				<div class="flex h-9 w-9 items-center justify-center rounded-lg {unhealthyProxies > 0 ? 'bg-red-50 text-red-600' : 'bg-blue-50 text-blue-600'}">
-					<IconProxies size={18} />
-				</div>
-				<div>
-					<p class="text-xs text-[var(--text-secondary)]">{$t('systemHealth.proxies')}</p>
-					<p class="text-sm font-semibold text-[var(--text-primary)]">
-						<span class="text-emerald-600">{healthyProxies}</span>
-						{#if unhealthyProxies > 0}
-							<span class="text-[var(--text-tertiary)]"> / </span>
-							<span class="text-red-600">{unhealthyProxies}</span>
-						{/if}
-					</p>
-				</div>
-			</a>
-
 			<!-- Recent errors -->
 			<a href="/events" class="flex items-center gap-3 rounded-lg p-3 transition-colors hover:bg-[var(--surface-card-hover)]">
-				<div class="flex h-9 w-9 items-center justify-center rounded-lg {recentErrors > 0 ? 'bg-red-50 text-red-600' : 'bg-gray-50 text-gray-400'}">
+				<div class="flex h-9 w-9 items-center justify-center rounded-lg {recentErrors > 0 ? 'bg-red-50 dark:bg-red-950/30 text-red-600' : 'bg-gray-50 dark:bg-gray-900/30 text-gray-400'}">
 					<IconAlert size={18} />
 				</div>
 				<div>
diff --git a/web/src/lib/components/ValidationChecklist.svelte b/web/src/lib/components/ValidationChecklist.svelte
deleted file mode 100644
index 54f9a4d..0000000
--- a/web/src/lib/components/ValidationChecklist.svelte
+++ /dev/null
@@ -1,73 +0,0 @@
-<!--
-  Phase 6: Validation checklist for proxy destination validation.
-  Shows each validation step with pass/fail/pending status indicators.
--->
-<script lang="ts">
-	import type { ValidationResult } from '$lib/types';
-	import { IconCheck, IconX, IconLoader } from '$lib/components/icons';
-	import { t } from '$lib/i18n';
-
-	interface Props {
-		result: ValidationResult | null;
-		loading?: boolean;
-	}
-
-	const { result, loading = false }: Props = $props();
-
-	/** Map step names to i18n keys. */
-	const stepLabelKeys: Record<string, string> = {
-		syntax: 'proxies.validation.syntax',
-		dns: 'proxies.validation.dns',
-		tcp: 'proxies.validation.tcp',
-		http: 'proxies.validation.http'
-	};
-
-	function getStepLabel(name: string): string {
-		const key = stepLabelKeys[name];
-		return key ? $t(key) : name;
-	}
-</script>
-
-{#if loading || result}
-	<div class="rounded-lg border border-[var(--border-primary)] bg-[var(--surface-card)] p-4">
-		<h4 class="text-sm font-medium text-[var(--text-primary)] mb-3">
-			{$t('proxies.validation.title')}
-		</h4>
-
-		{#if loading && !result}
-			<div class="flex items-center gap-2 text-sm text-[var(--text-secondary)]">
-				<IconLoader size={16} />
-				<span>{$t('proxies.validation.checking')}</span>
-			</div>
-		{:else if result}
-			<ul class="space-y-2">
-				{#each result.steps as step}
-					<li>
-						<div class="flex items-center gap-2">
-							{#if step.passed}
-								<span class="flex h-5 w-5 flex-shrink-0 items-center justify-center rounded-full bg-emerald-100 dark:bg-emerald-950">
-									<IconCheck size={14} class="text-emerald-600 dark:text-emerald-400" />
-								</span>
-								<span class="text-sm text-[var(--text-primary)]">{getStepLabel(step.name)}</span>
-								{#if step.message}
-									<span class="text-xs text-[var(--text-tertiary)]">&mdash; {step.message}</span>
-								{/if}
-							{:else}
-								<span class="flex h-5 w-5 flex-shrink-0 items-center justify-center rounded-full bg-red-100 dark:bg-red-950">
-									<IconX size={14} class="text-red-600 dark:text-red-400" />
-								</span>
-								<span class="text-sm text-[var(--text-primary)]">{getStepLabel(step.name)}</span>
-								{#if step.message}
-									<span class="text-xs text-[var(--text-tertiary)]">&mdash; {step.message}</span>
-								{/if}
-							{/if}
-						</div>
-						{#if !step.passed && step.hint}
-							<p class="ml-7 mt-1 text-xs text-amber-600 dark:text-amber-400">{step.hint}</p>
-						{/if}
-					</li>
-				{/each}
-			</ul>
-		{/if}
-	</div>
-{/if}
diff --git a/web/src/lib/components/icons/index.ts b/web/src/lib/components/icons/index.ts
index 0bde807..8733fa5 100644
--- a/web/src/lib/components/icons/index.ts
+++ b/web/src/lib/components/icons/index.ts
@@ -45,7 +45,6 @@ export { default as IconContainer } from './IconContainer.svelte';
 export { default as IconHardDrive } from './IconHardDrive.svelte';
 export { default as IconWifi } from './IconWifi.svelte';
 export { default as IconRefresh } from './IconRefresh.svelte';
-export { default as IconProxies } from './IconProxies.svelte';
 export { default as IconEvents } from './IconEvents.svelte';
 export { default as IconLogout } from './IconLogout.svelte';
 export { default as IconArrowLeft } from './IconArrowLeft.svelte';
diff --git a/web/src/lib/i18n/en.json b/web/src/lib/i18n/en.json
index f52815e..9f877e4 100644
--- a/web/src/lib/i18n/en.json
+++ b/web/src/lib/i18n/en.json
@@ -248,7 +248,17 @@
     "proxyNoneDesc": "No proxy — containers are accessed directly by port",
     "proxyNpm": "Nginx Proxy Manager",
     "proxyNpmDesc": "Routes managed via NPM API (configure credentials below)",
-    "proxyNoneWarning": "Switching to None does not remove existing proxy routes from NPM. You can delete them manually from your NPM dashboard."
+    "proxyTraefik": "Traefik",
+    "proxyTraefikDesc": "Auto-discovery via Docker labels — no API calls needed",
+    "proxyNoneWarning": "Switching to None does not remove existing proxy routes. You may need to clean them up manually.",
+    "traefikEntrypoint": "Entrypoint",
+    "traefikEntrypointHelp": "Traefik entrypoint name for HTTPS routes",
+    "traefikCertResolver": "Cert Resolver",
+    "traefikCertResolverHelp": "TLS certificate resolver name (e.g., letsencrypt)",
+    "traefikNetwork": "Docker Network",
+    "traefikNetworkHelp": "Network Traefik listens on (leave empty to use global network)",
+    "traefikApiUrl": "Traefik API URL",
+    "traefikApiUrlHelp": "Optional — for health checks (e.g., http://traefik:8080)"
   },
   "settingsGeneral": {
     "title": "General Settings",
diff --git a/web/src/lib/i18n/ru.json b/web/src/lib/i18n/ru.json
index 0f0cadf..cbbe6a8 100644
--- a/web/src/lib/i18n/ru.json
+++ b/web/src/lib/i18n/ru.json
@@ -248,7 +248,17 @@
     "proxyNoneDesc": "Без прокси — контейнеры доступны напрямую по порту",
     "proxyNpm": "Nginx Proxy Manager",
     "proxyNpmDesc": "Маршруты через NPM API (настройте учётные данные ниже)",
-    "proxyNoneWarning": "Переключение на «Нет» не удаляет существующие прокси-маршруты из NPM. Вы можете удалить их вручную в панели NPM."
+    "proxyTraefik": "Traefik",
+    "proxyTraefikDesc": "Автообнаружение через Docker-метки — без API-вызовов",
+    "proxyNoneWarning": "Переключение на «Нет» не удаляет существующие прокси-маршруты. Возможно, потребуется очистить их вручную.",
+    "traefikEntrypoint": "Точка входа",
+    "traefikEntrypointHelp": "Имя точки входа Traefik для HTTPS-маршрутов",
+    "traefikCertResolver": "Резолвер сертификатов",
+    "traefikCertResolverHelp": "Имя резолвера TLS-сертификатов (напр., letsencrypt)",
+    "traefikNetwork": "Docker-сеть",
+    "traefikNetworkHelp": "Сеть, которую слушает Traefik (оставьте пустым для глобальной сети)",
+    "traefikApiUrl": "URL API Traefik",
+    "traefikApiUrlHelp": "Необязательно — для проверки состояния (напр., http://traefik:8080)"
   },
   "settingsGeneral": {
     "title": "Общие настройки",
diff --git a/web/src/lib/types.ts b/web/src/lib/types.ts
index 168ac2a..626ab00 100644
--- a/web/src/lib/types.ts
+++ b/web/src/lib/types.ts
@@ -116,6 +116,10 @@ export interface Settings {
 	has_cloudflare_api_token: boolean;
 	cloudflare_zone_id: string;
 	proxy_provider: string;
+	traefik_entrypoint: string;
+	traefik_cert_resolver: string;
+	traefik_network: string;
+	traefik_api_url: string;
 	backup_enabled: boolean;
 	backup_interval_hours: number;
 	backup_retention_count: number;
@@ -265,23 +269,6 @@ export interface EventLogStats {
 	total: number;
 }
 
-/** A standalone reverse proxy not tied to a project. */
-export interface StandaloneProxy {
-	id: string;
-	domain: string;
-	destination_url: string;
-	destination_port: number;
-	ssl_certificate_id: number;
-	npm_proxy_id: number;
-	health_status: ProxyHealthStatus;
-	health_checked_at: string;
-	created_at: string;
-	updated_at: string;
-}
-
-/** Health status for a proxy. */
-export type ProxyHealthStatus = 'unknown' | 'healthy' | 'unhealthy';
-
 /** A container detected as stale by the backend poller. */
 export interface StaleContainer {
 	instance: {
@@ -303,20 +290,6 @@ export interface StaleContainer {
 	days_stale: number;
 }
 
-/** A single step in the validation pipeline. */
-export interface ValidationStep {
-	name: string;
-	passed: boolean;
-	message?: string;
-	hint?: string;
-}
-
-/** Result of the proxy destination validation pipeline. */
-export interface ValidationResult {
-	valid: boolean;
-	steps: ValidationStep[];
-}
-
 /** Container CPU and memory stats from the Docker stats API. */
 export interface ContainerStats {
 	cpu_percent: number;
@@ -325,16 +298,3 @@ export interface ContainerStats {
 	memory_percent: number;
 }
 
-/** Unified view of standalone + deploy-managed proxies (from /api/proxies/all). */
-export interface ProxyView {
-	id: string;
-	domain: string;
-	destination: string;
-	type: 'standalone' | 'managed';
-	project_name?: string;
-	stage_name?: string;
-	health_status: ProxyHealthStatus;
-	ssl_enabled: boolean;
-	npm_proxy_id: number;
-	created_at: string;
-}
diff --git a/web/src/routes/proxies/+page.svelte b/web/src/routes/proxies/+page.svelte
deleted file mode 100644
index f41be1a..0000000
--- a/web/src/routes/proxies/+page.svelte
+++ /dev/null
@@ -1,232 +0,0 @@
-<!--
-  Phase 4: Unified Proxy Viewer — shows all proxies (managed + standalone)
-  with grouping, filtering, and real-time health indicators.
--->
-<script lang="ts">
-	import { onMount } from 'svelte';
-	import type { ProxyView, ProxyHealthStatus } from '$lib/types';
-	import { listAllProxies } from '$lib/api';
-	import { t } from '$lib/i18n';
-	import ProxyCard from '$lib/components/ProxyCard.svelte';
-	import ProxyGroup from '$lib/components/ProxyGroup.svelte';
-	import ProxyFilter from '$lib/components/ProxyFilter.svelte';
-	import EmptyState from '$lib/components/EmptyState.svelte';
-	import { IconGlobe, IconLoader, IconPlus } from '$lib/components/icons';
-
-	let proxies = $state<ProxyView[]>([]);
-	let loading = $state(true);
-	let error = $state('');
-
-	// Filter state
-	let search = $state('');
-	let healthFilter = $state<ProxyHealthStatus | 'all'>('all');
-	let typeFilter = $state<'all' | 'managed' | 'standalone'>('all');
-
-	// Filtered proxies
-	const filtered = $derived(() => {
-		let result = proxies;
-
-		// Text search
-		if (search.length > 0) {
-			const q = search.toLowerCase();
-			result = result.filter(
-				(p) =>
-					p.domain.toLowerCase().includes(q) ||
-					p.destination.toLowerCase().includes(q)
-			);
-		}
-
-		// Health filter
-		if (healthFilter !== 'all') {
-			result = result.filter((p) => p.health_status === healthFilter);
-		}
-
-		// Type filter
-		if (typeFilter !== 'all') {
-			result = result.filter((p) => p.type === typeFilter);
-		}
-
-		return result;
-	});
-
-	// Split into standalone and managed
-	const standaloneProxies = $derived(filtered().filter((p) => p.type === 'standalone'));
-	const managedProxies = $derived(filtered().filter((p) => p.type === 'managed'));
-
-	// Group managed proxies by project, then stage within each project
-	interface StageGroup {
-		stageName: string;
-		proxies: ProxyView[];
-	}
-
-	interface ProjectGroup {
-		projectName: string;
-		stages: StageGroup[];
-		totalCount: number;
-	}
-
-	const managedGroups = $derived<ProjectGroup[]>(() => {
-		const projectMap = new Map<string, Map<string, ProxyView[]>>();
-
-		for (const proxy of managedProxies) {
-			const projName = proxy.project_name ?? 'Unknown';
-			const stageName = proxy.stage_name ?? 'default';
-
-			if (!projectMap.has(projName)) {
-				projectMap.set(projName, new Map());
-			}
-			const stageMap = projectMap.get(projName)!;
-
-			if (!stageMap.has(stageName)) {
-				stageMap.set(stageName, []);
-			}
-			stageMap.get(stageName)!.push(proxy);
-		}
-
-		const groups: ProjectGroup[] = [];
-		for (const [projectName, stageMap] of projectMap) {
-			const stages: StageGroup[] = [];
-			let totalCount = 0;
-			for (const [stageName, stageProxies] of stageMap) {
-				stages.push({ stageName, proxies: stageProxies });
-				totalCount += stageProxies.length;
-			}
-			groups.push({ projectName, stages, totalCount });
-		}
-
-		return groups.sort((a, b) => a.projectName.localeCompare(b.projectName));
-	});
-
-	function clearFilters(): void {
-		search = '';
-		healthFilter = 'all';
-		typeFilter = 'all';
-	}
-
-	async function loadProxies(): Promise<void> {
-		loading = true;
-		error = '';
-		try {
-			proxies = await listAllProxies();
-		} catch (err: unknown) {
-			error = err instanceof Error ? err.message : 'Failed to load proxies';
-		} finally {
-			loading = false;
-		}
-	}
-
-	onMount(() => {
-		loadProxies();
-	});
-</script>
-
-<svelte:head>
-	<title>{$t('proxies.title')} - {$t('app.name')}</title>
-</svelte:head>
-
-<!-- Header -->
-<div class="mb-6 flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
-	<div class="flex items-center gap-3">
-		<div class="flex h-10 w-10 items-center justify-center rounded-xl bg-[var(--color-brand-50)] text-[var(--color-brand-600)]">
-			<IconGlobe size={22} />
-		</div>
-		<div>
-			<h1 class="text-xl font-bold text-[var(--text-primary)]">{$t('proxies.title')}</h1>
-			{#if !loading && proxies.length > 0}
-				<p class="text-sm text-[var(--text-tertiary)]">
-					{proxies.length} {proxies.length === 1 ? 'proxy' : 'proxies'}
-				</p>
-			{/if}
-		</div>
-	</div>
-
-	<a
-		href="/proxies/create"
-		class="inline-flex items-center gap-2 rounded-lg bg-[var(--color-brand-600)] px-4 py-2.5 text-sm font-medium text-white shadow-sm transition-all duration-150 hover:bg-[var(--color-brand-700)] active:animate-press"
-	>
-		<IconPlus size={16} />
-		{$t('proxies.create')}
-	</a>
-</div>
-
-<!-- Loading state -->
-{#if loading}
-	<div class="flex items-center justify-center py-20">
-		<IconLoader size={24} class="animate-spin text-[var(--color-brand-500)]" />
-		<span class="ml-2 text-sm text-[var(--text-secondary)]">{$t('common.loading')}</span>
-	</div>
-{:else if error}
-	<div class="rounded-xl border border-[var(--color-danger-light)] bg-[var(--color-danger-light)] p-4">
-		<p class="text-sm text-[var(--color-danger)]">{error}</p>
-		<button type="button" class="mt-2 text-sm font-medium text-[var(--color-danger)] underline hover:no-underline" onclick={loadProxies}>
-			{$t('common.retry')}
-		</button>
-	</div>
-{:else if proxies.length === 0}
-	<!-- Empty state -->
-	<EmptyState
-		title={$t('proxies.noProxies')}
-		description={$t('proxies.noProxiesDesc')}
-		actionLabel={$t('proxies.create')}
-		actionHref="/proxies/create"
-		icon="projects"
-	/>
-{:else}
-	<!-- Filter bar -->
-	<div class="mb-6">
-		<ProxyFilter
-			{search}
-			{healthFilter}
-			{typeFilter}
-			onsearchchange={(v) => { search = v; }}
-			onhealthchange={(v) => { healthFilter = v; }}
-			ontypechange={(v) => { typeFilter = v; }}
-			onclear={clearFilters}
-		/>
-	</div>
-
-	<!-- No filter results -->
-	{#if filtered().length === 0}
-		<div class="rounded-xl border-2 border-dashed border-[var(--border-primary)] px-6 py-16 text-center">
-			<p class="text-sm text-[var(--text-secondary)]">{$t('proxies.noProxies')}</p>
-			<button
-				type="button"
-				onclick={clearFilters}
-				class="mt-3 text-sm font-medium text-[var(--color-brand-600)] hover:text-[var(--color-brand-700)] transition-colors"
-			>
-				{$t('proxies.filter.clear')}
-			</button>
-		</div>
-	{:else}
-		<div class="space-y-6">
-			<!-- Standalone proxies section -->
-			{#if standaloneProxies.length > 0}
-				<ProxyGroup title={$t('proxies.standalone')} count={standaloneProxies.length}>
-					{#each standaloneProxies as proxy (proxy.id)}
-						<ProxyCard {proxy} />
-					{/each}
-				</ProxyGroup>
-			{/if}
-
-			<!-- Managed proxies grouped by project -->
-			{#if managedGroups().length > 0}
-				{#each managedGroups() as group (group.projectName)}
-					<ProxyGroup title={group.projectName} count={group.totalCount}>
-						{#each group.stages as stage (stage.stageName)}
-							{#if group.stages.length > 1}
-								<div class="col-span-full">
-									<p class="mb-2 text-xs font-semibold uppercase tracking-wider text-[var(--text-tertiary)]">
-										{stage.stageName}
-									</p>
-								</div>
-							{/if}
-							{#each stage.proxies as proxy (proxy.id)}
-								<ProxyCard {proxy} />
-							{/each}
-						{/each}
-					</ProxyGroup>
-				{/each}
-			{/if}
-		</div>
-	{/if}
-{/if}
diff --git a/web/src/routes/proxies/+page.ts b/web/src/routes/proxies/+page.ts
deleted file mode 100644
index 0aef742..0000000
--- a/web/src/routes/proxies/+page.ts
+++ /dev/null
@@ -1 +0,0 @@
-// Client-side loading — data is fetched in the component via $effect.
diff --git a/web/src/routes/proxies/[id]/edit/+page.svelte b/web/src/routes/proxies/[id]/edit/+page.svelte
deleted file mode 100644
index a36ce2c..0000000
--- a/web/src/routes/proxies/[id]/edit/+page.svelte
+++ /dev/null
@@ -1,89 +0,0 @@
-<!--
-  Phase 6: Edit Proxy page — loads a standalone proxy and wraps ProxyForm in edit mode.
--->
-<script lang="ts">
-	import { page } from '$app/stores';
-	import { goto } from '$app/navigation';
-	import { onMount } from 'svelte';
-	import type { StandaloneProxy } from '$lib/types';
-	import { getProxy } from '$lib/api';
-	import { t } from '$lib/i18n';
-	import ProxyForm from '$lib/components/ProxyForm.svelte';
-	import { IconGlobe, IconLoader, IconArrowLeft } from '$lib/components/icons';
-
-	let proxy: StandaloneProxy | null = $state(null);
-	let loading = $state(true);
-	let error = $state('');
-
-	const proxyId = $derived($page.params.id);
-
-	onMount(async () => {
-		try {
-			proxy = await getProxy(proxyId);
-		} catch (err: unknown) {
-			error = err instanceof Error ? err.message : 'Failed to load proxy';
-		} finally {
-			loading = false;
-		}
-	});
-
-	function handleSave(_proxy: StandaloneProxy): void {
-		goto('/proxies');
-	}
-
-	function handleDelete(_id: string): void {
-		goto('/proxies');
-	}
-
-	function handleCancel(): void {
-		goto('/proxies');
-	}
-</script>
-
-<svelte:head>
-	<title>{$t('proxies.form.editTitle')} - {$t('app.name')}</title>
-</svelte:head>
-
-<!-- Back link -->
-<div class="mb-6">
-	<a
-		href="/proxies"
-		class="inline-flex items-center gap-1 text-sm text-[var(--text-secondary)] hover:text-[var(--color-brand-600)] transition-colors"
-	>
-		<IconArrowLeft size={16} />
-		{$t('common.back')}
-	</a>
-</div>
-
-<!-- Header -->
-<div class="mb-6 flex items-center gap-3">
-	<div class="flex h-10 w-10 items-center justify-center rounded-xl bg-[var(--color-brand-50)] text-[var(--color-brand-600)]">
-		<IconGlobe size={22} />
-	</div>
-	<h1 class="text-xl font-bold text-[var(--text-primary)]">{$t('proxies.form.editTitle')}</h1>
-</div>
-
-{#if loading}
-	<div class="flex items-center justify-center py-20">
-		<IconLoader size={24} class="text-[var(--color-brand-500)]" />
-		<span class="ml-2 text-sm text-[var(--text-secondary)]">{$t('common.loading')}</span>
-	</div>
-{:else if error}
-	<div class="rounded-xl border border-[var(--color-danger-light)] bg-[var(--color-danger-light)] p-4">
-		<p class="text-sm text-[var(--color-danger)]">{error}</p>
-		<a href="/proxies" class="mt-2 inline-block text-sm font-medium text-[var(--color-danger)] underline hover:no-underline">
-			{$t('common.back')}
-		</a>
-	</div>
-{:else if proxy}
-	<!-- Form card -->
-	<div class="mx-auto max-w-2xl rounded-2xl border border-[var(--border-primary)] bg-[var(--surface-card)] p-6 shadow-[var(--shadow-sm)]">
-		<ProxyForm
-			mode="edit"
-			{proxy}
-			onsave={handleSave}
-			ondelete={handleDelete}
-			oncancel={handleCancel}
-		/>
-	</div>
-{/if}
diff --git a/web/src/routes/proxies/[id]/edit/+page.ts b/web/src/routes/proxies/[id]/edit/+page.ts
deleted file mode 100644
index 12c4939..0000000
--- a/web/src/routes/proxies/[id]/edit/+page.ts
+++ /dev/null
@@ -1 +0,0 @@
-// Client-side loading — proxy data is fetched in the component.
diff --git a/web/src/routes/proxies/create/+page.svelte b/web/src/routes/proxies/create/+page.svelte
deleted file mode 100644
index 6a8f9c0..0000000
--- a/web/src/routes/proxies/create/+page.svelte
+++ /dev/null
@@ -1,50 +0,0 @@
-<!--
-  Phase 6: Create Proxy page — wraps ProxyForm in create mode.
--->
-<script lang="ts">
-	import { goto } from '$app/navigation';
-	import type { StandaloneProxy } from '$lib/types';
-	import { t } from '$lib/i18n';
-	import ProxyForm from '$lib/components/ProxyForm.svelte';
-	import { IconGlobe, IconArrowLeft } from '$lib/components/icons';
-
-	function handleSave(_proxy: StandaloneProxy): void {
-		goto('/proxies');
-	}
-
-	function handleCancel(): void {
-		goto('/proxies');
-	}
-</script>
-
-<svelte:head>
-	<title>{$t('proxies.form.title')} - {$t('app.name')}</title>
-</svelte:head>
-
-<!-- Back link -->
-<div class="mb-6">
-	<a
-		href="/proxies"
-		class="inline-flex items-center gap-1 text-sm text-[var(--text-secondary)] hover:text-[var(--color-brand-600)] transition-colors"
-	>
-		<IconArrowLeft size={16} />
-		{$t('common.back')}
-	</a>
-</div>
-
-<!-- Header -->
-<div class="mb-6 flex items-center gap-3">
-	<div class="flex h-10 w-10 items-center justify-center rounded-xl bg-[var(--color-brand-50)] text-[var(--color-brand-600)]">
-		<IconGlobe size={22} />
-	</div>
-	<h1 class="text-xl font-bold text-[var(--text-primary)]">{$t('proxies.form.title')}</h1>
-</div>
-
-<!-- Form card -->
-<div class="mx-auto max-w-2xl rounded-2xl border border-[var(--border-primary)] bg-[var(--surface-card)] p-6 shadow-[var(--shadow-sm)]">
-	<ProxyForm
-		mode="create"
-		onsave={handleSave}
-		oncancel={handleCancel}
-	/>
-</div>
diff --git a/web/src/routes/proxies/create/+page.ts b/web/src/routes/proxies/create/+page.ts
deleted file mode 100644
index c480e82..0000000
--- a/web/src/routes/proxies/create/+page.ts
+++ /dev/null
@@ -1 +0,0 @@
-// Client-side loading — ProxyForm handles data fetching.
diff --git a/web/src/routes/settings/+page.svelte b/web/src/routes/settings/+page.svelte
index 7b27fc6..5462b8c 100644
--- a/web/src/routes/settings/+page.svelte
+++ b/web/src/routes/settings/+page.svelte
@@ -26,6 +26,12 @@
 	// Proxy provider state.
 	let proxyProvider = $state('npm');
 
+	// Traefik settings state.
+	let traefikEntrypoint = $state('websecure');
+	let traefikCertResolver = $state('letsencrypt');
+	let traefikNetwork = $state('');
+	let traefikApiUrl = $state('');
+
 	// DNS settings state.
 	let wildcardDns = $state(true);
 	let dnsProvider = $state('');
@@ -91,6 +97,10 @@
 			notificationUrl = settings.notification_url ?? '';
 			staleThresholdDays = String(settings.stale_threshold_days ?? 7);
 			proxyProvider = settings.proxy_provider ?? 'npm';
+			traefikEntrypoint = settings.traefik_entrypoint ?? 'websecure';
+			traefikCertResolver = settings.traefik_cert_resolver ?? 'letsencrypt';
+			traefikNetwork = settings.traefik_network ?? '';
+			traefikApiUrl = settings.traefik_api_url ?? '';
 			wildcardDns = settings.wildcard_dns ?? true;
 			dnsProvider = settings.dns_provider ?? '';
 			hasCloudflareApiToken = settings.has_cloudflare_api_token ?? false;
@@ -118,6 +128,10 @@
 				subdomain_pattern: subdomainPattern.trim(), polling_interval: pollingInterval.trim(),
 				base_volume_path: baseVolumePath.trim(), notification_url: notificationUrl.trim(),
 				proxy_provider: proxyProvider,
+				traefik_entrypoint: traefikEntrypoint.trim() || 'websecure',
+				traefik_cert_resolver: traefikCertResolver.trim(),
+				traefik_network: traefikNetwork.trim(),
+				traefik_api_url: traefikApiUrl.trim(),
 				stale_threshold_days: Math.max(1, parseInt(staleThresholdDays, 10) || 7),
 				wildcard_dns: wildcardDns,
 				dns_provider: wildcardDns ? '' : dnsProvider,
@@ -290,12 +304,27 @@
 							<p class="text-xs text-[var(--text-tertiary)]">{$t('settings.proxyNpmDesc')}</p>
 						</div>
 					</label>
+					<label class="flex flex-1 cursor-pointer items-start gap-3 rounded-lg border p-3 transition-colors {proxyProvider === 'traefik' ? 'border-[var(--color-brand-500)] bg-[var(--surface-card-hover)]' : 'border-[var(--border-primary)] hover:bg-[var(--surface-card-hover)]'}">
+						<input type="radio" bind:group={proxyProvider} value="traefik" class="mt-0.5 h-4 w-4 text-[var(--color-brand-600)] focus:ring-[var(--color-brand-500)]" />
+						<div>
+							<span class="text-sm font-medium text-[var(--text-primary)]">{$t('settings.proxyTraefik')}</span>
+							<p class="text-xs text-[var(--text-tertiary)]">{$t('settings.proxyTraefikDesc')}</p>
+						</div>
+					</label>
 				</div>
 				{#if proxyProvider === 'none'}
 					<div class="mt-3 rounded-lg border border-amber-300 bg-amber-50 dark:border-amber-700 dark:bg-amber-950/30 p-3">
 						<p class="text-sm text-amber-800 dark:text-amber-300">{$t('settings.proxyNoneWarning')}</p>
 					</div>
 				{/if}
+				{#if proxyProvider === 'traefik'}
+					<div class="mt-3 grid grid-cols-1 gap-3 sm:grid-cols-2 rounded-lg border border-[var(--border-primary)] bg-[var(--surface-card-hover)] p-4">
+						<FormField label={$t('settings.traefikEntrypoint')} name="traefikEntrypoint" bind:value={traefikEntrypoint} placeholder="websecure" helpText={$t('settings.traefikEntrypointHelp')} />
+						<FormField label={$t('settings.traefikCertResolver')} name="traefikCertResolver" bind:value={traefikCertResolver} placeholder="letsencrypt" helpText={$t('settings.traefikCertResolverHelp')} />
+						<FormField label={$t('settings.traefikNetwork')} name="traefikNetwork" bind:value={traefikNetwork} placeholder="" helpText={$t('settings.traefikNetworkHelp')} />
+						<FormField label={$t('settings.traefikApiUrl')} name="traefikApiUrl" bind:value={traefikApiUrl} placeholder="http://traefik:8080" helpText={$t('settings.traefikApiUrlHelp')} />
+					</div>
+				{/if}
 			</div>
 
 			<!-- SSL Certificate moved to Credentials page -->