This is an old version of the document!


Traefik

URL: https://traefik.smns-bw.org/
User: smns-tr
Password: ••••••••••
Production: hetzner:/opt/traefik/

├── traefik
│ ├── configfiles
│ │ ├── config.yml
│ │ ├── middleware-chains.yml
│ │ ├── middlewares.yml
│ │ ├── tls-opts.yml
│ ├── docker-compose.yml
│ ├── .env
│ ├── traefik.log
│ ├── traefik.yml
│ ├── access.log

The .env file holds the URL traefik.smns-bw.org and the credentials for this page, for use by docker-compose.yml.

The individual docker-compose.yml files of the containers then get something like this (example: collection catalogue):

    labels:
      - "traefik.http.routers.webportal.rule=Host(`${URL}`)"
      - "traefik.http.routers.webportal.entrypoints=https"
      - "traefik.http.routers.webportal.tls=true"
      - "traefik.http.routers.webportal.tls.certresolver=leresolver"
      - "traefik.http.routers.webportal.middlewares=secure-collections@file"
      - "traefik.http.services.webportal.loadbalancer.server.port=6543"
      - "traefik.http.services.webportal.loadbalancer.sticky=true"
      - "traefik.http.services.webportal.loadbalancer.sticky.cookie.name=collections.smns-bw.org"
      - "traefik.http.services.webportal.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.webportal.loadbalancer.sticky.cookie.secure=true"
      - "traefik.docker.network=proxy"

So that docker.sock is not exposed to the outside, a Docker socket proxy is deployed together with Traefik. It comes from here: https://github.com/wollomatic/socket-proxy

Traefik v3 Healthcheck (Docker)

Overview

This page describes how to set up a robust Docker healthcheck for Traefik v3.x.

It covers recent Traefik changes, the “gotchas” with TLS, and provides full configuration (compose and YAML) for reliable service monitoring.

Why Do I Need a Special Healthcheck for Traefik 3?

  • As of Traefik 3, the /ping endpoint (Traefik's native health endpoint) can only be bound to a non-TLS (HTTP/plaintext) entrypoint.
  • Any attempt to bind /ping to a TLS entrypoint (e.g., :443) leaves the endpoint unavailable, and no error is logged!
  • Many guides and blog posts referencing Traefik 2.x are now out of date.
  • Docker healthchecks are only updated when containers are recreated.

Step-by-Step Setup

1. Add a dedicated HTTP (non-TLS) entrypoint for health

Add this to your traefik.yml:

    entryPoints:
      healthcheck:
        address: ":8082"

    ping:
      entryPoint: healthcheck

  • Use any unused high port (8082 is common and outside process-bound port ranges).
  • Do not enable TLS or configure HTTP redirection for this entrypoint.

2. Update the docker-compose.yml healthcheck section

    healthcheck:
      test: [ "CMD", "wget", "--spider", "http://localhost:8082/ping" ]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

3. Recreate the container (important!)

After editing the healthcheck, you must remove and recreate the container to apply the updated check.

    docker compose down
    docker compose up -d

or for just the traefik service:

    # --stop stops the running container first; rm only removes stopped containers
    docker compose rm --stop traefik
    docker compose up -d traefik

4. Confirm it's working

  • Check status with:

    docker inspect traefik | grep Health -A 10
    wget --spider http://localhost:8082/ping

  • and expect “remote file exists” or HTTP 200.

Troubleshooting

  • If you see '404 Not Found' or status stays unhealthy, check:
    • The entryPoint in ping and traefik.yml matches (healthcheck)
    • Logs for ping endpoint registration (grep -i ping <traefik.log>)
    • Healthcheck in the running container is updated (see docker inspect)
  • If the healthcheck is still using the old endpoint (e.g., port 443), the container must be removed and recreated.
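
The checks in this list can be run as a lint before a deployment. The Python below is an added example, not part of the original page or of Traefik. It assumes traefik.yml and the Traefik service from docker-compose.yml have already been parsed into dicts; the function name and the sample dicts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def lint_ping_healthcheck(traefik_cfg, service):
    """Hypothetical helper: list mismatches between ping config and healthcheck."""
    name = (traefik_cfg.get("ping") or {}).get("entryPoint")
    entry = (traefik_cfg.get("entryPoints") or {}).get(name)
    if entry is None:
        return [f"ping.entryPoint {name!r} is not defined under entryPoints"]
    findings = []
    http = entry.get("http") or {}
    if "tls" in http:
        findings.append(f"entrypoint {name!r} has TLS enabled")
    if "redirections" in http:
        findings.append(f"entrypoint {name!r} has an HTTP redirection")
    # ":8082" or ":8082/tcp" -> "8082"
    port = str(entry.get("address", "")).split("/")[0].rsplit(":", 1)[-1]
    test = (service.get("healthcheck") or {}).get("test") or ""
    text = " ".join(test) if isinstance(test, list) else str(test)
    match = re.search(r"https?://\S+", text)
    if match is None:
        findings.append("healthcheck test contains no URL")
    else:
        url = urlsplit(match.group(0))
        if url.scheme != "http":
            findings.append("healthcheck URL is not plain http")
        if str(url.port) != port:
            findings.append(f"healthcheck port {url.port} != entrypoint port {port}")
        if url.path != "/ping":
            findings.append(f"healthcheck path is {url.path!r}, expected '/ping'")
    for item in service.get("ports") or []:
        # short syntax "host:container[/proto]" or long syntax {"target": ...}
        raw = item.get("target") if isinstance(item, dict) else item
        if str(raw).split("/")[0].rsplit(":", 1)[-1] == port:
            findings.append(f"port {port} is published outside the container")
    return findings

# Constructed sample input mirroring the configuration on this page.
TRAEFIK = {"entryPoints": {"https": {"address": ":443", "http": {"tls": {}}},
                           "healthcheck": {"address": ":8082"}},
           "ping": {"entryPoint": "healthcheck"}}
SERVICE = {"ports": ["443:443"], "healthcheck": {
    "test": ["CMD", "wget", "--spider", "http://localhost:8082/ping"]}}
# Constructed stale check that still points at the TLS port.
STALE = {"ports": ["443:443"], "healthcheck": {
    "test": ["CMD", "wget", "--spider", "https://localhost:443/ping"]}}

if __name__ == "__main__":
    for label, svc in (("current", SERVICE), ("stale", STALE)):
        print(label, lint_ping_healthcheck(TRAEFIK, svc) or "ok")
```

An empty result means the ping entrypoint, the healthcheck URL and the published ports agree with the setup described above.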

FAQ

  • Q: Why not use /ping on :443?
    • A: Traefik 3.x forbids it; /ping only works on a non-TLS (HTTP) entrypoint.
  • Q: Do I need to expose port 8082 externally?
    • A: No; healthchecks run inside the container.
  • Q: Can I combine ping and redirect on the same entrypoint?
    • A: No; keep your healthcheck entrypoint plain.
