
Traefik

URL: https://traefik.smns-bw.org/
User: smns-tr
Password: ••••••••••
Production
hetzner:/opt/traefik/
├── traefik
│ ├── configfiles
│ │ ├── {{:server:config.yml|config.yml}} 
│ │ ├── {{:server:middleware-chains.yml|middleware-chains.yml}} 
│ │ ├── {{:server:middlewares.yml|middlewares.yml}} 
│ │ ├── {{:server:tls-opts.yml|tls-opts.yml}}
│ ├── docker-compose.yml
│ ├── .env
│ ├── traefik.log
│ ├── traefik.yml
│ ├── access.log

The .env file holds the URL traefik.smns-bw.org as well as the access credentials for this page, for use by docker-compose.yml.

The individual docker-compose.yml files of the containers then get something like this (example: Sammlungskatalog):

    labels:
      - "traefik.http.routers.webportal.rule=Host(`${URL}`)"
      - "traefik.http.routers.webportal.entrypoints=https"
      - "traefik.http.routers.webportal.tls=true"
      - "traefik.http.routers.webportal.tls.certresolver=leresolver"
      - "traefik.http.routers.webportal.middlewares=secure-collections@file"
      - "traefik.http.services.webportal.loadbalancer.server.port=6543"
      - "traefik.http.services.webportal.loadbalancer.sticky=true"
      - "traefik.http.services.webportal.loadbalancer.sticky.cookie.name=collections.smns-bw.org"
      - "traefik.http.services.webportal.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.webportal.loadbalancer.sticky.cookie.secure=true"
      - "traefik.docker.network=proxy"

So that docker.sock is not exposed to the outside, a docker socket proxy is set up together with Traefik; it comes from: https://github.com/wollomatic/socket-proxy

docker-compose.yml:

services:
  traefik:
    container_name: traefik
    image: "traefik:latest"
    restart: always
#    read_only: true
    command:
      - --configfile=/traefik.yml
    mem_limit: 2G
    cpus: 0.75
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./acme.json:/acme.json"
      - "./traefik.yml:/traefik.yml:ro"
      - "./configfiles:/configfiles:ro"
#      - ".logs/traefik.log:/traefik.log"
#      - ".logs/access.log:/access.log"
      - "./logs:/logs:rw"
    depends_on:
      - "dockerproxy"
    security_opt:
      - "no-new-privileges:true"
    networks:
      - "proxy"
      - "docker-proxynet"
    labels:
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.smns-bw.org`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      # API service
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=secure-traefik@file"
      - "traefik.http.services.traefik.loadbalancer.sticky=true"
      - "traefik.http.services.traefik.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.traefik.loadbalancer.sticky.cookie.secure=true"
    healthcheck:
      # /ping is served on the plain-HTTP "healthcheck" entrypoint (:8082), see traefik.yml
      test: ["CMD", "wget", "--spider", "http://localhost:8082/ping"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

  # Read-only, allowlisted proxy in front of /var/run/docker.sock (wollomatic/socket-proxy);
  # traefik talks to it over the internal docker-proxynet instead of mounting the socket itself
  dockerproxy:
    build:
      context: .
    container_name: socket-proxy
    command:
      - '-loglevel=DEBUG'
      - '-allowfrom=traefik,172.31.0.1'
      - '-listenip=0.0.0.0'
      - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)'
      - '-shutdowngracetime=5'
    restart: unless-stopped
    user: "65534:998"
    read_only: true
    mem_limit: 64M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - "proxy"
      - "docker-proxynet"
    healthcheck:
      test: [ "CMD", "nc", "-z", "localhost", "2375" ]
      interval: 1m
      timeout: 3s
      retries: 3

  error-pages-webportal:
    container_name: error-webportal
    image: nginx:alpine
    restart: always
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./mime.types:/etc/nginx/mime.types
      - ./error-pages-webportal:/usr/share/nginx/html:ro
    labels:
      - "traefik.http.routers.error-pages-webportal.entrypoints=https"
      - "traefik.http.routers.error-pages-webportal.tls=true"
      - "traefik.http.routers.error-pages-webportal.tls.certresolver=leresolver"
      - "traefik.http.routers.error-pages-webportal.rule=Host(`error-webportal.smns-bw.org`)"
#      - "traefik.http.routers.error-pages-webportal.middlewares=secure-global@file"
      - "traefik.http.services.error-pages-webportal.loadbalancer.sticky=true"
      - "traefik.http.services.error-pages-webportal.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.error-pages-webportal.loadbalancer.sticky.cookie.secure=true"
      - "traefik.http.services.error-pages-webportal.loadbalancer.server.port=80"
    networks:
      - "proxy"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/healthz.html"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

networks:
  proxy:
    external: true
  # internal: no route outside the host; only traefik <-> dockerproxy
  docker-proxynet:
    driver: bridge
    internal: true
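The -allowGET allowlist the socket proxy is started with above decides which Docker API calls Traefik's provider can reach through it. The following Python script is an added example, not part of this page or of wollomatic/socket-proxy: it applies that exact regex to constructed sample requests and assumes the proxy matches the pattern against the whole request path and that, with no other -allow flags set, every non-GET request is denied.

```python
import re

# Allowlist pattern exactly as passed to socket-proxy in the compose file above
ALLOW_GET = r"/v1\..{1,2}/(version|containers/.*|events.*)"

# Assumption: the proxy anchors the pattern to the full request path and applies
# it to GET requests only; other methods need their own -allow<METHOD> flag,
# which the compose file does not set.
_ALLOW_GET_RE = re.compile(ALLOW_GET)


def is_allowed(method: str, path: str) -> bool:
    """Return True if the socket proxy would forward this request to docker.sock."""
    if method.upper() != "GET":
        return False  # no -allowPOST/-allowPUT/... configured, so denied
    return _ALLOW_GET_RE.fullmatch(path) is not None


# Constructed sample requests: what Traefik's docker provider issues, plus
# calls a client reaching the proxy should NOT be able to make.
SAMPLES = [
    ("GET", "/v1.45/version", True),
    ("GET", "/v1.45/containers/json", True),
    ("GET", "/v1.45/containers/abc123/json", True),
    ("GET", "/v1.45/events", True),
    ("GET", "/v1.45/images/json", False),          # not needed by Traefik
    ("GET", "/v1.45/networks", False),
    ("POST", "/v1.45/containers/create", False),   # all writes are denied
    ("POST", "/v1.45/containers/abc123/exec", False),
    ("GET", "/v1.145/version", False),             # .{1,2}: only 1-2 chars after "v1."
]


def audit(samples=SAMPLES) -> list:
    """Return the (method, path) pairs whose outcome differs from the expectation."""
    return [(m, p) for m, p, expected in samples if is_allowed(m, p) != expected]


if __name__ == "__main__":
    for m, p, _ in SAMPLES:
        print(f"{m:4} {p:40} -> {'allow' if is_allowed(m, p) else 'deny'}")
    print("unexpected:", audit())
```

Re-run the audit whenever the regex in the compose file changes; an empty result means the allowlist still blocks writes and unrelated read endpoints.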

traefik.yml:

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: ':443'
          scheme: https
  https:
    address: ":443"
#    http3:
#      advertisedPort: 443
  postgres:
    address: ":5434"
  ssh:
    address: ":666"
  healthcheck:
    address: ":8082"
log:
  level: INFO
  filePath: "/logs/traefik.log"
  format: json

accessLog:
  filePath: "/logs/access.log"
  bufferingSize: 100

# API/dashboard is reached only via the traefik router (api@internal) in docker-compose.yml
api: {}

ping:
  entryPoint: healthcheck

providers:
  docker:
#    endpoint: "tcp://socket-proxy:2375"
    endpoint: "tcp://dockerproxy:2375"
#    endpoint: "unix:///var/run/docker.sock"
    watch: true
    network: proxy
#    exposedByDefault: false
  file:
    directory: "/configfiles"
    watch: true

certificatesResolvers:
  leresolver:
    acme:
      email: "it@smns-bw.org"
      storage: "/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}

experimental:
  plugins:
    traefik-plugin-cookie-path-prefix:
      moduleName: "github.com/SchmitzDan/traefik-plugin-cookie-path-prefix"
      version: "v0.0.3"

Traefik v3 Healthcheck (Docker)

Overview

This page describes how to set up a robust Docker healthcheck for Traefik v3.x.

It covers recent Traefik changes, the “gotchas” with TLS, and provides full configuration (compose and YAML) for reliable service monitoring.

Why Do I Need a Special Healthcheck for Traefik 3?

  • As of Traefik 3, the /ping endpoint (Traefik's native health endpoint) can only be bound to a non-TLS (HTTP/plaintext) entrypoint.
  • Any attempt to bind /ping to a TLS entrypoint (e.g., :443) causes it to be unavailable and will not log an error!
  • Many guides and blog posts referencing Traefik 2.x are now out of date.
  • Docker healthchecks are only updated when containers are recreated.

Step-by-Step Setup

1. Add a dedicated HTTP (non-TLS) entrypoint for health

Add this to your traefik.yml:

entryPoints:
  healthcheck:
    address: ":8082"

ping:
  entryPoint: healthcheck
  • Use any unused high port (8082 is common and lies outside the privileged range below 1024).
  • Do not enable TLS or configure HTTP redirection for this entrypoint.

2. Update ''docker-compose.yml'' healthcheck section

healthcheck:
  test: [ "CMD", "wget", "--spider", "http://localhost:8082/ping" ]
  interval: 30s
  timeout: 5s
  retries: 3
  start_period: 10s

3. Recreate the container (!important)

After editing the healthcheck, you must remove and recreate the container to apply the updated check.

 docker compose down
 docker compose up -d

or for just the traefik service:

 docker compose rm traefik
 docker compose up -d traefik

4. Confirm it's working

  • Check status with:

 docker inspect traefik | grep Health -A 10
 wget --spider http://localhost:8082/ping

  • and expect “remote file exists” or HTTP 200.

Troubleshooting

  • If you see '404 Not Found' or status stays unhealthy, check:
    • The entryPoint in ping and traefik.yml matches (healthcheck)
    • Logs for ping endpoint registration (grep -i ping <traefik.log>)
    • Healthcheck in the running container is updated (see docker inspect)
  • If the healthcheck is still using the old endpoint (e.g., port 443), the container must be removed and recreated.
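The troubleshooting checklist above, as an added Python check that is not part of this page: given traefik.yml and the compose healthcheck as dicts (constructed here to mirror the configuration above), it reports every mismatch between the ping entrypoint and the healthcheck URL. It assumes TLS on an entrypoint would be set at entrypoint level (entryPoints.<name>.http.tls); router-level TLS set via labels is not visible to it.

```python
from urllib.parse import urlparse


def check_ping_wiring(traefik_cfg: dict, healthcheck: dict) -> list:
    """Return findings as strings; an empty list means ping and healthcheck agree."""
    findings = []
    # Traefik's default ping entrypoint is "traefik" when none is configured
    ep_name = traefik_cfg.get("ping", {}).get("entryPoint", "traefik")
    ep = traefik_cfg.get("entryPoints", {}).get(ep_name)
    if ep is None:
        return [f"ping.entryPoint '{ep_name}' is not defined in entryPoints"]
    ep_http = ep.get("http", {})
    if "tls" in ep_http:  # assumption: TLS configured at entrypoint level
        findings.append(f"entrypoint '{ep_name}' has TLS enabled; /ping needs plain HTTP")
    if "redirections" in ep_http:
        findings.append(f"entrypoint '{ep_name}' redirects; the redirect would hide /ping")
    ep_port = ep.get("address", "").rsplit(":", 1)[-1]
    # compose healthcheck test looks like ["CMD", "wget", "--spider", "<url>"]
    urls = [arg for arg in healthcheck.get("test", []) if arg.startswith("http")]
    if not urls:
        return findings + ["healthcheck test contains no URL"]
    url = urlparse(urls[0])
    if url.scheme != "http":
        findings.append(f"healthcheck uses {url.scheme}://, expected http://")
    if str(url.port) != ep_port:
        findings.append(f"healthcheck targets port {url.port}, "
                        f"entrypoint '{ep_name}' listens on {ep_port}")
    if url.path != "/ping":
        findings.append(f"healthcheck path is {url.path!r}, expected '/ping'")
    return findings


# Constructed inputs mirroring the traefik.yml and compose healthcheck on this page
GOOD_TRAEFIK = {
    "entryPoints": {"https": {"address": ":443"}, "healthcheck": {"address": ":8082"}},
    "ping": {"entryPoint": "healthcheck"},
}
GOOD_HEALTHCHECK = {"test": ["CMD", "wget", "--spider", "http://localhost:8082/ping"]}

# The pre-Traefik-3 wiring the guide warns about: /ping on the TLS entrypoint
BAD_TRAEFIK = {
    "entryPoints": {"https": {"address": ":443", "http": {"tls": {}}}},
    "ping": {"entryPoint": "https"},
}
BAD_HEALTHCHECK = {"test": ["CMD", "wget", "--spider", "https://localhost:443/ping"]}

if __name__ == "__main__":
    print("good:", check_ping_wiring(GOOD_TRAEFIK, GOOD_HEALTHCHECK))
    print("bad: ", check_ping_wiring(BAD_TRAEFIK, BAD_HEALTHCHECK))
```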

FAQ

  • Q: Why not use /ping on :443?
    • A: Traefik 3.x forbids it; /ping only works on a non-TLS (HTTP) entrypoint.
  • Q: Do I need to expose port 8082 externally?
    • A: No; healthchecks run inside the container.
  • Q: Can I combine ping and redirect on the same entrypoint?
    • A: No; keep your healthcheck entrypoint plain.

References