My setup is running traefik version 2.3.2 within docker.
I'm really new to Traefik and I like that it's making me think... but honestly sometimes I don't know what the verbiage means. My question is specifically regarding healthchecks and ping. Ping by nature runs over ICMP and doesn't use a specific port. When setting up firewalls and such (iptables) I'm aware you need to add entries which would block/allow ICMP traffic and not TCP traffic.
Reading the traefik documentation, it states in order to enable ping, you would enable ping within the static configuration file (traefik.yml) and by adding a section such as:
However, I then start to become confused since it also lists the ping default entrypoint as "traefik" and provides examples such as:
```toml
[entryPoints]
  [entryPoints.ping]
    address = ":8082"

[ping]
  entryPoint = "ping"
```
This example above, however, uses a port number, which implies a TCP (or UDP) protocol. So now I'm really confused, since the documentation is in a way saying Traefik's ping implementation runs over TCP, which isn't what I was expecting in any way, given that by nature ping does not run over any port.
Anyway, further investigating the issue I ran across this post discussing ping over TLS:
The last post in this thread states the following:
> ping on TLS will work.
> You have to do these 3 steps:
> 1. in the traefik deployment, enable ping and add entryPoint=traefik
> 2. add a service that points to port 9000 and targetport: "traefik" and the selector has to be the traefik deployment.
> 3. create an ingress that has the websecure entrypoint router and tls to true. Add path /ping and backend name to that service and add "traefik" to the servicePort
So why port 9000? I don't understand -- is this just an arbitrary port?
So stepping through these instructions:
- I'd edit /etc/traefik.yaml and add the following:

  ```yaml
  ping:
    entryPoint: traefik
  ```
- Honestly I'm not sure what this section even means.
- Ok the first line I've done within my compose file.
> Add path /ping and backend name to that service and add "traefik" to the servicePort.
I honestly don't even know what this means either.
I'm not sure if anyone can help me with this one.
Here are my reference files (docker-compose.yml, traefik.yml, and dynamic-config.yml):
docker-compose.yml:

```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    secrets:
      - CF_DNS_API_TOKEN_secret
      - CF_ZONE_API_TOKEN_secret
      - CF_API_KEY_secret
    networks:
      - docker-net
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    #healthcheck:
    #  test: traefik healthcheck --ping
    #  interval: 1m30s
    #  timeout: 10s
    #  retries: 3
    #  start_period: 30s
    labels:
      - "traefik.enable=true"
      - "traefik.network=docker-net"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.options=modern@file"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.routers.dashboard.tls.domains.main=traefik.example.com"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=<token added here>"
      - "traefik.http.routers.dashboard.entrypoints=web,websecure"
    environment:
      - TZ
      - CLOUDFLARE_EMAIL
      - CF_DNS_API_TOKEN_FILE=/run/secrets/CF_DNS_API_TOKEN_secret
      - CF_ZONE_API_TOKEN_FILE=/run/secrets/CF_ZONE_API_TOKEN_secret
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /etc/traefik/dynamic_conf.yml:/etc/traefik/dynamic_conf.yml
      - /etc/letsencrypt/certificates:/etc/letsencrypt
```
traefik.yml:

```yaml
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

certificatesResolvers:
  le:
    acme:
      email: email@example.com
      # Staging Server
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # Production Server
      #caServer: https://acme-v02.api.letsencrypt.org/directory
      storage: /etc/letsencrypt/acme.json
      keyType: 'EC384'
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "188.8.131.52:53"
          - "184.108.40.206:53"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedbydefault: false
    watch: true
    network: docker-net
  file:
    filename: /etc/traefik/dynamic_conf.yml
    watch: true

api:
  # insecure: true
  debug: true
  dashboard: true

log:
  level: DEBUG

ping:
  entryPoint: websecure
```
dynamic_conf.yml:

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern:
      minVersion: VersionTLS13
      sniStrict: true
```
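Added example, not from the post above and not Traefik's own code: Traefik's ping is an HTTP GET of `/ping` served on a TCP entrypoint, not an ICMP echo, which is why the docs bind it to a port. The block stands up a constructed local stand-in with that behaviour (200 "OK" while healthy, 503 once shutdown begins, mirroring Traefik's default terminating status) and probes it the way a container healthcheck would; `PingHandler`, `start_mock_ping` and `probe_ping` are names I chose for the example.

```python
import http.client
import http.server
import threading

# Constructed stand-in for Traefik's ping endpoint (not Traefik code): GET /ping answers
# 200 "OK" while healthy and a non-2xx terminating status (503 by default in Traefik)
# once shutdown has begun. Everything here runs over TCP/HTTP; no ICMP is involved.
TERMINATING = threading.Event()

class PingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/ping":
            self.send_error(404)
            return
        body = b"OK"
        self.send_response(503 if TERMINATING.is_set() else 200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_mock_ping(port=0):
    """Bind the stand-in on a dedicated localhost 'ping' entrypoint; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", port), PingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe_ping(host, port, timeout=2.0):
    """What a container healthcheck against /ping amounts to: TCP connect, HTTP GET,
    healthy only on a 2xx status. Returns (healthy, (status, body)) or (False, None)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/ping")
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode()
        conn.close()
    except OSError:  # connection refused or timeout: the entrypoint is not answering
        return False, None
    return 200 <= status < 300, (status, body)

if __name__ == "__main__":
    srv, port = start_mock_ping()
    print(probe_ping("127.0.0.1", port))  # (True, (200, 'OK'))
    TERMINATING.set()
    print(probe_ping("127.0.0.1", port))  # (False, (503, 'OK'))
    srv.shutdown()
```

A firewall rule for this check therefore allows TCP to the ping entrypoint's port, and an ICMP rule has no effect on it.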