My setup is running Traefik version 2.3.2 within Docker.

I'm really new to Traefik and I like that it's making me think... but honestly sometimes I don't know what the verbiage means. My question is specifically regarding healthchecks and ping. Ping by nature runs over ICMP and doesn't use a specific port. When setting up firewalls and such (iptables) I'm aware you need to add entries which would block/allow ICMP traffic and not TCP traffic.

Reading the Traefik documentation, it states that in order to enable ping, you would enable ping within the static configuration file (traefik.yml) by adding a section such as:

```yaml
ping: {}
```
However, I then start to become confused since it also lists the ping default entrypoint as "traefik" and provides examples such as:

```toml
[entryPoints]
  [entryPoints.ping]
    address = ":8082"

[ping]
  entryPoint = "ping"
```

This example above, however, uses a port number, which implicitly implies a TCP (or UDP) protocol. So now I'm really confused, since the documentation is in a way saying Traefik's ping implementation now runs over TCP, which isn't what I was expecting in any way, given that by nature ping does not run over any port.
Anyway, further investigating the issue I ran across this post discussing ping over TLS:
The last post in this thread states the following:

> ping on TLS will work.
> You have to do these 3 steps:
> 1. In the traefik deployment, enable ping and add entryPoint=traefik
> 2. Add a service that points to port 9000 and targetport: "traefik" and the selector has to be the traefik deployment.
> 3. Create an ingress that has the websecure entrypoint router and tls to true. Add path /ping and backend name to that service and add "traefik" to the servicePort.

So why port 9000? I don't understand. Is this just an arbitrary port?
So stepping through these instructions:

- I'd edit /etc/traefik.yaml and add the following:

  ```yaml
  ping:
    entryPoint: traefik
  ```

  Honestly I'm not sure what this section even means.
- OK, the first line I've done within my compose file.
- > Add path /ping and backend name to that service and add "traefik" to the servicePort.

  I honestly don't even know what this means either.

I'm not sure if anyone can help me with this one.

Here are my reference files (docker-compose.yml, traefik.yml, and dynamic-config.yml).
docker-compose.yml:

```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    secrets:
      - CF_DNS_API_TOKEN_secret
      - CF_ZONE_API_TOKEN_secret
      - CF_API_KEY_secret
    networks:
      - docker-net
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    #healthcheck:
    #  test: traefik healthcheck --ping
    #  interval: 1m30s
    #  timeout: 10s
    #  retries: 3
    #  start_period: 30s
    labels:
      - "traefik.enable=true"
      - "traefik.network=docker-net"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.options=modern@file"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      # the original had a stray trailing quote on this line, which breaks the YAML string
      - "traefik.http.routers.dashboard.tls.domains[0].main=traefik.example.com"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=<token added here>"
      - "traefik.http.routers.dashboard.entrypoints=web,websecure"
    environment:
      - TZ
      - CLOUDFLARE_EMAIL
      - CF_DNS_API_TOKEN_FILE=/run/secrets/CF_DNS_API_TOKEN_secret
      - CF_ZONE_API_TOKEN_FILE=/run/secrets/CF_ZONE_API_TOKEN_secret
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - /etc/traefik/dynamic_conf.yml:/etc/traefik/dynamic_conf.yml
      - /etc/letsencrypt/certificates:/etc/letsencrypt
```
traefik.yml:

```yaml
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443

certificatesResolvers:
  le:
    acme:
      email: xxxxx@gmail.com
      # Staging Server
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # Production Server
      #caServer: https://acme-v02.api.letsencrypt.org/directory
      storage: /etc/letsencrypt/acme.json
      keyType: 'EC384'
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedbydefault: false
    watch: true
    network: docker-net
  file:
    filename: /etc/traefik/dynamic_conf.yml
    watch: true

api:
  # insecure: true
  debug: true
  dashboard: true

log:
  level: DEBUG

ping:
  entryPoint: websecure
```
dynamic-config.yml:

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern:
      minVersion: VersionTLS13
      sniStrict: true
```
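Added example (Python, written for this page; not code from the original post or from the Traefik project) of what the Traefik "ping" actually is: an HTTP GET for `/ping` over TCP to whatever port the ping entrypoint listens on (the `:8082` in the docs, or the implicit `traefik` entrypoint), which is why a firewall rule for it is a TCP rule rather than an ICMP one and why `traefik healthcheck --ping` works from inside the container. A small mock stands in for the ping entrypoint; the 503-while-terminating response mirrors Traefik's documented default `terminatingStatusCode`, and the probe treats anything other than a 200 `OK` (refused connection, timeout, 503) as unhealthy.

```python
# Constructed example: the mock server stands in for a Traefik ping
# entrypoint such as ':8082'; nothing here talks to a real Traefik instance.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class PingHandler(BaseHTTPRequestHandler):
    """Serve GET /ping: 200 'OK' while healthy, 503 once the server is
    draining (503 is Traefik's documented default terminatingStatusCode)."""

    def do_GET(self):
        if self.path != "/ping":
            self.send_error(404)  # ping is served only on the /ping path
            return
        status = 503 if getattr(self.server, "terminating", False) else 200
        body = b"OK"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_mock_ping(port=0):
    """Bind the mock to 127.0.0.1 (port 0 = let the OS pick) and serve in a thread."""
    server = HTTPServer(("127.0.0.1", port), PingHandler)
    server.terminating = False  # flip to True to emulate graceful shutdown
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_ping(host, port, timeout=2.0):
    """GET http://host:port/ping over TCP, as `traefik healthcheck --ping` does.
    Only HTTP 200 with body 'OK' counts as healthy; refused connections,
    timeouts and any non-2xx status (including the 503 sent while
    terminating) are reported as failures."""
    url = f"http://{host}:{port}/ping"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode() == 200 and resp.read().strip() == b"OK"
    except (urllib.error.URLError, OSError):
        return False
```

Pointing `probe_ping` at the port your ping entrypoint binds (or at 443 with an https URL when `ping.entryPoint` is `websecure`) is the same check a Docker `healthcheck` or a load balancer would make.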