Traefik is the go-to reverse proxy for container-native infrastructure — it auto-discovers Docker services, handles Let's Encrypt certificates automatically, and routes traffic without a single config reload. But Traefik's dynamic nature is also its blind spot: a backend container that disappears silently removes its route, a certificate that fails to renew causes an HTTPS outage, and a Traefik process crash takes down every service behind it at once.
Vigilmon gives you external monitoring for Traefik availability, routing health, load balancer liveness, and SSL certificate expiry. This tutorial walks through the complete setup.
Why Traefik Needs External Monitoring
Traefik exposes a dashboard and metrics endpoint — useful for observability, but not for uptime alerting. Traefik metrics cannot tell you:
- Whether Traefik is reachable from the public internet (internal health checks keep passing when a firewall blocks outside traffic)
- Whether a specific route is resolving correctly to the right backend
- Whether an SSL certificate auto-renewal has silently failed
- Whether a backend service has crashed and Traefik is returning 502 to all routed traffic
- Whether Traefik's entry points are actually accepting connections on ports 80 and 443
External monitoring through Vigilmon probes Traefik from outside your infrastructure, catching the failures that internal checks miss.
Step 1: Enable the Traefik Dashboard and Ping Endpoint
Traefik ships with a built-in /ping endpoint that returns 200 OK when Traefik is alive. Enable it in your configuration:
# traefik.yml (static configuration)
api:
  dashboard: true
  insecure: false # Never expose the dashboard publicly without auth
ping:
  entryPoint: traefik # The ping endpoint runs on the internal traefik entry point
Or via Docker labels if you're using Traefik in container mode:
# docker-compose.yml
version: "3.9"
services:
  traefik:
    image: traefik:v3.0
    command:
      - "--api.dashboard=true"
      - "--ping=true"
      - "--ping.entrypoint=traefik"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.traefik.address=:8080"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--certificatesresolvers.letsencrypt.acme.email=admin@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080" # Internal management port: published on loopback only so it is not reachable publicly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped
Verify the ping endpoint locally:
curl http://localhost:8080/ping
# OK
Step 2: Add a Health Check Route for External Monitoring
The /ping endpoint on port 8080 is internal-only. For external monitoring, expose a health route through Traefik's own routing on your public entry point:
# docker-compose.yml — add to Traefik service labels
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.traefik-health.rule=Host(`traefik.example.com`) && Path(`/health`)"
  - "traefik.http.routers.traefik-health.entrypoints=websecure"
  - "traefik.http.routers.traefik-health.tls.certresolver=letsencrypt"
  - "traefik.http.routers.traefik-health.service=ping@internal"
This exposes https://traefik.example.com/health which proxies to the internal /ping endpoint. Vigilmon can now probe it from any region without reaching your internal management port.
Test it:
curl -I https://traefik.example.com/health
# HTTP/2 200
# content-type: text/plain; charset=utf-8
Step 3: Monitor Traefik with Vigilmon
Log in to Vigilmon and go to Monitors → New Monitor.
Traefik Liveness Monitor
- Select HTTP / HTTPS as the monitor type
- Set the URL to your health route: https://traefik.example.com/health
- Set the check interval to 1 minute
- Under Expected response, configure:
  - Status code: 200
  - Response body contains: OK
- Set the timeout to 5000ms
- Save the monitor
Add Monitors via the Vigilmon API
For Traefik deployments with multiple routers, create monitors programmatically:
curl -X POST https://api.vigilmon.online/v1/monitors \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Traefik Reverse Proxy",
    "type": "http",
    "url": "https://traefik.example.com/health",
    "interval": 60,
    "timeout": 5000,
    "expected_status": 200,
    "expected_body": "OK",
    "regions": ["us-east", "eu-west", "ap-southeast"]
  }'
Step 4: Monitor Individual Backend Routes
Traefik's liveness check only tells you Traefik is running — not that your individual routes are working. A backend container crash makes Traefik return 502 for that route while remaining perfectly healthy itself.
Add separate monitors for each critical route Traefik proxies:
# Monitor the API service behind Traefik
curl -X POST https://api.vigilmon.online/v1/monitors \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "API Service via Traefik",
    "type": "http",
    "url": "https://api.example.com/health",
    "interval": 60,
    "timeout": 10000,
    "expected_status": 200
  }'

# Monitor the frontend app behind Traefik
curl -X POST https://api.vigilmon.online/v1/monitors \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Frontend App via Traefik",
    "type": "http",
    "url": "https://app.example.com/",
    "interval": 60,
    "timeout": 5000,
    "expected_status": 200
  }'
This lets you distinguish "Traefik is down" from "the API backend is down" in your alerts — critical for fast incident triage.
Step 5: Monitor SSL Certificate Expiry
Traefik manages Let's Encrypt certificates automatically, but renewals can fail due to:
- DNS propagation delays during ACME challenges
- ACME rate limits if you've requested too many certificates
- Disk full preventing writes to acme.json
- Docker socket permission issues
Vigilmon monitors SSL certificates automatically when you use https:// in your monitor URL. You'll receive alerts:
- 30 days before expiry
- 14 days before expiry
- 7 days before expiry
For comprehensive SSL coverage, add explicit SSL certificate monitors for each domain Traefik manages:
for DOMAIN in app.example.com api.example.com traefik.example.com; do
  curl -X POST https://api.vigilmon.online/v1/monitors \
    -H "Authorization: Bearer YOUR_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
      \"name\": \"SSL - ${DOMAIN}\",
      \"type\": \"ssl\",
      \"host\": \"${DOMAIN}\",
      \"alert_days_before_expiry\": [30, 14, 7]
    }"
done
Step 6: Configure Alerts for Routing Failures
When a Traefik-proxied service goes down, immediate notification is critical — every route Traefik serves goes through a single process.
Go to Alert Channels → Add Channel and configure:
- Webhook for Slack or PagerDuty integration
- Email for immediate notification
- SMS for critical on-call escalation
Example Slack alert payload Vigilmon sends on a Traefik outage:
{
  "monitor_name": "Traefik Reverse Proxy",
  "status": "down",
  "url": "https://traefik.example.com/health",
  "error": "HTTP 502 Bad Gateway",
  "started_at": "2026-01-15T14:30:00Z",
  "duration_seconds": 120,
  "checked_from": "eu-west-1"
}
Assign your alert channel to all Traefik-related monitors and set a reasonable confirmation threshold (e.g. 2 consecutive failures) to avoid paging on transient network blips.
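The triage rule from Steps 4 and 6, sketched as a webhook consumer. This is an added example, not Vigilmon code or part of the original tutorial: it applies the 2-consecutive-failure confirmation and separates a proxy-wide outage from a single backend outage. It assumes the payload fields shown above, the monitor names created earlier, and that recovery payloads carry a status other than "down" (the page shows only "down"); `Triage` and `replay` are hypothetical names.

```python
from collections import defaultdict

PROXY_MONITOR = "Traefik Reverse Proxy"  # liveness monitor name used in this tutorial
CONFIRM_AFTER = 2  # consecutive failures required before paging

class Triage:
    """Classify outages from a stream of webhook payloads (hypothetical helper)."""

    def __init__(self, confirm_after=CONFIRM_AFTER):
        self.confirm_after = confirm_after
        self.streak = defaultdict(int)  # monitor_name -> consecutive "down" count
        self.last = "ok"

    def classify(self):
        confirmed = sorted(n for n, c in self.streak.items() if c >= self.confirm_after)
        if not confirmed:
            return "ok"
        if PROXY_MONITOR in confirmed:
            # The liveness route is failing, so every routed service is suspect:
            # fold backend alerts into one proxy-level incident.
            return "proxy outage"
        return "backend outage: " + ", ".join(confirmed)

    def ingest(self, payload):
        """Update state from one payload; return the verdict only when it changes."""
        name = payload["monitor_name"]
        # Assumption: recovery payloads carry a status other than "down".
        self.streak[name] = self.streak[name] + 1 if payload["status"] == "down" else 0
        verdict = self.classify()
        if verdict == self.last:
            return None  # nothing new to page about
        self.last = verdict
        return verdict

def replay(payloads):
    """Run payloads through a fresh Triage and collect the verdict changes."""
    triage = Triage()
    return [v for v in map(triage.ingest, payloads) if v is not None]

# Constructed sample stream: (monitor_name, status) pairs expanded into
# payloads that use the field names from the payload above.
API, FRONT = "API Service via Traefik", "Frontend App via Traefik"
SAMPLE = [{"monitor_name": n, "status": s} for n, s in [
    (API, "down"), (FRONT, "down"), (FRONT, "up"), (API, "down"),
    (PROXY_MONITOR, "down"), (PROXY_MONITOR, "down"),
    (PROXY_MONITOR, "up"), (API, "up"),
]]
```

In the sample stream the single frontend failure never pages, the API backend pages on its second failure, and the incident is promoted to a proxy outage only once the liveness monitor is confirmed down.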
Step 7: Build a Status Page for Your Routed Services
If Traefik routes traffic to customer-facing services, give users a public status page.
- In Vigilmon, go to Status Pages → New Status Page
- Name it appropriately
- Add monitors as components, grouped by service:
  - "API Gateway" → Traefik health monitor
  - "Application" → Frontend app monitor
  - "API" → API service monitor
- Publish and share the URL with your users
Complete Monitoring Setup Summary
| Monitor | Type | URL | Alert |
|---------|------|-----|-------|
| Traefik liveness | HTTP | https://traefik.example.com/health | 1 failure |
| API backend | HTTP | https://api.example.com/health | 1 failure |
| Frontend app | HTTP | https://app.example.com/ | 1 failure |
| SSL - app domain | SSL | app.example.com | 30d before expiry |
| SSL - api domain | SSL | api.example.com | 30d before expiry |
This gives you visibility into Traefik itself, the routes it proxies, and the SSL certificates it manages — from outside your infrastructure.
Get Started for Free
Vigilmon monitors Traefik and all your routed services from multiple global regions with 1-minute checks and instant alerts. The free tier covers up to 5 monitors with no credit card needed.
Add your first Traefik monitor in under two minutes: vigilmon.online