Tyk + Traefik routing four OpenAPI specs behind one gateway, how to expose a separate health-check endpoint?

amein · June 18, 2025, 3:28pm

I’m running a single Tyk Gateway container behind Traefik v3, and I’m routing four different hostnames → four OpenAPI specs:

${HAWILPAY_DOMAIN} → Hawilpay-prod-api.json
${HAWILPAY_DEV_DOMAIN} → Hawilpay-dev-api.json
${CICO_DOMAIN} → CICO-prod-api.json
${CICO_DEV_DOMAIN} → CICO-dev-api.json

dynamic.yml (excerpt)

tls:
  certificates:
    - certFile: /etc/ssl/certs/hawilpay.com.crt
      keyFile:  /etc/ssl/certs/hawilpay.com.key
    - certFile: /etc/ssl/certs/cico.cash.crt
      keyFile:  /etc/ssl/certs/cico.cash.key

http:
  routers:
    hawilpay-prod:
      rule:        "Host(`api.hawilpay.com`)"
      entryPoints: [websecure]
      service:     tyk-gateway
      tls:         {}
    # … dev, cico-prod, cico-dev identical …

  services:
    tyk-gateway:
      loadBalancer:
        servers:
          - url: "http://tyk-gateway:8080"

My `docker-compose.yml` mounts in only the four API JSON files and `tyk.conf`:
  tyk-gateway:
    image: tykio/tyk-gateway:v5.8
    restart: unless-stopped
    container_name: tyk-gateway
    environment:
      - TYK_GW_SECRET=${TYK_GW_SECRET}
      - TYK_GW_LISTENPORT=${TYK_GW_LISTENPORT}
      - TYK_GW_LOGLEVEL=${TYK_GW_LOGLEVEL}
      # Redis password removed
      - REDIS_HOST=${REDIS_HOST}
      - REDIS_PORT=${REDIS_PORT}
    volumes:
      - ./configs/tyk/tyk.conf:/opt/tyk-gateway/tyk.conf
      - ./configs/tyk/apps:/opt/tyk-gateway/apps
      - ./configs/tyk/policies:/opt/tyk-gateway/policies
      - /var/log/tyk:/var/log/tyk
    networks:
      - tyk-network
    depends_on:
      tyk-redis:
        condition: service_healthy
      tyk-pump:
        condition: service_started
    healthcheck:
      disable: true
    labels:

  - "traefik.enable=true"
  - "traefik.http.routers.hawilpay-prod.rule=Host(`${HAWILPAY_DOMAIN}`)"
  - "traefik.http.routers.hawilpay-prod.entrypoints=websecure"
  - "traefik.http.routers.hawilpay-prod.tls=true"
  - "traefik.http.routers.hawilpay-dev.rule=Host(`${HAWILPAY_DEV_DOMAIN}`)"
  - "traefik.http.routers.hawilpay-dev.entrypoints=websecure"
  - "traefik.http.routers.hawilpay-dev.tls=true"
  - "traefik.http.routers.cico-prod.rule=Host(`${CICO_DOMAIN}`)"
  - "traefik.http.routers.cico-prod.entrypoints=websecure"
  - "traefik.http.routers.cico-prod.tls=true"
  - "traefik.http.routers.cico-dev.rule=Host(`${CICO_DEV_DOMAIN}`)"
  - "traefik.http.routers.cico-dev.entrypoints=websecure"
  - "traefik.http.routers.cico-dev.tls=true"
  
  # Service configuration
  - "traefik.http.services.tyk-gateway.loadbalancer.server.port=8080"

{
  "listen_port": 8080,
  "secret": ${TYK_GW_SECRET},
  "use_db_app_configs": false,
  "app_path": "/opt/tyk-gateway/apps/",
  "health_check": {
    "enable_health_checks": true,
    "health_check_value_timeouts": 60
  },
  // ...
}

Problem:
I don’t have /hello (or any health-check path) defined in any of my four OpenAPI specs, so hitting /hello returns 403 Forbidden