generated from bisco/codex-bootstrap
feat: add traefik tcp load balancer
This commit is contained in:
+35
-12
@@ -1,16 +1,39 @@
|
||||
# Security
|
||||
|
||||
Describe security assumptions and controls.
|
||||
## TLS and certificates
|
||||
|
||||
Include:
|
||||
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
|
||||
|
||||
- authentication;
|
||||
- authorization;
|
||||
- network exposure;
|
||||
- TLS/certificates;
|
||||
- secrets management;
|
||||
- logging of sensitive data;
|
||||
- container privileges;
|
||||
- filesystem permissions;
|
||||
- dependency management;
|
||||
- relevant ADRs.
|
||||
Backend services are responsible for:
|
||||
|
||||
- presenting SSL certificates;
|
||||
- protecting private keys;
|
||||
- renewing certificates;
|
||||
- enforcing any application-layer authentication and authorization.
|
||||
|
||||
## Network exposure
|
||||
|
||||
Only `443/tcp` is published by Compose. The Traefik ping entrypoint listens inside the container for healthchecks and is not published on the host.
|
||||
|
||||
## Container hardening
|
||||
|
||||
The Traefik service:
|
||||
|
||||
- does not mount the Docker socket;
|
||||
- is not privileged;
|
||||
- drops Linux capabilities;
|
||||
- enables `no-new-privileges`;
|
||||
- mounts configuration read-only;
|
||||
- uses an explicit Traefik image tag instead of `latest`.
|
||||
|
||||
## Secrets
|
||||
|
||||
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation.
|
||||
|
||||
## Logging
|
||||
|
||||
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
|
||||
|
||||
## Relevant ADRs
|
||||
|
||||
- `docs/adr/0001-traefik-tcp-tls-passthrough.md`
|
||||
|
||||
Reference in New Issue
Block a user