feat: add traefik tcp load balancer

This commit is contained in:
Alfredo Di Stasio
2026-06-30 09:50:18 +02:00
parent 786fa78ebd
commit 7dfc23d69e
13 changed files with 393 additions and 129 deletions
+35 -12
View File
@@ -1,16 +1,39 @@
# Security
Describe security assumptions and controls.
## TLS and certificates
Include:
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
- authentication;
- authorization;
- network exposure;
- TLS/certificates;
- secrets management;
- logging of sensitive data;
- container privileges;
- filesystem permissions;
- dependency management;
- relevant ADRs.
Backend services are responsible for:
- presenting SSL certificates;
- protecting private keys;
- renewing certificates;
- enforcing any application-layer authentication and authorization.
## Network exposure
Only `443/tcp` is published by Compose. The Traefik ping entrypoint listens inside the container for healthchecks and is not published on the host.
## Container hardening
The Traefik service:
- does not mount the Docker socket;
- is not privileged;
- drops Linux capabilities;
- enables `no-new-privileges`;
- mounts configuration read-only;
- uses an explicit Traefik image tag instead of `latest`.
## Secrets
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation.
## Logging
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
## Relevant ADRs
- `docs/adr/0001-traefik-tcp-tls-passthrough.md`