# Security ## TLS and certificates Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys. Backend services are responsible for: - presenting SSL certificates; - protecting private keys; - renewing certificates; - enforcing any application-layer authentication and authorization. ## Network exposure Compose publishes `80/tcp` for HTTP-01 certificate challenges and `443/tcp` for TLS passthrough traffic. The Traefik ping entrypoint listens inside the container for healthchecks and is not published on the host. The HTTP routers only match `/.well-known/acme-challenge/` paths for configured hostnames. ## Container hardening The Traefik service: - does not mount the Docker socket; - is not privileged; - drops Linux capabilities; - enables `no-new-privileges`; - mounts configuration read-only; - uses an explicit Traefik image tag instead of `latest`. ## Secrets No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation. ## Logging Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation. ## Relevant ADRs - `docs/adr/0001-traefik-tcp-tls-passthrough.md`