generated from bisco/codex-bootstrap
42 lines
1.5 KiB
Markdown
42 lines
1.5 KiB
Markdown
# Security
|
|
|
|
## TLS and certificates
|
|
|
|
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
|
|
|
|
Backend services are responsible for:
|
|
|
|
- presenting SSL certificates;
|
|
- protecting private keys;
|
|
- renewing certificates;
|
|
- enforcing any application-layer authentication and authorization.
|
|
|
|
## Network exposure
|
|
|
|
Traefik uses host networking and listens directly on host ports `80/tcp` for HTTP traffic and `443/tcp` for TLS passthrough traffic. The Traefik ping entrypoint listens on host port `8082/tcp` for healthchecks; restrict this port with host firewall rules if needed.
|
|
|
|
The HTTP routers match configured hostnames and forward the full HTTP request to the selected backend. Backend services are responsible for redirects and ACME challenge handling.
|
|
|
|
## Container hardening
|
|
|
|
The Traefik service:
|
|
|
|
- does not mount the Docker socket;
|
|
- is not privileged;
|
|
- drops Linux capabilities except `NET_BIND_SERVICE`, which is required to bind host ports `80` and `443`;
|
|
- enables `no-new-privileges`;
|
|
- mounts configuration read-only;
|
|
- uses an explicit Traefik image tag instead of `latest`.
|
|
|
|
## Secrets
|
|
|
|
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation.
|
|
|
|
## Logging
|
|
|
|
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
|
|
|
|
## Relevant ADRs
|
|
|
|
- `docs/adr/0001-traefik-tcp-tls-passthrough.md`
|