Files
loadbalancer/docs/security.md
T
2026-06-30 10:16:03 +02:00

42 lines
1.5 KiB
Markdown

# Security
## TLS and certificates
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
Backend services are responsible for:
- presenting SSL certificates;
- protecting private keys;
- renewing certificates;
- enforcing any application-layer authentication and authorization.
## Network exposure
Traefik uses host networking and listens directly on host ports `80/tcp` for HTTP traffic and `443/tcp` for TLS passthrough traffic. The Traefik ping entrypoint listens on host port `8082/tcp` for healthchecks; restrict this port with host firewall rules if needed.
The HTTP routers match configured hostnames and forward the full HTTP request to the selected backend. Backend services are responsible for redirects and ACME challenge handling.
## Container hardening
The Traefik service:
- does not mount the Docker socket;
- is not privileged;
- drops Linux capabilities except `NET_BIND_SERVICE`, which is required to bind host ports `80` and `443`;
- enables `no-new-privileges`;
- mounts configuration read-only;
- uses an explicit Traefik image tag instead of `latest`.
## Secrets
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation.
## Logging
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
## Relevant ADRs
- `docs/adr/0001-traefik-tcp-tls-passthrough.md`