generated from bisco/codex-bootstrap
40 lines
1.1 KiB
Markdown
40 lines
1.1 KiB
Markdown
# Security
|
|
|
|
## TLS and certificates
|
|
|
|
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
|
|
|
|
Backend services are responsible for:
|
|
|
|
- presenting SSL certificates;
|
|
- protecting private keys;
|
|
- renewing certificates;
|
|
- enforcing any application-layer authentication and authorization.
|
|
|
|
## Network exposure
|
|
|
|
Only `443/tcp` is published by Compose. The Traefik ping entrypoint listens inside the container for healthchecks and is not published on the host.
|
|
|
|
## Container hardening
|
|
|
|
The Traefik service:
|
|
|
|
- does not mount the Docker socket;
|
|
- is not privileged;
|
|
- drops Linux capabilities;
|
|
- enables `no-new-privileges`;
|
|
- mounts configuration read-only;
|
|
- uses an explicit Traefik image tag instead of `latest`.
|
|
|
|
## Secrets
|
|
|
|
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation.
|
|
|
|
## Logging
|
|
|
|
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
|
|
|
|
## Relevant ADRs
|
|
|
|
- `docs/adr/0001-traefik-tcp-tls-passthrough.md`
|