1.3 KiB
Security
TLS and certificates
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
Backend services are responsible for:
- presenting SSL certificates;
- protecting private keys;
- renewing certificates;
- enforcing any application-layer authentication and authorization.
Network exposure
Compose publishes 80/tcp for HTTP-01 certificate challenges and 443/tcp for TLS passthrough traffic. The Traefik ping entrypoint listens inside the container for healthchecks and is not published on the host.
The HTTP routers only match /.well-known/acme-challenge/ paths for configured hostnames.
Container hardening
The Traefik service:
- does not mount the Docker socket;
- is not privileged;
- drops Linux capabilities;
- enables
no-new-privileges; - mounts configuration read-only;
- uses an explicit Traefik image tag instead of
latest.
Secrets
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to config/ or documentation.
Logging
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
Relevant ADRs
docs/adr/0001-traefik-tcp-tls-passthrough.md