Files
loadbalancer/docs/security.md
T
2026-06-30 10:09:35 +02:00

42 lines
1.3 KiB
Markdown

# Security
## TLS and certificates
Traefik is configured for TCP TLS passthrough. It does not terminate TLS and does not require certificate files or private keys.
Backend services are responsible for:
- presenting SSL certificates;
- protecting private keys;
- renewing certificates;
- enforcing any application-layer authentication and authorization.
## Network exposure
Compose publishes `80/tcp` for HTTP-01 certificate challenges and `443/tcp` for TLS passthrough traffic. The Traefik ping entrypoint listens inside the container for healthchecks and is not published on the host.
The HTTP routers only match `/.well-known/acme-challenge/` paths for configured hostnames.
## Container hardening
The Traefik service:
- does not mount the Docker socket;
- is not privileged;
- drops Linux capabilities;
- enables `no-new-privileges`;
- mounts configuration read-only;
- uses an explicit Traefik image tag instead of `latest`.
## Secrets
No secrets should be stored in this repository. Do not add certificates, private keys, API tokens, or passwords to `config/` or documentation.
## Logging
Traefik logs operational events to stdout. Do not enable debug logging in production unless needed for a time-limited investigation.
## Relevant ADRs
- `docs/adr/0001-traefik-tcp-tls-passthrough.md`