Security

By default, Traefik is configured with an allowlist that only permits private IPs (RFC1918) to access containers.

Exception: If you route a container through Cloudflare Tunnel, the traffic goes directly to the container and bypasses Traefik entirely. Traefik allowlists and middlewares do not apply to Tunnel traffic.

This is controlled per container by the expose_to_public variable in the inventory/group_vars/all/container_map.yml file. Setting it to true allows all IPs (0.0.0.0/0) to reach that container.

To configure SSO (Single Sign-On) for certain containers, see the Authentik docs.

There is a traefik_security_hardening variable in inventory/group_vars/all/traefik.yml that, when enabled, does the following:

  • Enforce HTTPS-only requests
  • Serve the Traefik dashboard only over a secure connection
  • Disable port 8080 access to Traefik
    • This will also disable the Homepage integration with Traefik
  • Only allow requests whose Host header belongs to a service with Traefik enabled
  • Disable TLS 1.0 and TLS 1.1, making TLS 1.2 the new minimum
  • Add security headers for the following:
    • X-Frame-Options: DENY (Mozilla Docs): denies iframe embedding
    • X-Content-Type-Options: nosniff (Mozilla Docs): blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type

The following middlewares are available:

  • internal-secured: A chain that applies internal-ipallowlist, https-only and secure-headers
  • external-secured: A chain that applies external-ipallowlist, https-only and secure-headers
  • internal-ipallowlist: Allows only the RFC1918 private address space plus any other IPs/ranges defined in the traefik_subnet_allow_list variable
  • external-ipallowlist: Allows all traffic from 0.0.0.0/0
  • https-only: Configures a permanent redirect to HTTPS
  • secure-headers: Applies headers that prevent iframe embedding, blocks requests whose MIME types do not match the expected destination type, and only allows Host headers of applications that are enabled within this project
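To make the middleware list concrete, here is an illustrative Traefik v3 dynamic configuration (file provider) expressing the same policy; it is an added example, not the project's generated config. The middleware names match the list above, while the 100.64.0.0/10 range, the app.example.internal host, the upstream URL and the websecure entry point are assumptions.

```yaml
# Illustrative Traefik v3 dynamic configuration written for this page.
# Not the project's generated file: 100.64.0.0/10 stands in for
# traefik_subnet_allow_list entries, app.example.internal is a placeholder.
http:
  middlewares:
    internal-ipallowlist:
      ipAllowList:
        sourceRange:
          - 10.0.0.0/8        # RFC1918
          - 172.16.0.0/12     # RFC1918
          - 192.168.0.0/16    # RFC1918
          - 100.64.0.0/10     # extra range, as traefik_subnet_allow_list would add
    external-ipallowlist:
      ipAllowList:
        sourceRange:
          - 0.0.0.0/0         # no source restriction (expose_to_public: true)
    https-only:
      redirectScheme:
        scheme: https
        permanent: true       # permanent redirect to HTTPS
    secure-headers:
      headers:
        frameDeny: true           # X-Frame-Options: DENY
        contentTypeNosniff: true  # X-Content-Type-Options: nosniff
        allowedHosts:             # only Host headers of enabled services
          - app.example.internal
    internal-secured:
      chain:
        middlewares: [internal-ipallowlist, https-only, secure-headers]
    external-secured:
      chain:
        middlewares: [external-ipallowlist, https-only, secure-headers]
  routers:
    app:
      rule: Host(`app.example.internal`)
      entryPoints: [websecure]
      middlewares: [internal-secured]   # swap for external-secured to expose publicly
      service: app
      tls: {}
  services:
    app:
      loadBalancer:
        servers:
          - url: http://app:8080   # placeholder upstream
tls:
  options:
    default:
      minVersion: VersionTLS12   # rejects TLS 1.0 and 1.1
```

Note that none of this applies to traffic arriving through Cloudflare Tunnel, which reaches the container without passing through Traefik.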