From f062ee80c8daa0ede62f094e9a72a1f5d38dd0d0 Mon Sep 17 00:00:00 2001 From: Damien Duportal Date: Mon, 20 Aug 2018 12:02:03 +0200 Subject: [PATCH] Docs: Adding warnings and solution about the configuration exposure --- docs/configuration/api.md | 21 ++++++++++++++++++++- docs/index.md | 4 ++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/docs/configuration/api.md b/docs/configuration/api.md index 9da05c7e8..05aa23277 100644 --- a/docs/configuration/api.md +++ b/docs/configuration/api.md @@ -4,6 +4,9 @@ ```toml # API definition +# Warning: Enabling API will expose Træfik's configuration and secret. +# It is not recommended in production, +# unless secured by authentication and authorizations [api] # Name of the related entry point # @@ -12,7 +15,7 @@ # entryPoint = "traefik" - # Enabled Dashboard + # Enable Dashboard # # Optional # Default: true @@ -38,6 +41,22 @@ For more customization, see [entry points](/configuration/entrypoints/) document ![Web UI Health](/img/traefik-health.png) +## Security + +Enabling the API will expose all configuration elements, +including secret. + +It is not recommended in production, +unless secured by authentication and authorizations. + +A good sane default (but not exhaustive) set of recommendations +would be to apply the following protection mechanism: + +* _At application level:_ enabling HTTP [Basic Authentication](#authentication) +* _At transport level:_ NOT exposing publicly the API's port, +keeping it restricted over internal networks +(restricted networks as in https://en.wikipedia.org/wiki/Principle_of_least_privilege). + ## API | Path | Method | Description | diff --git a/docs/index.md b/docs/index.md index a0fb81280..a7b6cc339 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -86,6 +86,10 @@ services: - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events ``` +!!! warning + Enabling the Web UI with the `--api` flag might exposes configuration elements. You can read more about this on the [API/Dashboard's Security section](/configuration/api#security). + + **That's it. Now you can launch Træfik!** Start your `reverse-proxy` with the following command:
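Review bot: in the first `docs/configuration/api.md` hunk (`@@ -4,6 +4,9 @@`), the new TOML comment has two grammar slips: "Træfik's configuration and secret" should be "configuration and secrets" (the exposure is of every secret in the configuration, not one), and "authentication and authorizations" should be "authentication and authorization". Suggested wording for the three added lines: `# Warning: Enabling the API exposes Træfik's configuration, including secrets.` / `# It is not recommended in production,` / `# unless secured by authentication and authorization.` Since this comment is the only warning a reader of the config sample sees, it is also worth pointing at the Security section of the same page from here.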
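Review bot: in the `## Security` hunk of `docs/configuration/api.md` (`@@ -38,6 +41,22 @@`), the "at application level" recommendation stops at HTTP Basic Authentication and never mentions TLS; Basic Auth sends the credentials base64-encoded, not encrypted, so on a plain-HTTP entry point the dashboard password is readable by anyone on the path, and the section should say that Basic Auth only helps when the API's entry point also terminates TLS (the page already links to the entry points documentation for that). The transport-level bullet also makes the same point as the section's least-privilege aside, so the bare parenthesised URL reads better as a Markdown link, e.g. `keeping it restricted to internal networks (see [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege))`. Minor grammar in the same hunk: "including secret" should be "including secrets", "apply the following protection mechanism" should be "mechanisms" since two follow, and "authentication and authorizations" should be "authentication and authorization", matching the fix suggested for the TOML comment above.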
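Review bot: in the `docs/index.md` hunk (`@@ -86,6 +86,10 @@`), the new admonition reads "might exposes configuration elements", which should be "might expose"; and given the Security section this same patch adds states that enabling the API "will expose all configuration elements, including secret", the hedge is misleading, so prefer "Enabling the Web UI with the `--api` flag exposes configuration elements, including secrets." The link target `/configuration/api#security` is fine, but the rest of the docs use trailing-slash paths (`/configuration/entrypoints/`), so `/configuration/api/#security` keeps the anchor working under the same URL style.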