Traefik

Changelog

2024-12-30: Init

Used more in the Docker concept, where configuration can be passed through labels. For containers without the overhead of Docker, one can run the binary directly. Idea is that Traefik is likely much more straightforward to configure with very sane defaults (nginx is my preferred reverse proxy, but is a tad overkill to configure and run).

Installation

Official binary releases here.

Absolute barebones setup

# Download file
root:~# FILE="traefik_v3.2.3_linux_amd64.tar.gz"
root:~# URL="https://github.com/traefik/traefik/releases/download/v3.2.3/${FILE}"
root:~# curl -OL ${URL}
 
# Move binary to sbin
root:~# tar xvf ${FILE}
root:~# mv traefik /usr/sbin/
 
# Create configuration
root:~# mkdir -p /etc/traefik/providers.d
root:~# ln -s /etc/traefik/traefik.service /etc/systemd/system/traefik.service
root:~# systemctl start traefik

/etc/traefik/traefik.toml

[entryPoints.web]
address = ":80"
 
[providers.file]
directory = "/etc/traefik/providers.d"

/etc/traefik/providers.d/service.toml

[[http.services.SERVICENAME.loadBalancer.servers]]
url = "http://localhost:8000/"

/etc/traefik/traefik.service

[Unit]
After=network.target
 
[Service]
User=root
ExecStart=/usr/sbin/traefik
 
[Install]
WantedBy=multi-user.target

Hardening

Configuration changes

# Create traefik service account and lock down files
root:~# useradd -rMs /bin/false traefik
root:~# chown -R traefik /etc/traefik
root:~# find /etc/traefik \( -type f -exec chmod 600 {} \; \) , \( -type d -exec chmod 755 {} \; \)

/etc/traefik/traefik.service

...
[Service]
User=traefik
ExecStart=/usr/sbin/traefik
 
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
NoNewPrivileges=true
RestrictNamespaces=~user
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
...

TLS

Simple package for deploying TLS certificates, for use in LXC containers running as root: deploy_traefik_tls.tgz. Unpack, modify setup script to create proxy pass and point to certs and key, then run the script. Destroys any previous Traefik configuration, so watch out!

Configuration changes

HTTP redirect to HTTPS

[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"