50 lines
3.5 KiB
Markdown
# Security and Secrets
_Last updated: 2025-12-13_
This document outlines the security mechanisms and best practices for managing secrets within this infrastructure.
## Authentication
### Authelia
The primary authentication mechanism is [Authelia](https://www.authelia.com/), an open-source authentication and authorization server. Authelia provides Single Sign-On (SSO) for most web-facing services.
- **How it works:** Traefik is configured to use Authelia as a forward-authentication middleware. When a user tries to access a protected service, Traefik forwards the request to Authelia. If the user is not authenticated, Authelia presents a login page. Upon successful authentication, Authelia sets the `Remote-User` header on the request and Traefik forwards it to the backend service.
- **Configuration:** Authelia's configuration is managed in its own `configuration.yml` file.
- **Middleware:** Two Authelia middleware configurations are used in Traefik:
  - `authelia-brewery`
  - `authelia-fails`
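The forward-auth wiring described above, as an added example that is not this repository's own configuration: a Traefik dynamic configuration file (file provider) defining the `authelia-brewery` middleware and one router that uses it. The Authelia container name and port, the `/api/verify` endpoint path, the domains and the backend URL are assumptions for illustration; check the endpoint against the Authelia version in use.

```yaml
# Traefik dynamic configuration (file provider). Added example, not the
# repository's own file. Hostnames, the Authelia container name/port and the
# example domains are placeholders.
http:
  middlewares:
    authelia-brewery:
      forwardAuth:
        # Traefik sends each incoming request to this Authelia endpoint before
        # the backend sees it. rd= is where Authelia redirects a user who is not
        # logged in.  (Endpoint path assumed; verify against your Authelia docs.)
        address: "http://authelia:9091/api/verify?rd=https://auth.brewery.example/"
        # Pass the X-Forwarded-* headers through; Traefik sets them itself.
        trustForwardHeader: true
        # Headers from Authelia's success response that Traefik copies onto the
        # request forwarded to the backend. Remote-User is the one the text names.
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

  routers:
    brewery:
      rule: "Host(`brewery.example`)"
      entryPoints:
        - websecure
      middlewares:
        - authelia-brewery
      service: brewery
      tls:
        certResolver: letsencrypt

  services:
    brewery:
      loadBalancer:
        servers:
          - url: "http://brewery:8080"   # placeholder backend
```

A backend that trusts `Remote-User` must be reachable only through Traefik (no published port; see Network Security), otherwise any client on the Docker host's network could set that header itself. From a Docker-labelled service this middleware is referenced as `authelia-brewery@file`.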
### Application-level Authentication
Some applications manage their own authentication, separate from Authelia. These services are typically not behind the Authelia middleware in Traefik.
## Secret Storage
Secrets, such as API keys and database passwords, are primarily stored in `.env` files within each service's directory.
- **.env files:** These files are used to populate environment variables in the `docker-compose.yml` files. For example, `books_webv2/.env` contains the database credentials for the Books V2 application.
- **docker-compose.yml:** Some secrets are stored directly in the `docker-compose.yml` files. This is less secure and should be avoided where possible.
### ⚠️ **WARNING:**
- **Do not commit `.env` files to Git repositories.** These files should be listed in the `.gitignore` file.
- **Be careful when sharing `docker-compose.yml` files.** They may contain sensitive information.
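The difference between the two storage locations in Secret Storage, and the `.gitignore` rule in the warning above, as one added compose example (not the repository's `books_webv2/docker-compose.yml`; service, image and variable names are placeholders):

```yaml
# docker-compose.yml. Added example, not the repository's own file.
# Service, image and variable names are placeholders.

# --- Weak: the password is a literal in the compose file, so it travels with
# the file whenever it is copied, shared or committed.
#
# services:
#   books_webv2:
#     image: books-webv2:latest
#     environment:
#       DB_PASSWORD: "s3cr3t-placeholder"   # avoid this

# --- Preferred: the compose file names only the file the values come from;
# books_webv2/.env holds the values and is git-ignored.
services:
  books_webv2:
    image: books-webv2:latest            # placeholder image
    # Loads every KEY=value line from .env into the container's environment;
    # the compose file itself never contains a secret value.
    env_file:
      - .env

# Contents of books_webv2/.env (constructed sample, never committed):
#   DB_HOST=db
#   DB_USER=books
#   DB_PASSWORD=change-me-placeholder
#
# Matching line in .gitignore so the file cannot be committed by accident:
#   .env
```

`git check-ignore -v books_webv2/.env` prints the rule that ignores the file, or nothing if it is not ignored; running it before the first commit of a new service directory catches a missing `.gitignore` entry. Compose also reads the project's `.env` for `${VAR}` interpolation inside the compose file, so a value that must appear in a label or a `command:` line can stay out of the file the same way.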
## SSL/TLS Configuration
- **Traefik:** Traefik automatically handles SSL/TLS termination for all web services. It is configured to use Let's Encrypt to automatically provision and renew SSL certificates.
- **Entry Points:** The `websecure` entry point on port 443 is used for all HTTPS traffic. The `web` entry point on port 80 redirects all HTTP traffic to HTTPS.
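The two entry points and the Let's Encrypt resolver described above, as an added Traefik static configuration example (not the repository's own `traefik.yml`; the resolver name, contact e-mail and storage path are placeholders):

```yaml
# traefik.yml (static configuration). Added example, not the repository's own
# file. Resolver name, e-mail and storage path are placeholders.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        # Every plain-HTTP request is answered with a 301 to the same URL on
        # the websecure entry point; no service is ever served over port 80.
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        # Routers on this entry point get TLS by default, with certificates
        # obtained through the resolver below.
        certResolver: letsencrypt

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.invalid        # placeholder contact address
      storage: /letsencrypt/acme.json     # must be on a persistent volume
      httpChallenge:
        # Let's Encrypt validates ownership over port 80, which the `web`
        # entry point still accepts before redirecting.
        entryPoint: web
```

The HTTP challenge needs port 80 reachable from the internet, which matches the firewall rule in Network Security. `acme.json` contains the ACME account key and every certificate's private key; Traefik refuses to use it unless its permissions are `600`. While testing a new configuration, set `caServer` to `https://acme-staging-v02.api.letsencrypt.org/directory` so that mistakes do not consume the production rate limit.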
## Network Security
- **Firewall:** The network's edge router/firewall should be configured to only allow inbound traffic on ports `80` and `443`, and forward this traffic to the Traefik server (`192.168.12.3`).
- **Exposed Ports:** Most services do not expose their ports directly to the host machine. They are only accessible through the `traefik_proxy` network. Only services that require direct access (e.g., `sftp`) should have their ports exposed.
- **Docker Networks:** Services are isolated using Docker networks. This limits the ability of a compromised container to access other services on the host.
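The three points above (no published ports for proxied services, isolation through Docker networks, explicit exposure only for services such as `sftp`), as one added compose example that is not the repository's own file. Service and image names are placeholders; `traefik_proxy` is the network the text names, and the middleware label reuses the `authelia-brewery` name from the Authentication section.

```yaml
# docker-compose.yml. Added example, not the repository's own file. Service and
# image names are placeholders; traefik_proxy is the network named in the text.
services:
  app:
    image: example/app:latest            # placeholder
    # No `ports:` block: nothing on the host or LAN can reach this container
    # directly; Traefik reaches it over traefik_proxy and applies Authelia.
    networks:
      - traefik_proxy
      - app_backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`app.example`)"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.middlewares=authelia-brewery@file"
      # The container sits on two networks; tell Traefik which one to dial.
      - "traefik.docker.network=traefik_proxy"
      - "traefik.http.services.app.loadbalancer.server.port=8080"

  db:
    image: postgres:16                   # placeholder
    # Backend-only: not on traefik_proxy, not published, reachable only from
    # containers on app_backend (here: just `app`).
    networks:
      - app_backend

  sftp:
    image: example/sftp:latest           # placeholder
    # A service that genuinely needs direct access publishes its port
    # explicitly, so the exception is visible in the compose file.
    ports:
      - "2222:22"
    networks:
      - sftp_only

networks:
  traefik_proxy:
    external: true     # created once; shared by Traefik and every proxied service
  app_backend:
    internal: true     # no gateway to the outside; members only see each other
  sftp_only: {}
```

`docker ps` lists published ports in its PORTS column; any `0.0.0.0:` entry other than Traefik's 80/443 and the deliberately exposed `sftp` port is a service bypassing the proxy, and therefore Authelia. Because `app_backend` is `internal`, `db` has no route to the internet at all, which limits what a compromised `app` container could pull in through it.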
## Best Practices
- **Rotate credentials regularly:** API keys, database passwords, and other secrets should be rotated on a regular basis.
- **Use strong, unique passwords:** Avoid using default or weak passwords.
- **Keep software up to date:** Regularly update all services and the underlying host operating system to patch security vulnerabilities. Watchtower is used to automatically update Docker containers.
- **Principle of least privilege:** Each service should only have the permissions it needs to function. For example, database users should only have access to the databases they need.