Hey guys,
This might not be directly Traefik related, but most likely something you often deal with. Given a bunch of docker services attached to Traefik through a docker network, all these services can also reach each other directly over that network.
```
      traefik
         |
    traefik-net
      /      \
service1    service2
```
In this scenario service1 can directly reach service2 through the shared network 'traefik-net'. Other than creating a 'traefik-net-[service]' per service, is there another common practice that I'm overlooking which can be used to ensure isolation between service1 and service2?
Another issue I found, is that when "faking" the "Host" header, one can reach all services.
For instance, given the following two SNI names:
- service1.my-external-domain.com
- service1.my-internal-domain.lan
Issuing the following cURL command against the External service (and IP):
```
curl -H "Host: service1.my-internal-domain.lan" https://service1.my-external-domain.com
```
allows me to serve up the 'internal' site by connecting to the external URL; granted, knowledge of the internal site's name is required, nevertheless I would like to prevent this from being possible.
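The two concerns above (service-to-service reachability over the shared network, and the internal vhost being reachable by spoofing the `Host` header on the external listener) map to two Traefik/Docker settings. As an added example that is not part of the original post, the compose file below gives each service its own network that only Traefik also joins, and splits Traefik into two entrypoints: `external` (published on the public host IP) and `internal` (published only on the LAN host IP). The internal router is attached to the `internal` entrypoint only, so a request that arrives on `external` with a forged internal `Host` header matches no router and is answered with Traefik's default 404. All network, service and image names, the host IPs (RFC 5737 documentation addresses) and the backend port are assumptions.

```yaml
# Added example, not from the original post. Compose v2 file format.
# Assumptions: hostnames from the post, placeholder host IPs, nginx as the backend.

networks:
  # One network per service; only Traefik and that service are members,
  # so service1 and service2 have no shared L2/L3 path to each other.
  traefik-service1: {}
  traefik-service2: {}

services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      # Two listeners inside the container: 443 for external, 8443 for internal.
      - --entrypoints.external.address=:443
      - --entrypoints.internal.address=:8443
    ports:
      # Bind each listener to a specific host IP so the internal entrypoint is
      # never reachable from the public interface (placeholder addresses).
      - "203.0.113.10:443:443"    # public host IP  -> external entrypoint
      - "192.0.2.10:443:8443"     # LAN host IP     -> internal entrypoint
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-service1
      - traefik-service2

  service1:
    image: nginx:alpine
    networks:
      - traefik-service1
    labels:
      - traefik.enable=true
      # Tell Traefik which network to use to reach this container.
      - traefik.docker.network=traefik-service1
      - traefik.http.services.service1.loadbalancer.server.port=80
      # External vhost: only on the "external" entrypoint.
      - traefik.http.routers.service1-ext.rule=Host(`service1.my-external-domain.com`)
      - traefik.http.routers.service1-ext.entrypoints=external
      - traefik.http.routers.service1-ext.tls=true
      # Internal vhost: only on the "internal" entrypoint. A spoofed
      # "Host: service1.my-internal-domain.lan" on the external listener
      # matches no router there and gets a 404.
      - traefik.http.routers.service1-int.rule=Host(`service1.my-internal-domain.lan`)
      - traefik.http.routers.service1-int.entrypoints=internal
      - traefik.http.routers.service1-int.tls=true

  service2:
    image: nginx:alpine
    networks:
      - traefik-service2
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-service2
      - traefik.http.services.service2.loadbalancer.server.port=80
      - traefik.http.routers.service2-ext.rule=Host(`service2.my-external-domain.com`)
      - traefik.http.routers.service2-ext.entrypoints=external
      - traefik.http.routers.service2-ext.tls=true
```

To check the isolation, `docker exec service1 getent hosts service2` should fail to resolve (no shared network), and the cURL command from the post, sent to the public IP with the internal `Host` header, should return `404 page not found` from Traefik instead of the internal site. The cost of the per-service-network pattern is one network per backend and a growing `networks:` list on the Traefik container, which is the trade-off the post already names.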