Hello there. I was thinking about PROs & CONs of enabling the API (and consequently the Dashboard!) in a production environment. As per the doc:
Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data.
In production, it should be at least secured by authentication and authorizations.
and again:
This is the recommended method.
Start by enabling the dashboard by using the following option from Traefik's API on the static configuration:
# Optional
# Default: true
--api.dashboard=true
Then define a routing configuration on Traefik itself, with a router attached to the service api@internal in the dynamic configuration, to allow defining:
- One or more security features through middlewares like authentication (basicAuth, digestAuth, forwardAuth) or whitelisting.
A good balance between information gathering and security could be deploying the API this way:
labels:
  traefik.http.routers.dashboard.rule: Host(`traefik.example.com`)
  traefik.http.routers.dashboard.service: api@internal
  traefik.http.routers.dashboard.middlewares: auth
  traefik.http.middlewares.auth.basicauth.users: "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
This is extremely helpful also in a production env to understand what is going on behind the scenes thanks to the Dashboard. Of course, you are potentially exposing information about your system to an attacker (even with HTTP basic auth).
I'm just wondering what your thoughts are about the API/Dashboard and whether you usually enable it or not in your production envs.
Cheers!
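A fuller version of the secured setup from the post, written as an added example rather than code from the original post or from the Traefik project (Traefik v2 key names, file provider instead of Docker labels; the hostname, admin CIDR and file paths are assumptions): the weak api.insecure setting is shown commented out beside a router that serves the dashboard only over TLS, only from an admin network, and only after basic auth.

```yaml
# traefik.yml (static configuration) -- added example, assumed file path
#
# Weak setting, shown only for contrast: api.insecure serves the dashboard and
# the raw API on port 8080 with no authentication. Leave it unset in production.
# api:
#   insecure: true

api:
  dashboard: true              # dashboard on; it is served by the api@internal service
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml   # assumed path of the dynamic config below
---
# /etc/traefik/dynamic.yml (dynamic configuration)
http:
  routers:
    dashboard:
      rule: "Host(`traefik.example.com`)"   # assumed hostname
      entryPoints:
        - websecure                         # never expose the dashboard on the plain-HTTP entrypoint
      service: api@internal
      middlewares:
        - dashboard-allowlist               # evaluated first: drop non-admin source IPs
        - dashboard-auth                    # then require credentials
      tls: {}                               # TLS so basic-auth credentials are not sent in clear
  middlewares:
    dashboard-allowlist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"                    # assumed admin network; replace with your own
    dashboard-auth:
      basicAuth:
        users:
          # hash taken from the post; in a file provider the "$" signs stay single,
          # the "$$" doubling is only needed inside docker-compose labels
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
```

With this layout an unauthenticated request to the dashboard from outside the allowlisted range is rejected before the basic-auth prompt is ever sent, and the API is never reachable on the unauthenticated port 8080 listener.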