Enabling the API in production, PROs & CONs

Hello there. I was thinking about PROs & CONs of enabling the API (and consequently the Dashboard!) in a production environment. As per the doc:

Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data.

In production, it should be at least secured by authentication and authorizations.

and again:

This is the recommended method.

Start by enabling the dashboard by using the following option from Traefik's API on the static configuration:

#
# Optional
# Default: true
#
--api.dashboard=true

Then define a routing configuration on Traefik itself, with a router attached to the service api@internal in the dynamic configuration, to allow defining:

A good balance between information gathering and security could be deploying the API this way:

labels:
  traefik.http.routers.dashboard.rule: Host(`traefik.example.com`)
  traefik.http.routers.dashboard.service: api@internal
  traefik.http.routers.dashboard.middlewares: auth
  # map-style label: use "key: value", and quote the value; "$$" escapes "$" for docker-compose interpolation
  traefik.http.middlewares.auth.basicauth.users: "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

This is extremely helpful also in a production env to understand what is going on behind the scenes thanks to the Dashboard. Of course, you are potentially exposing information about your system to an attacker (even with HTTP basic auth).

I'm just wondering what your thoughts are about the API/Dashboard and whether you usually enable it or not in your production envs.

Cheers!

1 Like

Yes.

In one case IP whitelisting, in another Traefik EE with OIDC middleware.

1 Like

Yep, IP whitelisting seems to be much more secure than basic auth.
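Putting the original post's basic-auth-only setup and the IP whitelisting suggested in the replies side by side, as an added docker-compose example that is not from the thread or from the Traefik project; the host name, the source ranges and the basicauth hash (reused from the post above, password "test") are assumed values:

```yaml
# docker-compose.yml (added example; replace the assumed values before use)
services:
  traefik:
    image: traefik            # pin a version tag in production
    command:
      - --api.dashboard=true
      - --api.insecure=false  # never expose the API/dashboard on the unauthenticated :8080 listener
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"

      # --- WEAK: dashboard reachable from anywhere, basic auth is the only barrier ---
      # - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      # - "traefik.http.routers.dashboard.service=api@internal"
      # - "traefik.http.routers.dashboard.middlewares=auth"
      # - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"

      # --- HARDENED: TLS only, narrow path match, IP whitelist first, then basic auth ---
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.service=api@internal"
      # middlewares run in order: unknown source IPs are rejected before credentials are ever checked
      - "traefik.http.routers.dashboard.middlewares=admin-ips,admin-auth"
      # assumed admin ranges; in Traefik v3 the middleware is named ipallowlist instead of ipwhitelist
      - "traefik.http.middlewares.admin-ips.ipwhitelist.sourcerange=10.0.0.0/8,192.168.1.0/24"
      # hash from the original post (password "test"); generate your own with htpasswd, "$$" escapes "$" for compose
      - "traefik.http.middlewares.admin-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
```

If Traefik sits behind another proxy or load balancer, the whitelist sees that proxy's address unless `ipwhitelist.ipstrategy.depth` is set to pick the client IP out of X-Forwarded-For, so check which address the middleware actually evaluates before relying on it.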