I have a few services behind traefik routed using different subdomains. I use a wildcard subdomain at DNS and with letsencrypt for simplicity, flexibility and some security through obscurity, and I notice a few connection attempts to non-existing subdomains in the logs, which are promptly banned through crowdsec. Ideally, I would like to not only ban them but also not send them any responses so their request simply times out. I.e., have the 404 logged as usual but drop the response. Is there a way to accomplish this?
You can check middlewares (doc) and plugins (doc), but I would assume this is not possible, you don’t want Traefik to use resources for longer than necessary (I think that’s at least the approach of the developers). It kind of would provoke a DoS when more requests come in.
You could create a catchall router to a custom target to return an empty response with a custom error status code. Keeping the connection open would probably not work that way, as Traefik might time out and send that error status back.
An empty page with a custom error code is still a response - it lets port scanners know there's something there to probe. I believe a silent drop behaves the same way as if there was no service running on that IP/port.
I'm not too worried about DoS. I'm behind traefik + crowdsec and ban IPs attempting to connect to non-existing subdomains at the first attempt. Currently a scanner gets a 401 and is automatically banned. With a silent drop it would get nothing, the 401 would still be in traefik's access log and they'd get banned, so subsequent probes would be handled by my firewall.
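One way to pull the ban candidates out of traefik's access log in the way described above, as an added example that is not from the original thread: it assumes traefik's JSON access-log format with the documented ClientHost/RequestHost/RouterName fields, and the log lines, addresses and hostnames are constructed.

```python
import json
from collections import defaultdict

# Constructed sample entries in Traefik's JSON access-log format. Field names
# (ClientHost, RequestHost, OriginStatus, RouterName) are the ones Traefik
# documents for that format; the hosts and addresses are made up.
SAMPLE_LOG = """
{"ClientHost":"203.0.113.7","RequestHost":"app.example.net","RequestPath":"/","OriginStatus":200,"RouterName":"app@docker"}
{"ClientHost":"198.51.100.9","RequestHost":"admin.example.net","RequestPath":"/","OriginStatus":404,"RouterName":"-"}
{"ClientHost":"198.51.100.9","RequestHost":"wp.example.net","RequestPath":"/wp-login.php","OriginStatus":404,"RouterName":"-"}
{"ClientHost":"203.0.113.7","RequestHost":"app.example.net","RequestPath":"/missing","OriginStatus":404,"RouterName":"app@docker"}
not json at all
"""

# Hostnames that actually have a router behind the wildcard certificate (assumed).
KNOWN_HOSTS = {"app.example.net", "files.example.net"}


def parse_access_log(text):
    """Yield one dict per well-formed JSON line; skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines (e.g. startup output) are ignored
        if isinstance(entry, dict):
            yield entry


def find_subdomain_probes(text, known_hosts):
    """Map client IP -> sorted list of unknown hosts it asked for.

    A 404 returned by a real service (router matched, host known) is an
    application miss, not a probe, so only requests that matched no router
    or named a host outside the allowlist are counted.
    """
    probes = defaultdict(set)
    for entry in parse_access_log(text):
        host = entry.get("RequestHost", "").lower().rstrip(".")
        unrouted = entry.get("RouterName", "-") == "-"
        if unrouted or host not in known_hosts:
            probes[entry.get("ClientHost", "?")].add(host)
    return {ip: sorted(hosts) for ip, hosts in probes.items()}


if __name__ == "__main__":
    for ip, hosts in find_subdomain_probes(SAMPLE_LOG, KNOWN_HOSTS).items():
        print(f"ban candidate {ip}: probed {', '.join(hosts)}")
```

The 404 for /missing on app.example.net is deliberately not flagged, since it came from a configured router rather than a non-existent subdomain.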
Basically, something like this. Their intro does a good job on why.
I started experimenting with traefik when I had two apps running on docker. I liked the fact that I could leave the application ports unexposed and only see the HTTPS port when checking for listening ports on my host.
Since then I increased the number of services and started running everything on podman as rootless containers. Unfortunately I haven't figured out how to make the rootless containers see each other and am having to expose their ports instead of using traefik's docker provider and I am starting to wonder if it makes sense to use traefik if I can't fix my podman networking.
It's on my todo list. I prioritised moving everything to rootless first. I figured out how to get the containers to see the original IPs connecting to the services, but that meant saying goodbye to docker/podman-compose, running them all individually and not having them see each other without exposing ports on the host.
I read something about having the containers share the same network namespace that I need to look into, but I think this requires the containers to be running under the same user and I am actually looking into the exact opposite.
Yes, that was working perfectly with docker. With podman rootless containers I can only get X-Forward to work using slirp4netns and I have yet to find a way to get the containers to see each other like they would on a normal docker network.
That's what I mean. When you use podman rootless containers with slirp4netns and the podman socket, it breaks the discovery.
From memory, if I create a podman network without using slirp4netns, discovery works but the containers don't see past the host. X-Forward doesn't work and, e.g., whoami only gives you traefik's IP no matter where the original request comes from.
I think things have changed a bit since the last time I looked at it and I need to look at it again, but this is the reason I am currently not using a podman network and traefik's docker provider.
No issues with traefik. I had a question about silently dropping bad requests and we ended up discussing the implications of running your apps on podman rootless containers instead of docker.