I have a few services behind traefik routed using different subdomains. I use a wildcard subdomain at DNS and with letsencrypt for simplicity, flexibility and some security through obscurity, and I notice a few connection attempts to non-existing subdomains in the logs, which are promptly banned through crowdsec. Ideally, I would like to not only ban them but also not send them any responses so their request simply times out. I.e., have the 404 logged as usual but drop the response. Is there a way to accomplish this?
You can check middlewares (doc) and plugins (doc), but I would assume this is not possible, you don’t want Traefik to use resources for longer than necessary (I think that’s at least the approach of the developers). It kind of would provoke a DoS when more requests come in.
You could create a catchall router to a custom target to return an empty response with a custom error status code. Keeping the connection open would probably not work that way, as Traefik might timeout and send that error status back.
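One way to set up the catch-all router described in the reply above, as an added example that is not from the original thread or from the Traefik project: a file-provider dynamic configuration with a lowest-priority router that matches any host and forwards to a service of your own. The entry point name `websecure`, the service name `blackhole` and the responder address `127.0.0.1:9999` are assumptions; the responder itself (anything that answers every request with an empty body and a fixed status code) is not shown. The rule uses Traefik v3 `HostRegexp` syntax.

```yaml
# Traefik dynamic configuration (file provider), assumed names throughout.
http:
  routers:
    catchall:
      # Matches every host; priority 1 means any explicit Host() router
      # for a real subdomain is evaluated first and wins.
      rule: "HostRegexp(`^.+$`)"
      priority: 1
      entryPoints:
        - websecure
      # Terminate TLS with the default (wildcard) certificate so the
      # request reaches the router and shows up in the access log.
      tls: {}
      service: blackhole
  services:
    blackhole:
      loadBalancer:
        servers:
          # Assumed: a small local responder that returns an empty body
          # with a fixed status code (for example 404) for every request.
          - url: "http://127.0.0.1:9999"
```

The request is still written to Traefik's access log with the responder's status code, so a crowdsec scenario that keys on unknown hosts keeps working; what changes is only that probes get a uniform, empty answer instead of whatever the default 404 page contains. This does not hang the connection, for the reason given in the reply above.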
An empty page with a custom error code is still a response - it lets port scanners know there's something there to probe. I believe a silent drop behaves the same way as if there was no service running on that IP/port.
I'm not too worried about DoS. I'm behind traefik + crowdsec and ban IPs attempting to connect to non-existing subdomains at first attempt. Currently a scanner gets a 401 and is automatically banned. With a silent drop it would get nothing, the 401 would still be on traefik's access log and they'd get banned so subsequent probes would be handled by my firewall.
Basically, something like this. Their intro does a good job on why.
I do understand the reasoning.
AFAIK Traefik sees its role as reverse proxy, and it's doing exactly that. When you look at v3, it's built to be part of k8s (link).
As a part of the k8s infra, I would assume it can’t just let connections hang, they might be coming in from a LB module before it.
I am not sure if those features of haproxy you linked to will be available in a k8s setting.
But I am just a user, not a developer or product manager of Traefik, so this is all just guessing.
I see, thanks. It gives me a lot to think about.
I started experimenting with traefik when I had two apps running on docker. I liked the fact I could leave the application ports unexposed and only see the HTTPS port when checking for listening ports on my host.
Since then I increased the number of services and started running everything on podman as rootless containers. Unfortunately I haven't figured out how to make the rootless containers see each other and am having to expose their ports instead of using traefik's docker provider and I am starting to wonder if it makes sense to use traefik if I can't fix my podman networking.
Yeah, I am also looking for easier rootless containers, but Docker Swarm doesn’t support rootless.
K8s seems way too complicated, maybe the podman community can come up with something.
It's on my todo list. I prioritised moving everything to rootless first. I figured out how to get the containers to see the original IPs connecting to the services but that meant saying goodbye to docker/podman-compose, running them all individually and not having them seeing each other without exposing ports on the host.
I read something about having the containers share the same network namespace that I need to look into, but I think this requires the containers to be running under the same user and I am actually looking into the exact opposite.
You can create an individual Docker network for Traefik and every application, so at least apps can’t talk to each other if not explicitly set up.
To get the original IP, you usually use the http header with X-Forward (automatically added by Traefik).
Or you can use ProxyProtocol going to Traefik and going from Traefik to your application (doc).
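As an added example that is not from the original thread, here is how an application behind Traefik would consume the two mechanisms named in the reply above: the `X-Forwarded-For` header, which must only be trusted when the direct TCP peer is the proxy (otherwise any client can spoof it), and a PROXY protocol v1 header, which carries the original address at the TCP level. The trusted-proxy network `10.89.0.0/24` and all addresses in the sample inputs are constructed for this example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Tuple

# Constructed: the container network Traefik lives on, plus localhost.
# Only forwarding information that arrives from these peers is believed.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.89.0.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: str, trusted: Iterable[ipaddress._BaseNetwork]) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer: str, headers: Mapping[str, str],
              trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> str:
    """Return the originating client address for a request.

    peer is the address of the TCP connection as the application sees it.
    X-Forwarded-For is consulted only when peer is a trusted proxy; the
    chain is walked from the right, skipping trusted hops, and the first
    untrusted address is the client. If the header never arrives (the
    situation where whoami just reports Traefik's own address), peer is
    returned unchanged.
    """
    if not _is_trusted(peer, trusted):
        return peer  # a direct client; anything it claims in headers is ignored
    xff = ""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            xff = value
            break
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0]  # every hop was a trusted proxy; take the leftmost


def parse_proxy_v1(data: bytes) -> Tuple[Optional[str], Optional[int], bytes]:
    """Parse a PROXY protocol v1 header at the start of a TCP stream.

    Returns (source_ip, source_port, remaining_bytes). The UNKNOWN form
    yields (None, None, rest). Raises ValueError for anything malformed,
    which a server should treat as a reason to close the connection.
    """
    end = data.find(b"\r\n")
    # The v1 header including CRLF is at most 107 bytes per the spec.
    if not data.startswith(b"PROXY ") or end < 0 or end + 2 > 107:
        raise ValueError("not a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, proto, src, dst, sport, dport = fields
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validate only
    if (proto == "TCP4") != (src_ip.version == 4):
        raise ValueError("address family does not match protocol")
    port = int(sport)
    if not 0 <= port <= 65535 or not 0 <= int(dport) <= 65535:
        raise ValueError("port out of range")
    return str(src_ip), port, data[end + 2:]


if __name__ == "__main__":
    # Constructed sample: request arriving via Traefik on the container network.
    print(client_ip("10.89.0.5", {"X-Forwarded-For": "198.51.100.7"}))
    # Constructed sample: direct client trying to spoof the header.
    print(client_ip("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}))
    print(parse_proxy_v1(b"PROXY TCP4 203.0.113.5 10.89.0.5 51234 443\r\nGET / HTTP/1.1\r\n"))
```

The trust list is the important part: with `X-Forwarded-For`, the header is plain text that any client can set, so the application must know which peers are allowed to assert it. PROXY protocol avoids the header entirely, but the application port then only accepts connections that begin with the header, so it must not be reachable except through Traefik.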
Yes, that was working perfectly with docker. With podman rootless containers I can only get X-Forward to work using slirp4netns and I am yet to find a way to get the containers to see each other like they would do on a normal docker network.
What do you mean with "see each other"?
Traefik Configuration Discovery only works with Docker through Docker socket.
That's what I mean. When you use podman rootless containers with slirp4netns and podman socket, it breaks the discovery.
From memory, if I create a podman network without using slirp4netns, discovery works but the containers don't see past the host.
X-Forward doesn't work and, e.g., whoami only gives you traefik's IP no matter where the original request comes from.
I think things changed a bit since the last time I looked at it and need to look at it again, but this is the reason I currently am not using a podman network and traefik's docker provider.
Sorry, what is the issue?
There is no providers.docker (doc). If the podman socket is not compatible with Docker, then it won't work.
If you want a providers.podman, you can implement it and do a pull request.