traefik / traefik-helm-chart

Traefik Proxy Helm Chart
https://traefik.io
Apache License 2.0
1.08k stars 763 forks

Security concern: API/Dashboard should not be exposed on entry "web" by default #78

Closed nanmu42 closed 4 years ago

nanmu42 commented 4 years ago

Hi, Traefik API/dashboard is turned on and exposed on entry web by default, which is kind of scary, since the whole Internet may access them.

https://github.com/containous/traefik-helm-chart/blob/76cc1a80eefe0a00d17c2c5c71340cead1bad22e/traefik/templates/dashboard-hook-ingressroute.yaml#L13-L21

I propose to expose them on entry traefik to avoid bad things happening.

https://github.com/containous/traefik-helm-chart/blob/76cc1a80eefe0a00d17c2c5c71340cead1bad22e/traefik/values.yaml#L35-L45

I would like to draft a small PR if you guys consider it a good idea.

Brilliant work. I am enjoying it. Thank you.

ldez commented 4 years ago

Hello,

by default the IngressRoute for the Dashboard is disabled: https://github.com/containous/traefik-helm-chart/blob/76cc1a80eefe0a00d17c2c5c71340cead1bad22e/traefik/values.yaml#L79

This IngressRoute is just an optional helper, mainly for testing purposes, to activate the dashboard: in production, and in all cases, you have to create an IngressRoute manually to add TLS, auth, ...
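
A manually created dashboard route with TLS and authentication, as the reply above describes, could look like the following. This is an added example, not part of the original thread or the chart's own templates. The host name, namespace, resource names, secret names and the `websecure` entrypoint name are assumptions; `traefik.containo.us/v1alpha1` is the Traefik v2 CRD group, and newer releases use `traefik.io/v1alpha1`.

```yaml
# Added example: every name, the namespace and the host below are placeholders.
# The basic-auth Secret (htpasswd-format entries under the key "users") and the
# TLS Secret are assumed to be created separately and are not shown here.
apiVersion: traefik.containo.us/v1alpha1   # traefik.io/v1alpha1 on newer releases
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    secret: dashboard-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure   # TLS entrypoint rather than the plain-HTTP "web" entrypoint
  routes:
    - kind: Rule
      # Pin the route to one host so it does not match every request on the entrypoint.
      match: Host(`traefik.example.internal`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      middlewares:
        - name: dashboard-auth   # requests without valid credentials get 401
      services:
        - name: api@internal     # Traefik's built-in API/dashboard service
          kind: TraefikService
  tls:
    secretName: dashboard-tls
```

After applying it, an unauthenticated request to the dashboard host should return 401, and the dashboard paths should not be routed on the plain-HTTP entrypoint.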