
SEC: Traefik should run as non-root

Open westurner opened this issue 6 years ago • 0 comments

Traefik should not run as root. When Traefik runs as non-root, it cannot bind to 80 or 443, but you can map 80 and 443 to e.g. 8080 and 8443 with Docker (e.g. in the docker-compose.yml / production.yml).

In order to run Traefik as non-root on other ports, I had to write a redirect rule in my traefik.toml. "You should not run as root": https://github.com/containous/traefik-library-image/issues/38#issuecomment-476142425

You can specify the user as `user: uid:gid` in the docker-compose.yml, or in the Dockerfile. AFAIU, the user does not have to be added first. https://forums.docker.com/t/how-can-we-add-uid-and-gid-in-stack-file-or-compose-file/68261/3

  • https://github.com/pydanny/cookiecutter-django/blob/master/%7B%7Bcookiecutter.project_slug%7D%7D/production.yml

```yaml
services:
  traefik:
    # ...
    user: 1005:1005
```

  • https://github.com/pydanny/cookiecutter-django/blob/master/%7B%7Bcookiecutter.project_slug%7D%7D/compose/production/traefik/Dockerfile

```dockerfile
EXPOSE 8080/tcp 8443/tcp
# or, instead of USER here, set `user: uid:gid` on the service in docker-compose.yml
USER 1005:1005
```

  • https://github.com/pydanny/cookiecutter-django/blob/master/%7B%7Bcookiecutter.project_slug%7D%7D/compose/production/traefik/traefik.toml

```toml
[entryPoints]
  [entryPoints.http]
  address = ":8080"
    [entryPoints.http.redirect]
    #entryPoint = "https"
    regex = "^http://(.*):8080/(.*)"
    replacement = "https://$1/$2"

  [entryPoints.https]
  address = ":8443"
    [entryPoints.https.tls]
      #[[entryPoints.https.tls.certificates]]
      #certFile = "/certs/website.crt"
      #keyFile  = "/certs/website.key"
```

Without these default certs, when you access Traefik by IP (instead of by the configured hostname), there's a default Traefik cert that says 'traefik' in the CN.

westurner avatar Mar 25 '19 14:03 westurner
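How the pieces in the issue fit together in one compose service, as an added example that is not the cookiecutter-django project's own production.yml: the container runs as an unprivileged uid/gid and Docker remaps the privileged host ports 80/443 onto the unprivileged container ports 8080/8443 that the traefik.toml entrypoints listen on. The uid/gid 1005, the image name and the volume name are assumptions.

```yaml
# Added example, not the project's own file. Assumptions: uid/gid 1005,
# image name, volume name and the `django` dependency.
version: '3'

services:
  traefik:
    build:
      context: .
      dockerfile: ./compose/production/traefik/Dockerfile
    image: example_production_traefik   # assumed image name
    # Run without root inside the container; this is what makes binding
    # to :80/:443 inside the container impossible, hence the remap below.
    user: "1005:1005"
    ports:
      - "0.0.0.0:80:8080"    # host :80  -> container :8080 (entryPoints.http, redirects to https)
      - "0.0.0.0:443:8443"   # host :443 -> container :8443 (entryPoints.https)
    volumes:
      # Anything Traefik must write (e.g. ACME state) has to be writable by
      # uid 1005; a named volume avoids a root-owned bind mount on the host.
      - production_traefik:/etc/traefik/acme
    depends_on:
      - django

volumes:
  production_traefik: {}
```

After bringing the stack up, `docker-compose -f production.yml exec traefik id -u` should print 1005 rather than 0, and `curl -I http://<host>/` should answer with a 3xx redirect to the https URL.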