Elasticsearch in Docker: quick notes

Goals:

- single node elasticsearch
- single node kibana
- password for all accounts
- https between all components
- behind traefik
- future post: collect network logs (routers)
- future post: collect application logs (web servers, dns servers, docker)
- future post: collect application metrics
- future post: correlate with threat intelligence

Create compose file:

```yaml
version: '3'
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.16.3
    container_name: elastic_es
    restart: always
    env_file:
      - ./.env
    environment:
      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
      node.name: "es"
      discovery.type: "single-node"
      bootstrap.memory_lock: "true"
      # minimal security
      xpack.security.enabled: "true"
      # no encryption on internode communication
      xpack.security.transport.ssl.enabled: "false"
      # https traffic
      xpack.security.http.ssl.enabled: "true"
      xpack.security.http.ssl.key: "${CERTS_DIR}/es.key"
      xpack.security.http.ssl.certificate: "${CERTS_DIR}/es_chain.crt"
      xpack.security.http.ssl.certificate_authorities: "${CERTS_DIR}/ca.crt"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    networks:
      - reverseproxy
      - default
    volumes:
      - data:/usr/share/elasticsearch/data
      - certs:${CERTS_DIR}:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.elastic.rule=Host(`elasticsearch.foobar.com`)"
      - "traefik.http.routers.elastic.service=elastic"
      - "traefik.http.routers.elastic.tls=true"
      - "traefik.http.routers.elastic.tls.certresolver=le"
      - "traefik.http.routers.elastic.entrypoints=websecure"
      - "traefik.http.services.elastic.loadbalancer.server.port=9200"
      - "traefik.http.services.elastic.loadbalancer.server.scheme=https"
      - "traefik.http.services.elastic.loadbalancer.serversTransport=elastic"
      - "traefik.http.serversTransports.elastic.serverName=es"
      # traefik does not verify the backend certificate presented by es
      - "traefik.http.serversTransports.elastic.insecureSkipVerify=true"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 4000M
    memswap_limit: 4000M
  kibana:
    image: docker.elastic.co/kibana/kibana:7.16.3
    container_name: elastic_kibana
    restart: always
    depends_on:
      - es
    env_file:
      - ./.env
      - ./.env.kibana
    environment:
      - ELASTICSEARCH_URL="https://es:9200"
      - ELASTICSEARCH_HOSTS=["https://es:9200"]
      # minimal security: defined in environment files
      # kibana has to trust elasticsearch certificate
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES="${CERTS_DIR}/ca.crt"
      # https traffic between other components and kibana
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_KEY=${CERTS_DIR}/kibana.key
      - SERVER_SSL_CERTIFICATE=${CERTS_DIR}/kibana_chain.crt
      - SERVER_PUBLICBASEURL=https://kibana.foobar.com
    networks:
      - reverseproxy
      - default
    volumes:
      - certs:${CERTS_DIR}:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kibana.rule=Host(`kibana.foobar.com`)"
      - "traefik.http.routers.kibana.service=kibana"
      - "traefik.http.routers.kibana.tls=true"
      - "traefik.http.routers.kibana.tls.certresolver=le"
      - "traefik.http.routers.kibana.entrypoints=websecure"
      - "traefik.http.services.kibana.loadbalancer.server.port=5601"
      - "traefik.http.services.kibana.loadbalancer.server.scheme=https"
      - "traefik.http.services.kibana.loadbalancer.serversTransport=kibana"
      - "traefik.http.serversTransports.kibana.serverName=kibana"
      # traefik does not verify the backend certificate presented by kibana
      - "traefik.http.serversTransports.kibana.insecureSkipVerify=true"
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 4000M
    memswap_limit: 4000M
volumes:
  data:
  certs:
    name: elastic_certs
    external: true
networks:
  reverseproxy:
    external: true
```

Create a file named .env with the following content: ...

January 23, 2022 · 3 min

Traefik reverse-proxy with ModSecurity

Traefik itself does not include WAF capabilities. If you want to add this capability, you can replace Traefik with Apache httpd or nginx coupled with ModSecurity; however, you then lose the autoconfiguration of Traefik. Fortunately, Alexis Couvreur has developed a ModSecurity plugin for Traefik that forwards requests received by Traefik to another webserver (running ModSecurity) before actually forwarding them to the application server. If the ModSecurity webserver returns a code > 400, Traefik rejects the request; otherwise it forwards it to the application server. ...

January 22, 2022 · 4 min