Security Considerations


When using Traefik as proxy there are some security considerations as mentioned here.

Using the workarounds, e.g.

  • Accounting at networking level (proxy_backend network)
  • Accounting at container level ("socket exposer" container)

This will separating the control plane ("socket exposer" container with own network) from the data plane (proxy_backend network) as would it be the case when using TraefikEE as well?

Or is there any benefit from using TraefikEE (beside the support)?

Hi x-jokay,
This is Adrien from Containous.
Traefik EE has these main features on top of Traefik :

  • Clustering/ High Availability
  • Scalability:
    • Ability to automatically spin up new data nodes and spin down when needed.
    • Less pressure on k8s (or Swarm) API as only 1 TraefikEE instance watches it at a time (instead of all OSS instances)
  • Security:
    • Isolation between Data nodes (that handles the traffic) and the Control nodes (store the configuration).
    • Encrypted Data (including sensitive data as certificates) on each node
  • TraefikEE Cuddle
    • Quick deployment with 1 line of code for all orchestrators through the CLI
    • Lean management: switch from staging to production cluster with 1 flag, ensuring the same configuration everywhere
    • Easier Static Configuration management: new static configuration is deployed node per node, no traffic lost
  • Distributed Let’s Encrypt : able to share the Let’s Encrypt certificates to all the Data nodes
  • Support

happy to continue the discussion /