Security: Able to access to acme private key from get http API request #3651

Closed
ltupin opened this issue Jul 20, 2018 · 2 comments

Labels: area/acme, kind/bug/confirmed (a confirmed bug, reproducible), priority/P1 (needs to be fixed in the next release), status/5-frozen-due-to-age
ltupin commented Jul 20, 2018

Do you want to request a feature or report a bug?

Bug

What did you do?

Requesting the API simply through the dashboard URL with /api shows me the content of the acme.json Let's Encrypt file (the private key):
https://monitor.company.com/api

What did you expect to see?

Nothing or at least not my acme private key.

What did you see instead?

My private key

Output of traefik version: (What version of Traefik are you using?)

```
Version:      v1.6.5
Codename:     tetedemoine
Go version:   go1.10.3
Built:        2018-07-10_03:54:03PM
OS/Arch:      linux/amd64
```

What is your environment & configuration (arguments, toml, provider, platform, ...)?

traefik.toml:

```toml
logLevel = "ERROR"

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.monitor]
  address = ":8080"
    [entryPoints.monitor.auth.basic]
    users = ["admin:$apr1$HKRfdjhghdfnhldgmkfjldfVaxtUrScmKc."]

[acme]
email = "email@company.com"
  storage = "acme.json"
  entryPoint = "https"
  main = "*.company.com"
  sans = ["monitor.company.com", "frontend.company.com", "backend.company.com"]
  onHostRule = true
  [acme.httpChallenge]
    entryPoint = "http"

# Enable Docker configuration backend
[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "company.com"
  watch = true
  exposedbydefault = false

[api]
entrypoint="monitor"
```

docker-compose file:

```yaml
version: "3"

networks:
  traefik-proxy:
    external: true
  internal:
    external: false

services:
  traefik-ui:
    image: traefik:tetedemoine-alpine
    container_name: monitor
    command: --docker
    labels:
      - traefik.backend=monitor
      - traefik.enable=true
      - traefik.frontend.rule=Host:monitor.company.com
      - traefik.docker.network=traefik-proxy
      - traefik.port=8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.toml:/traefik.toml
      - ./acme.json:/acme.json
    ports:
      - "80:80"
      - "8080:8080" # The Web UI (enabled by --api)
      - "443:443"
    networks:
      - internal
      - traefik-proxy

  frontend:
    build: ./frontend
    image: frontend:latest
    container_name: frontend
    command: gunicorn --bind 0.0.0.0 wsgi:app
    labels:
      - traefik.backend=frontend
      - traefik.frontend.rule=Host:frontend.company.com
      - traefik.docker.network=traefik-proxy
      - traefik.port=8000
    networks:
      - internal
      - traefik-proxy

  backend:
    build: ./backend
    image: backend:latest
    container_name: backend
    command: gunicorn --bind 0.0.0.0 wsgi:app
    labels:
      - traefik.backend=backend
      - traefik.frontend.rule=Host:backend.company.com
      - traefik.docker.network=traefik-proxy
      - traefik.port=8000
    networks:
      - internal
      - traefik-proxy
```
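Once a fixed release is deployed, the check a practitioner wants is whether the dashboard API still returns key material. The scanner below is an added example, not code from the Traefik project or from this issue's reporter. It walks whatever JSON the /api endpoint returns and flags four things: PEM private-key armor, base64 that unwraps to PEM private-key armor (Go's encoding/json base64-encodes byte fields), base64 DER whose ASN.1 layout matches a private key (a SEQUENCE whose first element is an INTEGER version, which is how PKCS#1, PKCS#8 and SEC1 keys differ from certificates, CSRs and public keys, all of which open with a nested SEQUENCE), and large high-entropy base64 blobs. The sample responses, their `acme`/`Account`/`PrivateKey`/`Certificates[].Key` shape and the placeholder key bytes are constructed assumptions; the real v1.6.5 /api output may be shaped differently, which is why the scanner does not rely on fixed paths.

```python
# Added example for issue #3651; not Traefik code.  Scans an API response
# (constructed samples below) for leaked private-key material.
import base64
import binascii
import json
import math
import re

# PEM armor for any private key type (RSA, EC, DSA, PKCS#8).
PEM_PRIVATE_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# JSON member names that conventionally hold key material.
KEY_NAME_RE = re.compile(r"^(?:private_?key|key)$", re.IGNORECASE)
MIN_B64_LEN = 256        # shorter base64 is a token or hash, not a key
ENTROPY_THRESHOLD = 4.5  # bits/char; base64 of random bytes scores about 5.9


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def der_first_inner_tag(raw: bytes):
    """Tag of the first element inside a DER SEQUENCE, or None if raw is not one.

    Private keys start SEQUENCE { INTEGER version, ... } (tag 0x02); certificates,
    CSRs and SubjectPublicKeyInfo start SEQUENCE { SEQUENCE ... } (tag 0x30).
    """
    if len(raw) < 4 or raw[0] != 0x30:
        return None
    header = 2
    if raw[1] & 0x80:                 # long-form length: raw[1] & 0x7f more bytes
        header += raw[1] & 0x7F
    return raw[header] if header < len(raw) else None


def classify_b64(value: str):
    """Reason string if a base64 value hides key material, else None."""
    if len(value) < MIN_B64_LEN:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="ignore")
    if "-----BEGIN" in text:          # base64-wrapped PEM, as Go emits for []byte
        return "base64-wrapped PEM private key" if PEM_PRIVATE_RE.search(text) else None
    if der_first_inner_tag(raw) == 0x02:
        return "base64 DER with private-key layout (SEQUENCE { INTEGER ... })"
    if shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "large high-entropy base64 blob"
    return None


def find_key_material(node, path="$"):
    """Yield (json_path, reason) for every value that looks like a private key."""
    if isinstance(node, dict):
        for name, child in node.items():
            child_path = f"{path}.{name}"
            if KEY_NAME_RE.match(name) and isinstance(child, str) and child:
                yield child_path, f"member named {name!r}"
            yield from find_key_material(child, child_path)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_key_material(child, f"{path}[{i}]")
    elif isinstance(node, str):
        if PEM_PRIVATE_RE.search(node):
            yield path, "PEM private key block"
        else:
            reason = classify_b64(node)
            if reason:
                yield path, reason


def scan_response(body: str) -> dict:
    """Return {json_path: [reasons]} for every suspect value in an API response."""
    findings = {}
    for json_path, reason in find_key_material(json.loads(body)):
        findings.setdefault(json_path, []).append(reason)
    return findings


# Constructed samples.  FAKE_DER_KEY has a private-key-shaped DER header
# (SEQUENCE of 259 bytes, INTEGER 0) over placeholder bytes; it is not a real key.
FAKE_DER_KEY = b"\x30\x82\x01\x03\x02\x01\x00" + bytes(range(256))
SAMPLE_LEAKING = json.dumps({
    "acme": {
        "Account": {"Email": "email@company.com",
                    "PrivateKey": base64.b64encode(FAKE_DER_KEY).decode()},
        "Certificates": [{
            "Domain": {"Main": "*.company.com", "SANs": ["monitor.company.com"]},
            "Certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
            "Key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
        }],
    },
    "docker": {"endpoint": "unix:///var/run/docker.sock", "domain": "company.com"},
})
SAMPLE_CLEAN = json.dumps({
    "acme": {"email": "email@company.com", "storage": "acme.json", "main": "*.company.com"},
    "docker": {"endpoint": "unix:///var/run/docker.sock"},
})

if __name__ == "__main__":
    # Feed the saved output of the live endpoint here instead of SAMPLE_LEAKING.
    for json_path, reasons in scan_response(SAMPLE_LEAKING).items():
        print(json_path, "->", "; ".join(reasons))
```

To run it against the live dashboard, save the response with `curl -u admin https://monitor.company.com/api > api.json` and pass the file contents to `scan_response`. Any finding under the acme subtree means the leak reported here is still present. If the key was ever served this way, treat the ACME account key in acme.json as compromised and rotate it together with the certificates, since anyone holding the dashboard's basic-auth credentials could have read it.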
@ldez ldez added the area/acme label Jul 21, 2018
@juliens juliens added the kind/bug/confirmed (a confirmed bug, reproducible), priority/P2 (needs to be fixed in the future) and priority/P1 (needs to be fixed in the next release) labels and removed the status/0-needs-triage and priority/P2 labels Jul 23, 2018
@traefiker (Contributor) commented:

Closed by #3665.

@traefiker (Contributor) commented:

Closed by #3788.

@traefiker traefiker modified the milestones: 1.7, 1.6 Aug 20, 2018
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019