moarepo/DockerProductionConfig

Infrastructure Stack – PMS & CIS with Traefik Reverse Proxy

This Docker Compose stack deploys:

  • Project Registry System (PMS)
  • Computer Inventory System (CIS)
  • A centralized Traefik v3 reverse proxy
  • A secured Docker Socket Proxy
  • Separate PostgreSQL databases for each system
  • Network isolation between systems

The architecture is designed for segmented networking, restricted Docker API access, and host-local reverse proxy exposure.

Architecture Overview

Reverse Proxy Layer

1. Traefik v3

Traefik is an open-source HTTP reverse proxy and load balancer designed for cloud-native and containerized environments. Here it discovers the backend containers through the Docker provider and routes requests to them based on container labels.

  • Image: traefik:v3.0
  • EntryPoint: 81
  • Exposed only on: 127.0.0.1:81

Traefik configuration

  • Uses the Docker provider, reached through the Docker Socket Proxy rather than a mounted /var/run/docker.sock
  • Does NOT expose containers by default (exposedByDefault=false); only containers carrying traefik.enable=true get a router
  • Uses label-based routing
  • Does not expose the dashboard
  • Logging level: ERROR
  • Access log disabled

2. Docker Socket Proxy (Security Layer)

Image: tecnativa/docker-socket-proxy

Purpose:

  • Prevents Traefik from having full access to the Docker daemon.
  • Blocks all write operations (POST is disabled).
  • Allows read access only to:
    • Containers
    • Networks
    • Services
  • Swarm, Nodes and Tasks endpoints are disabled.

This reduces the attack surface significantly: an unrestricted Docker socket is equivalent to root on the host (anyone who can POST to it can start a privileged container with the host filesystem mounted), whereas a compromised Traefik behind this proxy can only list containers, networks and services.
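The reverse-proxy layer described above, written out as an added example compose fragment (not the repository's own file). Image tags, the entry point port, the 127.0.0.1 binding and the network names are taken from this README; the service names, the `restart` policy and marking socket_net as `internal` are assumptions.

```yaml
# Added example, not the repository's compose file: Traefik v3 reading the
# Docker API only through tecnativa/docker-socket-proxy. The proxy is the
# sole container that mounts the host socket, and it mounts it read-only.
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: docker-socket-proxy      # assumption
    environment:
      CONTAINERS: 1     # GET /containers/*  (label discovery)
      NETWORKS: 1       # GET /networks/*
      SERVICES: 1       # GET /services/*
      SWARM: 0
      NODES: 0
      TASKS: 0
      POST: 0           # refuse every write operation
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket_net      # no "ports:" -> reachable only from socket_net
    restart: unless-stopped

  traefik:
    image: traefik:v3.0
    container_name: traefik                  # assumption
    command:
      - --providers.docker=true
      # talk to the proxy over TCP instead of mounting the socket
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:81
      - --api.dashboard=false
      - --log.level=ERROR
      # access log stays off because --accesslog is never set
    ports:
      - "127.0.0.1:81:81"   # host-local only; the upstream proxy fronts it
    networks:
      - socket_net
      # Traefik must also join each application network to reach upstreams
      - app_net
      - computer_invertory_network
    depends_on:
      - docker-socket-proxy
    restart: unless-stopped

networks:
  socket_net:
    internal: true    # assumption: nothing on this network gets egress
  app_net:
  computer_invertory_network:
```

Note what is absent: the traefik service has no `/var/run/docker.sock` mount at all, so even a full compromise of the Traefik process yields only read-only listing rights through the proxy. A quick check after deployment is `docker inspect traefik --format '{{json .Mounts}}'`, which should show no socket bind.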


Network Segmentation

Three isolated bridge networks are used:

  Network                      Purpose
  socket_net                   Communication between Traefik and the Docker Socket Proxy
  app_net                      PMS services
  computer_invertory_network   CIS services

Project Registry System (PMS)

Services

Database

  • Image: postgres:15-alpine
  • Container: db_pms
  • Volume: db_pms_vol_1
  • Network: app_net

Environment Variables:

  • PMS_DB_USER
  • PMS_DB_PASSWORD

Backend API

  • Image: ictdev2025/prs-backend:1.0.46
  • Container: pms_backendapi
  • Internal Port: 8000
  • Network: app_net

Environment:

  • DB connection via db-pms
  • JWT configuration
  • Origin validation
  • Token expiration: 65 minutes

Traefik Routing:

  • Host: projectregistry.moa.gov.jm
  • Path Prefix: /api
  • Prefix stripped before forwarding
  • Routes to port 8000


Frontend

  • Image: ictdev2025/prs-frontend:2.0.2
  • Container: pms_frontend
  • Internal Port: 80
  • Network: app_net
  • Traefik Routing:
    • Host: projectregistry.moa.gov.jm
    • Routes to port 80

Computer Inventory System (CIS)

Services

Database

  • Image: postgres:16-alpine
  • Container: computer_inventory_db
  • Volume: com_inven_vol
  • Network: computer_invertory_network

Environment Variables:

  • CIS_DB_USER
  • CIS_DB_PASSWORD

Backend API

  • Image: ictdev2025/computerinventorybackend:1.0.5
  • Container: computer_inventory_backend_api
  • Internal Port: 8000
  • Network: computer_invertory_network

Environment:

  • DB connection via db-cis
  • JWT configuration
  • Default login credentials
  • Token expiration: 30 minutes

Traefik Routing:

  • Host: computer-inventory.moa.gov.jm
  • Path Prefix: /cinv-api
  • Prefix stripped before forwarding
  • Routes to port 8000
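The PMS and CIS service definitions and their Traefik routing labels, as an added example (not the repository's compose file) that covers both application sections above. Image tags, container, network and volume names, hosts, path prefixes and ports are the README's; the environment variable names handed to the images, the `restart` policy and the router/middleware names are assumptions.

```yaml
# Added example (not the repository's compose file): per-application
# services wired to the Traefik instance from the reverse-proxy layer.
# PMS is shown in full; CIS mirrors it on its own network, and its
# database (postgres:16-alpine, volume com_inven_vol) is defined like db_pms.
services:
  db_pms:
    image: postgres:15-alpine
    container_name: db_pms
    environment:
      POSTGRES_USER: ${PMS_DB_USER}
      POSTGRES_PASSWORD: ${PMS_DB_PASSWORD}
    volumes:
      - db_pms_vol_1:/var/lib/postgresql/data
    networks:
      - app_net            # no "ports:" -> reachable only from app_net
    deploy:
      resources:
        limits:
          cpus: "0.75"
          memory: 512M
    restart: unless-stopped

  pms_backendapi:
    image: ictdev2025/prs-backend:1.0.46
    container_name: pms_backendapi
    environment:           # assumption: the names the image expects
      DATABASE_URL: ${PMS_DB_URL}
      SECRET_KEY: ${PMS_SECRET_KEY}
      ALGORITHM: ${ALGORITHM}
      ORIGIN_URL: ${PMS_URL}
    networks:
      - app_net
    labels:
      traefik.enable: "true"
      # Host && PathPrefix is a longer rule than the frontend's bare Host,
      # so Traefik ranks it higher and /api/* reaches the backend first.
      traefik.http.routers.pms-api.rule: "Host(`projectregistry.moa.gov.jm`) && PathPrefix(`/api`)"
      traefik.http.routers.pms-api.entrypoints: web
      traefik.http.routers.pms-api.middlewares: pms-strip
      traefik.http.middlewares.pms-strip.stripprefix.prefixes: /api
      traefik.http.services.pms-api.loadbalancer.server.port: "8000"
    depends_on:
      - db_pms
    restart: unless-stopped

  pms_frontend:
    image: ictdev2025/prs-frontend:2.0.2
    container_name: pms_frontend
    networks:
      - app_net
    labels:
      traefik.enable: "true"
      traefik.http.routers.pms-web.rule: "Host(`projectregistry.moa.gov.jm`)"
      traefik.http.routers.pms-web.entrypoints: web
      traefik.http.services.pms-web.loadbalancer.server.port: "80"
    restart: unless-stopped

  computer_inventory_backend_api:
    image: ictdev2025/computerinventorybackend:1.0.5
    container_name: computer_inventory_backend_api
    environment:           # assumption: the names the image expects
      DATABASE_URL: ${CIS_DATABASE_URL}
      SECRET_KEY: ${CIS_SECRET_KEY}
      DEFAULT_USERNAME: ${CIS_DEFAULT_USERNAME}
      DEFAULT_PASSWORD: ${CIS_DEFAULT_PASSWORD}
      ORIGIN_URL: ${CIS_ORGIN_URL}
    networks:
      - computer_invertory_network   # never app_net: PMS and CIS cannot see each other
    labels:
      traefik.enable: "true"
      traefik.http.routers.cis-api.rule: "Host(`computer-inventory.moa.gov.jm`) && PathPrefix(`/cinv-api`)"
      traefik.http.routers.cis-api.entrypoints: web
      traefik.http.routers.cis-api.middlewares: cis-strip
      traefik.http.middlewares.cis-strip.stripprefix.prefixes: /cinv-api
      traefik.http.services.cis-api.loadbalancer.server.port: "8000"
    restart: unless-stopped

volumes:
  db_pms_vol_1:

networks:
  app_net:
  computer_invertory_network:
```

Each application container is handed only its own variables rather than the whole .env through `env_file`, so a CIS container never sees PMS_SECRET_KEY and vice versa. The Traefik service must itself be attached to app_net and computer_invertory_network, or it will discover the containers via the socket proxy but be unable to reach them.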


Port Exposure Model

Only one port is published on the host:

    127.0.0.1:81 → Traefik:81

This implies:

  • A higher-level reverse proxy (e.g., Nginx, Apache, Plesk) must handle:
    • Public HTTPS termination
    • Forwarding to http://127.0.0.1:81
    • Preserving the original Host header on the forwarded request (for Nginx, proxy_set_header Host $host); Traefik's Host() rules match on that header, so a proxy that rewrites it to 127.0.0.1 will get a 404 from Traefik for every request.
  • Traefik is not directly exposed to the internet, and traffic between the upstream proxy and Traefik is plain HTTP on the loopback interface only.


Required Environment Variables

Create a .env file in the same directory as the compose file. It holds database passwords and JWT secret keys, so keep it out of version control and readable only by the deploying user (for example chmod 600 .env).

PMS Variables

    PMS_DB_USER=
    PMS_DB_PASSWORD=
    PMS_DB_URL=
    PMS_SECRET_KEY=
    PMS_URL=
    ALGORITHM=

CIS Variables

    CIS_DB_USER=
    CIS_DB_PASSWORD=
    CIS_DATABASE_URL=
    CIS_SECRET_KEY=
    CIS_DEFAULT_USERNAME=
    CIS_DEFAULT_PASSWORD=
    CIS_ORGIN_URL=

Persistent Storage

  Volume          Purpose
  db_pms_vol_1    PMS PostgreSQL data
  com_inven_vol   CIS PostgreSQL data

These named volumes persist database data across container restarts and recreations; they are removed only by an explicit docker compose down -v or docker volume rm.

Deployment

Start Stack

    docker compose up -d

Stop Stack

    docker compose down

View Logs

    docker compose logs -f

Security Considerations

  • Docker socket access is proxied and restricted to read-only listing of containers, networks and services.
  • Traefik does not expose its dashboard.
  • Containers are not exposed by default; only services labelled traefik.enable=true receive a router.
  • Separate bridge networks isolate the systems: PMS and CIS containers cannot reach each other.
  • Databases publish no host ports and are reachable only from their own application network.
  • Traefik binds only to localhost (127.0.0.1:81).


DNS Requirements

The following DNS records must point to the server:

  • projectregistry.moa.gov.jm

  • computer-inventory.moa.gov.jm

Upstream reverse proxy must forward traffic to:

  http://127.0.0.1:81

Resource Constraints

Database containers are limited to:

  • 0.75 CPU
  • 512 MB RAM

This prevents one database from starving the other containers on the host of resources.

Summary

This stack provides:

  • Multi-application hosting on a single Traefik instance

  • Network isolation per application

  • Hardened Docker API access

  • Clean separation between PMS and CIS

  • Reverse-proxy-driven routing

  • Database persistence

The design emphasizes security, isolation, and production stability.
