
Traefik Mesh


Traefik Mesh is the ingress and internal routing layer for the production service cluster. It handles TLS termination, per-service rate limiting, and request authentication via a forward-auth middleware chain backed by Keycloak.

Ingress Configuration

All services are declared via Docker labels, making the routing configuration live alongside the service definition in the compose stack:

deploy:
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.api.rule=Host(`api.example.com`)"
    - "traefik.http.routers.api.tls.certresolver=letsencrypt"
    - "traefik.http.middlewares.auth.forwardauth.address=http://auth-service/verify"
    - "traefik.http.routers.api.middlewares=auth@docker"

Zero-Trust Auth Layer

Every service route passes through the forward-auth middleware. The auth service validates JWTs issued by Keycloak and returns a 401 for unauthenticated requests before traffic ever reaches the upstream service.
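To make the forward-auth contract concrete, here is an added example (not the page's own auth service) of a minimal /verify endpoint: it answers 200 with the token subject when the bearer JWT's signature and expiry check out, and 401 otherwise, which is the response Traefik relays to the client instead of forwarding the request. It assumes an HS256 shared secret as a stand-in for Keycloak's RS256 signing keys, and the /verify path and X-Forwarded-User header name are assumptions.

```python
import base64, hashlib, hmac, json, time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shared HMAC key, constructed for this example. Keycloak actually issues RS256 tokens,
# so a real verifier checks the RSA signature against Keycloak's published JWKS instead.
SECRET = b"example-shared-secret"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()  # JWT segments are unpadded base64url

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(sub: str, exp: int) -> str:
    """Mint an HS256 JWT so the decision logic can be exercised offline (stands in for Keycloak)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    signing = header + "." + _b64(json.dumps({"sub": sub, "exp": exp}).encode())
    return signing + "." + _b64(hmac.new(SECRET, signing.encode(), hashlib.sha256).digest())

def authorize(auth_header: str, now: int) -> tuple[int, str]:
    """Return (200, subject) when the bearer token verifies, else (401, "")."""
    parts = auth_header[len("Bearer "):].split(".")
    if not auth_header.startswith("Bearer ") or len(parts) != 3:
        return 401, ""
    try:
        expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(parts[2]), expected):  # the alg header is ignored; only HS256 counts
            return 401, ""
        claims = json.loads(_unb64(parts[1]))  # claims are read only after the signature passed
        sub, exp = claims["sub"], claims["exp"]
    except (ValueError, KeyError, TypeError):  # bad base64url, non-JSON payload, or missing claims
        return 401, ""
    if not isinstance(sub, str) or not sub or not isinstance(exp, int) or exp <= now:
        return 401, ""
    return 200, sub

class VerifyHandler(BaseHTTPRequestHandler):  # Traefik sends a GET carrying the original request's headers
    def do_GET(self) -> None:
        status, user = authorize(self.headers.get("Authorization", ""), int(time.time()))
        self.send_response(status)
        if user:
            self.send_header("X-Forwarded-User", user)  # copied upstream only if listed in authResponseHeaders
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("", 8080), VerifyHandler).serve_forever()
```

For Traefik to pass X-Forwarded-User on to the upstream service, the middleware also needs a `traefik.http.middlewares.auth.forwardauth.authResponseHeaders=X-Forwarded-User` label, which the label set above does not include.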

Status

Handling ~15k requests per minute in steady state. Rate limiting has successfully throttled three separate credential-stuffing attempts without any manual intervention. Auto-renewing Let's Encrypt certificates across 8 domains.