5005a4980a
- Bind Loki to 127.0.0.1:3100 instead of 0.0.0.0:3100 to prevent external access - Add Traefik labels for secure HTTPS access with Authentik authentication - Bind Blackbox Exporter to 127.0.0.1:9115 instead of 0.0.0.0:9115 - Add Traefik labels for secure monitoring dashboard access - Enable Authentik middleware for Portainer (was disabled temporarily) - Services are now only accessible through Traefik reverse proxy with HTTPS and SSO Fixes critical security issues: - Prevents direct access to monitoring services (CVSS 9.8-9.1) - Eliminates log file exposure through public Loki port - Restricts infrastructure reconnaissance via Blackbox exporter - Enforces authentication for critical management tools 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| docker-compose.yml | ||
| loki-config.yaml | ||
| promtail-config.yaml | ||