
Using Traefik Log4Shell Plugin to Mitigate the Log4J Vulnerability

This article explains how to deploy Traefik's Log4Shell plugin, a middleware that mitigates the Log4J (CVE-2021-44228) vulnerability, by configuring it via Pilot token, static files, Kubernetes CRDs, Ingress annotations, or Docker labels, with example code snippets for each method.

DevOps Cloud Academy

Traefik's middleware system is one of its most appreciated features. To extend middleware capabilities, Traefik offers the Pilot SaaS service, which integrates deeply with Traefik and allows users to enable a variety of middleware directly from the Dashboard.

The Log4Shell plugin ( https://github.com/traefik/plugin-log4shell ) addresses the widely publicized Log4J vulnerability (CVE-2021-44228). It requires Traefik version 2.5.5 or newer.

Enabling the plugin is straightforward. First, declare it in the static configuration, either as Traefik startup parameters:

--pilot.token=xxx  # token obtained from Pilot registration
--experimental.plugins.log4shell.modulename=github.com/traefik/plugin-log4shell
--experimental.plugins.log4shell.version=v0.1.2

Alternatively, you can configure it in a YAML file:

pilot:
  token: xxx  # token obtained from Pilot registration

experimental:
  plugins:
    log4shell:
      modulename: github.com/traefik/plugin-log4shell
      version: v0.1.2

To use the Log4Shell plugin, you first need to create a middleware resource from it; the static configuration only loads the plugin, it does not apply it to any route. In a Kubernetes environment, the following manifest defines the middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: log4shell-foo
spec:
  plugin:
    log4shell:
      errorCode: 200  # HTTP status returned to a request the plugin blocks

Then, associate this middleware with an IngressRoute to apply the mitigation to that route:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`whoami.localhost`)
      middlewares:
        - name: log4shell-foo
      services:
        - kind: Service
          name: whoami-svc
          port: 80

If you are using the default Ingress resource, configure the middleware via annotations. The reference has the form `<namespace>-<middleware name>@kubernetescrd`; here the Middleware lives in the default namespace:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-log4shell-foo@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: whoami.localhost
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
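A mitigation is only as good as its coverage, so an added audit script follows (written for this article, not code from the article or the Traefik project). It reads the JSON that `kubectl get ingressroute,ingress -A -o json` prints and lists every route that does not reference the middleware; it assumes a Middleware named log4shell-foo in the default namespace as in the manifests above, and runs here against a constructed sample:

```python
"""List Traefik routes that do not yet carry the log4shell middleware."""
import json
import sys

MIDDLEWARE = "log4shell-foo"   # name from the Middleware manifest above
MW_NAMESPACE = "default"       # assumption: the Middleware lives in 'default'
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"


def unprotected_routes(kube_list: dict, middleware: str = MIDDLEWARE,
                       mw_namespace: str = MW_NAMESPACE) -> list[str]:
    """Return '<kind>/<namespace>/<name>[:<match>]' for each unprotected route."""
    missing = []
    for item in kube_list.get("items", []):
        kind = item["kind"]
        ns = item["metadata"].get("namespace", "default")
        name = item["metadata"]["name"]
        if kind == "IngressRoute":
            # Each route inside the CRD carries its own middleware list.
            for route in item["spec"].get("routes", []):
                names = {m["name"] for m in route.get("middlewares", [])}
                if middleware not in names:
                    missing.append(f"IngressRoute/{ns}/{name}:{route['match']}")
        elif kind == "Ingress":
            # Plain Ingress references middlewares in a comma-separated
            # annotation, each entry as '<namespace>-<name>@kubernetescrd'.
            raw = item["metadata"].get("annotations", {}).get(ANNOTATION, "")
            refs = {r.strip() for r in raw.split(",") if r.strip()}
            if f"{mw_namespace}-{middleware}@kubernetescrd" not in refs:
                missing.append(f"Ingress/{ns}/{name}")
    return missing


# Constructed sample in the shape of `kubectl get ingressroute,ingress -A -o json`.
SAMPLE = {"items": [
    {"kind": "IngressRoute", "metadata": {"name": "whoami", "namespace": "default"},
     "spec": {"routes": [
         {"match": "Host(`whoami.localhost`)", "middlewares": [{"name": "log4shell-foo"}]},
         {"match": "Host(`admin.localhost`)"}]}},
    {"kind": "Ingress", "metadata": {"name": "myingress", "namespace": "default",
     "annotations": {ANNOTATION: "default-log4shell-foo@kubernetescrd"}}},
    {"kind": "Ingress", "metadata": {"name": "legacy", "namespace": "default"}},
]}

if __name__ == "__main__":
    # Pipe real kubectl output in, or run without input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for entry in unprotected_routes(data):
        print("unprotected:", entry)
```

Against the sample it reports the admin route of the IngressRoute and the legacy Ingress, which are the two routes the plugin does not cover.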

When running Traefik in a Docker environment, the same middleware can be configured using labels in a Docker Compose file:

version: '3.7'

services:
  whoami:
    image: traefik/whoami:v1.7.1
    labels:
      traefik.enable: 'true'
      traefik.http.routers.app.rule: Host(`whoami.localhost`)
      traefik.http.routers.app.entrypoints: websecure
      traefik.http.routers.app.middlewares: log4shell-foo
      # label values must be strings, so the status code is quoted
      traefik.http.middlewares.log4shell-foo.plugin.log4shell.errorcode: '200'