How to use STS headers with Traefik when using Docker

This is an issue I have been fighting with for days, but I could not find any help on stackoverflow, not even close to it. I hope to help people with similar issues in the future. Any elaboration on this question/answer is very much welcome.

I have been trying to set STS-headers to http-requests when using Traefik as a proxy in a Docker environment. Somehow, no matter how I try to set the headers, my browser (Google Chrome) ignores them. What am I doing wrong?



Solution 1:[1]

I have been fighting with HSTS headers in Traefik for multiple days, when I learned something important about HSTS:

Your browser will ignore any STS headers when the certificate you are using is considered not trustworthy/safe by your browser. You can verify this (in Chrome) with the security tab in the developer tools.

For HSTS (HTTP Strict Transport Security) to work, I had to solve the next few things in my particular scenario:

  • The certificate I was using for development was self-signed and installed onto my machine. But because it was self-signed, it was not put in the "Trusted Root Certification Authorities" directory. My browser complained that it could not find my certificate in that directory, so I had to put it there; otherwise the browser will still consider the certificate unsafe. Note that this was only meant for development purposes; official certificates were on the way.

  • At first I created my certificate, putting my domain in the CN (Common Name) section. Nowadays, browsers kind of ignore that section and look for SANs (Subject Alternative Names). I had to create a new certificate with my domain in that section.

Those two things were what I missed; after solving those, my STS headers (used in docker-compose service labels) were working. The labels (Traefik v1.7) look as follows:

my_service:
    deploy:
      labels:
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.STSSeconds=31536000"

Hope it helps anybody.

Solution 2:[2]

For Traefik v2 the labels look like this:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.service.rule=Host(`service.com`)"
      - "traefik.http.middlewares.servicests.headers.stsincludesubdomains=false"
      - "traefik.http.middlewares.servicests.headers.stspreload=true"
      - "traefik.http.middlewares.servicests.headers.stsseconds=31536000"
      - "traefik.http.middlewares.servicests.headers.isdevelopment=false"
      - "traefik.http.routers.service.middlewares=servicests"

I recommend you replace the word service with the name of your service.
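The following is an added example, not code from either answer or from the Traefik project. It takes label lists in the shape shown in Solution 1 (v1.7, `traefik.frontend.headers.STS*`) and Solution 2 (v2, `traefik.http.middlewares.<name>.headers.sts*`), renders the standard `Strict-Transport-Security` value those settings describe (RFC 6797 syntax), and then checks that value the way you would before enabling it on a real host. The only facts assumed beyond the page are the RFC 6797 directive names and the hstspreload.org submission requirements (`includeSubDomains` present and `max-age` of at least one year); the sample labels are constructed copies of the ones above, and the function names are mine.

```python
"""Render and sanity-check an HSTS header from Traefik STS labels.

Added example, not part of the original Q&A. Label names follow the two
answers above; function names and the checks are this example's own.
"""
import re

# Constructed sample labels, copied in shape from the two answers.
V1_LABELS = [
    "traefik.frontend.headers.STSPreload=true",
    "traefik.frontend.headers.STSSeconds=31536000",
]
V2_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.service.rule=Host(`service.com`)",
    "traefik.http.middlewares.servicests.headers.stsincludesubdomains=false",
    "traefik.http.middlewares.servicests.headers.stspreload=true",
    "traefik.http.middlewares.servicests.headers.stsseconds=31536000",
    "traefik.http.middlewares.servicests.headers.isdevelopment=false",
    "traefik.http.routers.service.middlewares=servicests",
]

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def sts_settings(labels):
    """Collect the sts* header settings from v1.7- or v2-style labels.

    Returns {"seconds": int, "includesubdomains": bool, "preload": bool}.
    Labels that are not STS settings (routers, isdevelopment, ...) are skipped.
    """
    settings = {"seconds": 0, "includesubdomains": False, "preload": False}
    for label in labels:
        key, _, value = label.partition("=")
        # v1.7 uses ...headers.STSSeconds, v2 uses ...headers.stsseconds;
        # matching case-insensitively covers both spellings.
        m = re.search(r"\.headers\.sts(seconds|includesubdomains|preload)$",
                      key, re.IGNORECASE)
        if not m:
            continue
        name = m.group(1).lower()
        if name == "seconds":
            settings["seconds"] = int(value.strip())
        else:
            settings[name] = value.strip().lower() == "true"
    return settings


def build_hsts_header(settings):
    """Render the RFC 6797 Strict-Transport-Security value for these settings."""
    parts = [f"max-age={settings['seconds']}"]
    if settings["includesubdomains"]:
        parts.append("includeSubDomains")
    if settings["preload"]:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        # Directive names are case-insensitive; values may be quoted.
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(header_value):
    """Return a list of findings; an empty list means the header is sound."""
    findings = []
    d = parse_hsts(header_value)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or not a number: browsers ignore the header")
        return findings
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the one-year preload-list minimum")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload requires includeSubDomains for the preload list")
        if max_age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


if __name__ == "__main__":
    for name, labels in (("v1.7", V1_LABELS), ("v2", V2_LABELS)):
        header = build_hsts_header(sts_settings(labels))
        print(f"{name}: Strict-Transport-Security: {header}")
        for finding in check_hsts(header) or ["no findings"]:
            print("  -", finding)
```

Run against the labels exactly as shown in both answers, the check reports that `preload` is set without `includeSubDomains`; that combination still works as a plain HSTS policy in the browser, but a submission to the preload list would be refused, so decide deliberately whether subdomains are meant to be covered before setting `stspreload=true`. The check cannot see the other half of the problem described in Solution 1: a browser only honours the header once it trusts the certificate, so verify that separately in the browser's security tab.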

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Erik van Oosten