I have been fighting with HSTS headers in Traefik for multiple days, when I learned something important about HSTS:
Your browser will ignore any STS headers when the certificate you are using is considered not trustworthy/safe by your browser. You can verify this (in Chrome) with the security tab in the developer tools.
For HSTS (HTTP Strict Transport Security) to work, I had to solve the next few things in my particular scenario:
The certificate I was using for development was self-signed and installed onto my machine. But because it was self-signed, it was not put in the "Trusted Root Certification Authorities" directory. My browser complained that it could not find my certificate in that directory, so I had to put it there, otherwise the browser will still consider the certificate unsafe. Note that this was only meant for development purposes; official certificates were on the way.
At first I created my certificate, putting my domain in the CN (Common Name) section. Nowadays, browsers kinda ignore that section and look for SAN (Subject Alternative Names). I had to create a new certificate with my domain in that section.
Those two things were the things I missed; after solving those, my STS headers (used in docker-compose service labels) were working. The labels (Traefik v1.7) look as follows:
my_service:
  deploy:
    labels:
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.STSSeconds=31536000"
Hope it helps anybody.
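
The two certificate problems described above can be checked before opening a browser. The following is an added example, not part of the original post: the function names, the placeholder domain `dev.example.test`, and the sample certificate dicts and header value are constructed for illustration, and whether the chain is trusted is passed in as a flag because it depends on the client's trust store.

```python
# Added example: offline pre-flight check for the two certificate problems above.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"') if value else True
    return directives

def san_matches(cert, hostname):
    """True if hostname matches a DNS subjectAltName (left-most wildcard allowed)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def hsts_problems(cert, hostname, header, chain_trusted):
    """List reasons a browser would not apply HSTS for this response."""
    problems = []
    if not chain_trusted:
        problems.append("certificate chain is not trusted by the client")
    if not san_matches(cert, hostname):
        problems.append("hostname is missing from subjectAltName (CN is not used)")
    hsts = parse_hsts(header or "")
    max_age = hsts.get("max-age")
    if not (isinstance(max_age, str) and max_age.isdigit()):
        problems.append("Strict-Transport-Security has no valid max-age")
    elif int(max_age) == 0:
        problems.append("max-age=0 clears the HSTS entry")
    return problems

# Constructed sample data (dev.example.test is a placeholder domain).
CN_ONLY = {"subject": ((("commonName", "dev.example.test"),),)}
WITH_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "dev.example.test"),))
HEADER = "max-age=31536000; preload"  # constructed; same max-age and preload as the labels

if __name__ == "__main__":
    print(hsts_problems(CN_ONLY, "dev.example.test", HEADER, chain_trusted=False))
    print(hsts_problems(WITH_SAN, "dev.example.test", HEADER, chain_trusted=True))
```

An empty list means none of these checks found a reason for the header to be ignored; against a live service, the certificate dict would come from `getpeercert()` on a verified TLS connection.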