Global configuration of security in Traefik for Docker

予麋鹿 2021-01-16 12:50

Since version 1.5, Traefik gives the option to configure security for each service.

These options are available here: https://docs.traefik.io/configuration/backends/doc

2 answers
  • 2021-01-16 13:48

    So just for posterity, here is how to do it using a template file:

    1. Get the template docker.tmpl from source and make sure it's for your exact version. The easiest way - just click on the build number in the top right of the UI and browse to /template folder. Use the filename without version.
    2. Speaking of versions - add the following to your traefik.toml:

      [docker]
      filename = "docker.tmpl"
      templateVersion = 2
      

      and you should add -v /path/docker.tmpl:/docker.tmpl:ro to your container too!

    3. Now you should be able to restart Traefik and everything should work as normal. To add your specific headers for all auto-generated frontends, edit docker.tmpl and just before the next to last {{end}} that is for the {{if $headers }} add this (spacing is kept):

            {{else}}
            [frontends."frontend-{{ $frontendName }}".headers]
              STSSeconds = 315360000
              STSIncludeSubdomains = true
              STSPreload = true
              CustomFrameOptionsValue = "SAMEORIGIN"
              ContentTypeNosniff = true
              BrowserXSSFilter = true
      

      This will add the listed headers for every automatically generated frontend based on found containers, just as with the default installation. If a container has any custom labels, though, it will execute the previous logic and will skip those.

    I made it like this in order to allow for predictability in how containers work and to make it as easy as possible to update to a new version. Just pasting into a specific section would allow you to upgrade without handling merge conflicts and new logic.

    You can go ahead and create a more robust version that will handle overwriting the global config, but it would require more work during upgrades.

  • 2021-01-16 13:51

    As dtomcej answered me on GitHub, there is no option to set security headers in a global manner.

    We have to override the default Docker template, as explained in the doc.

    I find this solution a bit risky. So for now I duplicate my security header configuration in each container configuration that needs it.

    In the end I have something like this:

    version: '3'
    
    services:
    
      my-service:
        build: my-service
        labels:
          - traefik.enable=true
          - traefik.backend=my-service
          - traefik.frontend.rule=Host:exemple.com;PathPrefix:/service
          - traefik.port=80
          - traefik.frontend.headers.SSLRedirect=true
          - traefik.frontend.headers.SSLHost=exemple.com
          - traefik.frontend.headers.STSSeconds=315360000
          - traefik.frontend.headers.STSIncludeSubdomains=true
          - traefik.frontend.headers.STSPreload=true
          - traefik.frontend.headers.frameDeny=true
          - traefik.frontend.headers.browserXSSFilter=true
    
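Both answers leave room for drift: per-container labels can be forgotten, and with the template edit a container that sets its own header labels no longer gets the defaults. The following audit over `docker inspect` output is an added example, not code from either answer or from Traefik; it flags exposed containers whose `traefik.frontend.headers.*` labels fall short of the baseline in the second answer. The parameter names `exposed_by_default` and `template_defaults` are hypothetical, the sample data is constructed, and reading "custom labels" as header labels is an assumption.

```python
import json

PREFIX = "traefik.frontend.headers."
def _true(v):
    return v.lower() == "true"
# Baseline copied from the labels in the second answer; adjust to your own policy.
BASELINE = {
    "STSSeconds": lambda v: v.isdigit() and int(v) >= 315360000,
    "STSIncludeSubdomains": _true,
    "STSPreload": _true,
    "frameDeny": _true,
    "browserXSSFilter": _true,
}

def audit(inspect_json, exposed_by_default=True, template_defaults=False):
    """Map container name -> list of header problems, from `docker inspect` JSON."""
    # exposed_by_default mirrors Traefik's docker provider setting exposedByDefault.
    # template_defaults=True assumes the docker.tmpl edit from the first answer.
    findings = {}
    for c in json.loads(inspect_json):
        labels = (c.get("Config") or {}).get("Labels") or {}
        enable = labels.get("traefik.enable")
        exposed = exposed_by_default if enable is None else enable.lower() == "true"
        if not exposed:
            continue
        if template_defaults and not any(k.startswith(PREFIX) for k in labels):
            continue  # no header labels: the template's {{else}} branch applies
        problems = []
        for name, ok in BASELINE.items():
            value = labels.get(PREFIX + name)
            if value is None:
                problems.append(f"missing {name}")
            elif not ok(value.strip()):
                problems.append(f"weak {name}={value}")
        if problems:
            findings[c.get("Name", "?").lstrip("/")] = problems
    return findings

# Constructed sample in the shape of `docker inspect` output (not real containers).
_FULL = {PREFIX + k: "true" for k in BASELINE}
_FULL[PREFIX + "STSSeconds"] = "315360000"
SAMPLE = json.dumps([
    {"Name": "/my-service", "Config": {"Labels": {"traefik.enable": "true", **_FULL}}},
    {"Name": "/blog", "Config": {"Labels": {
        PREFIX + "STSSeconds": "3600", PREFIX + "frameDeny": "true"}}},
    {"Name": "/wiki", "Config": {"Labels": {"traefik.enable": "true"}}},
    {"Name": "/db", "Config": {"Labels": {"traefik.enable": "false"}}},
])
if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of `SAMPLE`.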