Global configuration of security in Traefik for Docker

Submitted by ぃ、小莉子 on 2019-12-01 13:12:15
Stoinov

So just for posterity, here is how to do it using a template file:

  1. Get the template docker.tmpl from source and make sure it's for your exact version. The easiest way is to click on the build number in the top right of the UI and browse to the /template folder. Use the filename without the version.
  2. Speaking of versions, add the following to your traefik.toml:

    [docker]
    filename = "docker.tmpl"
    templateVersion = 2
    

    and you should add -v /path/docker.tmpl:/docker.tmpl:ro to your container too!

  3. Now you should be able to restart Traefik and everything should work as normal. To add your specific headers for all auto-generated frontends, edit docker.tmpl and, just before the next-to-last {{end}} (the one that belongs to {{if $headers }}), add this (spacing is kept):

          {{else}}
          [frontends."frontend-{{ $frontendName }}".headers]
            STSSeconds = 315360000
            STSIncludeSubdomains = true
            STSPreload = true
            CustomFrameOptionsValue = "SAMEORIGIN"
            ContentTypeNosniff = true
            BrowserXSSFilter = true
    

    This will add the listed headers for every automatically generated frontend based on the discovered containers, just as with the default installation. If a container has any custom labels, though, the previous logic will execute and those defaults will be skipped.

I made it like this in order to allow for predictability in how containers work and to make updating to a new version as easy as possible. Just pasting into a specific section allows you to upgrade without handling merge conflicts and new logic.

You can go ahead and create a more robust version that will handle overwriting the global config, but it would require more work during upgrades.

As dtomcej answered me on GitHub, there is no option to set security headers in a global manner.

We have to override the default Docker template, as explained in the docs.

I find this solution a bit risky. So for now I duplicate my security header configuration in each container configuration that needs it.

In the end I have something like this:

    version: '3'

    services:

      my-service:
        build: my-service
        labels:
          - traefik.enable=true
          - traefik.backend=my-service
          - traefik.frontend.rule=Host:exemple.com;PathPrefix:/service
          - traefik.port=80
          - traefik.frontend.headers.SSLRedirect=true
          - traefik.frontend.headers.SSLHost=exemple.com
          - traefik.frontend.headers.STSSeconds=315360000
          - traefik.frontend.headers.STSIncludeSubdomains=true
          - traefik.frontend.headers.STSPreload=true
          - traefik.frontend.headers.frameDeny=true
          - traefik.frontend.headers.browserXSSFilter=true
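Whichever route is taken, the template override from the first answer or the per-container labels from the second, the result is only as good as the headers that actually reach the client; a container with its own labels falls into the template's first branch and silently loses the global defaults. The following Python helper, added here and not part of either answer, checks a captured response header set against the values those settings produce (HSTS with max-age 315360000, includeSubDomains and preload; X-Frame-Options DENY or SAMEORIGIN; X-Content-Type-Options nosniff; X-XSS-Protection enabled). The sample responses are constructed, not captured from a real deployment.

```python
import re

# Expected values taken from the docker.tmpl snippet and the compose labels on this page.
# frameDeny=true produces X-Frame-Options "DENY"; CustomFrameOptionsValue gives "SAMEORIGIN".
EXPECTED_STS_SECONDS = 315360000
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def check_security_headers(headers):
    """Return a list of findings for a header-name -> value dict (empty list = all good)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", sts, re.I)
        if not m or int(m.group(1)) < EXPECTED_STS_SECONDS:
            findings.append(f"HSTS max-age below {EXPECTED_STS_SECONDS}: {sts!r}")
        directives = {d.strip().lower() for d in sts.split(";")}
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in directives:
            findings.append("HSTS lacks preload")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options not DENY/SAMEORIGIN: {xfo!r}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if not h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append("X-XSS-Protection is not enabled")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD = {
    "Strict-Transport-Security": "max-age=315360000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
# A container carrying its own labels takes the template's first branch: global defaults skipped.
PARTIAL = {"Strict-Transport-Security": "max-age=3600", "X-Frame-Options": "ALLOWALL"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("partial", PARTIAL)):
        print(name, check_security_headers(hdrs) or "ok")
```

Feed it the headers from a HEAD request against each frontend after a restart; a non-empty list for a service that is supposed to inherit the defaults is the sign that its own labels diverted it into the other template branch.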