Since version 1.5, Traefik gives the option to configure security for each service.
These options are available here https://docs.traefik.io/configuration/backends/docker/#security-headers and must be set in the label section of each service defined in the docker-compose file.
I wonder how I can add these options in a global manner?
So just for posterity, here is how to do it using a template file:
- Get the template docker.tmpl from source and make sure it's for your exact version. The easiest way - just click on the build number in the top right of the UI and browse to the /template folder. Use the filename without version. Speaking of versions - add the following to your traefik.toml:

    [docker]
    filename = "docker.tmpl"
    templateVersion = 2

  and you should add -v /path/docker.tmpl:/docker.tmpl:ro to your container too!

Now you should be able to restart Traefik and everything should work as normal. To add your specific headers for all auto-generated frontends, edit docker.tmpl and just before the next to last {{end}} that is for the {{if $headers }} add this (spacing is kept):

    {{else}}
    [frontends."frontend-{{ $frontendName }}".headers]
    STSSeconds = 315360000
    STSIncludeSubdomains = true
    STSPreload = true
    CustomFrameOptionsValue = "SAMEORIGIN"
    ContentTypeNosniff = true
    BrowserXSSFilter = true

This will add the listed headers for every automatically generated frontend based on found containers, just as with the default installation. If a container has any custom labels, though, it will execute the previous logic and will skip those.
I made it like this in order to allow for predictability in how containers work and to make it as easy as possible to update to a new version. Just pasting into a specific section would allow you to upgrade without handling merge conflicts and new logic.
You can go ahead and create a more robust version that will handle overwriting the global config, but it would require more work during upgrades.
As dtomcej answered me on GitHub, there is no option to set security headers in a global manner.
We have to override the default Docker template as explained in the doc.
I find this solution a bit risky. So for now I duplicate my security header configuration in each container configuration that needs it.
In the end I have something like this:

    version: '3'
    services:
      my-service:
        build: my-service
        labels:
          - traefik.enable=true
          - traefik.backend=my-service
          - traefik.frontend.rule=Host:exemple.com;PathPrefix:/service
          - traefik.port=80
          - traefik.frontend.headers.SSLRedirect=true
          - traefik.frontend.headers.SSLHost=exemple.com
          - traefik.frontend.headers.STSSeconds=315360000
          - traefik.frontend.headers.STSIncludeSubdomains=true
          - traefik.frontend.headers.STSPreload=true
          - traefik.frontend.headers.frameDeny=true
          - traefik.frontend.headers.browserXSSFilter=true

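When the header labels are duplicated per container as in the answer above, the main risk is that one service drifts from the rest. The following added example (not code from the original posts) audits `docker inspect` JSON for the labels shown there; the sample data is constructed, and treating only containers labelled traefik.enable=true as routed is an assumption.

```python
import json
import sys

# Labels every Traefik-routed container must carry, with a check on the value.
# Names and values are taken from the labels in the answer above; names are
# compared exactly as written there.
P = "traefik.frontend.headers."
is_true = lambda v: v == "true"
REQUIRED = {
    P + "SSLRedirect": is_true,
    P + "STSSeconds": lambda v: v.isdigit() and int(v) > 0,
    P + "STSIncludeSubdomains": is_true,
    P + "STSPreload": is_true,
    P + "frameDeny": is_true,
    P + "browserXSSFilter": is_true,
}

# Constructed sample in the shape `docker inspect` prints (Name, Config.Labels).
_ok = {"traefik.enable": "true", P + "SSLRedirect": "true",
       P + "STSSeconds": "315360000", P + "STSIncludeSubdomains": "true",
       P + "STSPreload": "true", P + "frameDeny": "true",
       P + "browserXSSFilter": "true"}
_drifted = {k: v for k, v in _ok.items() if k != P + "STSPreload"}
_drifted[P + "frameDeny"] = "false"
SAMPLE = json.dumps([
    {"Name": "/my-service", "Config": {"Labels": _ok}},
    {"Name": "/api", "Config": {"Labels": _drifted}},
    {"Name": "/db", "Config": {"Labels": None}},  # not routed by Traefik
])

def audit(inspect_json):
    """Return {container name: [problems]} for containers with traefik.enable=true."""
    findings = {}
    for container in json.loads(inspect_json):
        labels = (container.get("Config") or {}).get("Labels") or {}
        if labels.get("traefik.enable") != "true":
            continue  # assumption: only explicitly enabled containers are routed
        problems = []
        for name, check in REQUIRED.items():
            if name not in labels:
                problems.append("missing " + name)
            elif not check(labels[name]):
                problems.append("bad value %s=%s" % (name, labels[name]))
        if problems:
            findings[container["Name"]] = problems
    return findings

if __name__ == "__main__":
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit(raw), indent=2))
```

To check running containers, pipe `docker inspect $(docker ps -q)` into the script on stdin.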
Source: https://stackoverflow.com/questions/48498453/global-configuration-of-security-in-traefik-for-docker