Security Headers with dashes in value don't work (docker)
captn3m0 opened this issue
Do you want to request a feature or report a bug?
Bug
What did you do?
Container has the following labels:
{
    "traefik.enable": "true",
    "traefik.frontend.headers.SSLTemporaryRedirect": "true",
    "traefik.frontend.headers.STSIncludeSubdomains": "false",
    "traefik.frontend.headers.STSSeconds": "2592000",
    "traefik.frontend.headers.browserXSSFilter": "true",
    "traefik.frontend.headers.contentTypeNosniff": "true",
    "traefik.frontend.headers.customresponseheaders": "X-Powered-By:Allomancy,X-Server:Blackbox",
    "traefik.frontend.headers.referrerPolicy": "no-referrer",
    "traefik.port": "5050"
}
What did you expect to see?
Traefik serving traffic and registering the docker backend.
What did you see instead?
docker backend doesn't get registered. I get the following in my log:
time="2017-11-29T20:39:10Z" level=error msg="Near line 256 (last key parsed 'frontends.frontend-Host-hostname-8.headers.ReferrerPolicy'): expected value but found "no" instead"
Output of traefik version: (What version of Traefik are you using?)
Version: v1.5.0-rc1
Codename: cancoillotte
Go version: go1.9.2
Built: 2017-11-28_02:11:24PM
OS/Arch: linux/amd64
What is your environment & configuration (arguments, toml, provider, platform, ...)?
Applying the following configuration via terraform:
labels {
    "traefik.frontend.auth.basic" = "${var.basic_auth}"
    "traefik.port" = 5050
    "traefik.enable" = "true"
    "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
    "traefik.frontend.headers.STSSeconds" = "2592000"
    "traefik.frontend.headers.STSIncludeSubdomains" = "false"
    "traefik.frontend.headers.contentTypeNosniff" = "true"
    "traefik.frontend.headers.browserXSSFilter" = "true"
    "traefik.frontend.headers.referrerPolicy" = "no-referrer"
    "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
}
I'm applying the same header via the file backend for another frontend:
[frontends.scan.headers]
SSLRedirect = true
SSLTemporaryRedirect = true
STSSeconds = 2592000
FrameDeny = true
ContentTypeNosniff = true
BrowserXssFilter = true
ReferrerPolicy = "no-referrer"
And that doesn't give an error. I get the same error if I try to apply the following XFO header: "ALLOW-FROM https://domain.name/"
Removing the XFO and the Referrer policy from the container tags fixes the issue.
If applicable, please paste the log output in debug mode (--debug switch)
time="2017-11-29T20:45:37Z" level=error msg="Near line 624 (last key parsed 'frontends.frontend-Host-hostname.headers.ReferrerPolicy'): expected value but found "no" instead"
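The failure reported above, reduced to an added Go example (not Traefik's code and not part of the original issue): it assumes the Docker provider copies a label's value into the generated TOML without quotes, which is what the logged parse error suggests, and shows that only the string-typed `referrerPolicy` label then produces a line a TOML parser rejects. The names `render`, `brokenLabels`, `stringFields` and `tomlLine` are hypothetical, and the labels are a constructed subset of the ones in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample: three header labels copied from the issue's container.
var sampleLabels = map[string]string{
	"traefik.frontend.headers.STSSeconds":         "2592000",
	"traefik.frontend.headers.contentTypeNosniff": "true",
	"traefik.frontend.headers.referrerPolicy":     "no-referrer",
}

// stringFields: header options whose TOML type is string (assumed subset).
var stringFields = map[string]bool{"referrerPolicy": true}

// tomlLine accepts "field = value" where value is a bare boolean, a bare
// integer, or a double-quoted string; anything else is a parse error.
var tomlLine = regexp.MustCompile(`^[A-Za-z]+ = (true|false|[+-]?[0-9]+|"([^"\\]|\\.)*")$`)

// render writes one "field = value" line. With quoteStrings false the value is
// copied verbatim (assumed behaviour, inferred from the logged parse error).
func render(label, value string, quoteStrings bool) string {
	field := label[strings.LastIndex(label, ".")+1:]
	if quoteStrings && stringFields[field] {
		value = strconv.Quote(value) // valid TOML for printable ASCII values
	}
	return field + " = " + value
}

// brokenLabels returns, sorted, the labels whose rendered line would not parse.
func brokenLabels(labels map[string]string, quoteStrings bool) []string {
	var bad []string
	for label, value := range labels {
		if !tomlLine.MatchString(render(label, value, quoteStrings)) {
			bad = append(bad, label)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	fmt.Println("verbatim:", brokenLabels(sampleLabels, false))
	fmt.Println("quoted:  ", brokenLabels(sampleLabels, true))
}
```
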
Will run some tests on this, I have a suspicion as to why this is.
Will post more when I have more info!
Closed by #2496.
That was quick, thanks 👍