traefik / traefik

The Cloud Native Application Proxy

Home Page: https://traefik.io

Security Headers with dashes in value don't work (docker)

captn3m0 opened this issue

commented

Do you want to request a feature or report a bug?

Bug

What did you do?

Container has the following labels:

{
    "traefik.enable": "true",
    "traefik.frontend.headers.SSLTemporaryRedirect": "true",
    "traefik.frontend.headers.STSIncludeSubdomains": "false",
    "traefik.frontend.headers.STSSeconds": "2592000",
    "traefik.frontend.headers.browserXSSFilter": "true",
    "traefik.frontend.headers.contentTypeNosniff": "true",
    "traefik.frontend.headers.customresponseheaders": "X-Powered-By:Allomancy,X-Server:Blackbox",
    "traefik.frontend.headers.referrerPolicy": "no-referrer",
    "traefik.port": "5050"
}

What did you expect to see?

Traefik serving traffic and registering the docker backend.

What did you see instead?

docker backend doesn't get registered. I get the following in my log:

time="2017-11-29T20:39:10Z" level=error msg="Near line 256 (last key parsed 'frontends.frontend-Host-hostname-8.headers.ReferrerPolicy'): expected value but found "no" instead" 

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.5.0-rc1
Codename:     cancoillotte
Go version:   go1.9.2
Built:        2017-11-28_02:11:24PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Applying the following configuration via terraform:

labels {
    "traefik.frontend.auth.basic" = "${var.basic_auth}"
    "traefik.port" = 5050
    "traefik.enable" = "true"
    "traefik.frontend.headers.SSLTemporaryRedirect" = "true"
    "traefik.frontend.headers.STSSeconds" = "2592000"
    "traefik.frontend.headers.STSIncludeSubdomains" = "false"
    "traefik.frontend.headers.contentTypeNosniff" = "true"
    "traefik.frontend.headers.browserXSSFilter" = "true"
    "traefik.frontend.headers.referrerPolicy" = "no-referrer"
    "traefik.frontend.headers.customresponseheaders" = "X-Powered-By:Allomancy,X-Server:Blackbox"
}

I'm applying the same header via the file backend for another frontend:

[frontends.scan.headers]
    SSLRedirect = true
    SSLTemporaryRedirect = true
    STSSeconds = 2592000
    FrameDeny = true
    ContentTypeNosniff = true
    BrowserXssFilter = true
    ReferrerPolicy = "no-referrer"

And that doesn't give an error. I get the same error if I try to apply the following XFO header: "ALLOW-FROM https://domain.name/"

Removing the XFO and the Referrer policy from the container tags fixes the issue.

If applicable, please paste the log output in debug mode (--debug switch)

time="2017-11-29T20:45:37Z" level=error msg="Near line 624 (last key parsed 'frontends.frontend-Host-hostname.headers.ReferrerPolicy'): expected value but found "no" instead" 

Will run some tests on this, I have a suspicion as to why this is.

Will post more when I have more info!

Closed by #2496.

commented

That was quick, thanks 👍
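
The parse error in the logs above is what a TOML parser reports when it meets a bare `no-referrer` on the right-hand side of a key. The following is an added example, not Traefik's code and not part of the issue thread: it assumes the Docker provider writes label values into TOML text through a template, and the templates, `Render`, `CheckValues` and the `demo` frontend name are hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Hypothetical templates (assumption, not Traefik's): one writes the label
// value bare, the other quotes it. %q emits Go string syntax, which matches a
// TOML basic string for the printable ASCII values used here.
const (
	bareTmpl   = "[frontends.demo.headers]\n  ReferrerPolicy = {{.}}\n"
	quotedTmpl = "[frontends.demo.headers]\n  ReferrerPolicy = {{printf \"%q\" .}}\n"
)

// tomlScalar accepts only the scalar forms this example needs:
// a basic string, a boolean, or an integer.
var tomlScalar = regexp.MustCompile(`^("([^"\\]|\\.)*"|true|false|[+-]?[0-9]+)$`)

// Render fills a template with one label value.
func Render(tmpl, value string) string {
	var buf bytes.Buffer
	if err := template.Must(template.New("t").Parse(tmpl)).Execute(&buf, value); err != nil {
		panic(err)
	}
	return buf.String()
}

// CheckValues returns the keys whose right-hand side is not a valid scalar.
func CheckValues(doc string) []string {
	var bad []string
	for _, line := range strings.Split(doc, "\n") {
		key, val, ok := strings.Cut(strings.TrimSpace(line), " = ")
		if ok && !tomlScalar.MatchString(val) {
			bad = append(bad, key)
		}
	}
	return bad
}

func main() {
	// Header values taken from the issue, plus one numeric value that is valid bare.
	for _, v := range []string{"no-referrer", "ALLOW-FROM https://domain.name/", "2592000"} {
		fmt.Printf("%-34q bare=%v quoted=%v\n", v,
			CheckValues(Render(bareTmpl, v)), CheckValues(Render(quotedTmpl, v)))
	}
}
```

Running a check like this over generated configuration before it is loaded catches the case where one unquoted header value keeps a backend from registering.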