How to use STS headers with Traefik when using Docker


Problem description

This is an issue I have been fighting with for days, but I could not find any help on stackoverflow, not even close to it. I hope to help people with similar issues in the future. Any elaboration on this question/answer is very much welcome.

I have been trying to set STS-headers to http-requests when using Traefik as a proxy in a Docker environment. Somehow, no matter how I try to set the headers, my browser (Google Chrome) ignores them. What am I doing wrong?

Recommended answer

I have been fighting with HSTS headers in Traefik for multiple days, when I learned something important about HSTS:

Your browser will ignore any STS headers when the certificate you are using is considered not trustworthy/safe by your browser. You can verify this (in Chrome) with the security tab in the developer tools.

For HSTS (HTTP Strict Transport Security) to work, I had to solve the next few things in my particular scenario:

  • The certificate I was using for development was self-signed and installed onto my machine. But because it was self-signed, it was not put in the "Trusted Root Certification Authorities" directory. My browser complained that it could not find my certificate in that directory, so I had to put it there, otherwise the browser will still consider the certificate unsafe. Note that this was only meant for development purposes, official certificates were on the way.

  • At first I created my certificate, putting my domain in the CN (Common Name) section. Nowadays, browsers kinda ignore that section and look for SAN (Subject Alternative Names). I had to create a new certificate with my domain in that section.

Those two things were the things I missed; after solving those, my STS headers (used in docker-compose service labels) were working. The labels (Traefik v1.7) look as follows:

my_service:
    deploy:
      labels:
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.STSSeconds=31536000"

Hope it helps anybody.
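
A simplified model of the browser-side rule described in the answer above, as an added example that is not part of the original post: an HSTS header is recorded only when it arrives over HTTPS, the chain is trusted, and the host name appears in the certificate's SAN. The host name, the `chain_trusted` flag and the header value (assumed to be what the two labels produce) are constructed for illustration.

```python
# Added example: simplified model of when a browser stores an HSTS policy.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().

def san_matches(cert, host):
    """Match host against DNS subjectAltName entries only; CN is not consulted."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        # A wildcard covers exactly one left-most label: *.example.test
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def parse_hsts(header):
    """Return the policy as a dict, or None if the header is invalid (RFC 6797)."""
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:              # a repeated directive invalidates the header
            return None
        seen[name] = value.strip().strip('"')
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):   # max-age is required
        return None
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def stored_policy(scheme, chain_trusted, cert, host, header):
    """Policy the browser would record for host, or None if it ignores the header."""
    if scheme != "https":             # never honoured over plain HTTP
        return None
    if not chain_trusted or not san_matches(cert, host):
        return None                   # any certificate error: header ignored
    return parse_hsts(header)

# Constructed sample data (hypothetical host name).
HOST = "dev.example.test"
HEADER = "max-age=31536000; preload"  # assumed output of the two labels above
CN_ONLY = {"subject": ((("commonName", HOST),),)}
WITH_SAN = {"subject": ((("commonName", HOST),),), "subjectAltName": (("DNS", HOST),)}
```

Calling `stored_policy("https", True, CN_ONLY, HOST, HEADER)` returns `None`, which is the CN-only situation from the second bullet; swapping in `WITH_SAN` returns the parsed policy.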
