docker - 向 Traefik 添加自定义标头会产生奇怪的行为

问题描述

在我的内部，我docker-compose.yml定义了我的 Traefik 路线，如下所示：

labels:
  - 'traefik.enable=true'
  - 'traefik.docker.network=traefik'
  - 'traefik.http.routers.nginx.entrypoints=http'
  - 'traefik.http.routers.nginx.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
  - 'traefik.http.routers.nginx.middlewares=redirect@file'
  - 'traefik.http.routers.nginx-https.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
  - 'traefik.http.routers.nginx-https.tls=true'
  - 'traefik.http.routers.nginx-https.tls.certresolver=${DNS_PROVIDER}'
  - 'traefik.http.routers.nginx-https.tls.domains[0].main=${DOMAIN}'
  - 'traefik.http.routers.nginx-https.tls.domains[1].main=www.${DOMAIN}'
  - 'traefik.http.routers.nginx.service=nginx'
  - 'traefik.http.services.nginx.loadbalancer.server.port=80'
  - 'traefik.http.services.nginx.loadBalancer.passHostHeader=true'
  - 'traefik.http.middlewares.https_redirect.redirectscheme.scheme=https'
  - 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https'
  - 'traefik.http.middlewares.https-redirect.headers.customrequestheaders.X-Forwarded-Proto=https'
  - 'traefik.http.routers.nginx.middlewares=https-redirect'
  - 'traefik.http.middlewares.https_redirect.redirectscheme.permanent=true'
  - 'traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)'
  - 'traefik.http.routers.http_catchall.entrypoints=http'
  - 'traefik.http.routers.http_catchall.middlewares=https_redirect'
  - 'traefik.http.middlewares.https-redirect.headers.customresponseheaders.Set-Cookie=Path=/; HttpOnly; Secure'
  - 'traefik.http.middlewares.https-redirect.headers.customresponseheaders.X-Powered-By=PHP'
  - 'traefik.http.middlewares.https-redirect.headers.customresponseheaders.HTTPServer=PHP'

我尝试设置一个全局traefik.yaml：

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict : true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

    mintls13:
      minVersion: VersionTLS13
http:
  middlewares:
    all-sites:
      redirectScheme:
        scheme: https
        permanent: true
      rateLimit:
        average: 100
        brust: 50
      headers:
        frameDeny: true
        sslRedirect: true
        accessControlAllowMethods:
          - GET
          - POST
        contentTypeNosniff: true
        browserXssFilter: true
        stsPreload: true
        stsIncludeSubdomains: true
        sslForceHost: true
        sslRedirec: true

我在日志中看到 Traefik 加载了这些：

"customResponseHeaders\":{\"HTTPServer\":\"PHP\",\"Set-Cookie\":\"Path=/; HttpOnly; Secure\",\"X-Powered-By\":\"PHP\"}},\

但是，当我运行时，whatweb我看到：

[200 OK] Cookies[...._session,Path,XSRF-TOKEN], Country[UNITED STATES][US], HTML5, HTTPServer[nginx], HttpOnly[...._session,Path], IP[x.xx.xxx.xx], PHP[7.4.21], PasswordField[password], Strict-Transport-Security[max-age=63072000], Title[......], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/7.4.21], X-XSS-Protection[1; mode=block], nginx

在我的里面我nginx有：

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header X-Real-IP "$remote_user";
add_header 'Access-Control-Allow-Origin' $allow_origin;

client_max_body_size 10M;

# RFC 6797
add_header Strict-Transport-Security "max-age=63072000" always;

set_real_ip_from  172.18.0.0/24;
real_ip_header    X-Forwarded-For;

# Disallow
add_header Set-Cookie "Path=/; HttpOnly; Secure";

# Remove info disclosure
server_tokens off;

# SWEET32 - TLSv1.2 defualt enabled
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

但是只有某些标头对某些文件生效，我真的无法弄清楚我做错了什么，只是尝试删除服务器令牌并添加我的自定义安全标头。任何帮助表示赞赏。

标签： dockernginxdocker-composetraefiknginx-ingress