docker - 向 Traefik 添加自定义标头会产生奇怪的行为
问题描述
在我的内部,我docker-compose.yml
定义了我的 Traefik 路线,如下所示:
labels:
- 'traefik.enable=true'
- 'traefik.docker.network=traefik'
- 'traefik.http.routers.nginx.entrypoints=http'
- 'traefik.http.routers.nginx.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
- 'traefik.http.routers.nginx.middlewares=redirect@file'
- 'traefik.http.routers.nginx-https.rule=Host(`${DOMAIN}`) || Host(`www.${DOMAIN}`)'
- 'traefik.http.routers.nginx-https.tls=true'
- 'traefik.http.routers.nginx-https.tls.certresolver=${DNS_PROVIDER}'
- 'traefik.http.routers.nginx-https.tls.domains[0].main=${DOMAIN}'
- 'traefik.http.routers.nginx-https.tls.domains[1].main=www.${DOMAIN}'
- 'traefik.http.routers.nginx.service=nginx'
- 'traefik.http.services.nginx.loadbalancer.server.port=80'
- 'traefik.http.services.nginx.loadBalancer.passHostHeader=true'
- 'traefik.http.middlewares.https_redirect.redirectscheme.scheme=https'
- 'traefik.http.middlewares.https-redirect.redirectscheme.scheme=https'
- 'traefik.http.middlewares.https-redirect.headers.customrequestheaders.X-Forwarded-Proto=https'
- 'traefik.http.routers.nginx.middlewares=https-redirect'
- 'traefik.http.middlewares.https_redirect.redirectscheme.permanent=true'
- 'traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)'
- 'traefik.http.routers.http_catchall.entrypoints=http'
- 'traefik.http.routers.http_catchall.middlewares=https_redirect'
- 'traefik.http.middlewares.https-redirect.headers.customresponseheaders.Set-Cookie=Path=/; HttpOnly; Secure'
- 'traefik.http.middlewares.https-redirect.headers.customresponseheaders.X-Powered-By=PHP'
- 'traefik.http.middlewares.https-redirect.headers.customresponseheaders.HTTPServer=PHP'
我尝试设置一个全局traefik.yaml
:
tls:
options:
default:
minVersion: VersionTLS12
sniStrict : true
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
mintls13:
minVersion: VersionTLS13
http:
middlewares:
all-sites:
redirectScheme:
scheme: https
permanent: true
rateLimit:
average: 100
brust: 50
headers:
frameDeny: true
sslRedirect: true
accessControlAllowMethods:
- GET
- POST
contentTypeNosniff: true
browserXssFilter: true
stsPreload: true
stsIncludeSubdomains: true
sslForceHost: true
sslRedirec: true
我在日志中看到 Traefik 加载了这些:
"customResponseHeaders\":{\"HTTPServer\":\"PHP\",\"Set-Cookie\":\"Path=/; HttpOnly; Secure\",\"X-Powered-By\":\"PHP\"}},\
但是,当我运行时,whatweb
我看到:
[200 OK] Cookies[...._session,Path,XSRF-TOKEN], Country[UNITED STATES][US], HTML5, HTTPServer[nginx], HttpOnly[...._session,Path], IP[x.xx.xxx.xx], PHP[7.4.21], PasswordField[password], Strict-Transport-Security[max-age=63072000], Title[......], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/7.4.21], X-XSS-Protection[1; mode=block], nginx
在我的里面我nginx
有:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header X-Real-IP "$remote_user";
add_header 'Access-Control-Allow-Origin' $allow_origin;
client_max_body_size 10M;
# RFC 6797
add_header Strict-Transport-Security "max-age=63072000" always;
set_real_ip_from 172.18.0.0/24;
real_ip_header X-Forwarded-For;
# Disallow
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# Remove info disclosure
server_tokens off;
# SWEET32 - TLSv1.2 defualt enabled
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
但是只有某些标头对某些文件生效,我真的无法弄清楚我做错了什么,只是尝试删除服务器令牌并添加我的自定义安全标头。任何帮助表示赞赏。
解决方案
推荐阅读
- spring-boot - 异常启动 SpringBootApplication - 无法启动 Web 服务器
- java - Android Studio、Volley、api响应第一次点击不显示
- php - 如果用户未登录 Woocommerce,请避免将特定产品类别添加到购物车
- c# - 使用 Windows 命令删除文件并显示已删除文件的列表
- r - 使用 ggplot 进行更高效的绘图
- gulp - 流吞咽过滤器错误
- python - 如何将透明颜色应用于 XSLXWriter 中的单元格?
- c# - 在模型中使用 MVVM 处理异常
- instagram-api - api.instagram CORB 网络错误,因为带有 `Content-Type: application/json` 的 jsonp 响应标头
- java - 必须使用嵌套的 while 循环制作乘法表。\t 间距搞砸了三位数