301 redirect to HTTPS www does not contain HSTS headers

dreamgate · March 15, 2020, 11:52pm

Hi!

I currently have a global HTTP -> HTTPS redirect (which works fine) but after I canonicalize my URL to contain "www", Traefik won't include my "headers" middleware.

HSTS "standard" suggests to redirect to HTTPS first before adding or removing "www". It seems like my middleware chain isn't including the headers I provided once I've been redirected to HTTPS:

I'm still relatively new to learning web stuff and Traefik, It works amazingly so far but I'm just having trouble making my website HSTS ready.

Any help is appreciated

traefik.yml (static config):

global:
    sendAnonymousUsage: false

log:
    format: "common"
    level:  "ERROR"

api:
    dashboard: true

providers:
    file:
        filename: "config.yml"
    docker:
        endpoint:         "tcp://docker-socket-proxy:2375"
        network:          "traefik-web"
        exposedByDefault: false

entryPoints:
    web:
        address: ":80"
    web-secure:
        address: ":443"

certificatesResolvers:
    le:
        acme:
            email:   "foo@bar.net"
            keyType: "EC256"
            storage: "acme.json"
            dnsChallenge:
                provider: "cloudflare"
                resolvers:
                    - "1.1.1.1:53"
                    - "1.0.0.1:53"
                    - "8.8.8.8:53"
                    - "8.8.4.4:53"

config.yml (dynamic config):

http:
    middlewares:
        https-redirect:
            redirectScheme:
                scheme:    "https"
                permanent: true
        www-redirect:
            redirectRegex:
                regex:       "^https://(foo\\.net.*)"
                replacement: "https://www.${1}"
                permanent:   true
        response-headers:
            headers:
                sslRedirect:             true
                contentTypeNosniff:      true
                browserXssFilter:        true
                forceSTSHeader:          true
                stsPreload:              true
                stsIncludeSubdomains:    true
                stsSeconds:              31536000
                customFrameOptionsValue: "SAMEORIGIN"
        api-auth:
            basicAuth:
                users:
                    - "[[REDACTED]]:[[REDACTED]]"
        insecure-chain:
            chain:
                middlewares:
                    - "https-redirect"
        secure-and-www-chain:
            chain:
                middlewares:
                    - "response-headers"
                    - "www-redirect"
        secure-chain:
            chain:
                middlewares:
                    - "response-headers"

tls:
    options:
        default:
            sniStrict:  true
            minVersion: "VersionTLS12"
            mintls13:
                minVersion: "VersionTLS13"
            cipherSuites:
                - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
                - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

docker-compose.yml:

version: "3.7"

services:
    # docker socket proxy (for security)
    docker-socket-proxy:
        image:      "tecnativa/docker-socket-proxy"
        restart:    "unless-stopped"
        privileged: true
        environment:
            CONTAINERS: 1
        networks:
            - "docker-socket-proxy"
        volumes:
            - "/var/run/docker.sock:/var/run/docker.sock:ro" # docker socket

    # reverse proxy
    traefik:
        image:   "traefik:v2.1.6"
        restart: "unless-stopped"
        env_file:
            - "./traefik/traefik.env"
        networks:
            - "internal"
            - "docker-socket-proxy"
            - "traefik-web"
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        volumes:
            - "./traefik/traefik.yml:/traefik.yml:ro" # static configuration config file
            - "./traefik/config.yml:/config.yml:ro"   # dynamic configuration config file
            - "./traefik/acme.json:/acme.json"        # save traefik SSL cert data here
        labels: # dynamic configuration
            # enable docker service so traefik can see it
            - "traefik.enable=true"

            # redirect all HTTP requests to HTTPS
            - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
            - "traefik.http.routers.http-catchall.entrypoints=web"
            - "traefik.http.routers.http-catchall.middlewares=insecure-chain@file"

            # wildcard SSL
            - "traefik.http.routers.traefik.tls.domains[0].main=foo.net"
            - "traefik.http.routers.traefik.tls.domains[0].sans=*.foo.net"

            # route dashboard
            - "traefik.http.routers.traefik.rule=Host(`traefik.foo.net`)"
            - "traefik.http.routers.traefik.entrypoints=web-secure"
            - "traefik.http.routers.traefik.tls=true"
            - "traefik.http.routers.traefik.tls.certresolver=le"
            - "traefik.http.routers.traefik.middlewares=secure-chain@file,api-auth@file"
            - "traefik.http.routers.traefik.service=api@internal"

    # primary website
    main:
        build:   "./main"
        restart: "unless-stopped"
        networks:
            - "internal"
            - "traefik-web"
        # volumes:
        #     - "./main/app/Cargo.lock:/usr/src/app/Cargo.lock"
        labels:
            # enable this service so traefik can see it
            - "traefik.enable=true"

            # route main website (rust)
            - "traefik.http.routers.main.rule=Host(`foo.net`, `www.foo.net`)"
            - "traefik.http.routers.main.entrypoints=web-secure"
            - "traefik.http.routers.main.tls=true"
            - "traefik.http.routers.main.tls.certresolver=le"
            - "traefik.http.routers.main.middlewares=secure-and-www-chain@file"
            - "traefik.http.services.main.loadbalancer.server.port=9200"

networks:
    internal:
        internal: true
    docker-socket-proxy:
        internal: true
    traefik-web:
        external: false

dreamgate · March 16, 2020, 3:51am

Actually, Adding on to my original post...

Could this issue be related to: https://github.com/containous/traefik/issues/5890 ?

I assume it's fixed once stable is at 2.2.0
Edit: Or not... I tried the rc2 release and my headers are still not added to any of my redirects. Am I misunderstanding this?

dreamgate · March 17, 2020, 4:47am

Still not sure about this. Does anyone have any advice for this? Maybe I'm missing a flag for the redirects? Without having HSTS headers on HTTPS redirects, sites can't be eligible for HSTS preload list.

I also tried with more basic settings and stripping the "www" prefix, but the same issue happens:

Initial request @ "http://www.foo.net" (global HTTP->HTTPS redirect):

Then, the second redirect (which should have HSTS headers from my chain):

dreamgate · March 22, 2020, 3:21am

Bump.

This is still an issue I'm struggling with and I'm still not able to add my domain to the HSTS preload list.

The 2nd HTTPS redirect to "www" should contain headers I've added, but it doesn't.

On top of that, How come "forceSTSHeader" isn't adding the headers on redirects?

Topic		Replies	Views
Setting HSTS headers Traefik v2 docker , docker-swarm , file , middleware	1	5723	January 17, 2020
HTTPS Redirection Default Traefik v2 docker , middleware	2	615	May 21, 2020
V2.4.8 www to non-www redirect Traefik v2 docker , middleware	0	827	May 23, 2021
Http-https redirect does not provide sts headers Traefik v2 file	2	900	July 19, 2021
I can't set up redirect http to https Traefik v2 docker , middleware	2	142	July 1, 2024

301 redirect to HTTPS www does not contain HSTS headers

Related topics