Disable default configuration options on a per-container basis

Hi all

I have the following default middleware defined in a dynamic config file:

http:
  middlewares:
    security-headers:
      headers:
        contentTypeNosniff: true
        <other options>

and I register this as a default middleware on my websecure entrypoint as follows:

entryPoints:
  websecure:
    address: ":443"
    http:
      middlewares:
        - security-headers@file
        <other middlewares>
      tls.certResolver: letsencrypt

The problem now is that I would like to disable the ContentType header for a single docker container running a legacy application, while keeping it enabled for all the others.

I tried adding a separate middleware in a docker label like this:

labels:
  - "traefik.http.middlewares.my-application-middleware.headers.contentTypeNosniff=false"

but when doing so, I get an error in the Traefik dashboard saying "headers configuration not valid", presumably because the two middlewares have conflicting values and Traefik doesn't know how to choose which one to use.

Is there any way to configure this in a way that I don't need to manually add a middleware to all my containers, but I can still disable this option for one single container? I basically want to be able to add additional configuration only to the exceptional containers that do not support modern security features (opt-out), and have these features enabled by default for all others.

Thanks in advance for your inputs!

Hi @R-VdP,
You can keep your default configuration, but you have to define the middlewares for your "exceptional containers" routers.
The easiest way could be to define another middleware chain for specific containers and use its reference in those containers' routers.

Hi jbd

Thanks for your answer.

I don't understand, however; that's what I already tried, no? I defined an alternative middleware using a label, as shown, and then added it to the router (I forgot to add that label in my post).

But as I said, I then got an error in the Traefik dashboard saying "headers configuration not valid", so it seems that overriding middlewares like this doesn't work.

Do you have a working example or such?

I'd be interested also in an example of how you define chains of middleware and just attach one chain using docker labels.

I'm sorry, in fact, as said in the documentation:

The list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point.

So, you have to keep only the common middlewares in the default middlewares configuration on the entrypoint and add the specificity for each container/router.

It could be something like:

version: '3.7'

services:
  traefik:
    image: traefik:v2.3.4
    ports:
      - '80:80'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.middlewares=default-chain@docker
      - --providers.docker
    labels:
      # default middlewares
      traefik.http.middlewares.default-chain.chain.middlewares: simple-auth #, ...
      traefik.http.middlewares.specific-chain.chain.middlewares: add-bar #, ...
      traefik.http.middlewares.add-bar.addprefix.prefix: "/bar"
      # basic auth with test:test
      traefik.http.middlewares.simple-auth.basicauth.users: "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"

  specific-whoami:
    image: traefik/whoami:v1.6.0
    labels:
      traefik.http.routers.router0.rule: Host(`whoami`)
      # will generate middlewares: default-chain@docker, specific-chain@docker
      traefik.http.routers.router0.middlewares: specific-chain@docker

  default-whoami:
    image: traefik/whoami:v1.6.0
    labels:
      traefik.http.routers.router1.rule: Host(`localhost`)
      # will generate middlewares: default-chain@docker
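
Once the security headers move out of the entry point defaults into per-router chains, as suggested above, a router that omits the chain silently loses them. The following is an added sketch (not from the thread and not Traefik code) that models the prepend rule quoted from the documentation and lists routers whose effective chain never enables contentTypeNosniff. All middleware names, routers and the allowlist are constructed, and it assumes one entry point per router.

```python
# Added example (not from the thread). Every name and value is constructed.
ENTRYPOINT_DEFAULTS = {"websecure": ["common-chain@file"]}  # common middlewares only

MIDDLEWARES = {
    "common-chain@file": {"chain": ["compress@file"]},
    "compress@file": {"compress": {}},
    "secure-chain@file": {"chain": ["security-headers@file"]},
    "security-headers@file": {"headers": {"contentTypeNosniff": True}},
    "legacy-headers@file": {"headers": {"frameDeny": True}},  # no nosniff on purpose
}
# Simplification: one entry point per router.
ROUTERS = {
    "app": {"entryPoint": "websecure", "middlewares": ["secure-chain@file"]},
    "legacy": {"entryPoint": "websecure", "middlewares": ["legacy-headers@file"]},
    "forgotten": {"entryPoint": "websecure", "middlewares": []},
}
EXPECTED_EXCEPTIONS = {"legacy"}  # routers allowed to opt out


def expand(ref, middlewares, seen=()):
    """Flatten one middleware reference, following chain middlewares in order."""
    if ref in seen:
        raise ValueError(f"chain cycle at {ref}")
    if ref not in middlewares:
        raise KeyError(f"undefined middleware {ref}")
    children = middlewares[ref].get("chain")
    if children is None:
        return [ref]
    return [m for c in children for m in expand(c, middlewares, seen + (ref,))]


def effective_chain(router, defaults, middlewares):
    """Entry point defaults are prepended to the router's own middlewares."""
    refs = defaults.get(router["entryPoint"], []) + router["middlewares"]
    return [m for ref in refs for m in expand(ref, middlewares)]


def routers_without_nosniff(routers, defaults, middlewares):
    """Routers whose effective chain has no headers middleware enabling nosniff."""
    missing = []
    for name, router in routers.items():
        chain = effective_chain(router, defaults, middlewares)
        if not any(middlewares[m].get("headers", {}).get("contentTypeNosniff")
                   for m in chain):
            missing.append(name)
    return sorted(missing)


def unexpected_gaps(routers, defaults, middlewares, allowed):
    """Gaps that are not on the opt-out allowlist, i.e. configuration mistakes."""
    return [r for r in routers_without_nosniff(routers, defaults, middlewares)
            if r not in allowed]
```

With security-headers@file placed back in the entry point defaults, `routers_without_nosniff` returns an empty list for every router, which is why a per-container opt-out cannot be expressed while the header lives in the prepended defaults.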

One year later, I also couldn't find a way to do this nicely. Has anyone else had better luck?

Thanks for the idea of having another entrypoint. I'm now considering having an https-noauth entrypoint as the default 443 entrypoint and finding a way for that entrypoint to forward anything to an https-forwardauth entrypoint on another port if no rule matched.
But I'm worried that it will not play nicely with Traefik autogenerating certs from Let's Encrypt for the entrypoint that will not be on port 443... I will try something out and hope that in the meantime someone gets a feature into Traefik to disable a middleware with a label.