Https redirect reported as not working

I used this service to scan my traefik.domain.tld and it shows a number of warnings. I don't seem to be able to resolve this with my current configuration. Can someone advise?

This is what the report says:

Test Scores

| Test | Pass | Score | Reason |
|---|---|---|---|
| Content Security Policy | | -25 | Content Security Policy (CSP) header not implemented |
| Cookies | | 0 | No cookies detected |
| Cross-origin Resource Sharing | | 0 | Content is not visible via cross-origin resource sharing (CORS) files or headers |
| HTTP Public Key Pinning | | 0 | HTTP Public Key Pinning (HPKP) header not implemented (optional) |
| HTTP Strict Transport Security | | -20 | HTTP Strict Transport Security (HSTS) header not implemented |
| Redirection | | -20 | Does not redirect to an HTTPS site |
| Referrer Policy | | +5 | Referrer-Policy header set to "no-referrer", "same-origin", "strict-origin" or "strict-origin-when-cross-origin" |
| Subresource Integrity | | -5 | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS |
| X-Content-Type-Options | | -5 | X-Content-Type-Options header not implemented |
| X-Frame-Options | | 0 | X-Frame-Options (XFO) header set to SAMEORIGIN or DENY |
| X-XSS-Protection | | -10 | X-XSS-Protection header not implemented |

docker-compose.yml

version: '3.8'
services:
  traefik:
    image: 'traefik:latest'
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    volumes:
      - '/mnt/data/app-config/traefik/data/configurations:/configurations'
      - '/mnt/data/app-config/traefik/data/traefik.yml:/traefik.yml:ro'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/mnt/data/app-config/traefik/traefik.log:/traefik.log'
    environment:
      - CF_API_EMAIL=/ru/mnt/data/app-config/cloudflare_email
      - CF_API_KEY=/ru/mnt/data/app-config/cloudflare_api_key
    secrets:
      - cloudflare_email
      - cloudflare_api_key
    networks:
      - t2_proxy
      - monitor
    deploy:
      mode: global


networks:
  t2_proxy:
    external: true
  monitor:
    external: true
secrets:
  cloudflare_email:
    external: true
  cloudflare_api_key:
    external: true

traefik.yml

api:
  dashboard: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443

log:
  level: DEBUG


accessLog:
  filePath: "/traefik.log"
  bufferingSize: 100
  filters:
    statusCodes:
      - "400-499"

metrics:
  prometheus:
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0

providers:
  file:
    directory: "/configurations/"
    watch: true

certificatesResolvers:
  dns-cloudflare:
    acme:
      email: "$CLOUDFLARE_EMAIL"
      storage: "/acme.json"
      dnsChallenge:
        provider:
          - cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        delayBeforeCheck: 90

middleware.yml

http:
  middlewares:
    basic-auth:
      basicAuth:
        realm: "Traefik2 Basic Auth"
        usersFile: "/configurations/.htpasswd"

    app-rate-limit:
      rateLimit:
        average: 100
        burst: 50

    secure-headers:
      headers:
        accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
        accessControlMaxAge: 100
        hostsProxyHeaders: ["X-Forwarded-Host"]
        stsSeconds: 63072000
        isDevelopment: false
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https:domain.tld" #CSP takes care of this but may be needed for organizr.
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""

    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://authelia.domain.tld"
        trustForwardHeader: true
        authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

    nc-headers:
      headers:
        customResponseHeaders:
          X-Robots-Tag: 'none'
        customFrameOptionsValue: 'sameorigin'
        frameDeny: false

    nc-wellknown:
      replacePathRegex:
        regex: '^(/.well-known.*)'
        replacement: '/index.php$${1}'

routers.yml


http:
  routers:
    traefik:
      rule: Host(`traefik.domain.tld`)
      entrypoints: websecure
      tls: true
      service: api@internal
      middlewares:
        - basic-auth
        - redirect-to-https
        - secure-headers
        - app-rate-limit

Another thing is I cannot get frame deny to work. It always says false.

Anyone at all able to answer this?

Are you testing the right domain? The Traefik config clearly shows a global http->https redirect, so something seems odd.

Do you use Cloudflare only for DNS, or is "security" enabled and it is doing some kind of proxying? Where is your domain pointing to?

I'm using Cloudflare proxying also.

Assuming you are using the cf security and certificates, did you set cloudflare to always redirect to https?

You are using customFrameOptionsValue: "allow-from https:domain.tld". This will override frameDeny: true (see the Traefik Headers Documentation); you cannot have both.
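To tell which endpoint the scanner is actually grading, an added check script (not from this thread or from Traefik) that evaluates captured response headers against the report's Redirection, HSTS, X-Content-Type-Options and X-Frame-Options tests; the host name traefik.domain.tld is the poster's placeholder and the three sample responses are constructed. Run it once against the origin's own IP and once against the Cloudflare-proxied name to see whether Traefik's redirect or the proxy's answer is what arrives on port 80.

```shell
#!/bin/sh
# Added example (not from the thread): evaluates captured response headers the way
# the report's Redirection/HSTS/X-Content-Type-Options/X-Frame-Options tests do.
# Feed it real output from: curl -sI --max-redirs 0 http://traefik.domain.tld/
# The three samples below are constructed, not captured from the poster's host.
SAMPLE_HTTP_REDIRECT='HTTP/1.1 308 Permanent Redirect
Location: https://traefik.domain.tld/
Content-Length: 0'
SAMPLE_HTTP_NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: allow-from https:domain.tld'

# header_value NAME RAW -> value of the first matching header, case-insensitive, trimmed
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}
# status_code RAW -> numeric status from the status line
status_code() { printf '%s\n' "$1" | head -n 1 | awk '{print $2}'; }

# Redirection test: the port-80 response must be a 301/308 to an https:// URL.
check_http_redirect() {
  code=$(status_code "$1"); loc=$(header_value Location "$1")
  case "$code" in 301|308) ;; *) echo "FAIL redirect: status $code, want 301/308"; return 1 ;; esac
  case "$loc" in https://*) echo "OK redirect -> $loc"; return 0 ;;
    *) echo "FAIL redirect: Location '$loc' is not https://"; return 1 ;; esac
}

# Header tests on the HTTPS response: prints one OK/FAIL line per test and
# returns 1 if any test failed (these are the headers secure-headers should add).
check_https_headers() {
  rc=0
  hsts=$(header_value Strict-Transport-Security "$1")
  case "$hsts" in max-age=[0-9]*) echo "OK hsts: $hsts" ;;
    *) echo "FAIL hsts: header missing or malformed"; rc=1 ;; esac
  nosniff=$(header_value X-Content-Type-Options "$1" | tr '[:upper:]' '[:lower:]')
  [ "$nosniff" = nosniff ] && echo "OK nosniff" || { echo "FAIL nosniff: '$nosniff'"; rc=1; }
  xfo=$(header_value X-Frame-Options "$1" | tr '[:upper:]' '[:lower:]')
  case "$xfo" in deny|sameorigin) echo "OK x-frame-options: $xfo" ;;
    *) echo "FAIL x-frame-options: '$xfo' (only DENY or SAMEORIGIN pass)"; rc=1 ;; esac
  return $rc
}
```

With the constructed HTTPS sample, HSTS and nosniff pass while the allow-from value fails the X-Frame-Options test, matching the point made above about customFrameOptionsValue.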
