Hi, I've discovered Traefik recently and so far it has been a great tool! But to get into the main topic, I'm trying to define multiple "headers" middlewares. Specifically:
- One "global" that contains some security headers like HSTS, XSS-Protection, etc. Defined in a file provider
- And another that contains the CSP header for a docker container (specific to that container)
In the Traefik dashboard they appear as if the two are enabled (and without errors), but on the requests only the last middleware takes place (even when they don't have common headers).
Here is my definition of the middlewares in a file:
```yaml
middlewares:
  # Other middlewares...
  secure-headers:
    headers:
      stsSeconds: 31536000 # Strict-Transport-Security
      stsIncludeSubdomains: true
      stsPreload: true
      browserXssFilter: true # X-XSS-Protection
      frameDeny: true # X-Frame-Options
      featurePolicy: "vibrate 'none';" # Feature-Policy header
      contentTypeNosniff: true # X-Content-Type-Options
      referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
```
And the labels for the specific container:
```yaml
labels:
  # Other labels ...
  # CSP headers
  - "traefik.http.middlewares.geoserver-csp-headers.headers.contentSecurityPolicy=img-src 'self'; script-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'self'; report-uri https://xxxxxxxx.report-uri.com/r/d/csp/enforce"
  # Middleware
  - "traefik.http.routers.geoserver-secure.middlewares=secure-headers@file, geoserver-csp-headers@docker"
  #- "traefik.http.routers.geoserver-secure.middlewares=geoserver-csp-headers@docker,secure-headers@file"
```
I've tried changing the order of the middlewares and the same thing applies. Only the headers present in the last middleware are applied, the others are discarded.
I thought that this may be related to how I declared the list of middlewares in the docker labels, but in the documentation I see that they use the same syntax:
```yaml
- "traefik.http.routers.router0.middlewares=foobar, foobar"
```
Also in the documentation of the middlewares I don't see anywhere that the middlewares overwrite each other. Can you guys help me out? I can't seem to find where the issue is, as both middlewares seem to be declared correctly.
Thanks,
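
A way to confirm the symptom described above from a captured response, as an added example that is not part of the original post: it maps each `headers` option to the response header named in the post's config comments and reports which middleware in the chain left no trace. The function names and both sample responses are constructed for illustration.

```python
# Added example: attribute missing response headers to the middleware that should set them.
# Option -> header mapping follows the comments in the post's config.
OPTION_HEADER = {
    "stsSeconds": "Strict-Transport-Security",
    "browserXssFilter": "X-XSS-Protection",
    "frameDeny": "X-Frame-Options",
    "featurePolicy": "Feature-Policy",
    "contentTypeNosniff": "X-Content-Type-Options",
    "referrerPolicy": "Referrer-Policy",
    "contentSecurityPolicy": "Content-Security-Policy",
}
# Middleware chain from the post: name -> options that emit a header.
CHAIN = {
    "secure-headers@file": ["stsSeconds", "browserXssFilter", "frameDeny",
                            "featurePolicy", "contentTypeNosniff", "referrerPolicy"],
    "geoserver-csp-headers@docker": ["contentSecurityPolicy"],
}

def parse_headers(raw):
    """Parse `curl -sI` style output into a set of lowercase header names."""
    names = set()
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())
    return names

def audit(raw, chain=CHAIN):
    """Return {middleware: [headers it should have set but that are absent]}."""
    present = parse_headers(raw)
    return {mw: [OPTION_HEADER[o] for o in opts if OPTION_HEADER[o].lower() not in present]
            for mw, opts in chain.items()}

def dropped(raw, chain=CHAIN):
    """Middlewares whose expected headers are all absent, i.e. that had no effect."""
    report = audit(raw, chain)
    return [mw for mw, missing in report.items() if missing and len(missing) == len(chain[mw])]

# Constructed sample responses (not captured from a real server).
SYMPTOM = "HTTP/2 200\r\ncontent-type: text/html\r\ncontent-security-policy: img-src 'self'\r\n\r\n"
HEALTHY = SYMPTOM.rstrip("\r\n") + "\r\n" + "".join(
    f"{OPTION_HEADER[o].lower()}: x\r\n" for o in CHAIN["secure-headers@file"]) + "\r\n"

if __name__ == "__main__":
    for label, raw in (("symptom", SYMPTOM), ("healthy", HEALTHY)):
        print(label, "dropped:", dropped(raw), "missing:", audit(raw))
```

Capture the headers over HTTPS with `curl -sI`: Traefik only sends Strict-Transport-Security on TLS requests unless `forceSTSHeader` is set, so a plain-HTTP capture would report that header as missing even when the middleware works.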