Trying to chain middlewares: basicAuth + security headers but headers never gets applied


Currently running Traefik 2.2. I am using docker-compose.yml, traefik.yml and dynamic.yml as a file provider.

I have created 2 middlewares, one to provide basic authentication and the other to provide security headers. Here is what they look like in the dynamic.yml file:

          - "user:password"

        forceSTSHeader: true
        frameDeny: true
        sslRedirect: true
        stsPreload: true
        contentTypeNosniff: true
        browserXssFilter: true
        stsIncludeSubdomains: true
        stsSeconds: 315360000

Separately they work great but I cannot get them to apply together to a router. I have tried with a chain in my dynamic.yml:

          - security
          - testauth

and then the following in the docker-compose file:

    - "traefik.http.routers.whoami.middlewares=allin@file"

When I check in my dashboard the chain is correctly applied but the headers middleware is not being applied, only basicAuth

So I tried by calling both middleware by their labels in the docker-compose.yml

    - "traefik.http.routers.whoami.middlewares=security@file,testauth@file"

Still the headers doesn't get applied even if they are both shown as being applied to the router in the dashboard.

I must be missing something obvious but I couldn't find a solution.Could it be that the testing results I am receiving from websites such as ssl labs are wrong because of the authentication being applied so they never get to read the headers?

Thanks in advance. Apologies for the formatting, trying to fix it.

Yes. Very likely. The Auth middleware is the first evaluated.

Try with curl and you should them.

Thanks for your reply. Would you know the curl command I should run?

Tried with the following command:

curl -i -u "user":"password" -X GET -H "Content-Type:application/json"

and got the following results:

content-type: text/plain; charset=utf-8
date: Sat, 09 May 2020 03:52:28 GMT
strict-transport-security: max-age=315360000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
content-length: 440

I guess all is working correctly and it was all due to the results being based on the authentication middleware and not reaching the security headers.

Case can considered closed.