Middlewares : questions and suggestions

Hi,

I am playing with Traefik v2 because I want to understand it better before deploying it in production. My goal is to replace several nginx reverse proxies (that manage several servers located in different network areas) with a single instance of Traefik.

  1. Some middlewares (headers) are not interpreted.
    In a dynamic config file I have created
http:
  middlewares:
    testfirefoxheaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true

I am testing this testfirefoxheaders middleware with the Traefik container itself (HTTP router, no HTTPS) and the labels are the following

      - traefik.http.routers.traefik-dash2-unsecure.rule=Host("traefik.my.domain")
      - traefik.http.routers.traefik-dash2-unsecure.entrypoints=web
      - traefik.http.routers.traefik-dash2-unsecure.middlewares=testfirefoxheaders@file
      - traefik.http.routers.traefik-dash2-unsecure.service=api@internal

When I use the Firefox development tools and analyse the headers, I cannot see any of X-XSS-Protection or X-Frame-Options... in the response headers

Is there something i missed?

  2. Some important middleware information is not in the documentation

Thanks to this forum, I have found some answers to some of my questions. I have read that

  • the middleware order is the same as the definition order. Sorry, I just found it in the documentation
  • we cannot create multi-type middlewares

Maybe I am wrong but I have not found this information in the documentation, and in my opinion it is important.

The concept of middleware is really powerful, chains as well. My goal is to create a catalog of reusable unit middlewares. Now I know that we cannot mix multi-type middlewares, but I still don't know whether, in the same router, we can define 2 middlewares of the same type. I think this information is also relevant and could be in the documentation.

For example, in the dynamic config I have created 2 middlewares for IP whitelisting

http:
  middlewares:
    Station1IpWhitelist:
      ipWhiteList:
        sourceRange:
        - 172.20.x.x/32
    Station2IpWhitelist:
      ipWhiteList:
        sourceRange:
        - 172.20.y.y/32

If in a router definition I use one of them, everything works normally. If I combine these 2 middlewares, neither whitelist is working.

Note: as I said, I don't know if it's normally possible to do so and if it should work, but in case it cannot work, I really think that allowing several middlewares of the same type in a router would make Traefik even more powerful.

Best regards,

Alexandre
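An added example (not part of the thread, not Traefik code) for checking whether the three `headers` options above actually reached the response: it parses a raw HTTP response, as produced by `curl -si`, and reports, per option, whether the corresponding header is present with the expected value. The header/value pairs are, to my understanding, what Traefik v2's headers middleware sets for browserXssFilter, contentTypeNosniff and frameDeny; the two sample responses are constructed, one without the headers (the dashboard case reported above) and one with them.

```python
# Header each of the three `headers` middleware options is expected to add.
# Values are the ones Traefik v2's headers middleware sets for these options,
# as I understand them; they are not taken from the thread.
EXPECTED = {
    "browserXssFilter":   ("X-XSS-Protection", "1; mode=block"),
    "contentTypeNosniff": ("X-Content-Type-Options", "nosniff"),
    "frameDeny":          ("X-Frame-Options", "DENY"),
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, headers, body).

    Header names are lower-cased (Go canonicalises them, e.g. X-Xss-Protection)
    and repeated headers are kept as a list of values.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line instead of aborting the check
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def check_security_headers(raw: bytes) -> dict:
    """Return {option: 'ok' | 'missing' | 'unexpected value ...'} for each option."""
    _, headers, _ = parse_response(raw)
    report = {}
    for option, (name, want) in EXPECTED.items():
        got = headers.get(name.lower())
        if got is None:
            report[option] = "missing"
        elif want.lower() not in (v.lower() for v in got):
            report[option] = f"unexpected value {got[0]!r}"
        else:
            report[option] = "ok"
    return report


# Constructed sample responses (not captured from the setup described in the thread).
DASHBOARD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Date: Mon, 01 Jan 2020 00:00:00 GMT\r\n"
    b"\r\n"
    b"<html>...</html>"
)

WHOAMI_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Xss-Protection: 1; mode=block\r\n"
    b"\r\n"
    b"Hostname: whoami\r\n"
)

if __name__ == "__main__":
    for label, raw in (("dashboard", DASHBOARD_RESPONSE), ("whoami", WHOAMI_RESPONSE)):
        print(label, check_security_headers(raw))
```

Against a live instance, `curl -si http://traefik.my.domain/ | python3 -c 'import sys; ...'` with the bytes from stdin fed to `check_security_headers` gives the same report, which is quicker to repeat across many routers than reading the Firefox network panel. The comparison is case-insensitive on purpose: Go's `net/http` rewrites header names to canonical form, so a capture shows `X-Xss-Protection` even though the option name suggests `X-XSS-Protection`.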

As far as the headers not working, my guess would be that they are not supposed to work over plain HTTP, as opposed to HTTPS, but I may be wrong here. I tried to replicate your configuration and did not get the headers either. Maybe someone from the Traefik team could have a look and confirm. @daniel.tomcej any thoughts?

As for the 2 whitelist middlewares, I did not try that, but from your description it sounds like they are working as expected. If you block anything but A and then block anything but B, you effectively block everything, because A won't get through the second filter, B won't get through the first, and everything else won't get through either. It looks like you can use multiple source ranges in the same ipWhiteList middleware if that's what you want.

Hi, thank you very much Zespri for taking the time to answer and make some tests :slight_smile:
About the security headers (browserXssFilter...), I have done different tests with the Traefik container itself using Firefox or curl but never saw them (the headers) in the HTTP answer. Thank you as well for confirming that in your tests you had the same behavior.

Concerning the whitelist middleware, again, thank you because I now understand how they work :slight_smile: (block anything but). I know that I can use multiple source ranges, but in my use case it would have been really useful if mixing multiple whitelist middlewares worked like this: block everything but allow [A (from middleware1) or B (from middleware2) or C (from middleware3)].
In fact I manage more than 30 networks with different categories of people and, depending on the network, I would allow or not allow access to the services (behind Traefik) we provide. I wanted to use whitelist middlewares as if I were going shopping :slight_smile:: service S1 must be accessible from networks N1, N8 and N30, for example. Hope you understand what I mean because I am not (at all) fluent in English.

Again, thank you very much Zespri. Hope someone from the Traefik team can check the problem I mentioned with the security headers not being passed to the answer.

Have a nice day.

Regards,

Alexandre
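An added example (mine, not the thread's or Traefik's code) modelling both points above: Zespri's explanation that a router's middleware list is an AND, so two ipWhiteList middlewares in one router let nothing through, and Alexandre's "service S1 from networks N1, N8 and N30" use case, which needs an OR. The model builds one ipWhiteList-like middleware per service from a catalog of networks, so the reusable unit becomes the network list rather than the middleware, and renders the equivalent Traefik dynamic-config structure. The network catalog, the /32 addresses standing in for the `x.x`/`y.y` in the post, and the `<service>-allow` naming scheme are all constructed for the example.

```python
import ipaddress
import json

# Hypothetical network catalog: names and ranges are constructed for this example.
NETWORKS = {
    "N1": "10.1.0.0/16",
    "N8": "10.8.0.0/16",
    "N30": "172.20.30.0/24",
}


def ip_whitelist(source_ranges):
    """Model of one ipWhiteList middleware: allow a client IP if it is in ANY listed range."""
    nets = [ipaddress.ip_network(r, strict=False) for r in source_ranges]

    def allow(client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in nets)

    return allow


def chain(*middlewares):
    """Model of a router's middleware list: EVERY middleware must allow the request (AND)."""

    def allow(client_ip: str) -> bool:
        return all(mw(client_ip) for mw in middlewares)

    return allow


def service_whitelist(network_names):
    """Build ONE middleware allowing the union of the named networks (the OR the thread asks for)."""
    return ip_whitelist([NETWORKS[n] for n in network_names])


def render_dynamic_config(service_networks):
    """Emit the Traefik dynamic-config structure (dump it as YAML for the file provider)
    with one ipWhiteList middleware per service; '<service>-allow' is a naming choice of mine."""
    middlewares = {}
    for service, names in service_networks.items():
        middlewares[f"{service}-allow"] = {
            "ipWhiteList": {"sourceRange": [NETWORKS[n] for n in names]}
        }
    return {"http": {"middlewares": middlewares}}


# The thread's two-station case, with constructed /32 addresses in place of x.x / y.y.
STATION1 = ip_whitelist(["172.20.1.10/32"])
STATION2 = ip_whitelist(["172.20.2.20/32"])
BOTH_CHAINED = chain(STATION1, STATION2)                            # two middlewares in one router: AND
BOTH_MERGED = ip_whitelist(["172.20.1.10/32", "172.20.2.20/32"])    # one middleware, two ranges: OR

if __name__ == "__main__":
    for ip in ("172.20.1.10", "172.20.2.20", "192.0.2.1"):
        print(ip, "chained:", BOTH_CHAINED(ip), "merged:", BOTH_MERGED(ip))
    print(json.dumps(render_dynamic_config({"S1": ["N1", "N8", "N30"]}), indent=2))
```

Running it shows the behaviour observed in the thread: both station addresses are rejected by the chained pair and accepted by the merged middleware. One caveat for the real middleware: it matches against the connecting client's address unless `ipStrategy` is configured to read an entry of X-Forwarded-For, in which case the allowlist is only as trustworthy as the proxies allowed to set that header.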

@Ch1ch1, thank you for your help. I share your opinion and would have been happy if, specifically for the whitelist middleware, an OR was used instead of AND. Maybe we can imagine that one day there will be options for middlewares to specify the logical operation (OR/AND...)

Best regards,


@edger

I posted an issue here: https://github.com/containous/traefik/issues/5568

Note that with services other than the dashboard, the response headers are added. For example:

docker-compose.yml
version: "3.3"
services:
  traefik:
    image: "traefik:v2.0.0"
    container_name: "traefik"
    command:
      - --entryPoints.web.address=:80
      - --log.level=DEBUG
      - --accesslog
      - --api
      - --providers.docker.exposedByDefault=false
      - --providers.file.filename=/dyn.yaml
    ports:
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./dyn.yaml:/dyn.yaml"
    labels:
      #- traefik.enable=true
      - traefik.http.routers.traefik-dash2-unsecure.rule=PathPrefix("/")
      - traefik.http.routers.traefik-dash2-unsecure.entrypoints=web
      - traefik.http.routers.traefik-dash2-unsecure.middlewares=testfirefoxheaders@file
      - traefik.http.routers.traefik-dash2-unsecure.service=api@internal
  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami_http.rule=PathPrefix(`/`)"
      - "traefik.http.routers.whoami_http.entrypoints=web"
      - traefik.http.routers.whoami_http.middlewares=testfirefoxheaders@file
dyn.yaml
http:
  middlewares:
    testfirefoxheaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true

@zespri

Thank you very much Zespri for the time you spent opening this issue in Github.
I also confirm that with services other than the dashboard, these response headers are added.

Have a nice day!

Best regards