HSTS with Traefik
The settings to get an A+ rating on SSL Labs!
I didn’t find any simple guide out there to do this so I thought I’d write it myself.
Traefik HSTS Configuration
The Traefik documentation talks about HSTS headers in only one place and it doesn’t even provide an example for it. All Traefik security headers, including HSTS, can be found in a separate GitHub repo: unrolled/secure.
Add the following Docker labels to your container or your traefik.toml file’s frontend:

    traefik.frontend.headers.STSSeconds: "31536000"
    traefik.frontend.headers.STSIncludeSubdomains: "true"
    traefik.frontend.headers.STSPreload: "true"

While you’re there, only accept the latest ciphers. This can be configured on the HTTPS entrypoint:

    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
        minVersion = "VersionTLS12"
        cipherSuites = [
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        ]

What is HSTS?
HTTP Strict Transport Security (HSTS) tells browsers that your site should ONLY be accessed with HTTPS instead of HTTP. After the initial connection over HTTPS, your browser will never load the site using HTTP and will attempt to convert all connections using HTTP to HTTPS instead.
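To confirm that a response really carries the policy set by the three labels above, the header value can be parsed and checked. This is an added example, not code from this post or from Traefik; the function names are hypothetical, the sample header values are constructed, and the expected max-age is the STSSeconds value used on this page.

```python
EXPECTED_MAX_AGE = 31536000  # STSSeconds value from the labels on this page


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {lowercased name: argument}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the RFC 6797 grammar tolerates empty directives
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if sep else None
    age = directives.get("max-age")
    if age is None:
        raise ValueError("max-age is required")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(age)
    return directives


def check_hsts(value):
    """Return a list of problems; an empty list means the header matches the labels."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    problems = []
    if d["max-age"] == 0:
        problems.append("max-age=0 tells the browser to drop the HSTS policy")
    elif d["max-age"] < EXPECTED_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {EXPECTED_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (STSIncludeSubdomains)")
    if "preload" not in d:
        problems.append("preload missing (STSPreload)")
    return problems


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real server.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300", "includeSubDomains"):
        print(repr(sample), "->", check_hsts(sample) or "OK")
```

Feed it the Strict-Transport-Security value from an HTTPS response of your own site; browsers ignore the header when it arrives over plain HTTP.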
Some other websites to check your HTTPS configuration as well as other web features:
- SSL Labs is the de facto place to test your site’s SSL configuration
- Cipherli.st provides settings for Apache, NGINX and Lighttpd
- SSL Decoder provides similar tests as SSL Labs
- Observatory by Mozilla is a tester that can do HTTP, TLS, SSH
- CryptCheck is a site that tests HTTPS, SMTP and XMPP
- ImmuniWeb provides free tests for website security, mobile app security, SSL and phishing.
- Security Headers checks for headers in your site and gives it a rating
- Mozilla provide all these settings already but for some reason there’s no easy guide out there, so I made one.