Traefik can add simple login/password authentication to your services. Some applications have no authentication mechanism of their own, and exposing such services can lead to security problems.
|1.1||08/2023||Update versions, paths and some formulations|
Goal: Use basic authentication (HTTP basic auth) with Traefik
docker compose (plugin) 2.20.x,
Execution context:

```
jho@vmi866042:/opt/docker/dc$ tree
.
├── conf
│   ├── acme.json
│   ├── traefik.yml
│   ├── traefikdynamic
│   │   ├── general.yml
│   │   ├── routersservices.yml
├── docker-compose.yml
└── logs
    ├── traefikAccess.log
    ├── traefik.log
```
- path containing all folders and files:
- path of the main configuration file for Traefik:
- folder containing all dynamic configuration files:
- path of the file used to store SSL certificates for Let's Encrypt (or another provider):
- folder to store logs:
To do this, I'm using Traefik's "dynamic configuration" (more information here).
We will use a "middleware", which executes an operation before the request reaches the called service. The available types are listed here:
- HTTP : https://doc.traefik.io/traefik/middlewares/http/overview/#available-http-middlewares
- TCP : https://doc.traefik.io/traefik/middlewares/tcp/overview/#available-tcp-middlewares
Passwords for Traefik basic authentication are hashed with MD5, SHA1 or BCrypt. Here, I'm using BCrypt with the website "bcrypt.fr" to generate hashes. You can also use the command htpasswd (it needs the package
Basic authentication consists of a login and a password. Only the password needs to be hashed (bcrypt here). Let's add the middleware and protect the Traefik dashboard with it in the dynamic configuration file (in my example :
```yaml
http:
  middlewares:
    authentification:
      basicAuth:
        users:
          # admin / admin
          - admin:$2y$10$KbBxnjLyBfFi355gJKhgJuXzGUaWbSRvNnvB2R9WDKpLFG1NEdcdi
  routers:
    rt-traefik:
      entryPoints:
        - websecure
      middlewares:
        - authentification
      service: api@internal
      rule: Host(`traefik.rezo.net`)
```
The created user (admin) has the password "admin". Because this is Traefik dynamic configuration, there is no need to restart the containers. Basic authentication provides a very low level of security; it does not replace other security mechanisms.
This middleware can be used on any resource (router) in your Traefik setup. Remember to add the middleware's name to the definition of each router you want to protect.
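Since the middleware accepts MD5, SHA1 or BCrypt hashes, it is worth checking which scheme each configured user actually has. The script below is an added example, not part of the original article or of Traefik: `classify`, `audit_users` and the `MIN_BCRYPT_COST` policy value are hypothetical names, it assumes htpasswd-style `name:hash` entries as written under `users:`, and the sample entries are constructed except for the admin hash shown above.

```python
import base64
import hashlib
import re

MIN_BCRYPT_COST = 10  # assumed policy for this example, not a Traefik setting
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample entries; only the admin hash comes from the article.
SAMPLE = [
    "admin:$2y$10$KbBxnjLyBfFi355gJKhgJuXzGUaWbSRvNnvB2R9WDKpLFG1NEdcdi",
    "ops:$2y$05$" + "a" * 53,
    "legacy:{SHA}" + base64.b64encode(hashlib.sha1(b"legacy").digest()).decode(),
    "old:$apr1$abcdefgh$" + "x" * 22,
]

def classify(hashed):
    """Return (scheme, bcrypt cost or None) for one htpasswd-style hash."""
    m = BCRYPT_RE.match(hashed)
    if m:
        return "bcrypt", int(m.group(1))
    if hashed.startswith("$apr1$"):   # htpasswd MD5 format
        return "md5", None
    if hashed.startswith("{SHA}"):    # htpasswd SHA1 format, unsalted
        return "sha1", None
    return "unknown", None

def audit_users(lines):
    """Return (user, finding) tuples for 'name:hash' basicAuth entries."""
    findings = []
    for line in (raw.strip() for raw in lines if raw.strip()):
        name, sep, hashed = line.partition(":")
        if not sep or not name or not hashed:
            findings.append((name or line, "malformed entry, expected name:hash"))
            continue
        scheme, cost = classify(hashed)
        if scheme == "unknown":
            findings.append((name, "unrecognised hash format"))
        elif scheme == "md5":
            findings.append((name, "MD5 (apr1) hash, re-hash with bcrypt"))
        elif scheme == "sha1":
            findings.append((name, "unsalted SHA1 hash, re-hash with bcrypt"))
            # No salt: a single SHA1 computation tests a candidate password.
            guess = "{SHA}" + base64.b64encode(hashlib.sha1(name.encode()).digest()).decode()
            if guess == hashed:
                findings.append((name, "password equals the user name"))
        elif cost < MIN_BCRYPT_COST:
            findings.append((name, f"bcrypt cost {cost} below {MIN_BCRYPT_COST}"))
    return findings
```

A format check cannot reveal that a well-formed bcrypt hash hides a guessable password such as the admin/admin pair above; verifying that requires a bcrypt library.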