Search code examples
http-authenticationtraefik

How to set password for Traefik dashboard with CLI argument?

There's a manual in here for that but it's heavily tight for TOML, I need CLI argument, as I'm in docker-swarm with Consul setup and highly available

   consul:
     image: consul
     command: agent -server -bootstrap-expect=1
     volumes:
       - consul-data:/consul/data
     environment:
       - CONSUL_LOCAL_CONFIG={"datacenter":"ams3","server":true}
       - CONSUL_BIND_INTERFACE=eth0
       - CONSUL_CLIENT_INTERFACE=eth0
     deploy:
      replicas: 1
      placement:
       constraints:
         - node.role == manager
      restart_policy:
        condition: on-failure
     networks:
       - traefik

proxy_init:
  image: traefik:1.6.3-alpine
  command: >
    storeconfig
    --api
    --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
    --entrypoints=Name:api Address::8080 Auth.Basic.Users:test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/ Auth.HeaderField:X-WebAuth-User
    --entrypoints=Name:https Address::443 TLS
    --defaultentrypoints=http,https
    --acme
    --acme.storage="traefik/acme/account"
    --acme.entryPoint=https
    --acme.httpChallenge.entryPoint=http
    --acme.onHostRule=true
    --acme.acmelogging=true
    --acme.onDemand=false
    --acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
    --acme.email="[email protected]"
    --docker
    --docker.swarmMode
    --docker.domain=swarm.xxx.io
    --docker.endpoint=unix://var/run/docker.sock
    --docker.watch
    --consul
    --consul.watch
    --consul.endpoint=consul:8500
    --consul.prefix=traefik
    --logLevel=DEBUG
    --accesslogsfile=/dev/stdout
  networks:
    - traefik
  deploy:
    placement:
      constraints:
        - node.role == manager
    restart_policy:
      condition: on-failure
  depends_on:
    - consul

proxy:
  image: traefik:1.6.3-alpine
  depends_on:
    - traefik_init
    - consul
  command: >
    --consul
    --consul.endpoint=consul:8500
    --consul.prefix=traefik
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
  networks:
    - webgateway
    - traefik
  ports:
    - 80:80
    - 443:443
    - 8080:8080
  deploy:
    mode: replicated
    replicas: 2
    restart_policy:
      condition: on-failure
    placement:
      constraints:
        - node.role == manager
    update_config:
      parallelism: 1
      delay: 10s
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock
Solution

  • You can also set labels for traefik container too. Traefik can manage own container so you can set http basic auth through label like you do with any other container. The only problem I've had is that DNS challenge from ACME client fails, but it works with self-signed certificates.

     deploy:
        labels:
            - "traefik.docker.network=infra_traefik"
            - "traefik.port=8080"
            - "traefik.tags=monitoring"
            - "traefik.backend.loadbalancer.stickiness=true"
            - "traefik.frontend.passHostHeader=true"
            - "traefik.frontend.rule=Host:proxy01.swarm.lympo.io,proxy.swarm.lympo.io"
            - "traefik.frontend.auth.basic=admin:$$apr1$$Xv0Slw4m$$MqFgCq4Do83fcKIsPTDGu/"
        restart_policy:
          condition: on-failure
        placement:
          constraints:
            - node.role == manager