There's a manual in here for that but it's heavily tight for TOML, I need CLI argument, as I'm in docker-swarm with Consul setup and highly available
consul:
image: consul
command: agent -server -bootstrap-expect=1
volumes:
- consul-data:/consul/data
environment:
- CONSUL_LOCAL_CONFIG={"datacenter":"ams3","server":true}
- CONSUL_BIND_INTERFACE=eth0
- CONSUL_CLIENT_INTERFACE=eth0
deploy:
replicas: 1
placement:
constraints:
- node.role == manager
restart_policy:
condition: on-failure
networks:
- traefik
proxy_init:
image: traefik:1.6.3-alpine
command: >
storeconfig
--api
--entrypoints=Name:http Address::80 Redirect.EntryPoint:https
--entrypoints=Name:api Address::8080 Auth.Basic.Users:test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/ Auth.HeaderField:X-WebAuth-User
--entrypoints=Name:https Address::443 TLS
--defaultentrypoints=http,https
--acme
--acme.storage="traefik/acme/account"
--acme.entryPoint=https
--acme.httpChallenge.entryPoint=http
--acme.onHostRule=true
--acme.acmelogging=true
--acme.onDemand=false
--acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
--acme.email="whatever@gmail.com"
--docker
--docker.swarmMode
--docker.domain=swarm.xxx.io
--docker.endpoint=unix://var/run/docker.sock
--docker.watch
--consul
--consul.watch
--consul.endpoint=consul:8500
--consul.prefix=traefik
--logLevel=DEBUG
--accesslogsfile=/dev/stdout
networks:
- traefik
deploy:
placement:
constraints:
- node.role == manager
restart_policy:
condition: on-failure
depends_on:
- consul
proxy:
image: traefik:1.6.3-alpine
depends_on:
- traefik_init
- consul
command: >
--consul
--consul.endpoint=consul:8500
--consul.prefix=traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- webgateway
- traefik
ports:
- 80:80
- 443:443
- 8080:8080
deploy:
mode: replicated
replicas: 2
restart_policy:
condition: on-failure
placement:
constraints:
- node.role == manager
update_config:
parallelism: 1
delay: 10s
volumes:
- "/var/run/docker.sock:/var/run/docker.sock
You can also set labels for traefik container too. Traefik can manage own container so you can set http basic auth through label like you do with any other container. The only problem I've had is that DNS challenge from ACME client fails, but it works with self-signed certificates.
deploy:
labels:
- "traefik.docker.network=infra_traefik"
- "traefik.port=8080"
- "traefik.tags=monitoring"
- "traefik.backend.loadbalancer.stickiness=true"
- "traefik.frontend.passHostHeader=true"
- "traefik.frontend.rule=Host:proxy01.swarm.lympo.io,proxy.swarm.lympo.io"
- "traefik.frontend.auth.basic=admin:$$apr1$$Xv0Slw4m$$MqFgCq4Do83fcKIsPTDGu/"
restart_policy:
condition: on-failure
placement:
constraints:
- node.role == manager