I am running around 20 service stacks on a docker swarm host that all expose their individual https frontends which are protected by basic auth using Traefik (same username and password for all services).
I would love to centrally manage the .htpassword file or username/passwordHash, so that if there is a requirement for a password change, I can do it once and it will affect all services immediately or after redeployment. I am using Swarmpit to orchestrate Docker Swarm.
I looked into Docker Secrets and Docker Configs but both seem to be immutable if actively used by a running service. I also thought about environment variables, but I cannot really find my way through.
How should I go about this?
If you don't want to use docker secrets/configs for this then you can do the following (for Traefik 2.1):
First add a dynamic configuration directory to your traefik config:

    --providers.file.directory=/my/path/to/dynamic/conf
    --providers.file.watch=true

Then mount a volume in this location and create your middleware file (middlewares.yml for example):

    http:
      middlewares:
        defaultAuth:
          basicAuth:
            users:
              - "admin:$apr1$13r2hvw0$Oljx0V7CwdQJG7WxLWRVt0" # correcthorsebatterystaple

Now you can edit your users array and traefik will pick the changes automatically.
To use the middleware just reference it on your docker labels:

    - traefik.http.routers.<my_router_name>.middlewares=defaultAuth@file

For traefik 1.x you could add the following label:

    - traefik.frontend.auth.basic.usersFile=/path/.htpasswd

Then update the file when needed and restart the affected services. I don't use 1.x anymore so that one isn't tested.
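
An added example, not part of the answer above: a small pre-deployment check for the shared `middlewares.yml`, since one bad line in a centrally managed users list locks out or weakens every service at once. It assumes entries may have been copied from compose labels (where `$` is escaped as `$$`); the function names and the `bob` and `carol` sample entries are constructed for illustration.

```python
import re

# Hash formats Traefik's basicAuth middleware accepts: htpasswd MD5 (apr1), bcrypt, SHA1.
HASH_FORMATS = {
    "apr1-md5": re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),
    "sha1": re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
}

# Constructed sample: the admin line is the one from the answer, bob and carol are made up.
SAMPLE = r'''
http:
  middlewares:
    defaultAuth:
      basicAuth:
        users:
          - "admin:$apr1$13r2hvw0$Oljx0V7CwdQJG7WxLWRVt0"  # from the answer
          - "bob:$$apr1$$13r2hvw0$$Oljx0V7CwdQJG7WxLWRVt0"  # copied from a compose label
          - "carol:hunter2"                                  # plaintext, not a hash
'''

def extract_users(yaml_text):
    """Collect the list items under each `users:` key (line-based, no YAML library)."""
    users, in_users = [], False
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("users:"):
            in_users = True
        elif in_users and stripped and not stripped.startswith("#"):
            m = re.match(r'^\s*-\s*"?([^"#\s]+)"?', line)
            if m:
                users.append(m.group(1))
            else:
                in_users = False  # first non-list line ends the users block
    return users

def check_entry(entry):
    """Return a short status string for one user:hash entry."""
    user, sep, digest = entry.partition(":")
    if not (sep and user and digest):
        return "malformed"
    if "$$" in digest:
        return "doubled-dollar"  # compose-label escaping left in a file-provider entry
    for name, pattern in HASH_FORMATS.items():
        if pattern.match(digest):
            return "ok:" + name
    return "unrecognized"  # plaintext or an unsupported hash format

def audit(yaml_text):
    return {e.partition(":")[0]: check_entry(e) for e in extract_users(yaml_text)}

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(f"{user:8} {status}")
```

Running the check before writing the file into the watched directory catches a broken entry before Traefik reloads it for all routers that reference `defaultAuth@file`.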