
Protect Traefik v3 Dashboard by BasicAuth


I fail to protect the Traefik v3 dashboard using basic auth. This is what I tried:

  reverse-proxy:
    # official v3 traefik docker image
    image: traefik:v3.1
    # enables web UI and tells traefik to listen to docker
    security_opt:
      - no-new-privileges:true
    command: --api.insecure=true --providers.docker=true --providers.docker.exposedbydefault=false --entryPoints.web.address=:80
    ports:
      # HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that traefik can listen to the docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/traefik:/opt/traefik:ro
    labels:
    # This is my basic auth configuration, that however shows no effect <==================
      - "traefik.http.routers.reverse-proxy.middlewares=myauth-admin"
      - "traefik.http.middlewares.myauth-admin.basicauth.usersfile=/opt/traefik/userfile_admin"

However when calling the dashboard, I am not prompted for any authentication details and can directly access it. What am I doing wrong?


Solution

  • If you use --api.insecure=true, then you can't use security middleware, that's why it's called "insecure".

    To add auth to Traefik dashboard, use:

    services:
      traefik:
        image: traefik:v3.1
        ports:
          - 80:80
          - 443:443
        networks:
          - proxy
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - letsencrypt:/letsencrypt
        command:
          - --api.dashboard=true
          - --log.level=INFO
          - --accesslog=true
          - --providers.docker.exposedByDefault=false
          - --entrypoints.web.address=:80
          - --entrypoints.web.http.redirections.entrypoint.to=websecure
          - --entryPoints.web.http.redirections.entrypoint.scheme=https
          - --entrypoints.websecure.address=:443
          - --entrypoints.websecure.asDefault=true
          - --entrypoints.websecure.http.tls.certresolver=myresolver
          # ACME account e-mail (placeholder address)
          - --certificatesresolvers.myresolver.acme.email=you@example.com
          - --certificatesresolvers.myresolver.acme.tlschallenge=true
          - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
        labels:
          - traefik.enable=true
          - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
          - traefik.http.routers.mydashboard.service=api@internal
          - traefik.http.routers.mydashboard.middlewares=myauth
          - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
    

    Taken from simple Traefik example.
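
Added example (not part of the original answer and not Traefik's own code): a small Python check that applies the points above to a service's command flags and labels, reporting why a dashboard would end up unauthenticated. The names `pairs`, `audit_dashboard`, `QUESTION` and `ANSWER` are assumptions made for this illustration; the two inputs are copied from the question and the answer on this page.

```python
import re

AUTH_KINDS = ("basicauth", "digestauth", "forwardauth")

def pairs(items):
    """Split 'key=value' strings (CLI flags or Docker labels) into a dict."""
    return dict(i.lstrip("-").partition("=")[::2] for i in items)

def audit_dashboard(command, labels):
    """Return findings about how this Traefik service exposes its dashboard."""
    # The page writes both --entryPoints and --entrypoints, so compare flags lower-cased.
    flags = {k.lower(): v for k, v in pairs(command).items()}
    labs, findings = pairs(labels), []
    if flags.get("api.insecure") in ("true", ""):
        findings.append("api.insecure is on: security middlewares cannot protect the dashboard")
    if (flags.get("providers.docker.exposedbydefault") == "false"
            and labs.get("traefik.enable") != "true"):
        findings.append("traefik.enable=true is missing: this container's labels are ignored")
    routers = [k.split(".")[3] for k, v in labs.items()
               if re.fullmatch(r"traefik\.http\.routers\.[^.]+\.service", k)
               and v == "api@internal"]
    if not routers:
        findings.append("no router targets api@internal: nothing to attach auth to")
    for name in routers:
        chain = labs.get(f"traefik.http.routers.{name}.middlewares", "").split(",")
        if not any(k.startswith(f"traefik.http.middlewares.{m.strip()}.{kind}.")
                   for m in chain if m.strip() for kind in AUTH_KINDS for k in labs):
            findings.append(f"router {name}: no auth middleware attached")
    for key, value in labs.items():
        # Compose interpolates '$', so each '$' of an htpasswd hash must be written '$$'.
        if key.endswith(".basicauth.users") and re.search(r"(?<!\$)\$(?!\$)", value):
            findings.append(f"{key}: single '$' in hash, write '$$' in compose")
    return findings

# Flags and labels copied from the question and the answer on this page (answer flags trimmed).
QUESTION = ("--api.insecure=true --providers.docker=true "
            "--providers.docker.exposedbydefault=false".split(),
            ["traefik.http.routers.reverse-proxy.middlewares=myauth-admin",
             "traefik.http.middlewares.myauth-admin.basicauth.usersfile=/opt/traefik/userfile_admin"])
ANSWER = (["--api.dashboard=true", "--providers.docker.exposedByDefault=false"],
          ["traefik.enable=true",
           "traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)",
           "traefik.http.routers.mydashboard.service=api@internal",
           "traefik.http.routers.mydashboard.middlewares=myauth",
           "traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"])

if __name__ == "__main__":
    for name, (cmd, lbls) in (("question", QUESTION), ("answer", ANSWER)):
        print(name, audit_dashboard(cmd, lbls) or "no findings")
```

The question's configuration yields three findings (insecure API, ignored labels, no router for `api@internal`); the answer's configuration yields none.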