
Add basic/digest auth #547

Merged (4 commits) Jul 28, 2016

Conversation

@emilevauge (Member) commented Jul 20, 2016

This PR adds basic/digest auth in entrypoints.
The WebUI can use this by creating an entrypoint and adding a frontend connected to localhost.

  • code
  • tests
  • doc

Fixes #77
Fixes #201

Signed-off-by: Emile Vauge <emile@vauge.com>

@emilevauge force-pushed the add-basic-authentication branch 2 times, most recently from 2238473 to ef5bc67 on July 21, 2016 15:15
@emilevauge added this to the 1.1 milestone on Jul 21, 2016
@emilevauge force-pushed the add-basic-authentication branch 2 times, most recently from a112d6a to 1ed69d1 on July 21, 2016 15:37

# To enable basic auth on an entrypoint
# with 2 user/pass: test:test and test2:test2
# Passwords are encoded in MD5: you can use htpasswd to generate those ones
Review comment by a contributor on this snippet:

Hum, MD5? Out of curiosity, wouldn't it be better to be able to provide your own? Like test:md5:$apr1$… or test:sha1:…?

@emilevauge (Member, Author) replied:

In fact, you can use MD5, SHA1 and BCrypt: https://github.com/abbot/go-http-auth/blob/master/basic.go#L25. I will update the doc.
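An added example (not code from this PR or from the go-http-auth library it links) of how an entrypoint-style users list is checked against an Authorization: Basic header. It assumes the htpasswd "{SHA}" scheme named above; the user "alice", her password and the header values are constructed, and "$apr1$" (MD5) and bcrypt entries are refused rather than treated as matches because only "{SHA}" is implemented here.

```python
import base64
import hashlib
import hmac

# Constructed users list in the same "user:hash" shape as the entrypoint "users"
# setting. A "{SHA}" entry is base64(SHA-1(password)) as "htpasswd -s" writes it;
# this one is the hash of the literal password "password".
USERS = ["alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="]

def load_users(entries):
    """Split "user:hash" entries into a dict, skipping malformed ones."""
    users = {}
    for entry in entries:
        user, _, stored = entry.partition(":")
        if user and stored:
            users[user] = stored
    return users

def check_password(stored, password):
    """Verify a cleartext password against one htpasswd-style hash.
    Only "{SHA}" is implemented here; "$apr1$" (MD5) and bcrypt entries, which
    the linked library also accepts, are refused rather than treated as matches."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest())
        # constant-time compare so the mismatch position does not leak via timing
        return hmac.compare_digest(digest, stored[len("{SHA}"):].encode())
    return False

def basic_header(user, password):
    """Build the Authorization value a client sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize(users, header):
    """Decide an Authorization header as the entrypoint would: the user name on
    success, None for a wrong scheme, undecodable token, unknown user or bad password."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    return user if check_password(users[user], password) else None
```

A request that fails here should be answered with 401 and a WWW-Authenticate: Basic challenge, never passed on to the backend.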

@vdemeester (Contributor):

LGTM 🐹
But needs a rebase 👼

@Russell-IO (Contributor):

LGTM 👍
Needs a rebase
Might be handy to have some docs around the key/value settings for controlling the auth users?

@errm (Contributor) commented Jul 26, 2016

LGTM

I will have to think of a way of adding support for this to k8s...

@emilevauge merged commit a016741 into master on Jul 28, 2016
@Toflar commented Aug 2, 2016

Sorry, maybe this is the wrong issue to discuss this in, but I think it's very much related. Feel free to redirect me to the correct spot to talk about it ;-)

As far as I can see from the docs I can configure the traefik.toml once and then launch as many containers as I wish as the Host rule does dynamically match them. However, if I want to launch the container and protect it using basic auth I apparently cannot do this without editing the traefik.toml for every container which makes it a bit inflexible. Think of applications using the docker remote api to dynamically fire up containers :)
I'm thinking of something like docker run -d --label traefik.frontend.auth="whatever" myimage.

Then I could launch as many containers as I want and automatically have them basic/digest auth secured which would make it truly dynamic. Obviously we should not pass the auth stuff on the command line. The famous docker nginx proxy does this by mounting a password folder in which all the auth details reside (named according to the container). Or maybe something like this:
docker run -d --label traefik.frontend.auth.basic="path/on/host/to/passwords.htpasswd" myimage.

What do you think?

@emilevauge (Member, Author):

@Toflar authentication is managed in entrypoints; as long as you launch your containers in this entrypoint, you will get authentication.

@Toflar commented Aug 2, 2016

I see. But what if I want to have different auth per container? Real world example: You fire up a container (or even a replicated service, docker 1.12 features still to come ;-)) per customer. Every customer gets their own subdomain (already perfectly handled by traefik) and their own access credentials. At the moment you need to add an entry point for every customer which is tedious work. See what I mean?

@emilevauge (Member, Author):

Indeed, but I want to keep authentication in traefik really simple right now. I don't want traefik to manage basic/digest/oauth/two factor authentication in every possible use case ;) I prefer implementing #391 that would be a generic solution to this issue. WDYT?

@vdemeester deleted the add-basic-authentication branch on August 2, 2016 13:29
@Toflar commented Aug 2, 2016

I agree, it does not make sense on the container itself. #391 sounds very cool, didn't think about that. Also, it should be pretty easy to fire a regular HTTP request and check the HTTP response code, which makes it easier for you to maintain 👍 I just wonder what data you send with every request so the backend can decide upon it?
Now I just have to find a fast way to have a Docker container that responds to such requests and accepts requests to add and delete auth entries. Or write one on my own ;-)

@jmahowald commented Aug 2, 2016

I was so happy when I saw this in the documentation this morning. Would solve a bunch of things for me. Then struggled for the last couple of hours figuring out why it wasn't working. Then saw how new this was.

I'm not sure I have this configured correctly, as I had been using compose and labels for my entire experience (read 2 days) with traefik.

In my compose I have

registry:
  labels:
    traefik.frontend.rule: Host:registry.infra.experimantal.com
    traefik.port: "5000"
  image: registry

and in my traefik.toml file I have

[entryPoints]
   [entryPoints.http]
   address = ":80"
   [entryPoints.http.auth.basic]
   users = ["builduser:$2y$05$PLo4KUISSAaoZXVA/4UfpemvIJmxXYIFYfhJslS1GaibXXS0ov0xC"]

But when I do a test, I still get 200 rather than a 403.

Any advice?

@ViViDboarder (Contributor):

@Toflar a strategy recommended in #593 worked out well for me to put basic auth in front of a single container. Take a look at beevelop/nginx-basic-auth

I am now using this to put the Traefik web interface behind basic auth while allowing all my other containers to manage their own authentication.

Managed this in my docker-compose.yaml file.

traefik:
  image: traefik
  container_name: traefik
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - ./traefik.toml:/etc/traefik/traefik.toml
    - ./rules.toml:/etc/traefik/rules.toml
    - ./acme:/etc/traefik/acme
  labels:
    - traefik.enable=false

auth_proxy:
  image: beevelop/nginx-basic-auth
  links:
    - traefik:web
  environment:
    - "HTPASSWD=User:PassHash"
    - "FORWARD_PORT=8080"
  labels:
    - traefik.port=80
    - traefik.frontend.rule=Host:traefik.domain.com

@Toflar commented Aug 16, 2016

Hi @ViViDboarder, thanks for taking the time to help me out! I see what they did there but it feels a bit like a wonky workaround to me. It might well work, but I don't feel like using this in production. I think people choose traefik because everything runs in one container and is fully unit tested. I might as well use jwilder/nginx-proxy (https://github.com/jwilder/nginx-proxy) plus JrCs/docker-letsencrypt-nginx-proxy-companion, but as I said, traefik just seems like the better fit for production, also because traefik plans on supporting Docker Swarm Mode. Once Docker Swarm Mode and a general authentication back end are supported, I guess traefik will get the attention it deserves :)

@ViViDboarder (Contributor):

Totally. I'd rather one service as well, but since my production is a private VPS for my own use only, this will do until then.

@emilevauge, was there a particular reason for putting authentication at the entrypoint rather than the frontend? If added at the frontend, a user could still do everything they can do with this patch and you don't lose any use cases.

@emilevauge (Member, Author):

@ViViDboarder

> @emilevauge, was there a particular reason for putting authentication at the entrypoint rather than the frontend?

To keep it simple :)
But this could be added to the frontend section (in addition to entrypoint) easily. I can assist you if you want to make a PR on that.

@bendenoz:

Hi all, thanks for all this. Just wanted to share that I have been trying the auth feature on the master branch, using auth.digest, and it seems the Realm is hard-coded to "traefik", so generating passwords with htdigest is limited to this Realm.

Also the TOML docs mention entryPoints.http.auth.basic twice but not entryPoints.http.auth.digest.
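An added example (not code from this PR or from Traefik) of why the hard-coded realm matters: an htdigest line stores MD5(user:realm:password), and the server can only verify a response against the HA1 it holds for the realm it advertises. The user "alice", the password, the nonces and the realm name "traefik" are constructed here, and the verification follows the RFC 2617 qop=auth computation rather than Traefik's own implementation.

```python
import hashlib
import hmac
import secrets

REALM = "traefik"  # the realm the entrypoint advertises (constructed to match the report)

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def htdigest_entry(user, realm, password):
    """One line as htdigest writes it: user:realm:MD5(user:realm:password)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"

def load_htdigest(lines):
    """Index stored HA1 values by (user, realm): the realm is part of the key."""
    users = {}
    for line in lines:
        user, realm, ha1 = line.strip().split(":", 2)
        users[(user, realm)] = ha1
    return users

def client_response(user, password, realm, nonce, method, uri, nc, cnonce):
    """What a client computes for qop=auth, using the realm from the challenge."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify(users, method, uri, nonce, nc, cnonce, user, response):
    """Server-side check: it only holds HA1 for REALM, so an htdigest entry
    generated for any other realm can never produce a matching response."""
    ha1 = users.get((user, REALM))
    if ha1 is None:
        return False
    ha2 = md5hex(f"{method}:{uri}")
    expected = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)

def exchange(entry_realm, password_tried):
    """One challenge/response for the constructed user alice / s3cret, whose htdigest
    entry was generated for entry_realm; returns whether the server accepts it."""
    users = load_htdigest([htdigest_entry("alice", entry_realm, "s3cret")])
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    # the server always challenges with REALM and the client echoes it back
    resp = client_response("alice", password_tried, REALM, nonce, "GET", "/", nc, cnonce)
    return verify(users, "GET", "/", nonce, nc, cnonce, "alice", resp)
```

Running exchange("other", "s3cret") fails even with the right password, which is exactly the limitation described above: the htdigest file must be generated for the realm the server uses.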

@SantoDE (Collaborator) commented Sep 7, 2016

> To keep it simple :)
> But this could be added to the frontend section (in addition to entrypoint) easily. I can assist you if you want to make a PR on that.

I'd like to file a PR for that. If you could help me out, I'd be very grateful @emilevauge :)

@seertenedos:

Any idea when this will end up in the latest Docker image? Just spent 30 min trying to get it working, only to realise the latest Docker image is a month old and this change is a lot newer than that.

@vdemeester (Contributor):

@seertenedos what image are you using?

  • containous/traefik should be up-to-date with current master (and thus this PR)
  • traefik (official image) only contains stable versions and thus is using traefik 1.0.

@seertenedos:

I was using traefik but am looking at containous/traefik. Is there a particular tag I would need to use on containous/traefik, as the latest there is also a month old?

@vdemeester (Contributor):

@seertenedos this being merged a little more than a month ago, I think it should be in it. But I'll look into it 👼

@seertenedos:

Just tried the latest tag from containous/traefik and it just let me in without basic auth.

@errm (Contributor) commented Sep 13, 2016

@seertenedos I think the experimental tag on containous/traefik should give you the most recent build.

@seertenedos:

Thanks, that version worked. Any idea how long till it makes it to a proper release? Also, should it be in the sample config linked to on the official Docker image if that Docker image does not support that feature?

> Grab a sample configuration file and rename it to traefik.toml

The link points to https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml
Maybe it should point to the branch the build is based off if the build is not based off master. From https://hub.docker.com/_/traefik/

@errm (Contributor) commented Sep 13, 2016

Good point, we should be linking to https://docs.traefik.io/toml/; the docs site tracks the stable versions, while master on GitHub is the latest version.
