-
-
Notifications
You must be signed in to change notification settings - Fork 5.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add basic/digest auth #547
Conversation
70ad8b3
to
7df826a
Compare
2238473
to
ef5bc67
Compare
a112d6a
to
1ed69d1
Compare
|
||
# To enable basic auth on an entrypoint | ||
# with 2 user/pass: test:test and test2:test2 | ||
# Passwords are encoded in MD5: you can use htpasswd to generate those ones |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hum, md5
? Out of curiosity, wouldn't it be better to be able to provide your own ? like test:md5:$apr1$…
or test:sha1:…
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact, you can use MD5, SHA1 and BCrypt: /~https://github.com/abbot/go-http-auth/blob/master/basic.go#L25. I will update the doc.
LGTM 🐹 |
LGTM 👍 |
LGTM I will have to think of a way of adding support for this to k8s . . . |
Signed-off-by: Emile Vauge <emile@vauge.com>
Signed-off-by: Emile Vauge <emile@vauge.com>
Signed-off-by: Emile Vauge <emile@vauge.com> Signed-off-by: Emile Vauge <emile@vauge.com>
Signed-off-by: Emile Vauge <emile@vauge.com>
1ed69d1
to
2f95810
Compare
Sorry, maybe this is the wrong issue to discuss about this but I think it's very much related. Feel free to redirect me to the correct spot to talk about it ;-) As far as I can see from the docs I can configure the Then I could launch as many containers as I want and automatically have them basic/digest auth secured which would make it truly dynamic. Obviously we should not pass the auth stuff on the command line. The famous docker nginx proxy does this by mounting a password folder in which all the auth details reside (named according to the container). Or maybe something like this: What do you think? |
@Toflar authentication is managed in entrypoints, as long as you launch your containers in this entrypoint, you will get authentication. |
I see. But what if I want to have different auth per container? Real world example: You fire up a container (or even a replicated service, docker 1.12 features still to come ;-)) per customer. Every customer gets their own subdomain (already perfectly handled by traefik) and their own access credentials. At the moment you need to add an entry point for every customer which is tedious work. See what I mean? |
Indeed, but I want to keep authentication in traefik really simple right now. I don't want traefik to manage basic/digest/oauth/two factor authentication in every possible use case ;) I prefer implementing #391 that would be a generic solution to this issue. WDYT? |
I agree, it does not make sense on the container itself. #391 sounds very cool, didn't think about that. Also, should be pretty easy to fire a regular http request and check for the http response code which makes it easier for you to maintain 👍 I just wonder what data you send with every request so the backend can decide upon? |
I was so happy when I saw this in the documentation this morning. Would solve a bunch of things for me. Then struggled for the last couple of hours figuring out why it wasn't working. Then saw how new this was. I'm not sure I have this configured correctly, as I had been using compose and labels for my entire experience (read 2 days) with traefik. In my compose I have
and in my traefik.toml file I have
But when I do a test, I still get 200 rather than a 403. Any advice? |
@Toflar a strategy recommended in #593 worked out well for me to do put basic auth in front of a single container. Take a look at beevelop/nginx-basic-auth I am now using this to put the Traefik web interface behind basic auth while allowing all my other containers to manage their own authentication. Managed this in my
|
Hi @ViViDboarder, thanks for taking the time to help me out! I see what they did there but it feels a bit like a wonky workaround to me. Might sure work but I don't feel like using this in production. I think people choose traefik because everything runs in one container and is fully unit tested. I might as well use [jwilder/nginx-proxy](/~https://github.com/jwilder/nginx-proxy proxy) plus JrCs/docker-letsencrypt-nginx-proxy-companion but as I said, traefik just seems like the better fit for production, also because traefik plans on supporting Docker Swarm Mode. Once Docker Swarm Mode and a general authentication back end will be supported, I guess traefik will get the attention it deserves :) |
Totally. I'd rather one service as well, but since my production is a private VPS for my own use only, this will do until then. @emilevauge, was there a particular reason for putting authentication at the entrypoint rather than the frontend? If added at the frontend, a user could still do everything they can do with this patch and you don't lose any usecases. |
To keep it simple :) |
Hi all, thanks for all this, just wanted to share I have just been trying the auth feature on the master branch, using auth.digest, and it seems the Realm is hard coded to "traefik", so generating passwords with htdigest is limited to this Realm.. Also the toml docs mentions |
I'd like to fill a PR for that. If you could help me out, I'd be very grateful @emilevauge :) |
Any idea when this will end up in the latest docker image? Just spent 30 min trying to get it working to realise latest docker image is a month old and this change is a lot newer than that. |
@seertenedos what image are you using ?
|
I was using traefik but looking at containous/traefik. is there a particular tag i would need to use on containous/traefik as the latest there is also a month old. |
@seertenedos this being merged a little more than a month ago, I think it should be in it. But I'll look into it 👼 |
Just tried the latest tag from containous/traefik and just let me in without basic auth |
@seertenedos i think the |
Thanks that versioned worked. Any idea how long till it makes it to a proper release? Also should it be in the sample config linked to on the official docker image if that docker image does not support that feature?
|
Good point, we should be linking to https://docs.traefik.io/toml/ the docs site tracks the stable versions, master on Github is the latest version. |
This PR adds basic/digest auth in entrypoints.
WebUI can use this creating an entrypoint and adding a frontend connected to localhost.
Fixes #77
Fixes #201
Signed-off-by: Emile Vauge emile@vauge.com