Adding basic authentication doesn’t work for portainer

The following (no basic authentication) works

      - "traefik.enable=true"
    # Tell Traefik to use the port opened by portainer to connect to `my-container`
    # HTTPS (WAN) connection
      - "traefik.http.routers.portainer_wan.rule=Host(`MY_WAN_HOSTNAME`) && PathPrefix(`/portainer`)"
      - "traefik.http.routers.portainer_wan.entrypoints=websecure"
      - "traefik.http.routers.portainer_wan.tls.certresolver=mytlschallenge"
      - "traefik.http.routers.portainer_wan.middlewares=portainer_redirect,strip_portainer_prefix"
      # middlewares
      - "traefik.http.middlewares.strip_portainer_prefix.stripprefix.prefixes=/portainer"
      - "traefik.http.middlewares.portainer_redirect.redirectregex.regex=^(https?)://([^/]+)/portainer$$"
      - "traefik.http.middlewares.portainer_redirect.redirectregex.replacement=$${1}://$${2}/portainer/"

but it no longer works when I added basic authentication as follows to my portainer service:

1/ I changed the middleware line from

  - "traefik.http.routers.portainer_wan.middlewares=portainer_redirect,strip_portainer_prefix"


      - "traefik.http.routers.portainer_wan.middlewares=portainer_redirect,portainer_auth,strip_portainer_prefix"

2/ added the following 2 lines:

      - "traefik.http.middlewares.portainer_auth.basicauth.users=jan:$$XXXXXXXXXXXX/"
      - "traefik.http.middlewares.portainer_auth.basicauth.removeheader=true"

The problem:

When I enter in my browser https://MY_WAN_HOSTNAME/portainer I correctly get my basic authentication login screen, but when I then enter my credentials I am getting again my basic authentication login screen.

I am having the same issue with node-red in case also basic authentication has been set up for the node-red editor so it seems like the 2 levels of authentication (traefik basic authentication and node-red basic authentication for editor) don't work together.

I don't have the issue when accessing the node-red UI for which node-red authentication has been set up. So traefik basic authentication is working fine in this case.

I have the same problem but only with stripprefix enabled. 404 not found

I can only run traefik authentication without portainer one:

command: -H tcp://tasks.agent:9001 --tlsskipverify --no-auth
  traefik.enable: "true" 9000
  traefik.http.routers.portainer.rule: Host(``) && PathPrefix(`/portainer`)
  traefik.http.routers.portainer.entrypoints: websecure
  traefik.http.routers.portainer.middlewares: portainer_auth,portainer_strip
  traefik.http.middlewares.portainer_auth.basicauth.users: test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
  traefik.http.middlewares.portainer_auth.basicauth.removeheader: "true"
  traefik.http.middlewares.portainer_strip.stripprefix.prefixes: /portainer

Hi @spline, @janvda
iam just wondering and i dont understand if:

a requirement for BasicAuth middleware or only for your setup?

thanks & regards

This line can be deleted since I could not use portainer authentication with traefik one. removeheader is needed when you want "to avoid conflict Traefik's BasicAuth and application authentication mechanism".

1 Like

I can't really follow :see_no_evil: Did you find a solution or do you need more help?

My answer is half the solution because I couldn't run portainer authentication with traefik.

My working solution is only basic-auth on login API.
deploy stack on docker swarm with labels.

traefik.http.middlewares.auth.basicauth.users: ${BASIC_AUTH}
traefik.http.middlewares.auth.basicauth.headerField: X-WebAuth-User
traefik.http.middlewares.auth.basicauth.removeheader: "true"

traefik.http.routers.portainer-auth-login.rule: Host(`${DOMAIN}`) && Path(`/api/auth`)
traefik.http.routers.portainer-auth-login.priority: 25
traefik.http.routers.portainer-auth-login.middlewares: auth

traefik.http.routers.portainer-auth.rule: Host(`${DOMAIN}`)
traefik.http.routers.portainer-auth.priority: 10