janvda
February 3, 2020, 10:00pm
1
The following (no basic authentication) works
labels:
- "traefik.enable=true"
# Tell Traefik to use the port opened by portainer to connect to `my-container`
- traefik.http.services.portainer.loadbalancer.server.port=9000
# HTTPS (WAN) connection
- "traefik.http.routers.portainer_wan.rule=Host(`MY_WAN_HOSTNAME`) && PathPrefix(`/portainer`)"
- "traefik.http.routers.portainer_wan.entrypoints=websecure"
- "traefik.http.routers.portainer_wan.tls.certresolver=mytlschallenge"
- "traefik.http.routers.portainer_wan.middlewares=portainer_redirect,strip_portainer_prefix"
# middlewares
- "traefik.http.middlewares.strip_portainer_prefix.stripprefix.prefixes=/portainer"
- "traefik.http.middlewares.portainer_redirect.redirectregex.regex=^(https?)://([^/]+)/portainer$$"
- "traefik.http.middlewares.portainer_redirect.redirectregex.replacement=$${1}://$${2}/portainer/"
but it no longer works when I added basic authentication as follows to my portainer service:
1/ I changed the middleware line from
- "traefik.http.routers.portainer_wan.middlewares=portainer_redirect,strip_portainer_prefix"
into
- "traefik.http.routers.portainer_wan.middlewares=portainer_redirect,portainer_auth,strip_portainer_prefix"
2/ added the following 2 lines:
- "traefik.http.middlewares.portainer_auth.basicauth.users=jan:$$XXXXXXXXXXXX/"
- "traefik.http.middlewares.portainer_auth.basicauth.removeheader=true"
The problem:
When I enter in my browser https://MY_WAN_HOSTNAME/portainer I correctly get my basic authentication login screen, but when I then enter my credentials I am getting again my basic authentication login screen.
janvda
February 7, 2020, 7:27am
2
I am having the same issue with node-red in case also basic authentication has been set up for the node-red editor so it seems like the 2 levels of authentication (traefik basic authentication and node-red basic authentication for editor) don't work together.
I don't have the issue when accessing the node-red UI for which node-red authentication has been set up. So traefik basic authentication is working fine in this case.
janvda:
"traefik.http.middlewares.strip_portainer_prefix.stripprefix.prefixes=/portainer"
I have the same problem but only with stripprefix enabled. 404 not found
I can only run traefik authentication without portainer one:
command: -H tcp://tasks.agent:9001 --tlsskipverify --no-auth
labels:
traefik.enable: "true"
traefik.http.services.portainer.loadbalancer.server.port: 9000
traefik.http.routers.portainer.rule: Host(`sub.domain.com`) && PathPrefix(`/portainer`)
traefik.http.routers.portainer.entrypoints: websecure
traefik.http.routers.portainer.middlewares: portainer_auth,portainer_strip
traefik.http.middlewares.portainer_auth.basicauth.users: test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
traefik.http.middlewares.portainer_auth.basicauth.removeheader: "true"
traefik.http.middlewares.portainer_strip.stripprefix.prefixes: /portainer
Hi @spline , @janvda
a requirement for BasicAuth middleware or only for your setup?
thanks & regards
This line can be deleted since I could not use portainer authentication with traefik one. removeheader is needed when you want "to avoid conflict Traefik's BasicAuth and application authentication mechanism".
1 Like
I can't really follow
My answer is half the solution because I couldn't run portainer authentication with traefik.
gai00
August 17, 2020, 7:38am
9
My working solution is only basic-auth on login API.
...
traefik.http.middlewares.auth.basicauth.users: ${BASIC_AUTH}
traefik.http.middlewares.auth.basicauth.headerField: X-WebAuth-User
traefik.http.middlewares.auth.basicauth.removeheader: "true"
traefik.http.routers.portainer-auth-login.rule: Host(`${DOMAIN}`) && Path(`/api/auth`)
traefik.http.routers.portainer-auth-login.priority: 25
traefik.http.routers.portainer-auth-login.middlewares: auth
traefik.http.routers.portainer-auth.rule: Host(`${DOMAIN}`)
traefik.http.routers.portainer-auth.priority: 10
...
Did you find a solution or do you need more help?