API Key Authentication on Traefik

I have a file of API keys that were not encoded through htdigest from an existing reverse proxy, but I want to migrate to Traefik. However, after taking a look at the documentation, neither basic auth nor digest auth suit my usecase since:

A. storing anything more than a few valid auth headers in docker-compose.yml would quickly become an exercise in futility.
B. migrating to htdigest would require my users to regenerate their keys.

Is there a way to point traefik at an external keystore file for headers?

Hi @ratchet5000, have you tried the label traefik.frontend.auth.basic.usersFile in compose, that points to a "basic" htpasswd file? (it also exists it's sibling for htdigest FWIW) .

Traefik supports 3 kind of authentications: if basic auth. a,nd digest does not fit,
then you can still delegate the authentication to another system, using the "forward authentication".

Reference: https://docs.traefik.io/v1.7/configuration/entrypoints/#authentication.

1 Like

I was hoping to avoid having yet another service for authentication, but it seems like I'll have to go with forward auth for my purposes.

1 Like