Auth only on path prefix

Lithimlin · November 4, 2021, 11:56am

I'm trying to put some basic authentication on only the /metrics prefix of one of my services. For this, I have the following compose file:

version: "3.5"
services:
  reverse-proxy:
    image: traefik:latest
    command:
      - --log.level=${LOG_LEVEL}
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/configs/
      - --entryPoints.web.address=:${HTTP_PORT}
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https 
      - --entryPoints.websecure.address=:${HTTPS_PORT}
    ports:
      - ${HTTP_PORT}:80
      - ${HTTPS_PORT}:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA_DIR}/letsencrypt/acme.json:/acme.json
      - ${DATA_DIR}/traefik_configs/:/configs
      - ${DATA_DIR}/.metric_users:/userfiles/.metric_users
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=dnsresolver"
      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN}"
    restart: unless-stopped

  backend:
    image: <myimage>
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.back.rule=Host(`${BACK_HOST}`)"
      - "traefik.http.routers.back.entryPoints=web"
      - "traefik.http.services.back.loadbalancer.server.port=8080"
      - "traefik.http.routers.back-ssl.rule=Host(`${BACK_HOST}`)"
      - "traefik.http.routers.back-ssl.entryPoints=websecure"
      - "traefik.http.routers.back-ssl.service=back"
      - "traefik.http.routers.back-ssl.tls=true"
      - "traefik.http.routers.back-auth.rule=Host(`${BACK_HOST}`) && PathPrefix(`/metrics`)"
      - "traefik.http.routers.back-auth.middlewares=metric-auth"
      - "traefik.http.routers.back-auth.priority=300"
      - "traefik.http.middlewares.metric-auth.basicauth.usersfile=/userfiles/.metric_users"

The .metric_users file contains my pairs of user:hashed-passwd and my traefik_configs directory only contains a file for TLS settings.

From what I understand, this should require me to log in when going to the /metrics prefix. However, this doesn't happen and I'm not sure why. Is this an issue with the different priorities?

kevinpollet · November 5, 2021, 5:48pm

Hello @Lithimlin and thanks for your interest in Traefik,

The issue is not related to the priority, the problem is that you missed adding the tls label to the back-auth router configuration:

traefik.http.routers.back-auth.tls=true

I would also set the entryPoints label value for the basic-auth router to websecure as all requests sent with the http scheme on web will be redirected to websecure with the https scheme.

Hope this helps!

Lithimlin · November 10, 2021, 9:39am

That worked! Thanks.

In hindsight, it seems kind of obvious what I was missing, but one is always smarter after the fact.

system · November 13, 2021, 9:39am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.