How can I get traefik to support basic auth in docker compose (when loading from a .env file)?
When hardcoding the credentials for user foo
password is bar
:
- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=foo:$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"
traefik loads the password configuration just fine.http
However, when instead loading from the .env file with environment variables:
- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=${APP_USER}:${APP_PASSWORD}"
I get a 401 denied error with the exact same credentials.
What is going wrong?
NOTICE:
echo $(htpasswd -nb foo bar) | sed -e s/\\$/\\$\\$/g
was used when creating the credentials
The .env file would look like:
APP_USER=foo
APP_PASSWORD="$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"
and the full compose
---
version: "3.9"
services:
proxy:
image: traefik:v2.10.5
container_name: proxy
hostname: proxy
command:
- "--api"
- "--providers.docker=true"
- "--providers.docker.endpoint=unix:///var/run/docker.sock"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--api.dashboard=true"
ports:
- "80:80"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
- "traefik.http.routers.traefik.entrypoints=web"
- "traefik.http.routers.traefik.service=api@internal"
# Basic Auth for dashboard
- "traefik.http.routers.traefik.middlewares=auth_traefik_dashboard"
# when feeding the auth from a .env file traefik no longer accepts the
# echo $(htpasswd -nb foo bar) | sed -e s/\\$/\\$\\$/g
# APP_USER=foo
# APP_PASSWORD="$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"
- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=${APP_USER}:${APP_PASSWORD}"
# foo / bar
#- "traefik.http.middlewares.auth_traefik_dashboard.basicauth.users=foo:$$apr1$$4yr6Hgci$$KVk04LScbKdExIqn7sCZh1"
I observe also others seem to have issues:
- Docker Compose Template for Traefik Has Issues · Issue #59 · tiangolo/dockerswarm.rocks · GitHub
- How to use an environment variable for the basicauth.users label in the docker compose file?
The suggestion mentioned there:
The problem is that in the
.env
file you don't need to double the$
in the hashed password as is needed when directly putting the hashed password in the docker compose file.
did not solve the problem for me.
When looking at the dashboard instead of:
$$apr1$$e/NJoiAd$$5s5EJk2fxdTJHEJdlUSGx0
11180apr111180e/NJoiAd111805s5EJk2fxdTJHEJdlUSGx0
is visible as the basic auth password hash.
This is the same value I get inside zsh
when executing echo $$apr1$$e/NJoiAd$$5s5EJk2fxdTJHEJdlUSGx0
.
FYI: the dotenv plugin is loading the .env file