basicAuth defined on traefik.yml not working

Hi, I'm currently trying to tidy up my Traefik configuration files. One of my objectives is to move middlewares that are used everywhere (redirections, auth) to the traefik.yml file so that the config on docker-compose.yml is more straightforward.

Here is my current traefik.yml:

api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "user:passwd"
          
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /traefik-dynamic.yml
    watch: true
      
certificatesResolvers:
  lets-encrypt:
    acme:
      email: email@gmail.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

log:
  filePath: "/log.log"
  level: INFO

The redirection entrypoint is working perfectly. However, the basicAuth is giving me problems.

The docker-compose.yml file for Traefik:

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
        #ipv4_address: 172.27.0.3
    command:
      - "--entrypoints.redis.address=:6379" # Redis endpoint.
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/traefik-dynamic.yml:/traefik-dynamic.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/log.log:/log.log
      - ./certs:/certs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.xyz`)"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=lets-encrypt"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

Then when I go to the dashboard I cannot see the basicAuth middleware:

And if I add:
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
To the docker-compose.yml then I get a 404 error on the dashboard.

What am I doing wrong?

You can only have one static Traefik config, either traefik.yml or using command.

But I'm using labels, not commands, for the middleware configuration right?

Just wanted to let you know that at least something in your „double“ static config won’t be applied.

Have you tried middleware in dynamic config?

labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

Yes, putting the middleware stuff on the docker-compose.yml works.

But I wanted to put it in a central file so that the users and general config (not only for the basicAuth middleware, but also for the rest of the middlewares I may need) can be shared across different services.

Is it not possible? How could I create a middleware common to multiple docker-compose.yml files?

Checked the static file reference, doesn’t work like the way you tried.

You can define dynamic config in a file which is loaded via provider.file in static config. Or in labels.

Try adding
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth@file"
instead of
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"

Developing on this. I have traefik.yml with:

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /traefik-dynamic.yml
    watch: true

(among other lines)

and traefik-dynamic.yml

http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "mbastida:passwd"

The labels for the traefik compose file are:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.xyz`)"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=lets-encrypt"
      - "traefik.http.routers.traefik-secure.service=api@internal"

And I still get 404 page not found

Moreover, on the logs I can see:

time="2023-04-24T19:35:35+02:00" level=error msg="middleware "traefik-auth@docker" does not exist" entryPointName=websecure routerName=traefik-secure@docker

Again, with these labels:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.xyz`)"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth@file"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=lets-encrypt"
      - "traefik.http.routers.traefik-secure.service=api@internal"

And traefik.yml with (among other):

http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "mbastida:passwd"

I still get 404 error

The log says:

time="2023-04-24T19:39:15+02:00" level=error msg="middleware "traefik-auth@file" does not exist" entryPointName=websecure routerName=traefik-secure@docker

Well @bluepuma77 and @wollomatic I didn't get that it was a team effort and that I had to merge both of your proposals.

So using dynamic config and @ file for the auth everything is working now! :slight_smile:
Unfortunately I cannot mark two answers as the solution :frowning:

Thank you very much.

But may I ask, how can I know if something has to go in static or dynamic file? Because from the documentation I cannot see it very clearly.

And when do I have to put @ file? (@wollomatic)
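
The provider-namespace rule behind both log errors above, as an added example (not code from Traefik or from any poster): a middleware reference without an `@provider` suffix is looked up in the router's own provider, so a router defined by Docker labels needs `@file` to reach a middleware loaded by the file provider. The label list and middleware set are constructed from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: router labels from the thread (these belong to the docker provider).
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.xyz`)",
    "traefik.http.routers.traefik-secure.middlewares=traefik-auth",
    "traefik.http.routers.traefik-secure.service=api@internal",
]
# Constructed sample: middleware names found in the file provider's dynamic file
# (traefik-dynamic.yml). An http: block in the static traefik.yml contributes nothing
# here because, as the thread found, it is not loaded from there.
FILE_MIDDLEWARES = {"traefik-auth"}

ROUTER_MW = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares=(.*)$", re.I)
LABEL_MW = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.", re.I)

def qualify(name, default_provider):
    """Append the router's own provider when the reference has no @provider suffix."""
    return name if "@" in name else f"{name}@{default_provider}"

def defined_middlewares(labels, file_middlewares):
    """Fully qualified names of every middleware the two providers declare."""
    names = {f"{m}@file" for m in file_middlewares}
    for label in labels:
        match = LABEL_MW.match(label)
        if match:
            names.add(f"{match.group(1)}@docker")
    return names

def missing_middlewares(labels, file_middlewares):
    """Return (router, qualified_reference) pairs that resolve to nothing."""
    known = defined_middlewares(labels, file_middlewares)
    missing = []
    for label in labels:
        match = ROUTER_MW.match(label)
        if not match:
            continue
        router = f"{match.group(1)}@docker"
        for ref in filter(None, (r.strip() for r in match.group(2).split(","))):
            qualified = qualify(ref, "docker")
            if qualified not in known:
                missing.append((router, qualified))
    return missing

if __name__ == "__main__":
    for router, ref in missing_middlewares(LABELS, FILE_MIDDLEWARES):
        print(f'middleware "{ref}" does not exist (router {router})')
```

Run as-is it reports `traefik-auth@docker` as missing, matching the first log line; changing the label to `traefik-auth@file` clears it only while the middleware is actually present in the dynamic file.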

Tell me when you find the logic to differentiate to place in static or dynamic config :rofl:

For me it is just experience, meaning doing a lot of things wrong before.

A good reference is the reference. Static has entrypoint, provider and certresolver.

The dynamic reference also helps to find out that some dynamic config is supported in provider.file but not in labels - even though both are “dynamic”.

At the end it is really reading the docs and getting your hands dirty with config files. I think video tutorials and copy&paste won’t enable all the features.

Finally just need to state that the Traefik docs are great. Start at the beginning.

LOL thanks for the sincerity @bluepuma77

At least there are only two places where config is defined, so finding where goes where should be a 50-50 chance.

I have to admit that my first traefik setup was done copying code and watching videos. It ended up working. But it is now when I'm truly learning.

Thank you and keep up with the good work :slight_smile:

PS: I don't know if it is related to what I have been touching but now the main page of the dashboard is incomplete:


Is it normal?
The rest of the tabs are fine (I can see the hosts and middlewares on the HTTP tab, for example).
