BasicAuth usersfile not working

Traefik Traefik v3 (latest)
1

I've set up a minimal reproducible example for the issues I'm facing. I'm using the usersfile for basic auth middleware, but it doesn't seem to be working.

I've mounted the file with the hashed username and password correctly to the Traefik volume.

I generated the password using the following commands:

docker run --rm httpd:alpine htpasswd -nbm username 'password'
username:$apr1$zBGR6Unt$4VgFO4TLbSuX0GIyjNN.n0

docker run --rm httpd:alpine htpasswd -nbm username2 'password' | sed -e s/\\$/\\$\\$/g
username2:$$apr1$$gSLgJsXF$$HBny7qMhGk3r4ZmOIFjCC0

Here's the content of whoami.txt:

username:$apr1$zBGR6Unt$4VgFO4TLbSuX0GIyjNN.n0
username2:$$apr1$$gSLgJsXF$$HBny7qMhGk3r4ZmOIFjCC0

Here's the content of docker-compose.yml:

services:
  traefik:
    command:
      - "--providers.docker"
      - "--entrypoints.web.address=:80"
      - "--log.level=DEBUG"
    depends_on:
      - whoami
    image: traefik:v3.2.1
    ports:
      - mode: host
        published: 80
        target: 80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./whoami-users.txt:/configuration/whoami-users.txt:ro
  whoami:
    image: traefik/whoami
    labels:
      - traefik.http.routers.whoami.rule=Host(`localhost`)
      - traefik.http.routers.whoami.entrypoints=web
      - traefik.http.routers.whoami.service=whoami
      - traefik.http.services.whoami.loadbalancer.server.port=80
      - traefik.http.middlewares.whoami-basicauth.basicauth.removeheader=true
      - traefik.http.middlewares.whoami-basicauth.basicauth.usersfile=/configuration/whoami-users.txt
      - traefik.http.routers.whoami.middlewares=whoami-basicauth

I've also tried to authenticate using curl, but I keep getting a 401 Unauthorized response:

curl -u username:password http://localhost:80
401 Unauthorized

curl -u username2:password http://localhost:80
401 Unauthorized
2

The doc shows an example file, no double $.

Go into the Traefik container and check if the file is readable and has the right content.

Enable and check Traefik debug log.

Don’t use this. A single failing target service (in the future) will make all services unreachable.

3

I've put both for that exact reason. To show that with or without the double $, it doesn't matter—it's not working either way.

4

When I do:

curl -u username:password http://localhost:80
401 Unauthorized

It logs:

traefik-1  | 2024-12-07T08:10:42Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/basic_auth.go:79 > Authentication failed middlewareName=whoami-basicauth@docker middlewareType=BasicAuth

I've removed the double $ entry, but still it doesn't work.

5

Go into the Traefik container and check if the file is readable and has the right content.

6 
docker ps
CONTAINER ID   IMAGE            COMMAND                  CREATED              STATUS              PORTS                NAMES
b982b1f5741b   traefik:v3.2.1   "/entrypoint.sh --pr…"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp   servers-traefik-1
08694794faaa   traefik/whoami   "/whoami"                About a minute ago   Up About a minute   80/tcp               servers-whoami-1

docker exec b982b1f5741b sh -c "cat /configuration/whoami-users.txt"
username:$apr1$zBGR6Unt$4VgFO4TLbSuX0GIyjNN.n0

docker exec b982b1f5741b ls -l /configuration/
total 0
-rwxrwxrwx    1 root     root            47 Dec  7 08:37 whoami-users.txt
7

After much digging, I figured out that httpd:alpine was giving me the wrong hash.

Here's what I'm doing from now on to generate the correct hashes: ->

docker run --rm -it alpine:latest sh -c "apk add --no-cache apache2-utils && htpasswd -nbm username password"
1 Like
8

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.