BasicAuth with matching password does not login

I'm not getting to log in my secure dashboard using basic auth . I've tried some things but nothing works.

I leave enable the insecure dashboard to debug and check if the password was correct, but I tried turn off it(--api.insecure=false) and close the ports(80 and 8080) and get the same result(not works yet).

  traefik:
    image: traefik:v2.10.1
    container_name: my-traefik-container
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=${CERT_EMAIL}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./auth:/auth
    labels:
      - "traefik.enable=true"

      # I currently have a frontend app that runs in `my-domain.dev`(of course that this name is an example)
      # and I want to access the dashboard through this host.
      - "traefik.http.routers.dashboard.rule=Host(`dashboard-traefik.my-domain.dev`, `www.dashboard-traefik.my-domain.dev`)"

      - "traefik.http.routers.dashboard.entrypoints=websecure"

      - "traefik.http.middlewares.dashboard-redirect-non-www-to-www.redirectregex.permanent=true"
      - "traefik.http.middlewares.dashboard-redirect-non-www-to-www.redirectregex.regex=^https?://(?:www.)?(.+)"
      - "traefik.http.middlewares.dashboard-redirect-non-www-to-www.redirectregex.replacement=https://www.$${1}"

      # reference - https://doc.traefik.io/traefik/middlewares/http/basicauth/#configuration-examples
      # generated using `echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`
      - "traefik.http.middlewares.dashboard-auth-users.basicauth.users=user:$$apr1$$LoV1IXY/$$VUqnfZFyu0cr/JsGySjl2/"

      # reference - https://doc.traefik.io/traefik/middlewares/http/basicauth/#configuration-examples
      # generated using `echo $(htpasswd -nb user password)`
      - "traefik.http.middlewares.dashboard-auth-file.basicauth.usersfile=/auth/usersfile"
    
      - "traefik.http.routers.dashboard.middlewares=dashboard-redirect-non-www-to-www,dashboard-auth-file,dashboard-auth-users"

      - "traefik.http.routers.dashboard.service=api@internal"

      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"

In this case I've tested using directly users and users from a file(one config at a time and same time), but none works.

When I access the dashboard in insecure mode we can see correct pass that I should to use when try to login

image494×672 23.3 KB

When I put this credentials and try to login, then returns with 401.(same using userfile credentials config)

➜  ~ curl --user user:$apr1$LoV1IXY/$VUqnfZFyu0cr/JsGySjl2/ https://www.dashboard-traefik.my-domain.dev/
401 Unauthorized

Same when using chrome/firefox,etc, but I get a loop in auth pop up.

Return from container log

time="2023-06-21T01:01:56Z" level=debug msg="Authentication failed" middlewareName=dashboard-auth-users@docker middlewareType=BasicAuth

This issue is related with TLS? I don't know what is wrong

Have you tried removing api.insecure completely?

I could imagine that you have a permanent to-www redirect. We are in 2023, just forget about www prefix. I have seen no one who got the to-www working correctly in this community, only see posts of people complaining it does not work. Rather forward to non-www, that works for sure.

Tried with cleaned this example, but not works

Without basicauth the dashboard open normally.

traefik:
  image: traefik:v2.10.1
  container_name: my-traefik-container
  command:
    - "--log.level=DEBUG"
    - "--api.dashboard=true"
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entrypoints.websecure.address=:443"
    - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
    - "--certificatesresolvers.myresolver.acme.email=${CERT_EMAIL}"
    - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
  ports:
    - "443:443"
  volumes:
    - ./letsencrypt:/letsencrypt
    - /var/run/docker.sock:/var/run/docker.sock:ro
  labels:
    - "traefik.enable=true"

    - "traefik.http.routers.dashboard.rule=Host(`dashboard-traefik.my-domain.dev`)"

    - "traefik.http.routers.dashboard.entrypoints=websecure"

    # reference - https://doc.traefik.io/traefik/middlewares/http/basicauth/#configuration-examples
    # generated using `echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`
    - "traefik.http.middlewares.dashboard-auth-users.basicauth.users=user:$$apr1$$LoV1IXY/$$VUqnfZFyu0cr/JsGySjl2/"

    - "traefik.http.routers.dashboard.middlewares=dashboard-auth-users"

    - "traefik.http.routers.dashboard.service=api@internal"

    - "traefik.http.routers.dashboard.tls.certresolver=myresolver"

I tried with only http(without TLS) and not works too.

If you want to use http instead of https, then you need to open port 80, need to create an entrypoint for 80 and assign it to the router

Have a look at simple Traefik example.

opss, I opened, but forget to add in this example haha sry. But, I want to use HTTPS, I just tried to use HTTP to check if the auth problem is related with TLS.

I just ctrl+c ctrl+v this example and does not works

I thought could be anything with image version, but even with v3.0 I got same result...

Maybe could be something related with security groups from my instance