I am running Traefik as a docker swarm service. I've gradually hammered out a pretty clean configuration, distilling the many examples I've found in the wild.
BTW, one big point of pain until I finally found the simple solution using a file provider was eradicating the LetsEncrypt junk (albeit useful to many) and using self-signed certs. I'd like to move away from using the file bind mount for that to using swarm secrets, but given the trouble I'm having with basicauth, that might be a bridge too far (?)
With Traefik redirecting all *.my.domain to https, including traefik.my.domain, and using basicauth I have the Traefik dashboard secured and all my services happily running through https. Traefik really is most excellent for that!
However, the only way I get it to work is with the basicauth : directly in the docker-compose file. E.g.
    labels:
      ...
      - >
        traefik.http.middlewares.admin-auth.basicauth.users=
        admin:$$apr1$$xxxxxxxx$$xx.xxxxxx/xxxxx/xxx,
        <other users>
      ...
Note that the "$" are escaped as "$$". Login to the dashboard with these credentials works OK. This is acceptable for our internal network use but I'd really like to extract the credentials into a docker swarm secret.
So I put the "admin:$$apr1$$xxxxxxxx$$xx.xxxxxx/xxxxx/xxx," string into a file and created a docker secret from that file.
I confirmed that the secret file is indeed mounted in the running container, e.g., as:
/run/secrets/traefik-admin-auth-users
and it has the correct user:pwd,user:pwd,... contents.
In compose:
    secrets:
      traefik-admin-auth-users:
        name: traefik-admin-auth-users
        external: true
and the Traefik service including
    secrets:
      - traefik-admin-auth-users
However, I just can't get it to work using that secrets file. Per the docs I assumed that to use the secrets file I should use the basicauth.usersFile, but when that failed I also tried basicauth.users:
    - traefik.http.middlewares.admin-auth.basicauth.usersFile=/run/secrets/traefik-admin-auth-users
OR
    - traefik.http.middlewares.admin-auth.basicauth.users=/run/secrets/traefik-admin-auth-users
I also tried it with the $s in the hashed passwords escaped, "$$", and with them not escaped, "$". In all these cases the dashboard is not running when I redeploy the Traefik service and returns a "404 page not found".
I've also tried it without and with double-quoting the label line.
When I return to using the in-line credentials all is fine and beautiful.
As a last resort, I've tried bind mounting the credentials file directly and using it as usersFile. It still fails miserably.
What am I missing???
Thanks, overall I'm really grooving on Traefik, but this is driving me to drink even more than usual...
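
For reference, Traefik's documentation describes the usersFile content as a list of name:hashed-password entries, one per line, and the "$$" doubling is only needed for values written inside a compose file. The shell functions below are an added example, not part of the original post: they convert the comma-separated label form shown above into that file form and check a file before it is turned into a secret. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample entries are constructed.

# Read a compose-label value on stdin ("user:hash,user:hash" with "$$"
# escaping) and write usersFile form: one "user:hash" per line, single "$".
label_to_usersfile() {
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/\$\$/$/g' -e '/^$/d'
}

# Return 0 if every non-blank line of file $1 is exactly one "user:hash"
# entry with no comma and no leftover "$$"; otherwise list offenders on stderr.
check_usersfile() {
    bad=$(awk -F: '
        /^[[:space:]]*$/ { next }
        NF != 2 || $1 == "" || $2 == "" || /,/ || /\$\$/ { print NR ": " $0 }
    ' "$1")
    [ -z "$bad" ] && return 0
    printf 'not usersFile format:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample in label form (placeholder hashes, trailing comma).
SAMPLE='admin:$$apr1$$xxxxxxxx$$xx.xxxxxx/xxxxx/xxx, ops:$$apr1$$yyyyyyyy$$yy.yyyyyy/yyyyy/yyy,'
printf '%s\n' "$SAMPLE" | label_to_usersfile
```

Running check_usersfile against the file used to create the secret shows whether it is still in label form (commas, doubled dollar signs) rather than one entry per line.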