Dashboard basicauth not working with user:hashedpwd in a docker swarm secret

I am running Traefik as a docker swarm service. I've gradually hammered out a pretty clean configuration, distilling the many examples I've found in the wild.

BTW, one big point of pain until I finally found the simple solution using a file provider was eradicating the LetsEncrypt junk (albeit useful to many) and using self-signed certs. I'd like to move away from using the file bind mount for that to using swarm secrets, but given the trouble I'm having with basicauth, that might be a bridge too far (?)

With Traefik redirecting all *.my.domain to https, including traefik.my.domain, and using basicauth I have the Traefik dashboard secured and all my services happily running through https. Traefik really is most excellent for that!

However, the only way I get it to work is with the basicauth : directly in the docker-compose file. E.g.

      labels:
         ...
         - >
           traefik.http.middlewares.admin-auth.basicauth.users=
           admin:$$apr1$$xxxxxxxx$$xx.xxxxxx/xxxxx/xxx,
           <other users>
         ...

Note that the "$" are escaped as "$$". Login to the dashboard with these credentials works OK. This is acceptable for our internal network use but I'd really like to extract the credentials into a docker swarm secret.

So I put the "admin:$$apr1$$xxxxxxxx$$xx.xxxxxx/xxxxx/xxx," string into a file and created a docker secret from that file.

I confirmed that the secret file is indeed mounted in the running container, e.g., as:

/run/secrets/traefik-admin-auth-users

and it has the correct user:pwd,user:pwd,... contents.

In compose:

    secrets:
      traefik-admin-auth-users:
        name: traefik-admin-auth-users
        external: true

and the Traefik service including

    secrets:
      - traefik-admin-auth-users

However, I just can't get it to work using that secrets file. Per the docs I assumed that to use the secrets file I should use the basicauth.usersFile, but when that failed I also tried basicauth.users:

  - traefik.http.middlewares.admin-auth.basicauth.usersFile=/run/secrets/traefik-admin-auth-users

OR

  - traefik.http.middlewares.admin-auth.basicauth.users=/run/secrets/traefik-admin-auth-users

I also tried it with the $s in the hashed passwords escaped, "$$", and with them not escaped, "$". In all these cases the dashboard is not running when I redeploy the Traefik service and returns a "404 page not found".

I've also tried it without and with double-quoting the label line.

When I return to using the in-line credentials all is fine and beautiful.

As a last resort, I've tried bind mounting the credentials file directly and using it as usersFile. It still fails miserably.

What am I missing???

Thanks, overall I'm really grooving on Traefik, but this is driving me to drink even more than usual...

usersFile
The usersFile option is the path to an external file that contains the authorized users for the middleware.
The file content is a list of name:hashed-password.

No escaping with $$, a list means per line. (Doc)

and that's a BINGO! I'd been brain-locked into thinking I needed to pass in the same string as for the .users option. It's now working with the swarm secret (or direct bind mount file) 'as it should be'.

Thanks for the smack-upside-the-head to properly RTFM - I really appreciate your fast answer @bluepuma77 !!

cheers
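
The fix from the reply above, as an added example that is not part of the original thread: a shell helper that converts the comma-separated, `$$`-escaped value used for the `basicauth.users` label into `usersFile` form (one `name:hash` per line, single `$`) and lints the result before it is stored as a swarm secret. The function names and `users.txt` are assumptions made for illustration; the secret name is the one used in the thread.

```bash
#!/usr/bin/env bash
# Added example; function names and file names are hypothetical.

# Convert the compose-label form (comma-separated, "$" doubled as "$$")
# into usersFile form: one name:hash per line, single "$", no blank entries.
label_to_usersfile() {
  printf '%s\n' "$1" \
    | tr ',' '\n' \
    | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/\$\$/$/g' -e '/^$/d'
}

# Lint a usersFile. Prints one message per bad line; returns 1 if any are bad.
lint_usersfile() {
  local file=$1 n=0 bad=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -z "$line" ] && continue
    case $line in
      *'$$'*) echo "line $n: '\$\$' escaping is for compose labels only"; bad=1 ;;
      *,*)    echo "line $n: comma found, put each user on its own line"; bad=1 ;;
      # Hash formats Traefik's basicauth accepts: MD5 (apr1), bcrypt, SHA1.
      *:'$apr1$'*|*:'$2'[aby]'$'*|*:'{SHA}'*) ;;
      *)      echo "line $n: expected name:hash"; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Usage, with the secret name from the thread:
#   label_to_usersfile 'admin:$$apr1$$...,' > users.txt
#   lint_usersfile users.txt && docker secret create traefik-admin-auth-users users.txt
```

The middleware label then points at the mounted file with `basicauth.usersFile=/run/secrets/traefik-admin-auth-users`, as in the original post.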
