How to Bypass Basic Auth for Images with Traefik?

rudak · June 22, 2024, 2:32pm

Hello Traefik Community,

I have a website protected by basic authentication, and I’m using Traefik as my reverse proxy. My issue is that I need to include images from this site in emails, but these images are blocked due to the authentication requirement.

Current Setup:
I am using the following labels in my docker-compose.yml to configure Traefik:

labels:
  - traefik.enable=true
  - traefik.http.routers.xxx-secured.entrypoints=websecure
  - traefik.http.routers.xxx-secured.rule=Host(`mydomain.com`)
  - traefik.http.routers.xxx-secured.tls.certresolver=myresolver

With this configuration, all routes are secured by Traefik's basic authentication. However, I need to make the /images/ path publicly accessible so that images can be viewed without requiring authentication, especially for email clients.

Desired Outcome:
I want to allow public access to images located under /images/ while keeping the rest of the site behind basic authentication.

Question:
How can I configure Traefik to bypass authentication for the /images/ path?
Is it possible to use a middleware to achieve this, or is there a better approach?

Example Labels or other stuff for Desired Configuration:
Could you provide an example of how to adjust my current labels to achieve this?

I appreciate any guidance or examples you can provide. Thank you!

bluepuma77 · June 22, 2024, 2:43pm

You need a second router (and service) for images, without the auth middleware:

traefik.http.routers.xxx-images.rule=Host(`mydomain.com`) && PathPrefix(`/images`)

Because the rule is longer, it has a higher priority and will be matched first.

rudak · June 22, 2024, 8:46pm

My abcdef-secured service works perfectly, but when I add the abcdef-images service with loadbalancer.server.port=80, the router dont start.
it's the commented section that's giving me trouble
am I wrong?

services:

  nginx:
    image: 'nginx:latest'
    container_name: abcdef
    volumes:
      - ./nginx:/etc/nginx/conf.d
      - ./app:/var/www/html
    depends_on:
      - php
    labels:
      - traefik.enable=true
      - traefik.http.services.abcdef-secured.loadbalancer.server.port=80
      - traefik.http.routers.abcdef-secured.entrypoints=websecure
      - traefik.http.routers.abcdef-secured.rule=Host(`abcdef.link`)
      - traefik.http.routers.abcdef-secured.tls.certresolver=myresolver
      - traefik.http.routers.abcdef-secured.middlewares=auth@file

#      - traefik.http.services.abcdef-images.loadbalancer.server.port=80
#      - traefik.http.routers.abcdef-images.rule=Host(`abcdef.link`) && PathPrefix(`/images`)
#      - traefik.http.routers.abcdef-images.entrypoints=websecure
#      - traefik.http.routers.abcdef-images.tls.certresolver=myresolver

bluepuma77 · June 23, 2024, 5:41pm

Working example, needs service definitions and assignments in labels:

services:
  traefik:
    image: traefik:v3.0
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      #- /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=mail@example.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.mywhoami.middlewares=mywhoami-auth
      - traefik.http.routers.mywhoami.service=mywhoami
      - traefik.http.middlewares.mywhoami-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

      - traefik.http.routers.mywhoami-unsecured.rule=Host(`whoami.example.com`) && PathPrefix(`/unsecured`)
      - traefik.http.routers.mywhoami-unsecured.service=mywhoami-unsecured
      - traefik.http.services.mywhoami-unsecured.loadbalancer.server.port=80

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

Topic		Replies	Views
Traefik v2 simple trick to bypass basic Auth Traefik v2 docker , middleware	5	10450	August 21, 2022
Basic auth for /administrator path Traefik v2 middleware	1	649	December 1, 2022
Exclude particular path from basicauth doesn't work Traefik v2 middleware	2	236	January 27, 2024
Forward hard-coded basic auth to some service? Traefik v2 docker	3	975	July 14, 2021
Exclude particular path(s) from basicauth Traefik v2 middleware	1	3849	June 24, 2020

How to Bypass Basic Auth for Images with Traefik?

Related Topics