Securing the dashboard observations

Hi,
I am trying to implement HTTPS with self-signed certificates and secure the Traefik dashboard using basicauth. Things are working fine: I can open the dashboard over HTTPS and there is a login prompt. But there are a couple of observations on which I am looking for more clarity.

Here is the config:

    labels:
      - "traefik.http.routers.traefik.rule=Host(`traefik.dev.localhost`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.middlewares.auth.basicauth.users=admin:$$"

Static config:

    [log]
      level = "DEBUG"

    [entrypoints]
      [entrypoints.http]
        address = ":80"

      [entrypoints.https]
        address = ":443"

    [providers]
      [providers.docker]

      [providers.file]
        filename = "/etc/traefik/traefik.config.toml" # this file points to certs

    [api]
      # With this you enable the web UI
      # insecure = true
      dashboard = true

  1. After adding this config and restarting the containers, I see the login/password prompt only once if auth is successful. Closing the dashboard and opening it again, I am not asked for login/password. Restarting the containers and opening the dashboard, I am not asked for login/password. Not sure if this has to do more with cookies or something outside the scope of Traefik. Is there a setting to enforce login/password every time the dashboard is opened?

  2. I am in debug mode and see the logs floating even when there is no traffic. Hope this is some internal stuff and nothing to be concerned about.

    traefik_1       | time="2019-11-26T21:40:36Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
    traefik_1       | time="2019-11-26T21:40:36Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
    traefik_1       | time="2019-11-26T21:40:41Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
    traefik_1       | time="2019-11-26T21:40:41Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
    traefik_1       | time="2019-11-26T21:40:46Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
    traefik_1       | time="2019-11-26T21:40:46Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
    traefik_1       | time="2019-11-26T21:40:51Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
    traefik_1       | time="2019-11-26T21:40:51Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker

Thanks!

Hi @sisuser1987,

  • About your 1st question, it is your web browser which is storing the user and password in its session, and provides it on each request (to the dashboard's resource or any further XHR call to /api). Use a private session on your web browser or disable any cookie or cache on it to be asked every time. You can see this by trying to reach the dashboard with consecutive curl or wget commands: if you do not provide any credentials, you'll get HTTP/40x answers.
  • About your 2nd question, this is a visual proof of what I said below. The dashboard's web application regularly checks the state of Traefik, by sending XHR HTTP requests to /api. Each of these requests also requires authentication, provided by your web browser. The debug log on the Traefik side shows the requests have the right credentials. By enabling the access log (ref. https://docs.traefik.io/v2.0/observability/access-logs/) you'll be able to correlate debug messages with incoming requests. Please note that using the "debug" mode is not recommended for nominal cases: only for "debugging" purposes.
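
An added example, not part of the original thread and not Traefik's own code: it parses the debug lines quoted in the question and measures how the "Authentication succeeded" events are spaced, which makes the dashboard's timer-driven polling described in the reply visible. The function names (`parse_line`, `auth_bursts`, `polling_intervals`) are hypothetical, and the sample input is copied from the question.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the eight debug lines quoted in the question, compose prefix included.
SAMPLE = """\
traefik_1       | time="2019-11-26T21:40:36Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
traefik_1       | time="2019-11-26T21:40:36Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
traefik_1       | time="2019-11-26T21:40:41Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
traefik_1       | time="2019-11-26T21:40:41Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
traefik_1       | time="2019-11-26T21:40:46Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
traefik_1       | time="2019-11-26T21:40:46Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
traefik_1       | time="2019-11-26T21:40:51Z" level=debug msg="Authentication succeeded" middlewareName=auth@docker middlewareType=BasicAuth
traefik_1       | time="2019-11-26T21:40:51Z" level=debug msg="Authentication succeeded" middlewareType=BasicAuth middlewareName=auth@docker
"""

# logfmt pair: key=value or key="quoted value". Field order differs between
# lines (see the second sample line), so fields are matched by key, not position.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return the logfmt fields of one log line as a dict."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def auth_bursts(text, middleware="auth@docker"):
    """Count successful BasicAuth events per timestamp for one middleware."""
    bursts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if (f.get("msg") == "Authentication succeeded"
                and f.get("middlewareType") == "BasicAuth"
                and f.get("middlewareName") == middleware):
            bursts[datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%SZ")] += 1
    return dict(sorted(bursts.items()))

def polling_intervals(bursts):
    """Seconds between consecutive bursts; a constant value points to a timer."""
    times = list(bursts)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    bursts = auth_bursts(SAMPLE)
    print("events per burst:", list(bursts.values()))
    print("intervals (s):", polling_intervals(bursts))
```

On the sample, every burst holds two events and the bursts are five seconds apart, which is what an open dashboard tab resending the stored credentials on each poll looks like in the debug log.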