How to configure basic auth for protecting the traefik dashboard from public access #560
Labels
No Label
abra
abra-gandi
awaiting-feedback
backups
bug
build
ci/cd
community organising
contributing
coopcloud.tech
democracy
design
documentation
duplicate
enhancement
finance
funding
good first issue
help wanted
installer
kadabra
performance
proposal
question
recipes.coopcloud.tech
security
test
wontfix
No Milestone
No project
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: coop-cloud/organising#560
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
I am following the guide, and the dashboard is now open to public. I reviewed the config and uncommented the lines:
In the compose file I see
I used
htpasswd
to generate the secret as instructed, but I don't know what to do with it =) Should I place the generated file somewhere (according to userfile above) or inject the secret with the CLI or what? This should be covered in the tutorial so that you do not make something public by accident. This is especially easy since it's easy to think thatufw
would deny anything not opened, whereas Docker bypassesufw
...Yes, great point! I am using
DASHBOARD_ENABLED=false
to stop making it public atm. I am not sure if that simple "off switch" is documented clearly either? Definitely nice to have basic auth option clearly laid out too.Yes, this,
abra app secret insert traefik.foo.com usersfile v1 ...
HOWEVER! 🚨
compose.basicauth.yml
currently just makes thebasicAuth
middleware available. That middleware is only so far used for metrics reporting (e.g. seetraefik.yml.tmpl
, and coop-cloud/monitoring-ng), and for one app (Voila) where it was needed in a specific situation.I think for the Traefik dashboard we'd probably want a(nother) separate
compose.basicauth-dashboard.yml
to apply the relevantmiddleware
label to the Traefik dashboard router, to support cases where the dashboard is behind SSO but we still want thebasicAuth
middleware defined.Either way, yes, existing
compose.basicauth.yml
could do with a lot more explanation in README.It was definitely not documented in the Operators Tutorial, nor was it clear to a newcomer how to add HTTP Auth version. I will be clarifying both in the Docs
Docs: How to configure basic auth for protecting the traefik dashboard from public accessto How to configure basic auth for protecting the traefik dashboard from public access