How to configure basic auth for protecting the traefik dashboard from public access #560

Open
opened 2024-01-30 20:03:22 +00:00 by einarpersson · 3 comments

I am following the guide, and the dashboard is now open to the public. I reviewed the config and uncommented the lines:

```
## BASIC_AUTH
## Use httpasswd to generate the secret
COMPOSE_FILE="$COMPOSE_FILE:compose.basicauth.yml"
BASIC_AUTH=1
SECRET_USERSFILE_VERSION=v1
```

In the compose file I see

```yaml
secrets:
  usersfile:
    name: ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}
    external: true
```

I used `htpasswd` to generate the secret as instructed, but I don't know what to do with it =) Should I place the generated file somewhere (according to the `usersfile` above) or inject the secret with the CLI or what? This should be covered in the tutorial so that you do not make something public by accident. This is especially easy since it's easy to think that `ufw` would deny anything not opened, whereas Docker bypasses `ufw`...

Owner

Yes, great point! I am using `DASHBOARD_ENABLED=false` to stop making it public atm. I am not sure if that simple "off switch" is documented clearly either? Definitely nice to have the basic auth option clearly laid out too.

decentral1se added the documentation label 2024-01-31 07:58:42 +00:00
Owner

> inject the secret with the CLI or what?

Yes, this: `abra app secret insert traefik.foo.com usersfile v1 ...`

HOWEVER! 🚨 `compose.basicauth.yml` currently just makes the `basicAuth` middleware available. That middleware is only so far used for metrics reporting (e.g. see `traefik.yml.tmpl`, and [coop-cloud/monitoring-ng](https://git.coopcloud.tech/coop-cloud/monitoring-ng)), and for one app (Voila) where it was needed in a specific situation.

I think for the Traefik dashboard we'd probably want a(nother) separate `compose.basicauth-dashboard.yml` to apply the relevant `middleware` label to the Traefik dashboard router, to support cases where the dashboard is behind SSO but we still want the `basicAuth` middleware defined.

Either way, yes, the existing `compose.basicauth.yml` could do with a lot more explanation in the README.

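To make concrete what the `usersfile` secret contains and what the `basicAuth` middleware does with it, here is an added example (it is not code from the coop-cloud recipe, from `abra`, or from Traefik). It builds an htpasswd-style line in the `{SHA}` format that `htpasswd -s` produces, derives the external secret name the compose snippet above interpolates from `STACK_NAME` and `SECRET_USERSFILE_VERSION`, and checks an incoming HTTP Basic `Authorization` header against the usersfile the way a basicAuth middleware would (reject when the header is missing, malformed, or the password does not match). The user names, stack name and passwords are constructed sample values; bcrypt entries (`htpasswd -B`) are verified only if the third-party `bcrypt` package happens to be installed, which is an assumption, not something the page requires.

```python
"""Added example: htpasswd usersfile entry, Docker secret naming, and a
Basic-auth check emulating what Traefik's basicAuth middleware decides.
Not part of the coop-cloud recipe or the abra CLI."""
import base64
import hashlib
import hmac
import secrets


def sha_entry(user: str, password: str) -> str:
    """Return a usersfile line in the format produced by `htpasswd -s` ({SHA})."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def secret_name(stack_name: str, version: str) -> str:
    """Name of the external Docker secret the compose file references:
    ${STACK_NAME}_usersfile_${SECRET_USERSFILE_VERSION}."""
    return f"{stack_name}_usersfile_{version}"


def parse_usersfile(text: str) -> dict:
    """Map user -> hashed password, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def _password_matches(hashed: str, password: str) -> bool:
    """Constant-time comparison for {SHA}; bcrypt via optional package."""
    if hashed.startswith("{SHA}"):
        expected = base64.b64decode(hashed[len("{SHA}"):])
        actual = hashlib.sha1(password.encode()).digest()
        return hmac.compare_digest(actual, expected)
    if hashed.startswith(("$2a$", "$2b$", "$2y$")):
        try:
            import bcrypt  # assumed optional dependency, not on the page
        except ImportError:
            return False
        return bcrypt.checkpw(password.encode(), hashed.encode())
    return False  # unknown scheme: fail closed


def authorize(users: dict, authorization_header) -> bool:
    """Decide as a basicAuth middleware would: True only for a well-formed
    'Basic <base64(user:password)>' header whose credentials match the file.
    Any False here corresponds to a 401 with a WWW-Authenticate challenge."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    hashed = users.get(user)
    if hashed is None:
        return False
    return _password_matches(hashed, password)


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after the credentials prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    pw = secrets.token_urlsafe(16)            # constructed sample password
    usersfile = sha_entry("alice", pw) + "\n"  # what you'd hand to abra
    print("docker secret name:", secret_name("traefik", "v1"))
    print(usersfile, end="")
    users = parse_usersfile(usersfile)
    print("with credentials:", authorize(users, basic_header("alice", pw)))
    print("anonymous:", authorize(users, None))
```

The printed usersfile line is the content the comment says to inject with `abra app secret insert ... usersfile v1`, and `secret_name("traefik", "v1")` reproduces the `name:` the compose snippet resolves to, so you can confirm with `docker secret ls` that the secret the stack expects actually exists. Traefik's basicAuth middleware accepts MD5, SHA1 and bcrypt hashes; bcrypt (`htpasswd -B`) is the sensible choice for a real deployment, the `{SHA}` scheme is used here only because it needs no extra package.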
basebuilder added this to the Improvements to Websites milestone 2024-02-21 20:17:15 +00:00
Member

> I am not sure if that simple "off switch" is documented clearly either?

It was definitely not documented in the [Operators Tutorial](https://docs.coopcloud.tech/operators/tutorial/#web-proxy-setup), nor was it clear to a newcomer how to add the HTTP Auth version. I will be clarifying both in the Docs.

decentral1se changed title from Docs: How to configure basic auth for protecting the traefik dashboard from public access to How to configure basic auth for protecting the traefik dashboard from public access 2024-03-27 06:15:30 +00:00
Reference: coop-cloud/organising#560