Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Basic Authentication credentials not respected in Docker Swarm mode #2171
Do you want to request a feature or report a bug?
What did you do?
What did you expect to see?
I'm using docker stacks to deploy
What did you see instead?
I tried to use your configuration and, apparently, you forget few " in the labels part :
labels: - "traefik.port=8080" - "traefik.frontend.rule=PathPrefix:/function" - "traefik.frontend.auth.basic=user:password"
Moreover, I had to add your domain name (
@nmengin it doesn't seem to matter if those lines are quoted or not, the labels are correctly added either way, and the basic auth seems to be functioning, just credentials are not respected. Also, if I remove the
Sep 25, 2017
Did work for me without any issues:
version: '3' services: cadvisor: image: google/cadvisor deploy: labels: - "traefik.port=8080" - "traefik.docker.network=proxy" - "traefik.frontend.rule=Host:metrics.mysite.at" - "traefik.backend=cadvisor" - "traefik.frontend.entryPoints=http,https" - "traefik.frontend.auth.basic=berndinox:$$some$$Secret$$passwd$$md5$$escape" replicas: 1 networks: proxy: aliases: - cadvisor volumes: - /:/rootfs:ro - /var/run:/var/run:rw - /sys:/sys:ro - /var/lib/docker/:/var/lib/docker:ro - /dev/disk/:/dev/disk:ro
In the solution we suggest with @ldez , the label key is
But your label seems to use
Am I wrong?
@Berndinox Can you show your Træfik configuration?
logLevel = "INFO" debug = false defaultEntryPoints = ["http", "https"] [entryPoints] [entryPoints.http] address = ":80" compress = false [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] CertFile = "/etc/traefik/cert.at.cert" KeyFile = "/etc/traefik/key.at.key" [docker] domain = "docker.localhost" watch = true swarmmode = true
version: "3" services: traefik: image: traefik #command: --consul --consul.endpoint=consul:8500 #command: storeconfig --consul --consul.endpoint=consul:8500 networks: - proxy ports: - 80:80 - 443:443 #- 8080:8080 volumes: - /var/run/docker.sock:/var/run/docker.sock - traefikdata:/etc/traefik/ deploy: replicas: 3 #replicas: 1 placement: constraints: [node.role == manager] update_config: parallelism: 1 delay: 45s monitor: 15s restart_policy: condition: on-failure delay: 5s max_attempts: 10 window: 60s volumes: traefikdata: driver: local-persist driver_opts: mountpoint: /data/docker/proxy networks: proxy: external: true
version: "3.2" services: traefik: image: traefik:v1.3 command: -c --docker=true --docker.swarmmode=true --docker.domain=traefik --docker.watch=true --web=true --debug=true --defaultEntryPoints='http' --entryPoints='Name:http Address::80' ports: - 80:80 - 8080:8080 volumes: - "/var/run/docker.sock:/var/run/docker.sock" networks: - functions deploy: placement: constraints: [node.role == manager] gateway: volumes: - "/var/run/docker.sock:/var/run/docker.sock" image: functions/gateway:0.6.3 networks: - functions environment: dnsrr: "true" # Temporarily use dnsrr in place of VIP while issue persists on PWD deploy: labels: - traefik.port=8080 - traefik.frontend.rule=PathPrefix:/function - traefik.frontend.auth.basic=user:password placement: constraints: - 'node.role == manager' - 'node.platform.os == linux'
I've tried the above and the suggested
Sorry, but I still have the same issue.
Traefik runs in swarm mode with:
docker service create \ --name traefik \ --constraint=node.role==manager \ -p 80:80 -p 8080:8080 \ --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount type=bind,source=/etc/traefik/traefik.toml,destination=/etc/traefik/traefik.toml \ --mode global \ --network traefik-net \ --label traefik.frontend.passHostHeader=true \ traefik:1.4 traefik
The traefik.toml file:
logLevel = "INFO" [accessLog] [web] address = ":8080" [web.auth.basic] users = ["toolbox:$basicauth"] [docker] domain = "xxx.yyy.net" watch = true swarmmode = true exposedbydefault = false
If I start a simple web service with:
docker service create \ --name web \ --label traefik.port=2015 \ --network traefik-net \ --label traefik.frontend.auth.basic=test:$$2y$$05$$/lF1ypvhkljsaB1nxPLuOua5DT567JXE.D7n5fxmdky4MqUFUAYam ldaume/caddy
... curl leads to
> curl -u test:test http://web.xxx.yyy.net 401 Unauthorized
Everything works without the basic auth label.
Did I miss anything?
@ldaume - put the label in single quotes and don't escape the password (unless there is a single quote in it).
Example below (I tested it):
you can generate your own passwords using
The label does not seem to be set properly when configured in a compose file, and when there's a period or slash in the hash. Quotes, single quotes or no quotes seem to not make a difference.
I've got this (test/myPassword):
Edit: A hash without any period or slash results in a empty label for me.
I haven't fully understood the issue, but using htpassword solved it for me. It seems traefik uses the same algo to unhash the passwords.
You will receive the according hash
Copy paste it to your .toml or your docker-compose script.
Use your password (not the hash) and everything will work fine.
For people coming here in the future, this is an explanation.
Docker compose files support variable substitution. Both
As a consequence, the content of your label is being mutated. Like most people have commented, you just need to replace '$' with '$$' to prevent variable substitution.
To generate credentials in the correct format, you could run:
htpasswd -Bbn test test | sed -e 's/\$/\$\$/g'