This example shows how you can secure your Flipt instance using HTTP Basic Authentication.
It is important to note that Flipt currently has no built in authentication, authorization or encryption as Flipt was designed to work inside your trusted architecture and not be exposed publicly.
That being said, if you do want to expose the Flipt dashboard and REST API publicly using HTTP Basic Authentication, you can do so by using a reverse proxy. This example uses the Caddy web server to accomplish this task.
Currently there is no way provided in Flipt to configure authentication with the GRPC API if exposed publicly. Thus, if you choose this approach is is important to not expose the GRPC port publicly! as anyone would be able to access your resources over GRPC without authenticating.
To run this example application you'll need:
Running the Example
docker-compose upfrom this directory
- Open the Flipt UI (default: http://localhost:8080)
- Note you will be prompted for a username and password, the default is
admin:password. This can be configured by setting the
HTTP_PASSWORDenvironment variables in the docker-compose.yml file.
- Try to get a list of flags without authenticating using the REST API:
❯ curl -v http://localhost:8080/api/v1/flags * Trying 127.0.0.1... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 8080 (#0) > GET /api/v1/flags HTTP/1.1 > Host: localhost:8080 > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 > Accept: */* > Referer: > < HTTP/1.1 401 Unauthorized < Content-Type: text/plain; charset=utf-8
- You should get a 401 Unauthorized response as no username or password was present on the request
- Try again, providing the username and password:
❯ curl -v -u admin:password http://localhost:8080/api/v1/flags * Trying 127.0.0.1... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 8080 (#0) * Server auth using Basic with user 'admin' > GET /api/v1/flags HTTP/1.1 > Host: localhost:8080 > Authorization: Basic YWRtaW46cGFzc3dvcmQ= > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 > Accept: */* > Referer: > < HTTP/1.1 200 OK < Content-Type: application/json
- This time the request succeeds and a 200 OK response is returned