Support htdigest auth basic in Docker service traefik.frontend.auth.basic label #2734

Closed
matthewpflueger opened this issue Jan 22, 2018 · 5 comments

matthewpflueger commented Jan 22, 2018

Do you want to request a feature or report a bug?

I think this is a bug because clearly the htdigest is supported but could also be a feature because it has yet to be implemented for Docker labels...

What did you do?

I switched the basic auth for a Docker Swarm mode service to use htdigest in order to customize the auth realm (I don't like exposing our technology stack and the default basic auth realm is "traefik"). My service originally had the following traefik.frontend label in the deploy section of the docker yaml file which worked:

deploy:
      labels:
        - 'traefik.frontend.auth.basic=ourusername:$$apr1$$h4AR1C6e$$YHJHz87uXSqfPhT2T/X1.'

That correctly caused traefik to prompt for authentication when accessing the service. However switching to using htdigest basic auth like:

deploy:
      labels:
        - 'traefik.frontend.auth.basic=ourusername:ourrealm:26a44ebb87ee02dcd0045c1608c89b'

Causes traefik to ignore auth basic. In the debug logs it clearly shows an error parsing the htdigest basic auth:

staging_traefik.0.ovuv7c98mwkh@ip-172-31-82-157.us-west-2.compute.internal    | time="2018-01-22T18:27:42Z" level=error msg="Error creating Auth: Error parsing Authenticator user: ouruser:ourrealm:26a44ebb87ee02dcd0045c160288c89b"

What did you expect to see?

When using the htdigest auth I expected to be prompted for basic auth with a realm of ourrealm.

What did you see instead?

No basic auth done.

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.5.0-rc5
Codename:     cancoillotte
Go version:   go1.9.2
Built:        2018-01-15_03:59:03PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

{
 "LifeCycle": null,
 "GraceTimeOut": 0,
 "Debug": false,
 "CheckNewVersion": false,
 "SendAnonymousUsage": false,
 "AccessLogsFile": "/dev/stdout",
 "AccessLog": {
  "format": "common"
 },
 "TraefikLogsFile": "",
 "TraefikLog": null,
 "LogLevel": "WARN",
 "EntryPoints": {
  "http": {
   "Network": "",
   "Address": "xxxx",
   "TLS": null,
   "Redirect": {
    "entryPoint": "xxxx"
   },
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  },
  "https": {
   "Network": "",
   "Address": "xxxx",
   "TLS": {
    "MinVersion": "",
    "CipherSuites": null,
    "Certificates": [],
    "ClientCAFiles": null,
    "ClientCA": {
     "Files": null,
     "Optional": false
    }
   },
   "Redirect": null,
   "Auth": null,
   "WhitelistSourceRange": null,
   "Compress": false,
   "ProxyProtocol": null,
   "ForwardedHeaders": null
  }
 },
 "Cluster": null,
 "Constraints": [],
 "ACME": null,
 "DefaultEntryPoints": [
  "http",
  "https"
 ],
 "ProvidersThrottleDuration": 2000000000,
 "MaxIdleConnsPerHost": 200,
 "IdleTimeout": 0,
 "InsecureSkipVerify": true,
 "RootCAs": null,
 "Retry": {
  "Attempts": 3
 },
 "HealthCheck": {
  "Interval": 30000000000
 },
 "RespondingTimeouts": null,
 "ForwardingTimeouts": null,
 "Web": {
  "Address": ":8443",
  "CertFile": "/run/secrets/selfsigned_wildcard_valuepenguin_com_cer",
  "KeyFile": "/run/secrets/selfsigned_wildcard_valuepenguin_com_key",
  "ReadOnly": true,
  "Statistics": {
   "RecentErrors": 100
  },
  "Metrics": null,
  "Path": "",
  "Auth": {
   "Basic": {
    "Users": [],
    "UsersFile": ""
   },
   "Digest": null,
   "Forward": null,
   "HeaderField": ""
  },
  "Debug": false
 },
 "Docker": null,
 "File": null,
 "Marathon": null,
 "Consul": null,
 "ConsulCatalog": null,
 "Etcd": null,
 "Zookeeper": null,
 "Boltdb": null,
 "Kubernetes": null,
 "Mesos": null,
 "Eureka": null,
 "ECS": null,
 "Rancher": null,
 "DynamoDB": null,
 "ServiceFabric": null,
 "Rest": null,
 "API": null,
 "Metrics": null,
 "Ping": null,
 "ConfigFile": "/etc/traefik/traefik.toml"
}

Contents of /etc/traefik/traefik.toml

################################################################
# Global section
################################################################
checkNewVersion = false
logLevel = "WARN"
InsecureSkipVerify = true
defaultEntryPoints = ["http", "https"]
accessLogsFile = "/dev/stdout"

# Log to stdout by default
[accessLog]

# Retry failed requests three times
[retry]
  attempts = 3


################################################################
# Entrypoints definition
#
# Redirect all http requests to https using the given
# selfsigned certs
################################################################
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/run/secrets/selfsigned_wildcard_valuepenguin_com_cer"
      KeyFile = "/run/secrets/selfsigned_wildcard_valuepenguin_com_key"

Ezwen commented Feb 24, 2018

I believe the label should be traefik.frontend.auth.digest instead of traefik.frontend.auth.basic.

But I agree, I would really like to see both Digest Authentication and Forward Authentication (https://docs.traefik.io/configuration/entrypoints/#authentication) supported with Docker using traefik.frontend.auth labels :).
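
The two entry formats discussed in this thread, as an added example that is not part of any comment or of Traefik's code: an htpasswd entry is `user:hash`, while an htdigest entry is `user:realm:MD5(user:realm:password)`. The function names and sample values are constructed, and the two-field versus three-field check is an assumption consistent with the parse error in the log above, not Traefik's actual parser.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// An htdigest hash field is always 32 lowercase hex characters (one MD5 sum).
var hexMD5 = regexp.MustCompile(`^[0-9a-f]{32}$`)

// HA1 returns the htdigest hash field: MD5("user:realm:password") in hex.
func HA1(user, realm, password string) string {
	sum := md5.Sum([]byte(user + ":" + realm + ":" + password))
	return hex.EncodeToString(sum[:])
}

// Classify reports which credential format an entry uses:
// "htpasswd" (user:hash), "htdigest" (user:realm:md5hex) or "invalid".
func Classify(entry string) string {
	parts := strings.Split(entry, ":")
	switch {
	case len(parts) == 2 && parts[0] != "" && parts[1] != "":
		return "htpasswd"
	case len(parts) == 3 && parts[0] != "" && parts[1] != "" && hexMD5.MatchString(parts[2]):
		return "htdigest"
	}
	return "invalid"
}

// CheckLabel returns an error when the entry format does not match the
// auth scheme named by the label suffix ("basic" or "digest").
func CheckLabel(scheme, entry string) error {
	want := map[string]string{"basic": "htpasswd", "digest": "htdigest"}[scheme]
	if got := Classify(entry); want == "" || got != want {
		return fmt.Errorf("%s auth expects %q entry, got %q", scheme, want, got)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	digest := "alice:example-realm:" + HA1("alice", "example-realm", "s3cret")
	fmt.Println(CheckLabel("basic", "alice:$apr1$salt$hashvalue"))
	fmt.Println(CheckLabel("basic", digest))
	fmt.Println(CheckLabel("digest", digest))
}
```

Running a check like this over service labels before deployment surfaces a format mismatch at review time instead of as an unauthenticated route.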


ewascome commented Mar 5, 2018

Agree with @gwend4l and would also like to see traefik.frontend.auth.forward.

@ldez ldez self-assigned this Mar 5, 2018

barhun commented Apr 7, 2018

Support for a label like traefik.frontend.auth.digest.usersfile would be appreciated. (:

@matthewpflueger

Any movement on this?


ldez commented Jul 1, 2018

see #3460

@traefiker traefiker added this to the 1.7 milestone Jul 6, 2018
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019