auth support for web backend #891

Closed
opichon opened this issue Nov 24, 2016 · 15 comments

@opichon

opichon commented Nov 24, 2016

This does not seem to work.

I've added this section to the traefik.toml config:

[web]
address = ":8080"

[web.auth.basic]
users = ["admin:traefik:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]

The traefik web ui is displayed without asking for a password.

@opichon
Author

opichon commented Nov 24, 2016

I've tried using the example from the docs. Still doesn't work.

 users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]

@emilevauge
Member

You are taking the example of the digest auth, not basic:

# To enable basic auth on the webui
# with 2 user/pass: test:test and test2:test2
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
#   [web.auth.basic]
#     users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]

@opichon
Author

opichon commented Nov 24, 2016

From the docs:

# To enable digest auth on the webui
# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
# You can use htdigest to generate those ones
#   [web.auth.basic]
#     users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]

@emilevauge
Member

Oops, there is a typo indeed:

# To enable basic auth on the webui
# with 2 user/pass: test:test and test2:test2
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
#   [web.auth.basic]
#     users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
# To enable digest auth on the webui
# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
# You can use htdigest to generate those ones
#   [web.auth.digest]
#     users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]

@opichon
Author

opichon commented Nov 24, 2016

Yes, I had tried this, but it does not work.

The docs example with basic auth does not work either.

The web ui opens with asking for a password in both cases.

@emilevauge
Member

@opichon I just tested it and it works. What do you have in your DEBUG logs?

@opichon
Author

opichon commented Nov 24, 2016

I see this line:

time="2016-11-24T12:47:56Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Auth\":null}"

Doesn't sound right. My config includes:

[web]
address = ":8080"

[web.auth.basic]
    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]

@emilevauge
Member

Can you give us ALL your logs?

@opichon
Author

opichon commented Nov 24, 2016

Sorry, no, not on a public platform like GitHub. I'll try and set up a test environment and send you the logs and config for that.

@opichon
Author

opichon commented Nov 24, 2016

time="2016-11-24T12:47:53Z" level=info msg="Traefik version v1.1.0 built on 2016-11-18_09:20:46AM"
time="2016-11-24T12:47:53Z" level=info msg="Using TOML configuration file //traefik.toml"
time="2016-11-24T12:47:53Z" level=debug msg="Global configuration loaded {\"GraceTimeOut\":10,\"Debug\":false,\"CheckNewVersion\":true,\"AccessLogsFile\":\"\",\"TraefikLogsFile\":\"\",\"LogLevel\":\"DEBUG\",\"EntryPoints\":{\"http\":{\"Network\":\"\",\"Address\":\":80\",\"TLS\":null,\"Redirect\":{\"EntryPoint\":\"https\",\"Regex\":\"\",\"Replacement\":\"\"},\"Auth\":null,\"Compress\":false},\"https\":{\"Network\":\"\",\"Address\":\":443\",\"TLS\":{\"MinVersion\":\"\",\"CipherSuites\":null,\"Certificates\":null,\"ClientCAFiles\":null},\"Redirect\":null,\"Auth\":null,\"Compress\":false}},\"Cluster\":null,\"Constraints\":[],\"ACME\":{\"Email\":\"le1@XXX.com\",\"Domains\":[{\"Main\":\"AAA.net\",\"SANs\":[\"www.AAA.net\",\"admin.AAA.net\",\"pma.AAA.net\",\"test.AAA.net\",\"disabled.AAA.net\",\"closed.AAA.net\",\"suspended.AAA.net\",\"gitonomy.AAA.net\"]},{\"Main\":\"satis.XXX.com\",\"SANs\":null},{\"Main\":\"gitonomy.XXX.com\",\"SANs\":null}],\"Storage\":\"\",\"StorageFile\":\"/acme.json\",\"OnDemand\":true,\"OnHostRule\":false,\"CAServer\":\"https://acme-staging.api.letsencrypt.org/directory\",\"EntryPoint\":\"https\"},\"DefaultEntryPoints\":[\"http\",\"https\"],\"ProvidersThrottleDuration\":2000000000,\"MaxIdleConnsPerHost\":200,\"InsecureSkipVerify\":false,\"Retry\":null,\"Docker\":{\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":true,\"UseBindPortIP\":false,\"SwarmMode\":false},\"File\":null,\"Web\":{\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Auth\":null},\"Marathon\":null,\"Consul\":null,\"ConsulCatalog\":null,\"Etcd\":null,\"Zookeeper\":null,\"Boltdb\":null,\"Kubernetes\":null,\"Mesos\":null}"
time="2016-11-24T12:47:53Z" level=info msg="Preparing server https &{Network: Address::443 TLS:0xc4201c39e0 Redirect:<nil> Auth:<nil> Compress:false}"
time="2016-11-24T12:47:54Z" level=warning msg="ACME.StorageFile is deprecated, use ACME.Storage instead"
time="2016-11-24T12:47:54Z" level=info msg="Loading ACME Account..."
time="2016-11-24T12:47:55Z" level=info msg="Loaded ACME config from store /acme.json"
time="2016-11-24T12:47:55Z" level=debug msg="Building ACME client..."
time="2016-11-24T12:47:55Z" level=debug msg=AgreeToTOS...
time="2016-11-24T12:47:56Z" level=info msg="Retrieving ACME certificates..."
time="2016-11-24T12:47:56Z" level=info msg="Preparing server http &{Network: Address::80 TLS:<nil> Redirect:0xc420355950 Auth:<nil> Compress:false}"
time="2016-11-24T12:47:56Z" level=info msg="Starting provider *provider.Docker {\"Watch\":true,\"Filename\":\"\",\"Constraints\":null,\"Endpoint\":\"unix:///var/run/docker.sock\",\"Domain\":\"\",\"TLS\":null,\"ExposedByDefault\":true,\"UseBindPortIP\":false,\"SwarmMode\":false}"
time="2016-11-24T12:47:56Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Auth\":null}"
time="2016-11-24T12:47:56Z" level=info msg="Starting server on :443"
time="2016-11-24T12:47:56Z" level=info msg="Starting server on :80"
time="2016-11-24T12:47:56Z" level=info msg="Retrieved ACME certificates"
time="2016-11-24T12:47:56Z" level=debug msg="Testing certificate renew..."
time="2016-11-24T12:47:56Z" level=debug msg="Docker connection established with docker 1.12.2 (API 1.24)"
time="2016-11-24T12:47:56Z" level=debug msg="Filtering disabled container /mailhog"
time="2016-11-24T12:47:56Z" level=debug msg="Filtering disabled container /phantomjs"
time="2016-11-24T12:47:56Z" level=debug msg="Filtering disabled container /proxy"
time="2016-11-24T12:47:56Z" level=debug msg="Filtering container without port and no traefik.port label /janitor"
time="2016-11-24T12:47:56Z" level=debug msg="Filtering disabled container /AAA_mysql_1"
time="2016-11-24T12:47:56Z" level=debug msg="Load balancer method '<nil>' for backend backend-AAA-phpmyadmin: Invalid method, using default. Using default wrr."
time="2016-11-24T12:47:56Z" level=debug msg="Load balancer method '<nil>' for backend backend-AAA-wiki: Invalid method, using default. Using default wrr."
time="2016-11-24T12:47:56Z" level=debug msg="Load balancer method '<nil>' for backend backend-AAA-www: Invalid method, using default. Using default wrr."
time="2016-11-24T12:47:56Z" level=debug msg="Load balancer method '<nil>' for backend backend-satis: Invalid method, using default. Using default wrr."
time="2016-11-24T12:47:56Z" level=debug msg="Load balancer method '<nil>' for backend backend-AAA-admin: Invalid method, using default. Using default wrr."
time="2016-11-24T12:47:56Z" level=debug msg="Configuration received from provider docker: {\"backends\":{\"backend-AAA-admin\":{\"servers\":{\"server-AAA_admin_1\":{\"url\":\"http://172.19.0.7:2015\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-AAA-phpmyadmin\":{\"servers\":{\"server-AAA_phpmyadmin_1\":{\"url\":\"http://172.19.0.8:80\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-AAA-wiki\":{\"servers\":{\"server-AAA_wiki_1\":{\"url\":\"http://172.19.0.5:2015\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-AAA-www\":{\"servers\":{\"server-AAA_www_1\":{\"url\":\"http://172.19.0.4:2015\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}},\"backend-satis\":{\"servers\":{\"server-satis\":{\"url\":\"http://172.19.0.2:2015\",\"weight\":1}},\"loadBalancer\":{\"method\":\"wrr\"}}},\"frontends\":{\"frontend-Host-admin-AAA-net\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-AAA-admin\",\"routes\":{\"route-frontend-Host-admin-AAA-net\":{\"rule\":\"Host:admin.AAA.net\"}},\"passHostHeader\":true,\"priority\":998},\"frontend-Host-pma-AAA-net\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-AAA-phpmyadmin\",\"routes\":{\"route-frontend-Host-pma-AAA-net\":{\"rule\":\"Host:pma.AAA.net\"}},\"passHostHeader\":true,\"priority\":997},\"frontend-Host-satis-XXX-com\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-satis\",\"routes\":{\"route-frontend-Host-satis-XXX-com\":{\"rule\":\"Host:satis.XXX.com\"}},\"passHostHeader\":true,\"priority\":1},\"frontend-Host-www-AAA-net-AAA-net\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-AAA-www\",\"routes\":{\"route-frontend-Host-www-AAA-net-AAA-net\":{\"rule\":\"Host:www.AAA.net,AAA.net\"}},\"passHostHeader\":true,\"priority\":999},\"frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net\":{\"entryPoints\":[\"http\",\"https\"],\"backend\":\"backend-AAA-wiki\",\"routes\":{\"route-frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net\":{\"rule\":\"HostRegexp:{subdomain:[A-Za-z0-9-]+}.AAA.net\"}},\"passHostHeader\":true,\"priority\":1}}}"
time="2016-11-24T12:47:56Z" level=debug msg="Last docker config received more than 2s, OK"
time="2016-11-24T12:47:56Z" level=debug msg="Creating frontend frontend-Host-admin-AAA-net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-admin-AAA-net to entryPoint http"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-admin-AAA-net Host:admin.AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Creating entryPoint redirect http -> https : ^(?:https?:\\/\\/)?([\\da-z\\.-]+)(?::\\d+)?(.*)$ -> https://$1:443$2"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-admin-AAA-net to entryPoint https"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-admin-AAA-net Host:admin.AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Creating backend backend-AAA-admin"
time="2016-11-24T12:47:56Z" level=debug msg="Creating load-balancer wrr"
time="2016-11-24T12:47:56Z" level=debug msg="Creating server server-AAA_admin_1 at http://172.19.0.7:2015 with weight 1"
time="2016-11-24T12:47:56Z" level=debug msg="Creating frontend frontend-Host-pma-AAA-net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-pma-AAA-net to entryPoint http"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-pma-AAA-net Host:pma.AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-pma-AAA-net to entryPoint https"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-pma-AAA-net Host:pma.AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Creating backend backend-AAA-phpmyadmin"
time="2016-11-24T12:47:56Z" level=debug msg="Creating load-balancer wrr"
time="2016-11-24T12:47:56Z" level=debug msg="Creating server server-AAA_phpmyadmin_1 at http://172.19.0.8:80 with weight 1"
time="2016-11-24T12:47:56Z" level=debug msg="Creating frontend frontend-Host-satis-XXX-com"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-satis-XXX-com to entryPoint http"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-satis-XXX-com Host:satis.XXX.com"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-satis-XXX-com to entryPoint https"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-satis-XXX-com Host:satis.XXX.com"
time="2016-11-24T12:47:56Z" level=debug msg="Creating backend backend-satis"
time="2016-11-24T12:47:56Z" level=debug msg="Creating load-balancer wrr"
time="2016-11-24T12:47:56Z" level=debug msg="Creating server server-satis at http://172.19.0.2:2015 with weight 1"
time="2016-11-24T12:47:56Z" level=debug msg="Creating frontend frontend-Host-www-AAA-net-AAA-net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-www-AAA-net-AAA-net to entryPoint http"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-www-AAA-net-AAA-net Host:www.AAA.net,AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-Host-www-AAA-net-AAA-net to entryPoint https"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-Host-www-AAA-net-AAA-net Host:www.AAA.net,AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Creating backend backend-AAA-www"
time="2016-11-24T12:47:56Z" level=debug msg="Creating load-balancer wrr"
time="2016-11-24T12:47:56Z" level=debug msg="Creating server server-AAA_www_1 at http://172.19.0.4:2015 with weight 1"
time="2016-11-24T12:47:56Z" level=debug msg="Creating frontend frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net to entryPoint http"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net HostRegexp:{subdomain:[A-Za-z0-9-]+}.AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Wiring frontend frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net to entryPoint https"
time="2016-11-24T12:47:56Z" level=debug msg="Creating route route-frontend-HostRegexp-subdomain-A-Za-z0-9-AAA-net HostRegexp:{subdomain:[A-Za-z0-9-]+}.AAA.net"
time="2016-11-24T12:47:56Z" level=debug msg="Creating backend backend-AAA-wiki"
time="2016-11-24T12:47:56Z" level=debug msg="Creating load-balancer wrr"
time="2016-11-24T12:47:56Z" level=debug msg="Creating server server-AAA_wiki_1 at http://172.19.0.5:2015 with weight 1"
time="2016-11-24T12:47:56Z" level=info msg="Server configuration reloaded on :80"
time="2016-11-24T12:47:56Z" level=info msg="Server configuration reloaded on :443"

@opichon
Author

opichon commented Nov 24, 2016

defaultEntryPoints = ["http", "https"]

[entryPoints]
[entryPoints.http]
address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

[entryPoints.https]
address = ":443"
[entryPoints.https.tls]

[acme]
email = "le1@XXX.com"
storageFile = "/acme.json"
entryPoint =  "https"
onDemand = true
caServer = "https://acme-staging.api.letsencrypt.org/directory"

[[acme.domains]]
main = "XXX.net"
sans = ["www.XXX.net", "admin.XXX.net", "pma.XXX.net", "test.XXX.net", "disabled.XXX.net", "closed.XXX.net", "suspended.XXX.net", "gitonomy.XXX.net"]

[[acme.domains]]
main = "satis.united-asian.com"

[[acme.domains]]
main = "gitonomy.XXX.com"

[web]
address = ":8080"
readOnly = false

[web.auth.basic]
    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "AAA.net"
watch = true

@opichon
Author

opichon commented Nov 24, 2016

Server is Ubuntu 16.04 running docker 1.12.2. Traefik is run using docker-compose with this config:

version: '2'

services:
    proxy:
        command: --web --docker --docker.watch=true --logLevel=DEBUG
        container_name: proxy
        image: traefik
        networks:
            - staging
        ports:
            - "80:80"
            - "443:443"
            - "8080:8080"
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - ./traefik.toml:/traefik.toml
            - ./acme.json:/acme.json

The other containers are started using a separate docker-compose config, but on the same network.

@emilevauge
Member

@opichon You don't have to use args if you use a TOML file.
Can you try commenting this line command: --web --docker --docker.watch=true --logLevel=DEBUG in your compose file?

@opichon
Author

opichon commented Nov 24, 2016

It works if I remove the following arguments: --web --docker and --docker.watch=true (provided the equivalent settings are set in traefik.toml).

However, if I remove the command argument altogether, it doesn't work. See issue #888.

Anyway, this issue (auth in backend) is resolved. Many thanks.

@Glideh

Glideh commented Aug 28, 2017

I also struggled a little bit with that issue. Thank you for the tip.
It wasn't obvious to me that the command line arguments were overriding the whole config keys.
I actually forgot I kept these command line options.
Maybe the docs could be improved with a small additional comment in the examples.
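
Added example, not part of the original thread and not Traefik project code: the diagnosis in this thread rested on the `"Auth":null` field of the WebProvider startup line, so this script scans a Traefik v1 log for that line and reports whether the web backend actually loaded an auth section. The function names are hypothetical; the first sample line is the one quoted in the thread, and the second is a constructed line whose `Auth` object shape is an assumption.

```python
import json
import re

# Go-quoted msg="..." field of a logrus text line (escaped quotes allowed inside).
MSG_RE = re.compile(r'msg="((?:[^"\\]|\\.)*)"')
PREFIX = "Starting provider *main.WebProvider "

# Constructed sample input. Line 1 is the line quoted in the thread; line 2 is an
# assumed shape for a run in which [web.auth.basic] was honoured.
SAMPLE_LOG = r'''
time="2016-11-24T12:47:56Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Auth\":null}"
time="2016-11-24T13:05:10Z" level=info msg="Starting provider *main.WebProvider {\"Address\":\":8080\",\"CertFile\":\"\",\"KeyFile\":\"\",\"ReadOnly\":false,\"Auth\":{\"Basic\":{\"Users\":[\"test:REDACTED\"]},\"Digest\":null}}"
time="2016-11-24T13:05:10Z" level=info msg="Starting server on :443"
'''


def audit_web_provider(log_text):
    """Return one finding per WebProvider startup line in a Traefik v1 log."""
    findings = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        try:
            # The msg value is backslash-escaped; decode it as a JSON string.
            msg = json.loads('"' + m.group(1) + '"')
        except ValueError:
            continue
        if not msg.startswith(PREFIX):
            continue
        try:
            cfg = json.loads(msg[len(PREFIX):])
        except ValueError:
            continue
        findings.append({
            "address": cfg.get("Address"),
            "auth_configured": cfg.get("Auth") is not None,
            "read_only": bool(cfg.get("ReadOnly")),
        })
    return findings


def unauthenticated(findings):
    """Addresses where the web backend started with no auth section loaded."""
    return [f["address"] for f in findings if not f["auth_configured"]]


if __name__ == "__main__":
    for f in audit_web_provider(SAMPLE_LOG):
        state = "auth loaded" if f["auth_configured"] else "NO AUTH"
        print(f'{f["address"]}: {state} (ReadOnly={f["read_only"]})')
```

Running this against the startup log after any change to flags or `traefik.toml` catches the case described here, where `--web` on the command line leaves the `[web.auth.basic]` section unused.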

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019