Add basic auth support for web backend #677
Needs a proper rebase. I failed while trying to get this up. Maybe @emilevauge or @jangie can help me get this up properly :)
Rebase done. All good from my side now. Waiting for you :)
Rebased again
Fixes #296
Hi @SantoDE, thanks for your contribution :)
I have 2 comments. Could you add more explanations to the documentation you have already done in traefik.sample.toml, and add a digest section? You can copy paste (with adaptation) docs from entrypoints authentication:
# To enable basic auth on an entrypoint
# with 2 user/pass: test:test and test2:test2
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.auth.basic]
# users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
#
# To enable digest auth on an entrypoint
# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
# You can use htdigest to generate those ones
# [entryPoints]
# [entryPoints.http]
# address = ":80"
# [entryPoints.http.auth.digest]
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
Could you also add a section in the documentation web site: https://github.com/containous/traefik/blob/master/docs/toml.md ?
Thanks :)
Hey @emilevauge, thanks for your feedback. I implemented the requested changes. Hope all is good!
One last fix!
@@ -411,6 +411,18 @@ address = ":8080" | |||
# | |||
# Optional | |||
# ReadOnly = false | |||
# | |||
# To enable basic auth on an entrypoint |
on an entrypoint -> on the webui
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones | ||
# [web.auth.basic] | ||
# users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] | ||
# To enable digest auth on an entrypoint |
on an entrypoint -> on the webui
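Review bot: the added comment "Passwords can be encoded in MD5, SHA1 and BCrypt" lists the three formats as equals, and the sample `users` line under `[web.auth.basic]` then uses `$apr1$` (MD5) hashes. Since this block guards the web backend, I'd suggest the text recommend BCrypt (`htpasswd -B`) and mention MD5 and SHA1 only as accepted for compatibility, with the example hashes regenerated to match.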
@@ -221,6 +221,17 @@ | |||
# Optional | |||
# ReadOnly = false | |||
|
|||
# To enable basic auth on an entrypoint |
on an entrypoint -> on the webui
# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones | ||
# [web.auth.basic] | ||
# users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"] | ||
# To enable digest auth on an entrypoint |
on an entrypoint -> on the webui
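Review bot: the example `users` line for `[web.auth.basic]` reuses the hashes from the entrypoint documentation, which that documentation describes as `test:test` and `test2:test2`. Anyone who uncomments the block as-is ends up with publicly known credentials on the web backend; suggest a comment line above `users` saying these values are placeholders that must be replaced, or swapping the hashes for an obvious `user:<htpasswd hash>` placeholder.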
done and rebased to squash the changes :) @emilevauge
ping @containous/traefik
Custom parser missing?
@@ -28,6 +30,7 @@ type WebProvider struct { | |||
KeyFile string `description:"SSL certificate"` | |||
ReadOnly bool `description:"Enable read only API"` | |||
server *Server | |||
Auth *types.Auth `description:"Auth Crendetials for Web Point"` |
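Review bot: typo in the new `Auth` field's tag: `Crendetials` should be `Credentials`, and "Web Point" reads as if the web backend was meant. If the `description` tag stays, that string is user-facing, so it is worth fixing here; I'd also move `Auth` above the unexported `server *Server` so the exported configuration fields stay together.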
Maybe an issue with the StructTag here.
A flag will be created because of the description StructTag.
But I think a custom parser is missing on type.Auth, and Træfik will probably run into an error if the flag --web.auth is called.
Maybe we should remove the StructTag and assume that the TOML file is the only way to use this feat?
WDYT @emilevauge?
Looks like I missed that. I guess removing it and assuming the TOML file is the only way is fine. Thanks for pointing that out!
However, let's wait for @emilevauge :)
@cocap10 great catch!
Indeed, it sounds OK to assume that TOML will be used to configure authentication users.
Let's remove the struct tag for now :)
done and rebased @emilevauge @cocap10. Thanks for your feedback 👍 :)
implemented requested changes fix docs remove struct tag
On the face of it this looks good to me. I am slightly wary of the fact that we now have code to handle basic auth in 2 places. Not sure if we could DRY this up a bit, or even if that is desirable....
As the authentication mechanism takes place in
How can this be done from docker-compose? There's no way in swarm you can mount files locally, unless making your own Dockerfile.
You can set labels on traefik container too? I thought this works only for other services.
@holms I guess best way is to mount a traefik.toml inside a volume to your traefik container and set the configuration in that toml
And how can you do this in swarm mode? It's not allowed to mount anything from host? Because container can be scheduled to go for another node.. only data volumes can be used in swarm
@holms you should restrict with constraints where should traefik be placed. Something like:
@holms, now there's docker configs, or you can use the local-persist driver as a global service, maybe in combination with placement constraints.
Hey there,
this PR enables traefik to protect the web backend per basic auth. All you need to do is add these lines to your traefik.toml
[web.auth.basic]
users = ["traefik:$apr1$8EvWcwpO$RaRFXvDJk6LGQ5tM04RRd0"]
so it looks like:
Feedback welcome! :)
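The `users` entries discussed in this thread can carry htpasswd hashes (MD5, SHA1, BCrypt) or htdigest lines. As an added example, not part of the PR or of Traefik's code, the following Python classifies such entries so a configuration review can flag everything that is not bcrypt. The "only bcrypt passes" policy, the function names and the bcrypt and `{SHA}` sample values are assumptions made for illustration.

```python
import re

# Prefixes written by Apache htpasswd -> (scheme name, passes the assumed policy?).
# Assumed policy for this example: only bcrypt passes, because it is deliberately slow.
HTPASSWD_SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$"), "apr1-md5", False),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", False),
]
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def classify(entry):
    """Return (user, scheme, ok) for one element of a `users` array."""
    user = entry.split(":", 1)[0].strip()
    if entry != entry.strip():
        # Whitespace inside the quoted string is flagged rather than guessed at.
        return (user, "stray-whitespace", False)
    parts = entry.split(":")
    if len(parts) == 3 and HEX_MD5.match(parts[2]):
        # htdigest line: user:realm:MD5(user:realm:password)
        return (user, "digest-md5", False)
    secret = entry.partition(":")[2]
    for pattern, scheme, ok in HTPASSWD_SCHEMES:
        if pattern.match(secret):
            return (user, scheme, ok)
    return (user, "unknown", False)


def audit(users):
    """List (user, scheme) for every entry that fails the assumed policy."""
    return [(u, s) for u, s, ok in map(classify, users) if not ok]


# Constructed sample. The apr1 and digest hashes are documentation examples quoted
# in this thread; the bcrypt and {SHA} values are made-up placeholders, and the
# last entry carries a trailing space to exercise the whitespace check.
SAMPLE_USERS = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
    "ops:$2y$10$" + "A" * 53,
    "legacy:{SHA}" + "A" * 27 + "=",
    "test:traefik:a2688e031edb4be6a3797f3882655c05 ",
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_USERS):
        print(f"{user}: {scheme}")
```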