Traefik, create a basic authentication
Traefik can add simple authentication to your services using a login/password mechanism. Some applications have no authentication of their own, and exposing them directly can lead to security problems.
Goal: use basic authentication (HTTP basic auth) with Traefik.
Environment: Debian 13, Docker 24.x, docker compose (plugin) 2.20.x, Traefik 3.5.
Execution context:
jho@vmi866042:/opt/docker/dc$ tree
.
├── conf
│   ├── acme.json
│   ├── traefik.yml
│   └── traefikdynamic
│       └── dynamic.yml
├── docker-compose.yml
└── logs
    ├── traefikAccess.log
    └── traefik.log

- path containing every folder and file: /opt/docker/dc
- path of the main (static) Traefik configuration file: /opt/docker/dc/conf/traefik.yml
- folder containing every dynamic configuration file: /opt/docker/dc/conf/traefikdynamic
- file used to store the TLS certificates obtained from Let's Encrypt (or another ACME provider): /opt/docker/dc/conf/acme.json
- folder for the logs: /opt/docker/dc/logs/
To achieve this, I'm using the dynamic configuration (for more information, see the Traefik presentation). We'll use a middleware, which runs before the request reaches the target service. There are several types, listed here:
- HTTP : https://doc.traefik.io/traefik/middlewares/http/overview/#available-http-middlewares
- TCP : https://doc.traefik.io/traefik/middlewares/tcp/overview/#available-tcp-middlewares
Passwords for Traefik basic authentication are stored as hashes in MD5, SHA1 or bcrypt format. Here I'm using bcrypt, with the website "bcrypt.fr" to generate the hashes. You can also use the htpasswd command (it needs the apache2-utils package); the -B option selects bcrypt:
htpasswd -nbB admin Le-Motdepa$$e
Basic authentication involves a login and a password. Only the password is hashed (with bcrypt in this case). Let's add the middleware and apply it to the Traefik dashboard in the dynamic configuration file (in my example, it's located at /opt/docker/traefik/conf/traefikdynamic/dynamic.yml).
http:
  middlewares:
    authentification:
      basicAuth:
        users: # admin / admin
          - "admin:$2y$10$KbBxnjLyBfFi355gJKhgJuXzGUaWbSRvNnvB2R9WDKpLFG1NEdcdi"
  routers:
    rt-traefik:
      entryPoints:
        - websecure
      middlewares:
        - authentification
      service: api@internal
      rule: Host(`traefik.rezo.net`)

The admin user has the password "admin". Because this is dynamic configuration, Traefik picks up the change without any container restart. Basic authentication is a very basic security measure and does not replace other security mechanisms.
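The following script is an added example, not code from the post or from Traefik: it audits htpasswd-style entries as they appear in the basicAuth users list above, reports the hash scheme and bcrypt cost, and decodes an Authorization header to show that basic auth transmits the password itself (base64-encoded, not hashed), which is why the router is bound to the TLS websecure entrypoint. The cost threshold of 10 and the sample entries other than the post's admin line are constructed assumptions.

```python
"""Audit `user:hash` entries of a Traefik basicAuth middleware (added example)."""
import base64
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed policy for this example: bcrypt below cost 10 is reported as weak.
# `htpasswd -B` uses cost 5 unless `-C` raises it; the post's hash uses cost 10.
MIN_BCRYPT_COST = 10
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


class UserEntry(NamedTuple):
    user: str
    scheme: str
    cost: Optional[int]
    weak: bool


def classify(entry: str) -> UserEntry:
    """Parse one `user:hash` line the way the basicAuth middleware expects it."""
    user, sep, digest = entry.partition(":")
    if not sep or not user:
        raise ValueError(f"not a user:hash entry: {entry!r}")
    m = BCRYPT_RE.match(digest)
    if m:
        cost = int(m.group(1))
        return UserEntry(user, "bcrypt", cost, cost < MIN_BCRYPT_COST)
    if digest.startswith("$apr1$"):   # Apache MD5 (htpasswd -m): weak
        return UserEntry(user, "md5", None, True)
    if digest.startswith("{SHA}"):    # unsalted SHA1 (htpasswd -s): weak
        return UserEntry(user, "sha1", None, True)
    raise ValueError(f"unsupported hash format for user {user!r}")


def weak_users(users: List[str]) -> List[str]:
    """Return the users whose entries should be rehashed before deployment."""
    return [e.user for e in map(classify, users) if e.weak]


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Decode `Authorization: Basic <token>`; the token is only base64."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed sample list: the post's admin entry plus two weaker schemes.
SAMPLE_USERS = [
    "admin:$2y$10$KbBxnjLyBfFi355gJKhgJuXzGUaWbSRvNnvB2R9WDKpLFG1NEdcdi",
    "legacy:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    "ops:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
]
```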
This middleware can be used on every resource (router) of your Traefik. To protect your resources, remember to add the name of the middleware to the definitions of your routers, like this:
---
http:
  services:
    sc-prometheus:
      loadBalancer:
        servers:
          - url: "http://prometheus:9090"
  routers:
    rt-prometheus:
      entryPoints:
        - websecure
      middlewares:
        - authentification
      service: sc-prometheus
      rule: Host(`prometheus.prive.hommet.local`)

Further security measures are still needed to protect your services. You can, for example, configure TLS between Traefik and the backend services, or add other authentication methods such as OAuth, JWT or client TLS certificates.