DEV Community

Tahsin
Secure your traefik dashboard with HTTPS and Basic Auth

Intro

When I created my first droplet at DigitalOcean, I needed service discovery. At that time I had no idea how to deal with it. Eventually I went for nginx. But not knowing the concepts, syntax, or workarounds, I was having a difficult time. Then I discovered nginx-proxy, which made the process a bit easier, as there were a few apps/services on my droplet running in docker. nginx-proxy adjusts the configuration automatically based on environment variables.

But when I discovered traefik, everything changed. With its YAML-based configuration, easy-to-start behavior and full docker support, it became my favorite service discovery tool.


Dashboard

Traefik provides a nice-looking dashboard to manage and observe the configuration of routers and services. It's relatively easy to set up TLS with Let's Encrypt for a router by configuring traefik. However, it was a bit tricky for me to set up TLS for the dashboard itself.


Add TLS

Here is the configuration for docker-compose labels:

labels:
  traefik.enable: true
  traefik.http.routers.traefik_https.rule: Host(`traefik.example.com`)
  traefik.http.routers.traefik_https.entrypoints: websecure
  traefik.http.routers.traefik_https.tls: true
  traefik.http.routers.traefik_https.tls.certResolver: myresolver
  traefik.http.routers.traefik_https.service: api@internal

After adding the above labels to the traefik container in your docker-compose file, just run docker-compose up. Because the compose file has changed, it will restart the container. As soon as you do this, you will see a new route protected with TLS in your dashboard, like below:

dashboard with new route

For me the tricky part was naming the service: api@internal


Add basic auth

Of course, you don't want to keep this dashboard open. In my case I just added basic auth to keep it protected. So add these additional labels to the traefik container in your docker-compose file.

traefik.http.routers.traefik_https.middlewares: basic-auth-global
traefik.http.middlewares.basic-auth-global.basicauth.users: <username>:<encoded-password>

I thought it would read the middleware from the traefik configuration file, traefik.yml. But that was not the case. I had to create the middleware in the docker-compose file with a label.
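A quick check of the labels from the two sections above, as an added example that is not part of the original post: it flags a router serving api@internal that lacks TLS or a basicauth middleware, and a users entry whose bcrypt hash still contains single `$` signs, which docker-compose would try to interpolate as variables (the reason for the `sed` step in the comments below). The function name, the sample dicts and the placeholder hash are assumptions constructed for illustration; the check expects bcrypt hashes as produced by `htpasswd -B`.

```python
import re

# Shape of an `htpasswd -B` bcrypt hash: raw, and with each `$` doubled for compose.
RAW = r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
BCRYPT_RAW = re.compile(RAW)
BCRYPT_ESCAPED = re.compile(RAW.replace(r"\$", r"\$\$"))
ROUTERS, MIDDLEWARES = "traefik.http.routers.", "traefik.http.middlewares."

def audit_dashboard_labels(labels):
    """Return findings for every router in `labels` that serves api@internal."""
    labels = {k.lower(): str(v).strip() for k, v in labels.items()}
    findings = []
    names = {k[len(ROUTERS):].split(".")[0] for k in labels if k.startswith(ROUTERS)}
    for name in sorted(names):
        base = ROUTERS + name
        if labels.get(base + ".service") != "api@internal":
            continue  # only routers exposing the dashboard/API are audited
        tls = labels.get(base + ".tls", "").lower() == "true"
        if not (tls or any(k.startswith(base + ".tls.") for k in labels)):
            findings.append(f"{name}: TLS not enabled")
        users = []
        for mw in labels.get(base + ".middlewares", "").split(","):
            mw = mw.strip().split("@")[0].lower()
            value = labels.get(f"{MIDDLEWARES}{mw}.basicauth.users", "")
            users += [u.strip() for u in value.split(",") if u.strip()]
        if not users:
            findings.append(f"{name}: no basicauth users attached")
        for entry in users:
            user, _, secret = entry.partition(":")
            if BCRYPT_ESCAPED.fullmatch(secret):
                continue
            if BCRYPT_RAW.fullmatch(secret):
                findings.append(f"{name}: hash for {user} has unescaped '$'")
            else:
                findings.append(f"{name}: {user} is not using a bcrypt hash")
    return findings

# Constructed sample data: the page's label names plus a placeholder with bcrypt shape.
FAKE_HASH = "$2y$05$" + "A" * 53
R, M = ROUTERS + "traefik_https", MIDDLEWARES + "basic-auth-global"
HARDENED = {R + ".service": "api@internal", R + ".tls": True,
            R + ".middlewares": "basic-auth-global",
            M + ".basicauth.users": "admin:" + FAKE_HASH.replace("$", "$$")}
UNESCAPED = {**HARDENED, M + ".basicauth.users": "admin:" + FAKE_HASH}
OPEN = {R + ".service": "api@internal", R + ".tls": True}

if __name__ == "__main__":
    for sample in (HARDENED, UNESCAPED, OPEN):
        print(audit_dashboard_labels(sample) or "ok")
```

The function takes the raw label values as written in the compose file, before docker-compose interpolation, so a correctly escaped hash starts with `$$2y$$`.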


Disable insecure mode

Finally, you want to disable insecure mode to prevent access with http. To do so, make the api configuration in your traefik.yml look like below:

api:
  insecure: false
  dashboard: true

Conclusion

After these steps, you will see that your traefik dashboard can't be accessed through http anymore, only through https. You will also need to enter the username and password the first time you open it in a browser.

Top comments (2)

Omar Khalil • Edited

Thanks for the article. Something that wasn't mentioned is how to generate the encoded password, so here you go:

apt-get install apache2-utils
echo $(htpasswd -nbB USER "PASS") | sed -e s/\\$/\\$\\$/g
encryptblockr

Can you please post your full docker-compose file? It will be a lot better to see how things connect together in your guide.