Secure Traefik dashboard with https and password in docker

TL;DR: the Traefik dashboard is awesome, but a few steps are required to deploy it securely.

(edit on 2018/10/26: simplified setup following a great response from Tai Lee)

A quick bit of context: I recently switched the reverse proxy for my docker-compose stack from nginx to Traefik. This was a breeze, except that the Traefik dashboard is by default accessible to the whole internet, unencrypted. Finding out how to secure it was a surprisingly long journey.

What I started with:

What I wanted to achieve

To do that, I had to update 2 files:


```toml
# traefik.toml
defaultEntryPoints = ["https"]
[api]  # switches the API and dashboard on
[entryPoints.https]
address = ":443"
# ... including your docker and ssl certificate setup
```

Here we switch the API on and default to https only.


```yaml
# docker-compose file: fragment of the Traefik service definition
ports:
  # only expose https to outside world
  - "443:443" # SSL
expose:
  # traefik dashboard port
  - 8080
labels:
  traefik.backend: "traefik"
  traefik.enable: "true"
  traefik.frontend.rule: ""
  # get md5 from htpasswd or
  # and then double all $ to $$ to avoid docker-compose
  traefik.frontend.auth.basic: "username:passwordMD5"
volumes:
  - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
  - /data/traefik/traefik.toml:/traefik.toml
  - /data/traefik/acme.json:/acme.json
restart: "always"
```

This is where everything happens: we no longer open port 8080 to the internet ( will fail), so the default https entrypoint is used. We also define the dashboard authentication, protecting it with a login and password. Note that we don't protect it using SSL explicitly.


Update the two files, restart Traefik, and it works. Happy Traefik!
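A pre-deployment check for the two settings that matter above (dashboard port not published, basic-auth hash present and `$`-escaped), as an added example that is not part of the original post. It assumes the compose service has already been parsed into a Python mapping, before docker-compose interpolation; the function names are hypothetical and the sample hash is a constructed placeholder.

```python
HASH_PREFIXES = ("$apr1$", "$2y$", "$2a$", "$2b$", "{SHA}")  # htpasswd MD5, bcrypt, SHA1
DASHBOARD_PORT = 8080  # dashboard port used in the setup above
AUTH_LABEL = "traefik.frontend.auth.basic"

def container_port(entry):
    """Container-side port of a single-port `ports:` entry (short or long syntax)."""
    if isinstance(entry, dict):  # long syntax: {"target": ..., "published": ...}
        return int(entry["target"])
    return int(str(entry).split("/")[0].rsplit(":", 1)[-1])

def audit_traefik_service(service):
    """Return findings for one compose service mapping (empty list = OK)."""
    findings = []
    # Everything under `ports:` is published on the host; a bare 8080 there
    # gets a random host port. Only `expose:` keeps the port internal.
    for entry in service.get("ports", []):
        if container_port(entry) == DASHBOARD_PORT:
            findings.append(f"dashboard port published: {entry}")
    labels = service.get("labels", {})
    if isinstance(labels, list):  # list form: ["key=value", ...]
        labels = dict(item.split("=", 1) for item in labels)
    auth = labels.get(AUTH_LABEL)
    if not auth:
        return findings + ["no basic auth label on the dashboard frontend"]
    for cred in auth.split(","):  # several htpasswd lines may be comma-separated
        user, _, hashed = cred.strip().partition(":")
        # Value as written in the YAML file: every "$" must appear as "$$",
        # otherwise docker-compose treats it as a variable reference.
        if "$" in hashed.replace("$$", ""):
            findings.append(f"{user}: '$' not doubled in hash")
        if not hashed.replace("$$", "$").startswith(HASH_PREFIXES):
            findings.append(f"{user}: value is not an htpasswd hash")
    return findings

# Constructed sample inputs (the hash is a made-up placeholder, not a real one).
HARDENED = {
    "ports": ["443:443"],
    "expose": [8080],
    "labels": {AUTH_LABEL: "admin:$$apr1$$CONSTRCT$$0123456789abcdefghijkl"},
}
EXPOSED = {
    "ports": ["443:443", "8080:8080"],
    "labels": [AUTH_LABEL + "=admin:$apr1$CONSTRCT$0123456789abcdefghijkl"],
}

if __name__ == "__main__":
    for name, svc in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit_traefik_service(svc) or "ok")
```

The literal `username:passwordMD5` placeholder from the fragment above is reported as "not an htpasswd hash", which catches a label that was never filled in.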


For me this was a long journey; here are the steps I went through:

  1. I tried to put Traefik on the https entrypoint itself: it worked OK, but then the auth.basic applied to all my backends, not just the dashboard.
  2. Then I activated TLS on the dedicated traefik entrypoint as well: my Let’s Encrypt certificate would not work on two entrypoints (https and traefik). I discovered this is apparently a limitation of the Let’s Encrypt provider.
  3. At this point, I had basically given up on the idea and disabled the dashboard, when I landed on this GitHub comment that solved it using a custom entrypoint for the dashboard.
  4. And finally Tai Lee pointed out that the entrypoint itself was redundant.

Traefik is an awesome piece of software (docker labels for proxy setup are awesome), but some operations are surprisingly unintuitive and their documentation hard to find.