Secure Traefik dashboard with https and password in docker
tl;dr: the Traefik dashboard is awesome, but a few steps are required to deploy it securely.
(edit on 2018/10/26: simplified setup following a great response from Tai Lee)
A quick bit of context: I recently switched the reverse proxy for my docker-compose stack from nginx to Traefik. This was a breeze, except that the Traefik dashboard is by default accessible to the whole internet, unencrypted. Finding out how to secure it was a surprisingly long journey.
What I started with:
- a docker stack
- with a running Traefik as reverse proxy
- SSL properly set up on Traefik (https://yourdomain.com served my sites correctly)
- dashboard enabled and accessible by http://yourdomain.com:8080 on the traefik instance
What I wanted to achieve:
- dashboard at https://traefik.yourdomain.com only
- a login/password popup when reaching this URL
- the other https services do not get a popup
To do that, I had to update two files.

First, the Traefik configuration (`traefik.toml`). Only the lines that matter here are shown; the `[entryPoints]` and `[api]` section headers are the standard Traefik 1.x ones that the two settings belong to:

```toml
defaultEntryPoints = ["https"]
[entryPoints]
  [entryPoints.https]
  address = ":443"
[api]
# ... including your docker and ssl certificate setup
```
Here we switch the API on and default to https only.
Second, the Traefik service in `docker-compose.yml`. The three `traefik.*` labels are the standard Traefik 1.x docker labels that the text above implies (route `traefik.yourdomain.com` to the container's own port 8080 and require basic auth); the hash is a placeholder to replace with your own:

```yaml
ports:
  # only expose https to outside world
  - "443:443" # SSL
labels:
  # traefik dashboard port: Traefik proxies to itself like any other backend (8080 is no longer published)
  - "traefik.port=8080"
  - "traefik.frontend.rule=Host:traefik.yourdomain.com"
  # get md5 from htpasswd or http://www.htaccesstools.com/htpasswd-generator/
  # and then double all $ to $$ so docker-compose does not treat them as variable interpolation
  - "traefik.frontend.auth.basic=admin:$$apr1$$PLACEHOLDER$$PLACEHOLDER"
volumes:
  - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
```
Here everything happens: we no longer publish port 8080 to the internet (http://yourdomain.com:8080 will fail), so the dashboard, still served internally on 8080, is only reachable through Traefik's own default entrypoint, https, like any other backend. We also define the dashboard authentication, protecting it with a login and password. Note that we don't have to configure TLS for the dashboard explicitly: it inherits the https default entrypoint.
Update the two files, restart Traefik, and it works. Happy Traefik!
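As an added example (not part of the original post), a small POSIX shell helper that does the two manual steps described above: it escapes an htpasswd entry for the compose label (every `$` becomes `$$`) and checks from outside, with curl, that the three goals hold. It assumes the Traefik 1.x label key `traefik.frontend.auth.basic` and uses the post's placeholder hostnames.

```sh
#!/bin/sh
# Added helper, not from the original post.

# Double each '$' so docker-compose does not try to interpolate '$apr1$...'.
compose_escape() {
  printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Build the label value from an htpasswd line ("user:$apr1$salt$hash").
auth_label() {
  printf 'traefik.frontend.auth.basic=%s\n' "$(compose_escape "$1")"
}

# Return 0 only if all three goals from the post hold:
#   1. the old dashboard port 8080 is closed to the internet
#   2. https://<dashboard> demands a password (401 without credentials)
#   3. another https service behind the same Traefik gets no password prompt
check_exposure() {
  host=$1; dashboard=$2; other=$3
  if curl -s -m 5 -o /dev/null "http://$host:8080/"; then
    echo "FAIL: port 8080 is still reachable"; return 1
  fi
  code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' "https://$dashboard/")
  [ "$code" = "401" ] || { echo "FAIL: dashboard without credentials returned $code"; return 1; }
  code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' "https://$other/")
  [ "$code" != "401" ] || { echo "FAIL: $other asks for a password"; return 1; }
  echo "OK: dashboard is https-only and password protected"
}

# Run the live check only when asked (./check.sh check); hostnames are the
# post's placeholders, replace them with your own.
if [ "${1:-}" = "check" ]; then
  check_exposure yourdomain.com traefik.yourdomain.com yourdomain.com
fi
```

Generate the htpasswd line with `htpasswd -nB admin` (or the generator linked in the compose comments) and paste the output of `auth_label` into the labels section.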
For me this was a long journey; here are the steps I went through:
- I tried to put the dashboard on the `https` entrypoint itself: it worked ok, but then the `auth.basic` applied to all my backends, not just the dashboard.
- Then I activated TLS on the dedicated `traefik` entrypoint as well: my Let's Encrypt certificate would not work on two entrypoints at once (`https` and `traefik`); I discovered this is apparently a limitation of the Let's Encrypt provider.
- At this point, I had basically given up on the idea and disabled the dashboard, when I landed on a GitHub comment that solved it using a custom entrypoint for the dashboard.
- And finally Tai Lee pointed out that the entrypoint itself was redundant.
Traefik is an awesome piece of software (docker labels for proxy setup are awesome), but some operations are surprisingly unintuitive and their documentation hard to find.