Secure Traefik dashboard with https and password in docker

tl;dr: the Traefik dashboard is awesome, but a few steps are required to deploy it securely.

(edit on 2018/10/26: simplified setup following a great response from Tai Lee)

A quick bit of context: I recently switched the reverse proxy for my docker-compose stack from nginx to Traefik. This was a breeze, except that the Traefik dashboard is by default accessible to the whole internet, unencrypted and without authentication. Finding out how to secure it was a surprisingly long journey.

What I started with:

What I wanted to achieve:

To do that, I had to update two files:

traefik.toml

defaultEntryPoints = ["https"]

[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[api]
# ... plus your existing docker and ssl certificate (acme) sections

Here we switch the API (which serves the dashboard) on and make https the only default entrypoint.

docker-compose.yml

services:
  traefik:
    image: traefik
    ports:
      # only expose https to the outside world
      - "443:443" # SSL
    expose:
      # traefik dashboard port (not published on the host)
      - 8080
    labels:
      traefik.backend: "traefik"
      traefik.enable: "true"
      traefik.frontend.rule: "Host:traefik.yourdomain.com"
      # get the md5 hash from htpasswd or http://www.htaccesstools.com/htpasswd-generator/
      # (an online generator sees your cleartext password; htpasswd run locally does not)
      # and then double all $ to $$ so docker-compose does not interpolate them
      traefik.frontend.auth.basic: "username:passwordMD5"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events (this also gives the container full control of the Docker daemon)
      - /data/traefik/traefik.toml:/traefik.toml
      - /data/traefik/acme.json:/acme.json
    restart: "always"

This is where everything happens: port 8080 is no longer published to the internet (http://yourdomain.com:8080 now fails), so the dashboard is only reachable through the default https entrypoint. We also define the dashboard authentication, protecting it with a login and password; note that we don’t enable TLS for the dashboard explicitly, because the https entrypoint already terminates it for every frontend it serves.
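The `$$` escaping in the label above is easy to get wrong by hand, so here is a small POSIX shell helper for it. This is an added example, not code from the original post or from the Traefik project: it turns an htpasswd line into the label value, shows how to generate a real entry locally with `htpasswd` (or `openssl passwd -apr1` as a fallback), and checks that docker-compose's own `$$` to `$` interpolation gives the original line back. The sample entry is constructed and is not a usable credential.

```sh
#!/bin/sh
# Added example, not from the original post: build the auth label from an
# htpasswd line. The sample entry below is constructed, not a real credential.

# Double every '$' so docker-compose does not read "$apr1" as a variable reference.
escape_for_compose() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Undo docker-compose interpolation ("$$" -> "$"); used to confirm the round trip.
unescape_compose() {
    printf '%s' "$1" | sed 's/\$\$/$/g'
}

# Emit the complete label line for the compose file.
compose_auth_label() {
    printf 'traefik.frontend.auth.basic: "%s"\n' "$(escape_for_compose "$1")"
}

# Generate a real entry locally (apr1 MD5, the format the post uses) with htpasswd,
# falling back to openssl's apr1 implementation when htpasswd is not installed.
# Usage: make_htpasswd_entry username password
make_htpasswd_entry() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbm "$1" "$2"
    else
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    fi
}

# Constructed sample line (the shape "htpasswd -m" produces; not a real hash).
SAMPLE_ENTRY='admin:$apr1$abcdefgh$0123456789ABCDEFGHIJK'

compose_auth_label "$SAMPLE_ENTRY"
# -> traefik.frontend.auth.basic: "admin:$$apr1$$abcdefgh$$0123456789ABCDEFGHIJK"
```

Pipe a freshly generated entry through it (`compose_auth_label "$(make_htpasswd_entry admin 'your password')"`) and paste the printed line into the `labels:` section; the round-trip check matters because a single missed `$` silently produces a hash Traefik will never match.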

Conclusion

Update the two files, restart Traefik, and it works. Happy Traefik!
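Once Traefik is back up, it is worth confirming from outside the host that the two things this setup promises actually hold: the dashboard answers over https with a 401 until credentials are supplied, and port 8080 is not reachable at all. The script below is an added example, not part of the original post or of Traefik; the `DASHBOARD_HOST` variable is my own convention (set it to your `traefik.yourdomain.com`), and the verdict table is only what a correct deployment of the configuration above should produce.

```sh
#!/bin/sh
# Added example, not from the original post: post-deployment checks for the
# setup above. Set DASHBOARD_HOST (e.g. traefik.yourdomain.com, a placeholder)
# to run the network checks; without it only the helper functions are defined.

# Map the HTTP status seen without credentials to a verdict. Only 401 means the
# dashboard is both served over https and protected by basic auth.
verdict_for_status() {
    case "$1" in
        401) echo "ok: dashboard requires credentials" ;;
        200) echo "FAIL: dashboard served without authentication" ;;
        000) echo "FAIL: no https response (certificate, tls or routing problem)" ;;
        404) echo "FAIL: frontend rule does not match this host" ;;
        *)   echo "WARN: unexpected status $1" ;;
    esac
}

# Succeeds when a verdict is a failure, so the script can exit non-zero.
is_failure() {
    case "$1" in
        FAIL*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Fetch the dashboard over https with no credentials and print only the status
# code. The certificate is verified on purpose; a bad one shows up as 000.
status_without_auth() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$1/" || true
}

# Succeeds only if a TCP connection to host:port can be made.
port_open() {
    curl -s -o /dev/null --max-time 5 "http://$1:$2/" >/dev/null 2>&1
}

if [ -n "${DASHBOARD_HOST:-}" ]; then
    verdict=$(verdict_for_status "$(status_without_auth "$DASHBOARD_HOST")")
    echo "$verdict"
    if port_open "$DASHBOARD_HOST" 8080; then
        echo "FAIL: port 8080 is reachable from outside; it must not be published"
        exit 1
    fi
    echo "ok: port 8080 is not reachable"
    is_failure "$verdict" && exit 1
fi
```

Run it from a machine outside your network, not from the Docker host itself, since the `expose`d port 8080 is still reachable from the host and from other containers on the same network.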

Bonus

For me this was a long journey; here are the steps I went through:

  1. I tried to put Traefik on the https entrypoint itself: it worked ok, but then the auth.basic applied to all my backends, not just the dashboard.
  2. Then I activated TLS on the dedicated traefik entrypoint as well: my Let’s Encrypt certificate would not work on two entrypoints (https and traefik); I discovered this is apparently a limitation of the Let’s Encrypt provider.
  3. At this point, I had basically given up on the idea and disabled the dashboard, when I landed on this GitHub comment that solved it using a custom entrypoint for the dashboard.
  4. And finally Tai Lee pointed out that the entrypoint itself was redundant.

Traefik is an awesome piece of software (docker labels for proxy setup are awesome), but some operations are surprisingly unintuitive and their documentation is hard to find.