Secure Traefik dashboard with https and password in docker
tl;dr: the Traefik dashboard is awesome, but a few steps are required to deploy it securely.
(edit on 2019/06/24: note that the below applies to Traefik v1, the current stable one. Traefik v2, currently in alpha, has a very different configuration.)
A quick bit of context: I recently switched the reverse proxy for my docker-compose stack from nginx to Traefik. This was a breeze, except that the Traefik dashboard is by default accessible to the whole internet, unencrypted. Finding out how to secure it was a surprisingly long journey.
What I started with:
- a docker stack
- with a running Traefik as reverse proxy
- SSL properly set up on Traefik (https://yourdomain.com served my sites correctly)
- dashboard enabled and accessible at http://yourdomain.com:8080 on the Traefik instance
What I wanted to achieve:
- dashboard at https://traefik.yourdomain.com only
- a login/password popup when reaching this URL
- the other https services do not get a popup
To do that, I had to update 2 files:
traefik.toml
defaultEntryPoints = ["https"]

[entryPoints]
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[api]

# ... including your docker and ssl certificate setup
Here we switch the API on and default to https only.
docker-compose.yml
services:
  traefik:
    image: traefik
    ports:
      # only expose https to outside world
      - "443:443" # SSL
    expose:
      # traefik dashboard port
      - 8080
    labels:
      traefik.enable: true
      traefik.frontend.rule: "Host:traefik.yourdomain.com"
      # get md5 from htpasswd or http://www.htaccesstools.com/htpasswd-generator/
      # and then double all $ to $$ to avoid docker-compose variable substitution
      traefik.frontend.auth.basic: "username:passwordMD5"
      traefik.port: 8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /data/traefik/traefik.toml:/traefik.toml
      - /data/traefik/acme.json:/acme.json
    restart: "always"
This is where everything happens: we no longer publish port 8080 to the internet (http://yourdomain.com:8080 will fail), so the default https entrypoint is used for the dashboard. We also define the dashboard authentication, protecting it with a login and password; note that we never configure SSL for it explicitly, it inherits it from the default entrypoint.
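The "get md5 from htpasswd" step above, as an added example that is not part of the original post: it implements the APR1 MD5 scheme that htpasswd produces by default, so the credential can be generated offline instead of being pasted into a third-party web form, and it doubles the $ characters for docker-compose. The function names, the user "admin" and the password and salt used below are my own constructed values.

```python
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # Encode `count` 6-bit groups of `value` with the crypt(3) alphabet.
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password, salt):
    """APR1 MD5 crypt, the scheme `htpasswd` uses by default (salt is at most 8 chars)."""
    pw, magic, salt = password.encode(), b"$apr1$", salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt)
    mix = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):  # as many bytes of mix as the password is long
        ctx.update(mix[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for set bits, pw[0] otherwise
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds of the original md5crypt
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups)
    return (magic + salt + b"$" + out + _to64(final[11], 2)).decode()


def verify_apr1(password, hashed):
    """Constant-time check of a password against a $apr1$ hash."""
    _, _, salt, _ = hashed.split("$", 3)
    return secrets.compare_digest(apr1_md5(password, salt), hashed)


def compose_auth_label(user, password, salt=None):
    """traefik.frontend.auth.basic value, with every $ doubled for docker-compose."""
    salt = salt or bytes(secrets.choice(ITOA64) for _ in range(8)).decode()
    return f"{user}:{apr1_md5(password, salt)}".replace("$", "$$")
```

docker-compose collapses each `$$` back to a single `$` before handing the label to Traefik, which is why the doubling is needed in the YAML but must not appear in a plain htpasswd file.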
Conclusion
Update the two files, restart Traefik, and it works. Happy Traefik!
Bonus
For me this was a long journey, here are the steps I went through:
- I tried to put Traefik on the https entrypoint itself: it worked ok, but then the auth.basic applied to all my backends, not just the dashboard.
- Then I activated TLS on the dedicated traefik entrypoint as well: my Let's Encrypt certificate would not work on two entrypoints (https and traefik); I discovered this is apparently a limitation of the Let's Encrypt provider.
- At this point, I had basically given up on the idea and disabled the dashboard, when I landed on this GitHub comment that solved it using a custom entrypoint for the dashboard.
- And finally Tai Lee pointed out that the entrypoint itself was redundant.
Traefik is an awesome piece of software (docker labels for proxy setup are awesome), but some operations are surprisingly unintuitive and their documentation hard to find.