traefik and basic auth

I use traefik 1.7.14 and I want to use basic auth for my grafana-docker-compose service. I followed e.g. https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f but I also looked at other sources. In my docker-compose.yml I have for grafana:

grafana:
  image: grafana/grafana
  labels:
    - "traefik.enable=true"
    - "traefik.backend=grafana"
    - "traefik.port=3000"
    - "traefik.frontend.rule=Host:grafana.my-domain.io"
    - "traefik.frontend.entryPoints=http,https"
    - "traefik.frontend.auth.basic.users=${ADMIN_CREDS}"

ADMIN_CREDS is in my .env file. I created the content with htpasswd -nbm my_user my_password. I also tried htpasswd -nbB my_user my_password to get bcrypt instead of md5 encryption. In .env:

ADMIN_CREDS=test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0

You see: I did not escape $ signs in the .env file. When I inspect my container at runtime I see exactly the same encrypted password as in my .env file!

docker inspect 47aa3dbc3623 | grep test

gives me:

"traefik.frontend.auth.basic.users": "test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0",

I also tried to put the user/password string directly into the docker-compose.yml, this time by escaping the $ sign. The inspect command was successful too. BUT: When I call my grafana URL I get a basic auth dialog box, and when I type in my user/password combination I always get a

{"message":"Invalid username or password"}

What could still be wrong here? I currently have no idea.

Thomas Seehofchen asked Nov 06 '22 11:11


1 Answer

This message actually means that you passed the basic auth of traefik, because the basic auth window would pop up again if you entered invalid credentials.

Grafana on its own uses basic auth and this one is failing.

DO NOT DO IT IN PRODUCTION: To prove it, you could configure grafana to ask for the same user and password. Then it will accept the forwarded basic auth of traefik and allow access.

However, you should either set up basic auth using traefik OR using the grafana basic auth.

You also might want to check the information on running grafana behind a reverse proxy: https://grafana.com/tutorials/run-grafana-behind-a-proxy/#1 and especially https://grafana.com/docs/grafana/latest/auth/auth-proxy/

Another option besides forwarding the auth headers would be to disable forwarding it:

labels:
  ...
  - "traefik.http.middlewares.authGrafana.basicauth.removeheader=true"

Now you should see the grafana login page.

Stuck answered Nov 20 '22 14:11
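For the Traefik 1.7 setup in the question, the header removal described in the answer can be written with 1.7 frontend labels (the `traefik.http.middlewares...` form is Traefik v2 label syntax). This is an added example, not code from the question or the answer; the service definition and `ADMIN_CREDS` are taken from the question, and only the `removeHeader` label is new.

```yaml
# docker-compose.yml fragment (added example, Traefik 1.7 label syntax)
version: "3"
services:
  grafana:
    image: grafana/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.backend=grafana"
      - "traefik.port=3000"
      - "traefik.frontend.rule=Host:grafana.my-domain.io"
      - "traefik.frontend.entryPoints=http,https"
      # Traefik validates the browser's credentials against the htpasswd
      # entry (user:hash) read from .env, exactly as in the question.
      # If the hash is written inline in this file instead, every "$"
      # has to be doubled ("$$") so Compose does not treat it as a variable.
      - "traefik.frontend.auth.basic.users=${ADMIN_CREDS}"
      # After a successful check, strip the Authorization header before the
      # request is proxied. Without this, Grafana receives the same
      # "Authorization: Basic ..." header, tries to log that user in against
      # its own user database, and answers with
      # {"message":"Invalid username or password"}.
      - "traefik.frontend.auth.basic.removeHeader=true"
```

With this label set, Traefik still gates every request with basic auth, and Grafana then presents its own login page for its own accounts.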