2022-04-15 13:44:08 +00:00
---
title: "Traefik BasicAuth Documentation"
description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Proxy restricts access to your Services to known users. Read the technical documentation."
---
2019-02-26 13:50:07 +00:00
# BasicAuth
Adding Basic Authentication
{: .subtitle }
2021-06-11 13:30:05 +00:00
![BasicAuth ](../../assets/img/middleware/basicauth.png )
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The BasicAuth middleware restricts access to your services to known users.
2019-02-26 13:50:07 +00:00
## Configuration Examples
2019-03-29 11:34:05 +00:00
```yaml tab="Docker"
# Declaring the user list
2019-05-03 08:16:06 +00:00
#
2020-07-01 10:28:04 +00:00
# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
2019-05-03 08:16:06 +00:00
# To create user:password pair, it's possible to use this command:
2021-03-22 14:26:03 +00:00
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
2020-07-01 10:28:04 +00:00
#
# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
2019-03-29 11:34:05 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
2019-04-03 12:32:04 +00:00
```
```yaml tab="Kubernetes"
# Declaring the user list
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-03 12:32:04 +00:00
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
2019-09-05 11:42:04 +00:00
secret: secretName
2019-03-29 11:34:05 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
2019-07-22 07:58:04 +00:00
```yaml tab="File (YAML)"
# Declaring the user list
http:
middlewares:
test-auth:
basicAuth:
users:
2021-06-18 22:08:08 +00:00
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
2019-09-23 15:00:06 +00:00
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
2019-07-22 07:58:04 +00:00
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
2019-02-26 13:50:07 +00:00
## Configuration Options
### General
2020-03-13 16:30:04 +00:00
Passwords must be hashed using MD5, SHA1, or BCrypt.
2019-02-26 13:50:07 +00:00
2021-06-18 22:08:08 +00:00
!!! tip
2019-07-01 09:30:05 +00:00
2019-02-26 13:50:07 +00:00
Use `htpasswd` to generate the passwords.
2019-04-03 12:32:04 +00:00
### `users`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The `users` option is an array of authorized users. Each user must be declared using the `name:hashed-password` format.
2019-02-26 13:50:07 +00:00
2019-09-23 12:32:04 +00:00
!!! note ""
2021-06-18 22:08:08 +00:00
2019-09-05 11:42:04 +00:00
- If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users` .
- For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
2021-09-14 13:16:11 +00:00
!!! note "Kubernetes kubernetes.io/basic-auth secret type"
Kubernetes supports a special `kubernetes.io/basic-auth` secret type.
This secret must contain two keys: `username` and `password` .
Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
You can find more information on the [Kubernetes Basic Authentication Secret Documentation ](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret )
2019-09-05 11:42:04 +00:00
```yaml tab="Docker"
# Declaring the user list
#
2021-12-07 09:04:05 +00:00
# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
2020-01-20 12:24:05 +00:00
# To create a user:password pair, the following command can be used:
2019-09-05 11:42:04 +00:00
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
2021-12-07 09:04:05 +00:00
#
# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
2019-09-05 11:42:04 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
2019-09-05 11:42:04 +00:00
```
```yaml tab="Kubernetes"
# Declaring the user list
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-09-05 11:42:04 +00:00
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
secret: authsecret
---
2020-01-20 12:24:05 +00:00
# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
# To create an encoded user:password pair, the following command can be used:
# htpasswd -nb user password | openssl base64
2019-09-05 11:42:04 +00:00
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
2021-09-14 13:16:11 +00:00
---
# This is an alternate auth secret that demonstrates the basic-auth secret type.
# Note: the password is not hashed, and is merely base64 encoded.
apiVersion: v1
kind: Secret
metadata:
name: authsecret2
namespace: default
type: kubernetes.io/basic-auth
data:
username: dXNlcg== # username: user
password: cGFzc3dvcmQ= # password: password
2019-09-05 11:42:04 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
# Declaring the user list
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
2019-09-05 11:42:04 +00:00
```yaml tab="File (YAML)"
# Declaring the user list
http:
middlewares:
test-auth:
basicAuth:
users:
2021-06-18 22:08:08 +00:00
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
2019-09-23 15:00:06 +00:00
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
2019-09-05 11:42:04 +00:00
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
2019-04-03 12:32:04 +00:00
### `usersFile`
2019-02-26 13:50:07 +00:00
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
2020-03-13 16:30:04 +00:00
The file content is a list of `name:hashed-password` .
2019-02-26 13:50:07 +00:00
2019-09-23 12:32:04 +00:00
!!! note ""
2021-06-18 22:08:08 +00:00
2019-09-05 11:42:04 +00:00
- If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users` .
2021-06-18 22:08:08 +00:00
- Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
2019-09-05 11:42:04 +00:00
```yaml tab="Docker"
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
2019-09-05 11:42:04 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-09-05 11:42:04 +00:00
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
```
2019-09-05 11:42:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
basicAuth:
usersFile: "/path/to/my/usersfile"
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
usersFile = "/path/to/my/usersfile"
```
2019-02-26 13:50:07 +00:00
??? example "A file containing test/test and test2/test2"
2019-04-24 15:44:04 +00:00
```txt
2019-02-26 13:50:07 +00:00
test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
```
2019-04-03 12:32:04 +00:00
### `realm`
2019-02-26 13:50:07 +00:00
2021-06-18 22:08:08 +00:00
You can customize the realm for the authentication with the `realm` option. The default value is `traefik` .
2019-02-26 13:50:07 +00:00
2019-09-05 11:42:04 +00:00
```yaml tab="Docker"
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
2019-09-05 11:42:04 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-09-05 11:42:04 +00:00
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
realm: MyRealm
```
2019-10-15 15:34:08 +00:00
```json tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
```
2019-09-05 11:42:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
basicAuth:
realm: "MyRealm"
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
realm = "MyRealm"
```
2019-04-03 12:32:04 +00:00
### `headerField`
2019-02-26 13:50:07 +00:00
2019-09-03 16:02:05 +00:00
You can define a header field to store the authenticated user using the `headerField` option.
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
```yaml tab="Docker"
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
2019-04-03 12:32:04 +00:00
```
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-03 12:32:04 +00:00
kind: Middleware
metadata:
name: my-auth
spec:
basicAuth:
# ...
headerField: X-WebAuth-User
```
2019-10-15 15:34:08 +00:00
```json tab="Consul Catalog"
- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
```
2019-07-22 07:58:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
my-auth:
basicAuth:
# ...
headerField: "X-WebAuth-User"
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares.my-auth.basicAuth]
# ...
headerField = "X-WebAuth-User"
```
2019-04-03 12:32:04 +00:00
### `removeHeader`
2019-02-26 13:50:07 +00:00
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false` .)
2019-09-05 11:42:04 +00:00
```yaml tab="Docker"
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
2019-09-05 11:42:04 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-09-05 11:42:04 +00:00
kind: Middleware
metadata:
name: test-auth
spec:
basicAuth:
removeHeader: true
```
2019-10-15 15:34:08 +00:00
```json tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
```
2019-09-05 11:42:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
test-auth:
basicAuth:
removeHeader: true
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
removeHeader = true
```