From d5a15d6756a897e4a8c8e6fd549843bb0fb9ffd9 Mon Sep 17 00:00:00 2001
From: Manuel Laufenberg <ich@manuel-laufenberg.de>
Date: Thu, 15 Sep 2016 15:24:22 +0200
Subject: [PATCH] add basic auth support

implemented requested changes

fix docs

remove struct tag
---
 docs/toml.md        | 12 ++++++++++++
 traefik.sample.toml | 11 +++++++++++
 web.go              | 37 ++++++++++++++++++++++++++++++++-----
 3 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/docs/toml.md b/docs/toml.md
index 2e48c4667..a77737ec9 100644
--- a/docs/toml.md
+++ b/docs/toml.md
@@ -411,6 +411,18 @@ address = ":8080"
 #
 # Optional
 # ReadOnly = false
+#
+# To enable basic auth on the webui
+# with 2 user/pass: test:test and test2:test2
+# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
+#   [web.auth.basic] 
+#     users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+# To enable digest auth on the webui
+# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
+# You can use htdigest to generate those ones
+#   [web.auth.basic] 
+#     users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+
 ```
 
 - `/`: provides a simple HTML frontend of Træfik
diff --git a/traefik.sample.toml b/traefik.sample.toml
index 388147e5a..c0f6d7186 100644
--- a/traefik.sample.toml
+++ b/traefik.sample.toml
@@ -221,6 +221,17 @@
 # Optional
 # ReadOnly = false
 
+# To enable basic auth on the webui
+# with 2 user/pass: test:test and test2:test2
+# Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones
+#   [web.auth.basic] 
+#     users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+# To enable digest auth on the webui
+# with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
+# You can use htdigest to generate those ones
+#   [web.auth.basic] 
+#     users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+
 
 ################################################################
 # File configuration backend
diff --git a/web.go b/web.go
index bb0646b5e..adfc59f65 100644
--- a/web.go
+++ b/web.go
@@ -9,8 +9,10 @@ import (
 	"runtime"
 
 	log "github.com/Sirupsen/logrus"
+	"github.com/codegangsta/negroni"
 	"github.com/containous/mux"
 	"github.com/containous/traefik/autogen"
+	"github.com/containous/traefik/middlewares"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/elazarl/go-bindata-assetfs"
@@ -28,6 +30,7 @@ type WebProvider struct {
 	KeyFile  string `description:"SSL certificate"`
 	ReadOnly bool   `description:"Enable read only API"`
 	server   *Server
+	Auth     *types.Auth
 }
 
 var (
@@ -47,6 +50,7 @@ func goroutines() interface{} {
 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
 func (provider *WebProvider) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, _ []types.Constraint) error {
+
 	systemRouter := mux.NewRouter()
 
 	// health route
@@ -103,15 +107,37 @@ func (provider *WebProvider) Provide(configurationChan chan<- types.ConfigMessag
 	}
 
 	go func() {
-		if len(provider.CertFile) > 0 && len(provider.KeyFile) > 0 {
-			err := http.ListenAndServeTLS(provider.Address, provider.CertFile, provider.KeyFile, systemRouter)
+
+		if provider.Auth != nil {
+			authMiddleware, err := middlewares.NewAuthenticator(provider.Auth)
 			if err != nil {
-				log.Fatal("Error creating server: ", err)
+				log.Fatal("Error creating Auth: ", err)
+			}
+			var negroni = negroni.New()
+			negroni.Use(authMiddleware)
+			negroni.UseHandler(systemRouter)
+
+			if len(provider.CertFile) > 0 && len(provider.KeyFile) > 0 {
+				err = http.ListenAndServeTLS(provider.Address, provider.CertFile, provider.KeyFile, negroni)
+			} else {
+				err = http.ListenAndServe(provider.Address, negroni)
+			}
+
+			if err != nil {
+				log.Fatal("Error creating server with Auth: ", err)
 			}
 		} else {
-			err := http.ListenAndServe(provider.Address, systemRouter)
+
+			var err error
+
+			if len(provider.CertFile) > 0 && len(provider.KeyFile) > 0 {
+				err = http.ListenAndServeTLS(provider.Address, provider.CertFile, provider.KeyFile, systemRouter)
+			} else {
+				err = http.ListenAndServe(provider.Address, systemRouter)
+			}
+
 			if err != nil {
-				log.Fatal("Error creating server: ", err)
+				log.Fatal("Error creating server without Auth: ", err)
 			}
 		}
 	}()
@@ -238,6 +264,7 @@ func (provider *WebProvider) getRoutesHandler(response http.ResponseWriter, requ
 }
 
 func (provider *WebProvider) getRouteHandler(response http.ResponseWriter, request *http.Request) {
+
 	vars := mux.Vars(request)
 	providerID := vars["provider"]
 	frontendID := vars["frontend"]