DigestAuth

    The DigestAuth middleware is a quick way to restrict access to your services to known users.

    Docker

    Kubernetes

    1. # Declaring the user list
    2. apiVersion: traefik.containo.us/v1alpha1
    3. kind: Middleware
    4. metadata:
    5.   name: test-auth
    6. spec:
    7.   digestAuth:
    8.     secret: userssecret

    Consul Catalog

    1. # Declaring the user list
    2. - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    Marathon

    1. "labels": {
    2.   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
    3. }

    Rancher

    1. # Declaring the user list
    2. labels:
    3.   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    File (TOML)

    1. # Declaring the user list
    2. [http.middlewares]
    3.   [http.middlewares.test-auth.digestAuth]
    4.     users = [
    5.       "test:traefik:a2688e031edb4be6a3797f3882655c05",
    6.       "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
    7.     ]

    File (YAML)

    1. # Declaring the user list
    2. http:
    3.   middlewares:
    4.     test-auth:
    5.       digestAuth:
    6.         users:
    7.           - "test:traefik:a2688e031edb4be6a3797f3882655c05"
    8.           - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    Configuration Options

    Tip

    Use htdigest to generate passwords.

    The users option is an array of authorized users. Each user will be declared using the name:realm:encoded-password format.

    • If both users and usersFile are provided, the two are merged. The contents of usersFile have precedence over the values in users.
    • For security reasons, the field users doesn’t exist for Kubernetes IngressRoute, and one should use the secret field instead.

    Docker

    1. labels:
    2.   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: Middleware
    3. metadata:
    4.   name: test-auth
    5. spec:
    6.   digestAuth:
    7.     secret: authsecret
    9. ---
    10. apiVersion: v1
    11. kind: Secret
    12. metadata:
    13.   name: authsecret
    14.   namespace: default
    16. data:
    17.     dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==

    Consul Catalog

    Marathon

    1. "labels": {
    2.   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
    3. }

    Rancher

    1. labels:
    2.   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
    1. [http.middlewares]
    2.   [http.middlewares.test-auth.digestAuth]
    3.     users = [
    4.       "test:traefik:a2688e031edb4be6a3797f3882655c05",
    5.       "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
    6.     ]

    File (YAML)

    1. http:
    2.   middlewares:
    3.     test-auth:
    4.       digestAuth:
    5.         users:
    6.           - "test:traefik:a2688e031edb4be6a3797f3882655c05"
    7.           - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    The usersFile option is the path to an external file that contains the authorized users for the middleware.

    The file content is a list of name:realm:encoded-password.

    • If both users and usersFile are provided, the two are merged. The contents of usersFile have precedence over the values in users.
    • Because it does not make much sense to refer to a file path on Kubernetes, the usersFile field doesn’t exist for Kubernetes IngressRoute, and one should use the secret field instead.

    Docker

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: Middleware
    3. metadata:
    4.   name: test-auth
    5. spec:
    6.   digestAuth:
    7.     secret: authsecret
    9. ---
    10. apiVersion: v1
    11. kind: Secret
    12. metadata:
    13.   name: authsecret
    14.   namespace: default
    16. data:
    17.   users: |2
    18.     dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    19.     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK

    Consul Catalog

    1. - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"

    Marathon

    1. "labels": {
    2.   "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
    3. }

    Rancher

    1. labels:
    2.   - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"

    File (TOML)

    1. [http.middlewares]
    2.   [http.middlewares.test-auth.digestAuth]
    3.     usersFile = "/path/to/my/usersfile"

    File (YAML)

    1. http:
    2.   middlewares:
    3.     test-auth:
    4.       digestAuth:
    5.         usersFile: "/path/to/my/usersfile"

    A file containing test/test and test2/test2

    1. test:traefik:a2688e031edb4be6a3797f3882655c05
    2. test2:traefik:518845800f9e2bfb1f1f740ec24f074e

    You can customize the realm for the authentication with the realm option. The default value is traefik.

    Docker

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: Middleware
    3. metadata:
    4.   name: test-auth
    5. spec:
    6.   digestAuth:
    7.     realm: MyRealm

    Consul Catalog

    1. - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"

    Marathon

    1. "labels": {
    2.   "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
    3. }

    Rancher

    1. labels:
    2.   - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
    1. [http.middlewares]
    2.   [http.middlewares.test-auth.digestAuth]
    3.     realm = "MyRealm"

    File (YAML)

    You can customize the header field for the authenticated user using the headerFieldoption.

    Docker

    1. labels:
    2.   - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: Middleware
    3. metadata:
    4.   name: my-auth
    5. spec:
    6.   digestAuth:
    7.     # ...
    8.     headerField: X-WebAuth-User

    Consul Catalog

    1. - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"

    Marathon

    1. "labels": {
    2.   "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
    3. }

    Rancher

    1. labels:
    2.   - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"

    File (TOML)

    1. [http.middlewares.my-auth.digestAuth]
    2.   # ...
    3.   headerField = "X-WebAuth-User"

    File (YAML)

    1. http:
    2.   middlewares:
    3.     my-auth:
    4.       digestAuth:
    5.         # ...
    6.         headerField: "X-WebAuth-User"

    Set the removeHeader option to true to remove the authorization header before forwarding the request to your service. (Default value is false.)

    Docker

    1. labels:
    2.   - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"

    Kubernetes

    1. apiVersion: traefik.containo.us/v1alpha1
    2. kind: Middleware
    3. metadata:
    4.   name: test-auth
    5. spec:
    6.   digestAuth:
    7.     removeHeader: true

    Consul Catalog

    1. - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"

    Marathon

    1. "labels": {
    2.   "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
    3. }

    Rancher

    1. labels:
    2.   - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"

    File (TOML)

    1. [http.middlewares]
    2.   [http.middlewares.test-auth.digestAuth]

    File (YAML)