DigestAuth

Adding Digest Authentication

The DigestAuth middleware is a quick way to restrict access to your services to known users.

Configuration Examples

    # Declaring the user list
    labels:
      - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    # Declaring the user list
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: test-auth
    spec:
      digestAuth:
        secret: userssecret

    "labels": {
      "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
    }

    # Declaring the user list
    labels:
      - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    # Declaring the user list
    [http.middlewares]
      [http.middlewares.test-auth.digestAuth]
        users = [
          "test:traefik:a2688e031edb4be6a3797f3882655c05",
          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
        ]

    # Declaring the user list
    http:
      middlewares:
        test-auth:
          digestAuth:
            users:
              - "test:traefik:a2688e031edb4be6a3797f3882655c05"
              - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

Configuration Options

Tip

Use htdigest to generate passwords.

users

The users option is an array of authorized users. Each user will be declared using the name:realm:encoded-password format.

Note

  • If both users and usersFile are provided, the two are merged. The contents of usersFile have precedence over the values in users.
  • For security reasons, the field users doesn't exist for Kubernetes IngressRoute, and one should use the secret field instead.

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: test-auth
    spec:
      digestAuth:
        secret: authsecret
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: authsecret
      namespace: default
    data:
      users: |2
        dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==

    "labels": {
      "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
    }

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

    [http.middlewares]
      [http.middlewares.test-auth.digestAuth]
        users = [
          "test:traefik:a2688e031edb4be6a3797f3882655c05",
          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
        ]

    http:
      middlewares:
        test-auth:
          digestAuth:
            users:
              - "test:traefik:a2688e031edb4be6a3797f3882655c05"
              - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"

usersFile

The usersFile option is the path to an external file that contains the authorized users for the middleware.

The file content is a list of name:realm:encoded-password.

Note

  • If both users and usersFile are provided, the two are merged. The contents of usersFile have precedence over the values in users.
  • Because it does not make much sense to refer to a file path on Kubernetes, the usersFile field doesn't exist for Kubernetes IngressRoute, and one should use the secret field instead.

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"

    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: test-auth
    spec:
      digestAuth:
        secret: authsecret
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: authsecret
      namespace: default
    data:
      # base64 of the name:realm:encoded-password lines, one user per line
      users: |2
        dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==

    "labels": {
      "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
    }

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"

    [http.middlewares]
      [http.middlewares.test-auth.digestAuth]
        usersFile = "/path/to/my/usersfile"

    http:
      middlewares:
        test-auth:
          digestAuth:
            usersFile: "/path/to/my/usersfile"

A file containing test/test and test2/test2

    test:traefik:a2688e031edb4be6a3797f3882655c05
    test2:traefik:518845800f9e2bfb1f1f740ec24f074e

realm

You can customize the realm for the authentication with the realm option. The default value is traefik.

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"

    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: test-auth
    spec:
      digestAuth:
        realm: MyRealm

    "labels": {
      "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
    }

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"

    [http.middlewares]
      [http.middlewares.test-auth.digestAuth]
        realm = "MyRealm"

    http:
      middlewares:
        test-auth:
          digestAuth:
            realm: "MyRealm"
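
An added example, not part of the Traefik documentation: a Python check for a users list, usersFile or decoded Secret before it is deployed. It assumes encoded-password is the MD5 of name:realm:password as htdigest writes it, so an entry only works with the realm it was generated for; the function names are hypothetical and the htpasswd-style line is constructed.

```python
import base64
import hashlib
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

# "users" value of the Secret shown on this page.
PAGE_SECRET = ("dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1"
               "CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==")
# Constructed sample: an htpasswd (BasicAuth) style line pasted by mistake.
CONSTRUCTED_HTPASSWD = "alice:$apr1$constructed$notARealHash0000000000"


def ha1(name, realm, password):
    """Digest HA1 as htdigest stores it: MD5 over name:realm:password."""
    return hashlib.md5(f"{name}:{realm}:{password}".encode()).hexdigest()


def entry(name, realm, password):
    """Build one name:realm:encoded-password line."""
    return f"{name}:{realm}:{ha1(name, realm, password)}"


def decode_secret(b64_users):
    """Decode the base64 'users' value of the Kubernetes Secret."""
    return base64.b64decode(b64_users).decode()


def lint_users(text, realm="traefik"):
    """Return one message per entry that cannot authenticate under `realm`."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue  # blank lines carry no entry
        parts = line.split(":")
        if len(parts) != 3 or not HEX32.fullmatch(parts[2]):
            problems.append(f"line {n}: not name:realm:<32 hex chars>")
        elif parts[1] != realm:
            problems.append(
                f"line {n}: realm {parts[1]!r} != middleware realm {realm!r}")
    return problems


if __name__ == "__main__":
    users = decode_secret(PAGE_SECRET)
    print(lint_users(users))                # entries match the default realm
    print(lint_users(users, "MyRealm"))     # realm option changed, hashes stale
    print(lint_users(CONSTRUCTED_HTPASSWD)) # wrong credential format
```

When the realm option is changed, every entry has to be regenerated for the new realm, because the stored hash covers the realm string.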

headerField

You can customize the header field for the authenticated user using the headerField option.

    labels:
      - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"

    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: my-auth
    spec:
      digestAuth:
        # ...
        headerField: X-WebAuth-User

    labels:
      - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"

    "labels": {
      "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
    }

    [http.middlewares.my-auth.digestAuth]
      # ...
      headerField = "X-WebAuth-User"

    http:
      middlewares:
        my-auth:
          digestAuth:
            # ...
            headerField: "X-WebAuth-User"

removeHeader

Set the removeHeader option to true to remove the authorization header before forwarding the request to your service. (Default value is false.)

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"

    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: test-auth
    spec:
      digestAuth:
        removeHeader: true

    "labels": {
      "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
    }

    labels:
      - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"

    [http.middlewares]
      [http.middlewares.test-auth.digestAuth]
        removeHeader = true

    http:
      middlewares:
        test-auth:
          digestAuth:
            removeHeader: true