From 1ab159e4eb19f7c33bf1bcbb1f6fc44017adc21f Mon Sep 17 00:00:00 2001 From: Jean-Baptiste DONNETTE Date: Mon, 4 Nov 2024 20:22:46 +0100 Subject: [PATCH] docs: add documentation for Traefik dashboard with secure login --- README.md | 16 ++++++++++++++++ docker-compose.new.yml | 23 ++++++++++++----------- 2 files changed, 28 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index edfde17..2d8044a 100644 --- a/README.md +++ b/README.md @@ -164,6 +164,22 @@ Note that if our docker server is not at http://localhost, the following env var LAGO_DOMAIN=yourdomain.tld" ``` +##### Accessing Traefik Dashboard + +The Traefik dashboard is available at http://traefik.localhost (or replace `localhost` with your custom `LAGO_DOMAIN`). For security reasons, we have configured basic authentication for accessing the Traefik dashboard. The default username is `user` and the default password is `password`. We recommand you to change it : + +```shell +echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g +``` + +And modify line with your new value: + +```yaml + - "traefik.http.middlewares.test-auth.basicauth.users=user:$$2y$$05$$m2rFNkFDITSrY7oawkzjU.dV.69/w8FmvEaSeBFCtmYpvMar9UMGa" +``` + +If you want to learn more about traefik auth [here](https://doc.traefik.io/traefik/operations/dashboard/#secure-mode) + ### Find your API key Your API Key can be found directly in the UI: diff --git a/docker-compose.new.yml b/docker-compose.new.yml index 302baec..d6e3db3 100644 --- a/docker-compose.new.yml +++ b/docker-compose.new.yml 
@@ -55,12 +55,7 @@ services: container_name: traefik restart: unless-stopped command: - # WARNING: It is strongly discouraged to use Traefik with "--api.insecure=true" - # as this exposes the Traefik dashboard publicly without any security measures, - # which can lead to unauthorized access and potential security risks. - # For a production setup, consider enabling secure access to the dashboard - # by using authentication and restricting access to trusted IPs or networks. - - "--api.insecure=true" + - "--api.insecure=false" - "--api.dashboard=true" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" @@ -78,12 +73,18 @@ services: - traefik_certificates:/letsencrypt - traefik_config:/traefik labels: - - "traefik.http.routers.traefik.rule=Host(`${LAGO_DOMAIN:-localhost}`)" - # SSL - # - "traefik.http.routers.api.entrypoints=websecure" - - "traefik.http.routers.traefik.entrypoints=web" - - "traefik.http.routers.traefik.tls.certresolver=lagoresolver" + - "traefik.enable=true" + - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.${LAGO_DOMAIN:-localhost}`)" + - "traefik.http.routers.traefik-dashboard.entrypoints=web" + - "traefik.http.routers.traefik-dashboard.service=api@internal" - "traefik.http.services.traefik.loadbalancer.server.port=8080" + - "traefik.http.routers.traefik-dashboard.middlewares=test-auth" + # username : user + # password : password + # you can change it using echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g + - "traefik.http.middlewares.test-auth.basicauth.users=user:$$2y$$05$$m2rFNkFDITSrY7oawkzjU.dV.69/w8FmvEaSeBFCtmYpvMar9UMGa" + + api: container_name: lago-api
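Review bot: In the first hunk, `--api.insecure=false` is left without any comment, and the removed WARNING block was the only text explaining why the insecure API must stay off. I would keep one line above the flag, for example `# Keep api.insecure off: the dashboard is served only through the traefik-dashboard router (api@internal) behind basic auth.` Since `false` is already Traefik's default, that comment is what stops a later edit from flipping the flag back. If the service's `ports:` section (outside this hunk) still publishes 8080, that mapping presumably no longer serves the dashboard and could be dropped.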
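Review bot: The `basicauth.users` label in the second hunk ships a fixed credential (`user` / `password`, per the comment above it) whose hash is public in the repository, so every deployment that keeps the file as-is has a dashboard behind a known login. I would read the entry from the environment with no default, e.g. `- "traefik.http.middlewares.test-auth.basicauth.users=${TRAEFIK_DASHBOARD_USERS:?set an htpasswd entry}"` (variable name illustrative), so compose refuses to start until an operator supplies their own htpasswd line. The router is also bound to `entrypoints=web` while the `tls.certresolver=lagoresolver` label is removed, so the Basic credentials travel over plain HTTP whenever `LAGO_DOMAIN` is not localhost; if a TLS entrypoint is defined elsewhere in the file, the dashboard router should use it. The middleware name `test-auth` would read better as `dashboard-auth`, and the `traefik` service block starts outside the hunk.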