For when you don’t want to install httpd-tools / apache2-utils
tl; dr: openssl passwd -apr1 | sed -E "s:[\$]:\$\$:g" (traefik)
openssl passwd -apr1 (nginx)
Explanations below.
Generating a Hash
Traefik does basic auth as a middleware. For this you need a password hash. The docs suggest using htpasswd, (eg like htpasswd -nbB), which is grand if you have access to htpasswd. If you don’t, you can instead use openssl.
For this we invoke as openssl passwd for “Generation of hashed passwords.” The type of password we’d like is something secure, so we’ll use apr1 as the type. From the Apache docs:
“$apr1$” + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source fileapr_md5.cfor the details of the algorithm.
From http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
So we get something like:
$ openssl passwd -apr1 Password: Verifying - Password: $apr1$i4cUyBZl$GzyVeKlwjB5UOSw2scq420
The above used “foo” as a password. Don’t use foo as a password or the above output, obviously! Note that if we run the command again we get different output:
$ openssl passwd -apr1 Password: Verifying - Password: $apr1$CJ9ugIPG$yKSDt4ZkuNuz8NIyChsQP0
This is because the salt changes with each invocation. In the first run it is ‘i4cUyBZl’ and in the second it is ‘CJ9ugIPG’.
Formatting for Traefik
We can’t use the output from openssl as-is, because “all dollar signs need to be doubled for escaping”, so we can pipe to sed:
openssl passwd -apr1 | sed -E "s:[\$]:\$\$:g
You can then use that in your traefik label, eg:
- "traefik.http.middlewares.appauth.basicauth.users=foo:$$apr1$$i4cUyBZl$$GzyVeKlwjB5UOSw2scq420"
But don’t use that string, generate your own!
Pingback: Installing Apache guacamole with Docker & Traefik (avoiding pitfalls) – Rob's Blog