Generating a traefik/nginx password hash without htpasswd

For when you don’t want to install httpd-tools / apache2-utils

tl;dr: openssl passwd -apr1 | sed -E "s:[\$]:\$\$:g" (traefik)

openssl passwd -apr1 (nginx)

Explanations below.


Generating a Hash

Traefik does basic auth as a middleware, and for this you need a password hash. The docs suggest using htpasswd (e.g. htpasswd -nbB), which is grand if you have access to htpasswd. If you don’t, you can use openssl instead.

For this we invoke openssl passwd, which does “Generation of hashed passwords.” The type of password we’d like is something secure, so we’ll use apr1 as the type. From the Apache docs:

“$apr1$” + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm.

From http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

So we get something like:

$ openssl passwd -apr1
Password:
Verifying - Password:
$apr1$i4cUyBZl$GzyVeKlwjB5UOSw2scq420

The above used “foo” as a password. Don’t use foo as a password or the above output, obviously! Note that if we run the command again we get different output:

$ openssl passwd -apr1
Password:
Verifying - Password:
$apr1$CJ9ugIPG$yKSDt4ZkuNuz8NIyChsQP0

This is because the salt changes with each invocation. In the first run it is ‘i4cUyBZl’ and in the second it is ‘CJ9ugIPG’.

Formatting for Traefik

We can’t use the output from openssl as-is, because “all dollar signs need to be doubled for escaping”, so we can pipe to sed:

openssl passwd -apr1 | sed -E "s:[\$]:\$\$:g"

You can then use that in your traefik label, e.g.:

- "traefik.http.middlewares.appauth.basicauth.users=foo:$$apr1$$i4cUyBZl$$GzyVeKlwjB5UOSw2scq420"

But don’t use that string, generate your own!
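The two steps above, wrapped into reusable functions, plus a check that a password still matches a stored hash by recomputing it with the same salt. This is an added example, not part of the original post; the function names and the sample user and password are made up for illustration, and it assumes openssl is on the PATH. Passing the password with -stdin keeps it out of the process argument list.

```shell
#!/bin/sh
# Added example: htpasswd-style entries using only openssl and sed.
# Function names, user name and password below are constructed for illustration.

# apr1_hash [SALT]: read the password from stdin, print its $apr1$ hash.
# Without SALT, openssl picks a random one (normal use); with SALT, an
# existing hash can be recomputed for verification.
apr1_hash() {
    if [ -n "${1:-}" ]; then
        openssl passwd -apr1 -salt "$1" -stdin
    else
        openssl passwd -apr1 -stdin
    fi
}

# nginx_entry USER: print a "user:hash" line (password on stdin), as used in
# an nginx auth_basic_user_file.
nginx_entry() {
    printf '%s:%s\n' "$1" "$(apr1_hash)"
}

# traefik_escape: double every "$" so the value survives in a compose label.
traefik_escape() {
    sed -e 's/\$/$$/g'
}

# verify_apr1 HASH: read a candidate password on stdin; exit status 0 if it
# hashes to HASH. HASH must be the unescaped form: $apr1$<salt>$<digest>
verify_apr1() {
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$(apr1_hash "$salt")" = "$1" ]
}

# Demo with a constructed password; in real use, feed it from a prompt or a
# secret file rather than a literal in a script.
entry=$(printf '%s\n' 'constructed-example-pw' | nginx_entry appuser)
printf 'nginx:   %s\n' "$entry"
printf 'traefik: %s\n' "$(printf '%s' "$entry" | traefik_escape)"
```

verify_apr1 expects the single-dollar form, so undouble a Traefik label value before checking it.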
