https://github.com/kingjan1999/traefik-plugin-exception-authbasic
Traefik Plugin to allow overrides for auth basic
- Host: GitHub
- URL: https://github.com/kingjan1999/traefik-plugin-exception-authbasic
- Owner: kingjan1999
- License: mit
- Created: 2020-10-20T11:22:11.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-06-04T20:35:48.000Z (about 5 years ago)
- Last Synced: 2025-04-04T16:44:28.480Z (about 1 year ago)
- Topics: traefik-plugin
- Language: Go
- Homepage:
- Size: 23.4 KB
- Stars: 7
- Watchers: 1
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Traefik Plugin For Allowing Exceptions From Basic Auth
This Traefik plugin allows you to define exceptions for certain origin IPs / IP ranges, or for requests with specific headers, that override basic auth requirements.
This works by defining a special user and password in Traefik's basic auth configuration.
## Sample Configuration
The following code snippet is a sample configuration for the dynamic file-based provider, but as usual, this plugin should work with all other configuration providers as well.
```toml
[http]
[http.routers]
[http.routers.router0]
entryPoints = ["http"]
service = "service-foo"
rule = "Path(`/foo`)"
middlewares = ["except-auth", "test-auth"]
[http.middlewares]
[http.middlewares.except-auth.plugin.except-authbasic]
allowIPList = ["127.0.0.1"]
user = "user"
password = "password"
preventUser = true
headers = {"X-Very-Secret" = "totallysecret"}
[http.middlewares.test-auth.basicauth]
users = "user:$apr1$6Ktd55e3$9qaa6Dw9t70x90uQbZsts/,anotheruser:$apr1$cwugIdEJ$juXAPT2qb0sUroFEIucqz0"
realm = "Test"
removeHeader = true
```
*Please note:* The middleware for this plugin needs to be loaded before the basic auth middleware (as seen above).
## Configuration
This plugin supports the following configuration parameters:
- **allowIPList** List of strings containing the allowed IP addresses (e.g. `127.0.0.1`) and IP address ranges (e.g. `127.0.0.1/8`). Default: `[]`
- **user** Username of the basic auth user to be used for authentication. Default: `"""`
- **password** Password of the basic auth user to be used for authentication. Default: `"""`. Needs to be in plaintext!
- **preventUser** Disallows any request that tries to authenticate with the above credentials but does not originate from one of the allowed IP addresses. Default: `false`
- **ipHeaders** Allows you to specify additional headers (e.g. `X-Forwarded-For`, `X-Real-IP`) to use as sources besides the request's remote IP. Please note: If any IP address can be found in one of these headers, the request's remote IP is ignored. Multiple IPs in a header (e.g. `127.0.0.1,127.0.0.2`) are treated equally. Using this feature is highly discouraged. Please ensure that these headers are not set by end users. Default: `[]`
- **headers** Map of headers and their expected values which override the basic auth requirement as well (so requests with these headers do not require basic auth). Use `*` as a wildcard value. Please note: This is OR-chained with the IP-based rules. Default: `{}`
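The matching rules listed above, modelled in Go as an added example (this is not the plugin's source code). It shows why `ipHeaders` is only safe behind a proxy that overwrites those headers. `Config`, `Exempt` and the sample addresses are constructed here; counting any IP from a multi-IP header as sufficient and comparing only a header's first value are assumptions about the README's wording.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Config uses the README's parameter names; the matching logic is inferred from its text.
type Config struct {
	AllowIPList, IPHeaders []string
	Headers                map[string]string
}

// Exempt reports whether a request from remoteIP carrying headers h would skip basic auth.
func Exempt(c Config, remoteIP string, h http.Header) bool {
	for name, want := range c.Headers { // header rules are OR-chained with the IP rules
		if got := h.Values(name); len(got) > 0 && (want == "*" || got[0] == want) {
			return true
		}
	}
	var ips []net.IP
	for _, name := range c.IPHeaders { // assumption: every IP listed in a header is a candidate
		for _, p := range strings.Split(h.Get(name), ",") {
			if ip := net.ParseIP(strings.TrimSpace(p)); ip != nil {
				ips = append(ips, ip)
			}
		}
	}
	if ip := net.ParseIP(remoteIP); len(ips) == 0 && ip != nil { // remote IP only as fallback
		ips = append(ips, ip)
	}
	for _, ip := range ips {
		for _, entry := range c.AllowIPList {
			_, cidr, err := net.ParseCIDR(entry)
			if (err == nil && cidr.Contains(ip)) || ip.Equal(net.ParseIP(entry)) {
				return true
			}
		}
	}
	return false
}

func main() {
	c := Config{AllowIPList: []string{"127.0.0.1/8"}, IPHeaders: []string{"X-Forwarded-For"}}
	clientSet := http.Header{"X-Forwarded-For": {"127.0.0.1"}} // constructed sample header
	fmt.Println(Exempt(c, "203.0.113.7", http.Header{}), Exempt(c, "203.0.113.7", clientSet))
}
```

With `ipHeaders` configured, the same external remote address is exempted once the header carries an allow-listed IP, so the header must be set only by a trusted proxy in front of Traefik.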
## Known Issues
### Authorization Headers Are Overwritten
Any additional authentication (for example, when accessing APIs via a Bearer token from an IP on the allow list) will not work. This is because the plugin overwrites any existing `Authorization` header with the predefined credentials to make the basic auth middleware work. [As a workaround, you can make a backup of the `Authorization` header and restore it later](https://github.com/kingjan1999/traefik-plugin-exception-authbasic/issues/5).