BasicAuth

The BasicAuth middleware grants access to services to authorized users only.

Configuration Example

Middleware Basic Authentication
Basic-Auth Secret
Secret with encoded credentials

---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-auth
  namespace: traefik
spec:
  basicAuth:
    secret: authsecret

# This is an alternate auth secret that demonstrates the basic-auth secret type.
# Note: the password is not hashed, and is merely base64 encoded.

apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: traefik
type: kubernetes.io/basic-auth
data:
  username: dXNlcg== # username: user
  password: cGFzc3dvcmQ= # password: password

# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
# To create an encoded user:password pair, the following command can be used:
# htpasswd -nb user password | openssl base64

apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: traefik
data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK

Configuration Options

Field	Description	Default	Required
`users`	Array of authorized users. Each user must be declared using the `name:hashed-password` format. (More information here)	""	No
`usersFile`	Path to an external file that contains the authorized users for the middleware. The file content is a list of `name:hashed-password`. (More information here)	""	No
`realm`	Allow customizing the realm for the authentication.	"traefik"	No
`headerField`	Allow defining a header field to store the authenticated user.	""	No
`removeHeader`	Allow removing the authorization header before forwarding the request to your service.	false	No

users

If both users and usersFile are provided, the two are merged. The contents of usersFile have precedence over the values in users.
For security reasons, the field users doesn't exist for Kubernetes IngressRoute, and one should use the secret field instead.

Kubernetes Secrets

The option users supports Kubernetes secrets.

Kubernetes kubernetes.io/basic-auth secret type

Kubernetes supports a special kubernetes.io/basic-auth secret type. This secret must contain two keys: username and password.

Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods. You can find more information on the Kubernetes Basic Authentication Secret Documentation

usersFile

If both users and usersFile are provided, the two are merged. The contents of usersFile have precedence over the values in users.
For security reasons, the field users doesn't exist for Kubernetes IngressRoute, and one should use the secret field instead.

Passwords format

Passwords must be hashed using MD5, SHA1, or BCrypt. Use htpasswd to generate the passwords.

Configuration Example​

Configuration Options​

users​

Kubernetes Secrets​

usersFile​

Passwords format​