How to add basic auth on staging subdomain

[Alex0x4b]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched in the documentation/README.
• I already searched in Google "How to do X" and didn't find any information.
• I already read and followed all the tutorial in the docs/README and didn't find an answer.

Commit to Help

• I commit to help with one of those options 👆

Example Code

None

Description

Following the template instructions, I successfully deployed 2 environments (staging and production) on the same VPS and on the same public traefik network :

• staging.myapp.com
• api.staging.myapp.com
• myapp.com
• api.myapp.com

I would like to add simple auth when user try to access a staging subdomain.

I tried to add a basic auth staging subdomain without success in docker-compose.traefik.yml.

Note: I went for basic auth because it look like a simple solution, but I'm open to other approach.

Operating System

Linux

Operating System Details

lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          40 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   1
  On-line CPU(s) list:    0
Vendor ID:                GenuineIntel
  Model name:             Intel Core Processor (Haswell, no TSX)
    CPU family:           6
    Model:                60
    Thread(s) per core:   1
    Core(s) per socket:   1
    Socket(s):            1
    Stepping:             1
    BogoMIPS:             4788.90
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rd
                          tscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1
                          sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault pti
                          tpr_shadow flexpriority ept vpid ept_ad fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt arat vnmi md_clear
Virtualization features:
  Virtualization:         VT-x
  Hypervisor vendor:      KVM
  Virtualization type:    full
Caches (sum of all):
  L1d:                    32 KiB (1 instance)
  L1i:                    32 KiB (1 instance)
  L2:                     4 MiB (1 instance)
  L3:                     16 MiB (1 instance)
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0
Vulnerabilities:
  Gather data sampling:   Not affected
  Itlb multihit:          KVM: Mitigation: VMX disabled
  L1tf:                   Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled
  Mds:                    Mitigation; Clear CPU buffers; SMT Host state unknown
  Meltdown:               Mitigation; PTI
  Mmio stale data:        Unknown: No mitigations
  Reg file data sampling: Not affected
  Retbleed:               Not affected
  Spec rstack overflow:   Not affected
  Spec store bypass:      Vulnerable
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines; STIBP disabled; RSB filling; PBRSB-eIBRS Not affected; BHI Retpoline
  Srbds:                  Unknown: Dependent on hypervisor status
  Tsx async abort:        Not affected

Python Version

3.10.13

Additional Context

No response

[stevleibelt]

I am not using this template but have you tried to adapt the DOMAIN in the .env file?

As far as I've looked all the docker compose files, this must be it.

How have you setup your two domains? You should have two directories, each with a copy of this template and configured. Furthermore, your dns should be able to resolve both domains.

I tried to add a basic auth staging subdomain without success in docker-compose.traefik.yml.
Do i understand it correctly, that you hard coded the DOMAIN in the docker-compose.traefik.yml?
Can you please add a diff of this changed file?

As a side note, to ease up migration to later versions of this template, you should only adapt docker-compose.override.yml.

[Alex0x4b]

On the same VPS I have indeed two copies of the template. Both are updated with its own github runner.

As you suggest, I use the DOMAIN to adapt the url based on which environment is deployed.

Do i understand it correctly, that you hard coded the DOMAIN in the docker-compose.traefik.yml?
Can you please add a diff of this changed file?

No, I did not update docker-compose.traefik.yml, the DOMAIN is populated by github action variables during deployment.

See bellow deploy to production workflow (there is a similar one for staging but with secrets.DOMAIN_STAGING):

  name: Deploy to Production

  on:
    release:
      types:
        - published

  jobs:
    deploy:
      # Do not deploy in the main repository, only in user projects
      if: github.repository_owner != 'fastapi'
      runs-on:
        - self-hosted
        - production
      env:
        ENVIRONMENT: production
        DOMAIN: ${{ secrets.DOMAIN_PRODUCTION }}
        STACK_NAME: ${{ secrets.STACK_NAME_PRODUCTION }}
        SECRET_KEY: ${{ secrets.SECRET_KEY_PRODUCTION }}
        FIRST_SUPERUSER: ${{ secrets.FIRST_SUPERUSER }}
        FIRST_SUPERUSER_PASSWORD: ${{ secrets.FIRST_SUPERUSER_PASSWORD_PRODUCTION }}
        SMTP_HOST: ${{ secrets.SMTP_HOST }}
        SMTP_USER: ${{ secrets.SMTP_USER }}
        SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
        EMAILS_FROM_EMAIL: ${{ secrets.EMAILS_FROM_EMAIL }}
        FRONTEND_HOST: ${{ secrets.FRONTEND_HOST_PRODUCTION }}
        POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD_PRODUCTION }}
        SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
      steps:
        - name: Checkout
          uses: actions/checkout@v4
        - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} build
        - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} up -d
        - name: Cleanup Docker
          run: |
            docker container prune -f
            docker image prune -f
            docker builder prune -f

At this stage, I have the 2 environments (staging.myapp.com and myapp.com) running on the same VPS, which is great.

Both environments run behind the same Traefik proxy as described in this template documentation

To prevent the end user from accessing staging, my hunch was to add at proxy level a basic authentication on the staging subdomain a. Something similar to what is done here for the default traefik dashboard (secured by middlewares=admin-auth)

So I tried unsuccessfully to update docker-compose.traefik.yml. But I'm a beginner with traefik and I can't find a solution.

Translated with DeepL.com (free version)

[stevleibelt]

Thanks for your reply,

again as a remark, I am not using traefik bit I wanted to understand the project and hopefully could fetch the mandatory information.

If I understand traefik basic auth and traefik routers correctly, you need to add something like this to your docker-compose.override.yaml file.

services:
  proxy:
    image: traefik:3.0
      labels:
        # Enable HTTP Basic auth, using the middleware in docker-compose.traefik.yml
        - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.middlewares=admin-auth

And this docker-compose.override.yml must be part of your staging environment or github action.

I translate the traefik configuration line above like "Add the previously defined admin-auth middleware to the frontend-https service.

[Alex0x4b]

Some answers about how the template works

docker-compose.override.yaml is only used for development purpose when running docker compose watch

When I'm deploying in staging I running this workflow :

      - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} build
      - run: docker compose -f docker-compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} up -d

There is a similar workflow for production

Working implementation of basic oauth

I found a simple way to implement basic oauth on staging :

I create a new docker-compose.staging.yml to overide docker-compose.yml during staging deployment workflow:

New file: docker-compose.staging.yml

# docker-compose.staging.yml
  services:

    backend:
      labels:
        - traefik.http.routers.${STACK_NAME?Variable not set}-backend-https.middlewares=admin-auth

    frontend:
      labels:
        - traefik.http.routers.${STACK_NAME?Variable not set}-frontend-https.middlewares=admin-auth

    adminer:
      labels:
        - traefik.http.routers.${STACK_NAME?Variable not set}-adminer-https.middlewares=admin-auth

updating .github/workflows/deploy-staging.yml

  name: Deploy to Staging

[...]

       steps:
        - name: Checkout
          uses: actions/checkout@v4
        - run: docker compose -f docker-compose.yml -f docker-compose.staging.yml --project-name ${{ secrets.STACK_NAME_STAGING }} build
        - run: docker compose -f docker-compose.yml -f docker-compose.staging.yml --project-name ${{ secrets.STACK_NAME_STAGING }} up -d
[...]
        

[Alex0x4b]

additionally if need a specific user/password for staging basic oauth, it can be add in docker-compose.traefik.yml

e.g.

        - traefik.http.middlewares.staging-auth.basicauth.users=${USERNAME?Variable not set}:${STAGING_PWD?Variable not set}

[stevleibelt]

Great, thanks for sharing your answer!

Have an incredible rest of the week.