Traefik for Docker Compose

May 8, 2026 · View on GitHub

A set of example Docker Compose Traefik stacks for different environments to get up an running in no time.

Setting Up Traefik Basic Auth

Reference guide for setting up Traefik BasicAuth middleware for the dashboard.

Generate a bcrypt password hash using a temporary Docker container:
```
docker run --rm -it httpd:alpine htpasswd -nB -C 12 adminuser
```
-C 12 sets the bcrypt cost. Lower defaults such as cost 05 are functional but not recommended for internet-exposed Basic Auth.

Enter your password when prompted. The output will look like:
```
adminuser:\$2y\$12$abcdefghijklmnopqrstuvwxyz...
```

Important

Escape $ characters in Docker Compose. Compose treats $ as variable interpolation syntax, so every $ in the bcrypt hash must become $$ in the label.

adminuser:\$2y\$12$...  ->  adminuser:$\$2y$\$12$$...

Add the user to your compose labels.

For a single user:

- 'traefik.http.middlewares.auth.basicauth.users=adminuser:$\$2y$\$12$$...'

For multiple users, separate with commas:

- 'traefik.http.middlewares.auth.basicauth.users=adminuser:$\$2y$\$12$$...,alice:$\$2y$\$12$$...'

Or abstract to an environment variable:

- 'traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_AUTH_USERS}'

Recreate the container after changing Basic Auth users.

docker compose up -d --force-recreate <service_name>

Deploy the stack.

Traefik reads the inline label and enforces Basic Auth on every request. The browser will prompt for credentials on first visit and cache them for the session.

Note

Password hashes are visible in Docker metadata (docker inspect) but remain bcrypt-hashed. Treat them as sensitive.