From 3c7aad09ad394602b70fae7e49de68129dfbd8bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sat, 8 Nov 2025 18:37:01 +0100
Subject: [PATCH] security: add HTTP Basic Auth to Netdata dashboard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added HTTP Basic Authentication to secure the Netdata monitoring dashboard:
- Added basicauth middleware using shared AUTH_USERS credentials
- Protects sensitive infrastructure metrics from unauthorized access
- Uses same credentials as Scrapy and other protected services
- Maintains SSL/TLS encryption via Traefik

Security improvements:
- Dashboard now requires username/password
- Prevents public access to server metrics
- Infrastructure monitoring data protected
- Follows security best practices from Netdata documentation

Access requires credentials stored in AUTH_USERS environment variable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 netdata/compose.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/netdata/compose.yaml b/netdata/compose.yaml
index d068fca..4502485 100644
--- a/netdata/compose.yaml
+++ b/netdata/compose.yaml
@@ -39,7 +39,8 @@ services:
       - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
       - 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-compress.compress=true'
-      - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
+      - 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
+      - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-auth,${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
       # Service
       - 'traefik.http.services.${NETDATA_COMPOSE_PROJECT_NAME}.loadbalancer.server.port=19999'
       - 'traefik.docker.network=${NETWORK_NAME}'