Closed b83 closed 8 months ago
Thanks for raising this. It will be fixed ASAP. As this is likely a configuration bug in the entrypoint, there will not be a version bump; anyone using latest or 1.0.2 will get the fix.
I have a test setup that demonstrates the issue:
```yaml
version: '3.8'

secrets:
  MONGO_INITDB_ROOT_USERNAME:
    file: ./secrets/mongo_root_username.txt
  MONGO_INITDB_ROOT_PASSWORD:
    file: ./secrets/mongo_root_password.txt
  ME_CONFIG_BASICAUTH_USERNAME:
    file: ./secrets/mongo_express_username.txt
  ME_CONFIG_BASICAUTH_PASSWORD:
    file: ./secrets/mongo_express_password.txt

services:
  mongo:
    image: mongo:4
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_INITDB_ROOT_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_INITDB_ROOT_PASSWORD}

  mongoexpress:
    # build: 1.0/20-alpine3.19
    image: mongo-express:1.0.0
    # image: mongo-express:1.0.2
    ports:
      - "8081:8081"
    links:
      - mongo
    environment:
      - ME_CONFIG_MONGODB_SERVER=mongo
      - ME_CONFIG_MONGODB_ENABLE_ADMIN=true
      - ME_CONFIG_MONGODB_ADMINUSERNAME_FILE=/run/secrets/MONGO_INITDB_ROOT_USERNAME
      - ME_CONFIG_MONGODB_ADMINPASSWORD_FILE=/run/secrets/MONGO_INITDB_ROOT_PASSWORD
      - ME_CONFIG_BASICAUTH_USERNAME_FILE=/run/secrets/ME_CONFIG_BASICAUTH_USERNAME
      - ME_CONFIG_BASICAUTH_PASSWORD_FILE=/run/secrets/ME_CONFIG_BASICAUTH_PASSWORD
    secrets:
      - MONGO_INITDB_ROOT_USERNAME
      - MONGO_INITDB_ROOT_PASSWORD
      - ME_CONFIG_BASICAUTH_USERNAME
      - ME_CONFIG_BASICAUTH_PASSWORD
```
```sh
docker-compose down -v
mkdir -vp secrets
for user in express root ; do
    echo "${user}_custom_username" > ./secrets/mongo_${user}_username.txt
    dd if=/dev/random bs=1 count=32 2>/dev/null | base64 > ./secrets/mongo_${user}_password.txt
done
export MONGO_INITDB_ROOT_USERNAME=$(cat ./secrets/mongo_root_username.txt)
export MONGO_INITDB_ROOT_PASSWORD=$(cat ./secrets/mongo_root_password.txt)
docker-compose up -d
```
When running 1.0.0, the basic auth user/pass work as expected, but on 1.0.2 they are ignored and users can connect without any credentials. Hope to have a patch soon.
All of a sudden, with the latest version, the ME_CONFIG_BASICAUTH_USERNAME_FILE and ME_CONFIG_BASICAUTH_PASSWORD_FILE environment variables stopped working, making pages insecure - without Basic Auth.
Can be reproduced with Docker Swarm, or I suppose with a regular Docker environment as well. Falling back to version 1.0.0 brings back the Basic Auth.
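
A fail-closed preflight for the `*_FILE` variables discussed in this thread, as an added example (not mongo-express's entrypoint code and not part of any comment above). The helper names `resolve_file_env` and `require_basic_auth` are hypothetical, and it assumes the deployment must never start without Basic Auth credentials.

```shell
# Added example: POSIX sh helpers a wrapper entrypoint could call before
# starting the app. Function names are hypothetical, not project code.

# resolve_file_env VAR
# If VAR_FILE is set, load VAR from that file and export it.
# Fails (non-zero) instead of silently continuing when the file is
# unreadable or empty, or when VAR and VAR_FILE are both set.
resolve_file_env() {
    var=$1
    eval "val=\${$var-}"
    eval "file=\${${var}_FILE-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: $var and ${var}_FILE are both set" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: ${var}_FILE=$file is not readable" >&2
            return 1
        fi
        val=$(cat "$file")   # command substitution drops the trailing newline
        if [ -z "$val" ]; then
            echo "error: ${var}_FILE=$file is empty" >&2
            return 1
        fi
        export "$var=$val"
        unset "${var}_FILE"
    fi
    return 0
}

# require_basic_auth
# Resolves both Basic Auth variables and refuses to continue if either ends
# up empty (assumption: this deployment must always enforce Basic Auth).
require_basic_auth() {
    for name in ME_CONFIG_BASICAUTH_USERNAME ME_CONFIG_BASICAUTH_PASSWORD; do
        resolve_file_env "$name" || return 1
        eval "resolved=\${$name-}"
        if [ -z "$resolved" ]; then
            echo "error: $name is empty, refusing to start without Basic Auth" >&2
            return 1
        fi
    done
    return 0
}
```

In a wrapper entrypoint this would run as `require_basic_auth || exit 1` before the application is exec'd, so a secret that fails to load stops the container rather than leaving the UI open.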