ConfigurationAuthenticationBasic
Basic Authentication
The basic authentication lets you protect drydock access using the Http Basic auth standard.
The basic authentication lets you protect drydock access using the Http Basic auth standard.
Variables
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
DD_AUTH_BASIC_{auth_name}_USER | 🔴 | Username | ||
DD_AUTH_BASIC_{auth_name}_HASH | 🔴 | Argon2id password hash | $argon2id$v=19$m=65536,t=3,p=4$salt$hash (preferred) or argon2id$memory$passes$parallelism$salt$hash (compatible) |
Hash values contain
$ characters. In Docker Compose YAML, double each $ as $$. In Bash, use single quotes around the value.Known limitation: Passwords containing colon characters (
:) are not supported due to a bug in the underlying passport-http library. Authentication will fail if your password contains a colon. Use passwords without colons until this is resolved.Argon2id verification uses asynchronous
crypto.argon2 so authentication does not block the Node.js event loop. The hash work still runs on libuv worker threads; for very high authentication concurrency, tune UV_THREADPOOL_SIZE or move verification into dedicated worker threads/services.Examples
services:
drydock:
image: codeswhat/drydock
...
environment:
- DD_AUTH_BASIC_JOHN_USER=john
- "DD_AUTH_BASIC_JOHN_HASH=argon2id$$65536$$3$$4$$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw=="
- DD_AUTH_BASIC_JANE_USER=jane
- "DD_AUTH_BASIC_JANE_HASH=argon2id$$65536$$3$$4$$r6d4/pX/7fLvpz3xw7qvEZok4KSYwMRm71TjBlujwPI=$$OmI2vv0GCpP12SC0u6dL6Lz1OpRyBjTQGe+bBvF84hhQJB1iTaFd/S1NRQafvAHL02U61E5/eqvOaQ81vPzxvw=="
- DD_AUTH_BASIC_BOB_USER=bob
- "DD_AUTH_BASIC_BOB_HASH=argon2id$$65536$$3$$4$$shoWJqA1qg1Zen08/XIocsJUEFKgox8Glw0/EAkY5SY=$$toyn5NwytBXDTqQN94wJzjUT0tocDzhvvYii4YK279pDTbMDGoyqOhxxDi7lS0xEJAC7fRKfMAaZFfxmzD4GNw=="docker run \
-e DD_AUTH_BASIC_JOHN_USER="john" \
-e 'DD_AUTH_BASIC_JOHN_HASH=argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==' \
-e DD_AUTH_BASIC_JANE_USER="jane" \
-e 'DD_AUTH_BASIC_JANE_HASH=argon2id$65536$3$4$r6d4/pX/7fLvpz3xw7qvEZok4KSYwMRm71TjBlujwPI=$OmI2vv0GCpP12SC0u6dL6Lz1OpRyBjTQGe+bBvF84hhQJB1iTaFd/S1NRQafvAHL02U61E5/eqvOaQ81vPzxvw==' \
-e DD_AUTH_BASIC_BOB_USER="bob" \
-e 'DD_AUTH_BASIC_BOB_HASH=argon2id$65536$3$4$shoWJqA1qg1Zen08/XIocsJUEFKgox8Glw0/EAkY5SY=$toyn5NwytBXDTqQN94wJzjUT0tocDzhvvYii4YK279pDTbMDGoyqOhxxDi7lS0xEJAC7fRKfMAaZFfxmzD4GNw==' \
...
codeswhat/drydockHow to create a password hash
Using argon2 CLI (recommended)
echo -n "yourpassword" | argon2 $(openssl rand -base64 32) -id -m 16 -t 3 -p 4 -l 64 -eAlternative: using Node.js locally (requires Node 24+, no argon2 CLI install)
node -e '
const c = require("node:crypto");
const toPhc = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const s = c.randomBytes(32);
const h = c.argon2Sync("argon2id", { message: process.argv[1], nonce: s, memory: 65536, passes: 3, parallelism: 4, tagLength: 64 });
console.log("$argon2id$v=19$m=65536,t=3,p=4$" + toPhc(s) + "$" + toPhc(h));
' "yourpassword"Legacy htpasswd hash formats from WUD/v1.3.x —
{SHA} (SHA-1), $apr1$ (Apache APR1-MD5), $1$ (MD5-crypt), DES crypt, and plain text — are still accepted at runtime but deprecated. They will be removed in v1.6.0. Use the commands above to generate an argon2id hash and update your DD_AUTH_BASIC_*_HASH values.