ConfigurationAuthenticationBasic
Basic Authentication
The basic authentication lets you protect drydock access using the Http Basic auth standard.
Variables
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
DD_AUTH_BASIC_{auth_name}_USER | 🔴 | Username | ||
DD_AUTH_BASIC_{auth_name}_HASH | 🔴 | Argon2id password hash | $argon2id$v=19$m=65536,t=3,p=4$salt$hash (preferred) or argon2id$memory$passes$parallelism$salt$hash (compatible) |
Hash values contain
$ characters. In Docker Compose YAML, double each $ as $$. In Bash, use single quotes around the value.Known limitation: Passwords containing colon characters (
:) are not supported due to a bug in the underlying passport-http library. Authentication will fail if your password contains a colon. Use passwords without colons until this is resolved.Argon2id verification uses asynchronous
crypto.argon2 so authentication does not block the Node.js event loop. The hash work still runs on libuv worker threads; for very high authentication concurrency, tune UV_THREADPOOL_SIZE or move verification into dedicated worker threads/services.Examples
services:
drydock:
image: codeswhat/drydock
...
environment:
- DD_AUTH_BASIC_JOHN_USER=john
- "DD_AUTH_BASIC_JOHN_HASH=argon2id$$65536$$3$$4$$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw=="
- DD_AUTH_BASIC_JANE_USER=jane
- "DD_AUTH_BASIC_JANE_HASH=argon2id$$65536$$3$$4$$r6d4/pX/7fLvpz3xw7qvEZok4KSYwMRm71TjBlujwPI=$$OmI2vv0GCpP12SC0u6dL6Lz1OpRyBjTQGe+bBvF84hhQJB1iTaFd/S1NRQafvAHL02U61E5/eqvOaQ81vPzxvw=="
- DD_AUTH_BASIC_BOB_USER=bob
- "DD_AUTH_BASIC_BOB_HASH=argon2id$$65536$$3$$4$$shoWJqA1qg1Zen08/XIocsJUEFKgox8Glw0/EAkY5SY=$$toyn5NwytBXDTqQN94wJzjUT0tocDzhvvYii4YK279pDTbMDGoyqOhxxDi7lS0xEJAC7fRKfMAaZFfxmzD4GNw=="docker run \
-e DD_AUTH_BASIC_JOHN_USER="john" \
-e 'DD_AUTH_BASIC_JOHN_HASH=argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==' \
-e DD_AUTH_BASIC_JANE_USER="jane" \
-e 'DD_AUTH_BASIC_JANE_HASH=argon2id$65536$3$4$r6d4/pX/7fLvpz3xw7qvEZok4KSYwMRm71TjBlujwPI=$OmI2vv0GCpP12SC0u6dL6Lz1OpRyBjTQGe+bBvF84hhQJB1iTaFd/S1NRQafvAHL02U61E5/eqvOaQ81vPzxvw==' \
-e DD_AUTH_BASIC_BOB_USER="bob" \
-e 'DD_AUTH_BASIC_BOB_HASH=argon2id$65536$3$4$shoWJqA1qg1Zen08/XIocsJUEFKgox8Glw0/EAkY5SY=$toyn5NwytBXDTqQN94wJzjUT0tocDzhvvYii4YK279pDTbMDGoyqOhxxDi7lS0xEJAC7fRKfMAaZFfxmzD4GNw==' \
...
codeswhat/drydockHow to create a password hash
Using argon2 CLI (recommended)
echo -n "yourpassword" | argon2 $(openssl rand -base64 32) -id -m 16 -t 3 -p 4 -l 64 -eAlternative: using Node.js locally (requires Node 24+, no argon2 CLI install)
node -e '
const c = require("node:crypto");
const toPhc = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const s = c.randomBytes(32);
const h = c.argon2Sync("argon2id", { message: process.argv[1], nonce: s, memory: 65536, passes: 3, parallelism: 4, tagLength: 64 });
console.log("$argon2id$v=19$m=65536,t=3,p=4$" + toPhc(s) + "$" + toPhc(h));
' "yourpassword"Legacy htpasswd hash formats from WUD/v1.3.x —
{SHA} (SHA-1), $apr1$ (Apache APR1-MD5), $1$ (MD5-crypt), DES crypt, and plain text — are still accepted at runtime but deprecated. They will be removed in v1.6.0. Use the commands above to generate an argon2id hash and update your DD_AUTH_BASIC_*_HASH values.