fabio supports basic http authorization on a per-route basis.

Authorization schemes are configured with the proxy.auth option. You can configure one or multiple schemes.

Each authorization scheme is configured with a list of key/value options.


Each scheme must have a unique name which is then referenced in a route configuration.

proxy.auth = name=myauth;type=...

When you configure the route, you must reference the unique name for the authorization scheme:

route add svc / auth=<name>

urlprefix-/ proto=https auth=<name>

The following types of authorization schemes are available:

  • basic: legacy store for a single TLS and a set of client auth certificates

At the end you also find a list of examples.


The basic authorization scheme leverages Http Basic Auth and reads a htpasswd file at startup and credentials are cached until the service exits.

The file option contains the path to the htpasswd file. The realm parameter is optional (default is to use the name). The refresh option can set the htpasswd file refresh interval. Minimal refresh interval is 1s to void busy loop. By default refresh is disabled i.e. set to zero. Note: removing the htpasswd file will cause all requests to fail with HTTP status code 401 (Unauthorized) until the file is restored.


Supported htpasswd formats are detailed here


# single basic auth scheme

# single basic auth scheme with refresh interval set to 30 seconds

# basic auth with multiple schemes
proxy.auth = name=mybasicauth;type=basic;file=p/creds.htpasswd;refresh=30s