security(ui): add Basic Auth protection for /accounts UI

- Add Traefik Basic Auth middleware for /accounts path
- API endpoints remain unprotected (as intended)
- Configure via CCPROXY_UI_AUTH environment variable
- Document setup in .env.example

BREAKING: /accounts UI now requires authentication when CCPROXY_UI_AUTH is set

Author: joachimBrindeau

.env.example

@@ -38,6 +38,15 @@ PGID=1000
 # Hostname for Traefik routing (Docker compose with Traefik)
 # CCPROXY_HOST=localhost
 
+# =============================================================================
+# UI SECURITY (Traefik Basic Auth)
+# =============================================================================
+# Basic Auth credentials for /accounts UI (protects account management)
+# Generate with: htpasswd -nb username password
+# Example: htpasswd -nb admin mySecurePassword123
+# IMPORTANT: In docker-compose, escape $ as $$ (admin:$$apr1$$...)
+# CCPROXY_UI_AUTH=admin:$$apr1$$SALT$$HASH
+
 # =============================================================================
 # DEBUGGING & LOGGING
 # =============================================================================

docker/compose.yaml

@@ -35,16 +35,28 @@ services:
     labels:
       - traefik.enable=true
       - traefik.docker.network=coolify
+      # HTTP → HTTPS redirect
       - 'traefik.http.routers.claude-code-proxy-http.rule=Host(`${CCPROXY_HOST:-localhost}`)'
       - traefik.http.routers.claude-code-proxy-http.entrypoints=http
       - traefik.http.routers.claude-code-proxy-http.middlewares=redirect-to-https
-      - 'traefik.http.routers.claude-code-proxy.rule=Host(`${CCPROXY_HOST:-localhost}`)'
+      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
+      - traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true
+      # Main HTTPS router (API access - no auth)
+      - 'traefik.http.routers.claude-code-proxy.rule=Host(`${CCPROXY_HOST:-localhost}`) && !PathPrefix(`/accounts`)'
       - traefik.http.routers.claude-code-proxy.entrypoints=https
       - traefik.http.routers.claude-code-proxy.tls=true
       - traefik.http.routers.claude-code-proxy.tls.certresolver=letsencrypt
+      # Protected UI router (accounts - requires Basic Auth)
+      - 'traefik.http.routers.claude-code-proxy-ui.rule=Host(`${CCPROXY_HOST:-localhost}`) && PathPrefix(`/accounts`)'
+      - traefik.http.routers.claude-code-proxy-ui.entrypoints=https
+      - traefik.http.routers.claude-code-proxy-ui.tls=true
+      - traefik.http.routers.claude-code-proxy-ui.tls.certresolver=letsencrypt
+      - traefik.http.routers.claude-code-proxy-ui.middlewares=accounts-auth
+      # Basic Auth middleware (generate hash: htpasswd -nb admin password)
+      # Default: admin:admin - CHANGE THIS via CCPROXY_UI_AUTH env var
+      - 'traefik.http.middlewares.accounts-auth.basicauth.users=${CCPROXY_UI_AUTH:-admin:$$apr1$$xyz$$placeholder}'
+      # Service
       - traefik.http.services.claude-code-proxy.loadbalancer.server.port=8000
-      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
-      - traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true
     networks:
       - coolify