Hello!
I'd like to allow access to Traefik from one IP and require basic auth from all other sources; Is there any way to skip basic auth if the IP matches?
In Apache htaccess we could do something like this
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
Require expr %{REMOTE_ADDR} = "123.123.123.123"
This would allow access from any user that can authenticate against the .htpasswd file or requests coming from 123.123.123.123.
Is there anything like this in Traefik?
Thanks in advance!
Hello @kevingimbel,
One simple use case, could be:
version: '3.6'
services:
traefik:
image: traefik:v2.6
command:
- --providers.docker
ports:
- "80:80"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
whoami:
image: traefik/whoami
labels:
traefik.http.routers.whoami-ip.rule: Host(`whoami.localhost`) && ClientIP(`127.0.0.1`)
traefik.http.routers.whoami-auth.rule: Host(`whoami.localhost`)
traefik.http.routers.whoami-auth.middlewares: test-auth
traefik.http.middlewares.test-auth.basicauth.users: root:$$apr1$$J.oefIGs$$HnlqmKtI8B6xKYYA1WbEc. #root:root
Here, I define 2 routers.
The first one filters IP and match only a given IP. So, requests coming from this IP will have to be authenticated.
The second one, with a lower priority, will match all other requests going to this service. This second router uses the test-auth middleware that ensure that requests are authenticated to be served.
Hope it helps 
Thank you a lot, this looks exactly like what I needed! I'll test this on our infra and then mark as solution once I verify it works! 
I was finally able to test this and it works! We had some issues with the basic auth which was defined for the entrypoint instead of the routes, but after reconfiguring that it worked.