Auth only on path prefix

I'm trying to put some basic authentication on only the /metrics prefix of one of my services. For this, I have the following compose file:

version: "3.5"
services:
  reverse-proxy:
    image: traefik:latest
    command:
      - --log.level=${LOG_LEVEL}
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/configs/
      - --entryPoints.web.address=:${HTTP_PORT}
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https 
      - --entryPoints.websecure.address=:${HTTPS_PORT}
    ports:
      - ${HTTP_PORT}:80
      - ${HTTPS_PORT}:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA_DIR}/letsencrypt/acme.json:/acme.json
      - ${DATA_DIR}/traefik_configs/:/configs
      - ${DATA_DIR}/.metric_users:/userfiles/.metric_users
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=dnsresolver"
      - "traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.${DOMAIN}"
    restart: unless-stopped

  backend:
    image: <myimage>
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.back.rule=Host(`${BACK_HOST}`)"
      - "traefik.http.routers.back.entryPoints=web"
      - "traefik.http.services.back.loadbalancer.server.port=8080"
      - "traefik.http.routers.back-ssl.rule=Host(`${BACK_HOST}`)"
      - "traefik.http.routers.back-ssl.entryPoints=websecure"
      - "traefik.http.routers.back-ssl.service=back"
      - "traefik.http.routers.back-ssl.tls=true"
      - "traefik.http.routers.back-auth.rule=Host(`${BACK_HOST}`) && PathPrefix(`/metrics`)"
      - "traefik.http.routers.back-auth.middlewares=metric-auth"
      - "traefik.http.routers.back-auth.priority=300"
      - "traefik.http.middlewares.metric-auth.basicauth.usersfile=/userfiles/.metric_users"

The .metric_users file contains my pairs of user:hashed-passwd and my traefik_configs directory only contains a file for TLS settings.

From what I understand, this should require me to log in when going to the /metrics prefix. However, this doesn't happen and I'm not sure why. Is this an issue with the different priorities?

Hello @Lithimlin and thanks for your interest in Traefik,

The issue is not related to the priority, the problem is that you missed adding the tls label to the back-auth router configuration:

traefik.http.routers.back-auth.tls=true

I would also set the entryPoints label value for the basic-auth router to websecure as all requests sent with the http scheme on web will be redirected to websecure with the https scheme.

Hope this helps!

That worked! Thanks.

In hindsight, it seems kind of obvious what I was missing, but one is always smarter after the fact.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.