How to handle protected and unprotected routes on single service

Hello, I'm looking for a sane method to handle a specific situation where I have one service with both protected and unprotected routes (using forwardauth.)


I have a single service with all of it's routes prefixed to /api
I need to protect/unprotect specific routes with forwardauth middleware *that do not have their own prefix (i.e. /unprotected)

My first instinct is to run two separate routers for protected/unprotected, but I'm at a loss for how to handle mapping the specific routes. It seems like I would have to chain all of the protected routes in my rule for the routers like:

traefik.http.routers.api-protected.rule=(Host(local.test) && Path(/api/protect1) || Path(/api/protect2) || Path(/api/protect3))

traefik.http.routers.api-unprotected.rule=(Host(local.test) && Path(`/api/unprotected))

Where the forwardauth middleware only applies on my 'protected' router.

Is there a better way to do this?

Hello @cellis,

When you define a router, you can specify which middleware will be attached:

traefik.http.routers.api-protected.rule: (Host(`local.test`) && Path(`/api/protect1`) || Path(`/api/protect2`) || Path(`/api/protect3`))
traefik.http.routers.api-protected.middlewares: forwardauth

traefik.http.routers.api-unprotected.rule: (Host(local.test) && Path(`/api/unprotected))