TLS Client cert authentication with HTTP AUTH as fallback


Currently evaluating migrating my nginx setup to Traefik. In order to add some extra security to some microservices that I'm exposing over HTTP, I'm currently using a LetsEncrypt Nginx container as a reverse proxy that does pre-authentication before the HTTP request even gets to the final destination.

I'm using the following code in nginx:

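    # Default: require HTTP basic auth with this realm.
    set $realm "HTTP AUTH";

    # Request a client certificate but do not require one.
    ssl_client_certificate /config/userauth/ca.crt;
    ssl_verify_client optional;

    # A certificate that verified against the CA switches basic auth off.
    if ($ssl_client_verify = SUCCESS) {
        set $realm off;
    }

    location / {
        auth_basic                      $realm;
        auth_basic_user_file            /config/userauth/.htpasswd;
        proxy_pass                      http://someinternalURL/;
        proxy_max_temp_file_size        10m;
        include                         /config/nginx/proxy.conf;
    }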

I've been digging through the TLS and Auth sections of the Traefik docs but I can't seem to find the exact setup I'm trying to rebuild. Note that I'm not trying to pass the authentication to the backend service. It just needs to auth in the middle. Some services behind this proxy have additional authentication methods or verification codes embedded in the API for extra security.

The reason for the client certs is that I can auto-login when using a trusted computer and get straight to the app, with a fallback to normal HTTP auth when using a different device.

Did you find a solution to this problem?