Traefik-forward-auth on all except some domains

I am using thomseddon/traefik-forward-auth and google to auth access to my homelab services over https.
For Plex this breaks remote access, as the clients are not web browsers.
How can I add exclusions for some domains to bypass auth?

(FYI: I run two Docker instances of Traefik, one for internal access with no auth, and one bound to a port-forwarded address with auth on all services. I also run a wildcard DNS, so I can access any internal service directly at foo.home.bar.net, and via auth port forwarded at foo.service.bar.net, where *.service.bar.net is a wildcard pointing to my public IP.)

Traefik config in Ansible:

---
# Install Traefik Forward Auth
# https://hub.docker.com/r/thomseddon/traefik-forward-auth
# https://www.github.com/thomseddon/traefik-forward-auth
# https://docs.traefik.io/middlewares/forwardauth/

# https://docs.ansible.com/ansible/latest/collections/community/docker/docker_container_module.html
- name: "Install Traefik Forward Auth"
  community.docker.docker_container:
    name: traefik-forward-auth
    image: thomseddon/traefik-forward-auth:latest
    pull: yes
    hostname: "traefik-forward-auth-{{ ansible_hostname }}"
    domainname: "{{ ansible_domain }}"
    restart_policy: unless-stopped
    user: "{{ user_id }}:{{ group_id }}"
    env:
      TZ: "{{ local_timezone }}"
      DEFAULT_PROVIDER: "google"
      PROVIDERS_GOOGLE_CLIENT_ID: "{{ google_auth_id }}"
      PROVIDERS_GOOGLE_CLIENT_SECRET: "{{ google_auth_secret }}"
      SECRET: "{{ traefik_auth_secret }}"
      COOKIE_DOMAIN: "{{ external_domain }}"
      #LOG_LEVEL: "debug"
      WHITELIST: "{{ traefik_auth_allow }}"
      AUTH_HOST: "{{ traefik_auth_server }}"
    networks:
      - name: "{{ docker_local_network }}"
    # published_ports:
    # External routing via traefik
    # - 4181:4181
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik-forward-auth.rule: "Host(`{{ traefik_auth_server }}`)"
      traefik.http.routers.traefik-forward-auth.entrypoints: "websecure"
      traefik.http.routers.traefik-forward-auth.middlewares: "traefik-forward-auth"
      traefik.http.middlewares.traefik-forward-auth.forwardauth.address: "http://traefik-forward-auth:4181"
      traefik.http.middlewares.traefik-forward-auth.forwardauth.authresponseheaders: "X-Forwarded-User"
      # Manually specify port and schema
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: "4181"
      traefik.http.services.traefik-forward-auth.loadbalancer.server.scheme: "http"
      com.centurylinklabs.watchtower.enable: "true"
    recreate: "{{ docker_container_recreate }}"

Traefik config file:

global:
  sendAnonymousUsage: true

log:
  level: "WARN" # DEBUG, PANIC, FATAL, ERROR, WARN, and INFO

api:
  dashboard: true
  insecure: true # Enable dashboard on http 8080 for direct access

serversTransport:
  insecureSkipVerify: true # Ignore downstream SSL cert errors

providers:
  docker:
    exposedByDefault: false
    network: "localnet" # {{ docker_local_network }}
  file:
    filename: "/config/dynamic-public.yml"

# https://docs.traefik.io/routing/entrypoints/
entryPoints:
  ssh:
    address: ":2022"
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        domains:
          - main: "service.insanegenius.net"
            sans:
              - "*.service.insanegenius.net"
          - main: "home.insanegenius.net"
            sans:
              - "*.home.insanegenius.net"
          - main: "insanegenius.net"
            sans:
              - "*.insanegenius.net"
      middlewares:
        # Enable auth for all services
        - "traefik-forward-auth@docker"

I suspect I need to add an exclusion to the middlewares, but I've not found info on how.

      middlewares:
        # Enable auth for all services
        - "traefik-forward-auth@docker"

If you don't want all services to use the middleware, then don't assign it in the static config. Just assign it in the dynamic config for each service that needs it.

I was probably not clear in the reason why I use static config.

I run two traefik instances on the same host, one connected to a static IP and port forwarded from the router, the other local host network access only.

Each docker instance is visible to both traefik instances, the result is traefik static config + docker instance dynamic config.

Only the port forwarded instance has the middleware auth present.
The host only instance has no auth as it only allows access from the local network.

I do not want to configure each docker. (Even if I could, I do not know how to configure one docker for different rules for different traefik instances on the same host).

Most importantly, it is a major configuration risk to have to configure each Docker instance to enable the auth middleware: if I forget, the service is visible on the internet with no auth.

That is why I am asking how to include everything by default on a per-Traefik-instance basis, and exclude per Docker instance, hostname or domain name.

I doubt that you can overwrite a middleware you have assigned in static config, but I am not an expert.

Why do you use 2 Traefik instances? You could just use a single one, use 2 entrypoints (public port and localhost), then assign each service/container the entrypoint it should be reachable at.

Example:

services:
  whoami:
    image: traefik/whoami:v1.8.1
    networks:
      - traefik
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.whoami.tls=true'
      - 'traefik.http.routers.whoami.entrypoints=websecure'
      - 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)'
      - 'traefik.http.services.whoami.loadbalancer.server.port=80'
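
Both suggestions above (assign the middleware per service in dynamic config, or split traffic by entrypoint) leave the forgotten-router risk the original poster raises: a container labelled for the public entrypoint without the auth middleware is on the internet unauthenticated. The script below is an added example, not code from this thread, from the Traefik project, or from thomseddon/traefik-forward-auth. It audits a list of routers and flags every router on the public entrypoint that lacks the forward-auth middleware, while tolerating an explicit exemption list for non-browser clients such as Plex. It assumes router objects shaped like the entries Traefik's `/api/http/routers` endpoint returns (`name`, `entryPoints`, `middlewares`, `rule`); the router names, hosts and the internal entrypoint name are constructed sample data.

```python
"""Audit Traefik routers so nothing on the public entrypoint lacks forward auth.

Added example for this thread, not code from the Traefik project or from
thomseddon/traefik-forward-auth. It assumes router objects shaped like the
entries Traefik's /api/http/routers endpoint returns (name, entryPoints,
middlewares, rule); the routers below are constructed sample data.
"""
import json
import re

PUBLIC_ENTRYPOINT = "websecure"                  # the internet-facing entrypoint
AUTH_MIDDLEWARE = "traefik-forward-auth@docker"  # middleware name used in the thread
# Routers allowed to skip auth because their clients are not browsers
# (the Plex case). Router names here are constructed.
AUTH_EXEMPT = {"plex@docker"}

# Constructed sample: what an API dump might look like once the middleware
# is assigned per router instead of on the entrypoint.
SAMPLE_ROUTERS = json.loads("""
[
  {"name": "whoami@docker", "entryPoints": ["websecure"],
   "middlewares": ["traefik-forward-auth@docker"],
   "rule": "Host(`whoami.service.example.net`)"},
  {"name": "plex@docker", "entryPoints": ["websecure"],
   "rule": "Host(`plex.service.example.net`)"},
  {"name": "grafana@docker", "entryPoints": ["websecure"],
   "middlewares": ["compress@docker"],
   "rule": "Host(`grafana.service.example.net`) || Host(`metrics.service.example.net`)"},
  {"name": "internal@docker", "entryPoints": ["web-internal"],
   "rule": "Host(`foo.home.example.net`)"}
]
""")

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")


def hosts_of(router):
    """Extract the Host() literals from a router rule; other matchers are ignored."""
    return HOST_RE.findall(router.get("rule", ""))


def audit(routers, public_entrypoint=PUBLIC_ENTRYPOINT,
          auth_middleware=AUTH_MIDDLEWARE, exempt=AUTH_EXEMPT):
    """Classify public routers by auth coverage.

    Returns a dict with:
      unprotected      - public routers with no auth middleware and no exemption
      exempted         - public routers skipping auth by explicit allowlisting
      stale_exemptions - allowlist entries matching no router (a latent hole if
                         a router is later created under that name)
    """
    result = {"unprotected": [], "exempted": [], "stale_exemptions": []}
    seen_names = set()
    for r in routers:
        seen_names.add(r["name"])
        if public_entrypoint not in r.get("entryPoints", []):
            continue  # only reachable internally; out of scope for this check
        if auth_middleware in r.get("middlewares", []):
            continue  # protected
        entry = {"router": r["name"], "hosts": hosts_of(r)}
        bucket = "exempted" if r["name"] in exempt else "unprotected"
        result[bucket].append(entry)
    result["stale_exemptions"] = sorted(exempt - seen_names)
    return result


def main():
    report = audit(SAMPLE_ROUTERS)
    for e in report["exempted"]:
        print("EXEMPT      ", e["router"], ", ".join(e["hosts"]))
    for e in report["unprotected"]:
        print("UNPROTECTED ", e["router"], ", ".join(e["hosts"]))
    for name in report["stale_exemptions"]:
        print("STALE EXEMPT", name)
    # Non-zero exit so a cron job or CI step fails when coverage slips.
    return 1 if report["unprotected"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On the posted config the dashboard API is enabled with `api.insecure: true` on port 8080, so `curl http://<traefik-host>:8080/api/http/routers` on the public instance returns the live router list to feed in place of `SAMPLE_ROUTERS`; that unauthenticated API port should itself only be reachable from the internal network. With the sample data the run reports grafana@docker as unprotected (it only has a compress middleware) and plex@docker as exempt, and exits non-zero, which is the signal to wire into a scheduled check.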

I could not get the auth middleware applied to a specific URI vs. all URIs on a service,
nor could I get hairpin NAT working when the port on the host is in use.
i.e.
service.foo.net -> public port forward -> auth -> service.docker
service.foo.net -> hairpin -> auth -> service.docker
service.local.foo.net -> service.docker

I was advised to run two instances, such that I can be selective, and it has been working great.
Except for not knowing how to selectively exclude a service from auth set in static config.