This Traefik plugin allows you to define exceptions for certain origin IPs / IP ranges or requests with specific headers to override basic auth requirements. This works by defining a special user / password in Traefik's basic auth configuration.
The following code snippet is a sample configuration for the dynamic file-based provider, but as usual, this plugin should work with all other configuration providers as well.
```toml
[http]
  [http.routers]
    [http.routers.router0]
      entryPoints = ["http"]
      service = "service-foo"
      rule = "Path(`/foo`)"
      middlewares = ["except-auth", "test-auth"]

  [http.middlewares]
    [http.middlewares.except-auth.plugin.except-authbasic]
      allowIPList = ["127.0.0.1"]
      user = "user"
      password = "password"
      preventUser = true
      headers = {"X-Very-Secret" = "totallysecret"}

    [http.middlewares.test-auth.basicauth]
      users = "user:$apr1$6Ktd55e3$9qaa6Dw9t70x90uQbZsts/,anotheruser:$apr1$cwugIdEJ$juXAPT2qb0sUroFEIucqz0"
      realm = "Test"
      removeHeader = true
```
Please note: The middleware for this plugin needs to be loaded before the basic auth middleware (as seen above).
This plugin supports the following configuration parameters:
127.0.0.1) and IP address ranges (e.g. 127.0.0.1/8). Default: []
"""
"""
. Needs to be in plaintext!false
X-Forwarded-For, X-Real-IP) to use as sources besides the request's remote IP. Please note: If any IP address can be found in one of these headers, the request's remote IP is ignored. Multiple IPs in a header (e.g. 127.0.0.1,127.0.0.2) are treated equally. Using this feature is highly discouraged. Please ensure that these headers are not set by end users. Default: []
* as wildcard value. Please note: This is OR-chained with the IP-based rules. Default: {}
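
The matching rules from the parameter list, sketched as an added Go example (not the plugin's source code). `exempt` is a hypothetical helper; it assumes that one matching IP in a configured header is sufficient and that `*` matches any non-empty header value. It shows why a header that clients can set themselves must not be configured as an IP source.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// exempt models the documented rules (hypothetical helper, not the plugin's source).
func exempt(r *http.Request, allow, ipHeaders []string, headers map[string]string) bool {
	for name, want := range headers { // header rule, OR-chained with the IP rule
		if got := r.Header.Get(name); got != "" && (want == "*" || got == want) {
			return true
		}
	}
	var ips []net.IP
	for _, h := range ipHeaders { // any IP found here replaces the remote IP
		for _, v := range r.Header.Values(h) {
			for _, p := range strings.Split(v, ",") {
				if ip := net.ParseIP(strings.TrimSpace(p)); ip != nil {
					ips = append(ips, ip)
				}
			}
		}
	}
	if len(ips) == 0 { // no header IP found: fall back to the connection's address
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		ips = append(ips, net.ParseIP(host)) // nil on a parse failure, which matches nothing
	}
	for _, ip := range ips {
		for _, a := range allow {
			if _, n, err := net.ParseCIDR(a); err == nil && ip != nil && n.Contains(ip) {
				return true
			}
			if single := net.ParseIP(a); single != nil && single.Equal(ip) {
				return true
			}
		}
	}
	return false
}

func main() {
	r := &http.Request{RemoteAddr: "203.0.113.7:4711", Header: http.Header{}} // constructed request
	fmt.Println(exempt(r, []string{"127.0.0.1/8"}, nil, nil))                  // remote IP is not listed
	r.Header.Set("X-Forwarded-For", "127.0.0.1")                              // value the proxy did not strip
	fmt.Println(exempt(r, []string{"127.0.0.1/8"}, []string{"X-Forwarded-For"}, nil))
}
```

The second call returns true although the connection's address is unchanged, so a reverse proxy in front of Traefik has to overwrite or strip any header listed as an IP source.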