Traefik, forward auth and API/basic authentication

[devster31]

My question is regarding the following issue #13238
After the implementation of these features (API and basic authentication) I'm still unclear on how to properly configure Traefik and qBittorrent for WebUI authentication while allowing API key authentication for the API only.
From what I can gather from the current docs it's still not possible to uncouple the WebUI auth and API auth, meaning an instance of qBittorrent with an authentication middleware will still not allow API access and using a setting which disables auth checks for the internal docker network (without enabling reverse proxy support in qBittorrent as it would read the original IP and render this pointless) exposes the API endpoint with no authentication.

In short, is there a way to keep only API key auth with forward auth for web UI with some kind of configuration?

[devster31]

I figured out a solution, leaving it here for future reference:

labels:
  traefik.http.routers.qbt.middlewares: tinyauth,qbt-auth
  traefik.http.routers.qbt.rule: Host(`qbt.${DOMAIN}`)
  traefik.http.routers.qbt.tls: "true"
  traefik.http.routers.qbt.tls.certresolver: ovh
  traefik.http.routers.qbt-api.rule: "Host(`qbt.${DOMAIN}`) && PathPrefix(`/api`)"
  traefik.http.routers.qbt-api.service: qbt
  traefik.http.routers.qbt-api.tls: "true"
  traefik.http.routers.qbt-api.tls.certresolver: ovh
  traefik.http.services.qbt.loadbalancer.server.port: "8088"
  traefik.http.middlewares.qbt-auth.headers.customrequestheaders.Authorization: "Basic ${QBIT_BASIC_AUTH_B64}"
  traefik.http.middlewares.qbt-auth.headers.customrequestheaders.Referer: ""
  traefik.http.middlewares.qbt-auth.headers.customrequestheaders.Origin: ""

Add Basic auth header for all requests for WebUI while the API path is left out of the Tinyauth (or other provider) authentication.