diff --git a/compose.production.yml b/compose.production.yml
index 65dc199b..f28e24ad 100644
--- a/compose.production.yml
+++ b/compose.production.yml
@@ -67,8 +67,6 @@ services:
             - 'traefik.enable=true'
             - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)'
             - 'traefik.http.services.idp.loadbalancer.server.port=7080'
-            - 'traefik.http.routers.block-admin.rule=PathPrefix(`/idp/admin`)'
-            - 'traefik.http.routers.block-admin.service=web'
         depends_on:
             - keycloak-db
         volumes:
@@ -95,6 +93,9 @@ services:
             - '80:80/tcp'
             - '443:443/tcp'
         command:
+            # Enable web UI
+            - '--api=true'
+
             # Add Docker provider
             - '--providers.docker=true'
             - '--providers.docker.exposedbydefault=false'
@@ -115,6 +116,17 @@ services:
             - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web'
             - '--certificatesresolvers.letsencrypt.acme.email=timo.demeyst@ugent.be'
             - '--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+        labels:
+            # BasicAuth middleware
+            # To create a user:password pair, the following command can be used:
+            # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+            - 'traefik.http.middlewares.protected-sub-path.basicauth.users=dwengo.org:$$apr1$$FdALqAjI$$7ZhPq0I/qEQ6k3OYqxJKZ1'
+            # Proxying
+            - 'traefik.enable=true'
+            - 'traefik.http.routers.proxy.middlewares=protected-sub-path'
+            - 'traefik.http.routers.proxy.service=api@internal'
+            - 'traefik.http.routers.proxy.rule=PathPrefix(`/proxy`)'
+            - 'traefik.http.services.proxy.loadbalancer.server.port=8080'
         restart: unless-stopped
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -137,8 +149,10 @@ services:
 
     dashboards:
         image: grafana/grafana:latest
-        ports:
-            - '9002:3000'
+        labels:
+            - 'traefik.enable=true'
+            - 'traefik.http.routers.graphs.rule=PathPrefix(`/graphs`)'
+            - 'traefik.http.services.graphs.loadbalancer.server.port=3000'
         restart: unless-stopped
         volumes:
             - dwengo_grafana_data:/var/lib/grafana
diff --git a/compose.staging.yml b/compose.staging.yml
index 253ab7d5..3d833436 100644
--- a/compose.staging.yml
+++ b/compose.staging.yml
@@ -60,6 +60,13 @@ services:
 
             # Add web entrypoint
             - '--entrypoints.web.address=:80/tcp'
+
+            # Proxying the web UI on a sub-path
+            - '--api.basePath=/proxy'
+        labels:
+            - 'traefik.http.routers.proxy.service=api@internal'
+            - 'traefik.http.routers.proxy.rule=PathPrefix(`/proxy`)'
+            - 'traefik.http.services.proxy.loadbalancer.server.port=8080'
         ports:
             - '9000:8080'
             - '80:80/tcp'
@@ -82,8 +89,12 @@ services:
         image: grafana/grafana:latest
         ports:
             - '9002:3000'
+        labels:
+            - 'traefik.http.routers.graphs.rule=PathPrefix(`/graphs`)'
+            - 'traefik.http.services.graphs.loadbalancer.server.port=3000'
         volumes:
             - dwengo_grafana_data:/var/lib/grafana
+            - ./config/grafana/grafana.ini:/etc/grafana/grafana.ini
         restart: unless-stopped
 
 volumes:
diff --git a/config/grafana/grafana.ini b/config/grafana/grafana.ini
new file mode 100644
index 00000000..7421cb3f
--- /dev/null
+++ b/config/grafana/grafana.ini
@@ -0,0 +1,8 @@
+[server]
+
+root_url = http://localhost:3000/graphs
+serve_from_sub_path = true
+
+[security]
+
+admin_user = dwengo.org