diff --git a/compose.production.yml b/compose.production.yml
index c9fec77c..cf155c18 100644
--- a/compose.production.yml
+++ b/compose.production.yml
@@ -67,8 +67,6 @@ services:
             - 'traefik.enable=true'
             - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)'
             - 'traefik.http.services.idp.loadbalancer.server.port=7080'
-            - 'traefik.http.routers.block-admin.rule=PathPrefix(`/idp/admin`)'
-            - 'traefik.http.routers.block-admin.service=web'
         depends_on:
             - keycloak-db
         volumes:
@@ -95,6 +93,9 @@ services:
             - '80:80/tcp'
             - '443:443/tcp'
         command:
+            # Enable web UI
+            - '--api=true'
+
             # Add Docker provider
             - '--providers.docker=true'
             - '--providers.docker.exposedbydefault=false'
@@ -115,6 +116,15 @@ services:
             - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web'
             - '--certificatesresolvers.letsencrypt.acme.email=timo.demeyst@ugent.be'
             - '--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+        labels:
+            # BasicAuth middleware
+            - 'traefik.http.middlewares.protected-sub-path.basicauth.users=dwengo.org:$$apr1$$FdALqAjI$$7ZhPq0I/qEQ6k3OYqxJKZ1'
+            # Proxying
+            - 'traefik.enable=true'
+            - 'traefik.http.routers.proxy.middlewares=protected-sub-path'
+            - 'traefik.http.routers.proxy.service=api@internal'
+            - 'traefik.http.routers.proxy.rule=PathPrefix(`/proxy`)'
+            - 'traefik.http.services.proxy.loadbalancer.server.port=8080'
         restart: unless-stopped
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock:ro
diff --git a/compose.staging.yml b/compose.staging.yml
index 547a9235..3d833436 100644
--- a/compose.staging.yml
+++ b/compose.staging.yml
@@ -60,6 +60,13 @@ services:
 
             # Add web entrypoint
             - '--entrypoints.web.address=:80/tcp'
+
+            # Proxying the web UI on a sub-path
+            - '--api.basePath=/proxy'
+        labels:
+            - 'traefik.http.routers.proxy.service=api@internal'
+            - 'traefik.http.routers.proxy.rule=PathPrefix(`/proxy`)'
+            - 'traefik.http.services.proxy.loadbalancer.server.port=8080'
         ports:
             - '9000:8080'
             - '80:80/tcp'
diff --git a/config/grafana/grafana.ini b/config/grafana/grafana.ini
index d1c7b40b..7421cb3f 100644
--- a/config/grafana/grafana.ini
+++ b/config/grafana/grafana.ini
@@ -2,3 +2,7 @@
 
 root_url = http://localhost:3000/graphs
 serve_from_sub_path = true
+
+[security]
+
+admin_user = dwengo.org