Config problems with grafana and basic auth

Hey,
I came to set up a small Raspi-based server for basic services. I want to make it accessible to different users, who shall have different access rights. Everything will be based on docker.

In a basic use case I installed an InfluxDB with Grafana, Portainer to organize docker stuff and chronograf for database management (maybe more to come). Also I have a VPN connection to my local network (not dockerized) and (FUTURE!) I would like to have a PiHole running on it as well (with little use).
So much for my setup on the Raspi4.

Here is how I imagined it to work vs. reality:

VPN access port 1194, so it should not collide with any other service. (Indeed it works quite well so far)
Grafana is accessible through port 3000, portainer through port 9000 and chronograf through port 8888, which can be changed within docker container setup to be any desired port.

What I hoped to configure:

  1. HTTP request comes on port 80 with mydyndns.com/grafana (or …com/portainer, …com/AnyKindOfString)
  2. haproxy makes basic auth to check if the user has rights to access the service
  3. if 2 applies: haproxy redirects to localhost:3000, ELSE any kind of error

This is what my haproxy.cfg looked like in the first step (pretty straightforward):

global
    maxconn 3000
defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80

    acl has_grafana path_beg /grafana
    acl has_portainer path_beg /portainer

    use_backend grafana_backend if has_grafana
    use_backend portainer_backend if has_portainer

    default_backend portainer_backend

backend grafana_backend
    server grafana_test 192.168.0.3:4000 check

backend portainer_backend
    server portainer 192.168.0.3:9000 check

Setting portainer as default_backend, I got redirected correctly to portainer when entering only mydyndns.com. Trying to connect to mydyndns.com/grafana I get error 404.
I changed default_backend to grafana and experienced the upside down, so got redirected to grafana when typing mydyndns.com and an error with mydyndns.com/portainer.
Same happened with other ports I have tried.

So sadly I couldn't even overcome the first step of the reverse proxy setup and after hours of researching I couldn't really find a suitable solution.

Trying base auth (frontend and backend) with only grafana I saw some little success. I got asked for credentials, which I defined in a userlist in the haproxy.cfg file. Sadly I couldn't pass through the base auth with any of the created users+insecure_password, ONLY if they were the same combination as needed for “grafana login” (so the next step login page).

So what I need to find out is:

  • redirect to different servers based on the path
  • create working base auth (either backend or frontend, doesn't have to be super clean, but safe)
  • in addition to all the mentioned stuff, I would like to use the pi as DNS server with pihole installed, which also listens to port 80, just as haproxy in my case and the documentation did not really help me out.

So if anyone has some useful information about all (or only some) of my questions I would appreciate it a lot!!

Thanks and have some nice days off!

Noah
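
An added example, not part of the original post and not the poster's own configuration: a haproxy.cfg for the Grafana route only, combining the path-based routing and the backend basic auth described above. It assumes Grafana's root_url is set to the /grafana/ sub-path; the userlist name, user name and password are constructed placeholders, and the server address is the one from the post.

```haproxy
global
    maxconn 3000

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

# Constructed sample user. insecure-password keeps the secret in clear text
# in this file; the "password" keyword takes a crypt(3) hash instead.
userlist grafana_users
    user alice insecure-password REPLACE_WITH_A_LONG_RANDOM_SECRET

frontend http-in
    # Basic auth credentials are only base64-encoded, so on plain port 80
    # they are readable on the wire; keep this behind the VPN or bind with TLS.
    bind *:80

    # Match /grafana and /grafana/... but not e.g. /grafana-old
    acl has_grafana path /grafana
    acl has_grafana path_beg /grafana/

    use_backend grafana_backend if has_grafana
    # No default_backend: HAProxy answers 503 for every other path instead
    # of handing unknown requests to a service.

backend grafana_backend
    acl auth_ok http_auth(grafana_users)
    http-request auth realm Grafana unless auth_ok

    # Drop the proxy credentials before forwarding. Grafana accepts basic
    # auth itself by default and would check them against its own users.
    http-request del-header Authorization

    # Grafana listens on "/", so strip the /grafana prefix (HAProxy >= 1.6).
    http-request set-path %[path,regsub(^/grafana/?,/)]

    server grafana_test 192.168.0.3:4000 check
```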