diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml
index a5776dd..74508bb 100644
--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
@@ -2,3 +2,4 @@ prom_name: prometheus
 grafana_name: grafana
 prom_root: "/opt/{{ prom_name }}"
 grafana_root: "/opt/{{ prom_name }}/grafana"
+traefik_localonly: "192.168.1.0/24"
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index de06ce4..f19fead 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -44,6 +44,9 @@
 labels:
 traefik.http.routers.prometheus.rule: "Host(`{{ prom_domain }}`)"
 traefik.http.routers.prometheus.entrypoints: websecure
+traefik.http.routers.prometheus.middlewares: "securehttps@file,localonly"
+traefik.http.routers.prometheus.tls.certresolver: letsencrypt
+traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
 traefik.docker.network: traefik
 traefik.enable: "true"
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
index a71883e..67e04d1 100644
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -35,8 +35,9 @@
 labels:
 traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
 traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
 traefik.http.routers.traefik.tls.certresolver: letsencrypt
-traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker"
+traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
 traefik.http.routers.traefik.service: "api@internal"
 traefik.http.routers.traefik.entrypoints: websecure
 traefik.http.routers.traefik.tls: "true"
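Review bot: `traefik_localonly` is added to the prometheus role's defaults in roles/prometheus/defaults/main.yml, but the last hunk of this commit also reads it in roles/traefik/tasks/main.yml, and no default for the traefik role is visible in this diff. If the traefik role is applied in a play that does not load the prometheus role, and nothing in inventory sets the variable, the label templating would presumably fail on an undefined variable. Consider defining it in the traefik role's defaults or in shared group vars, with a comment such as `# CIDR allowed to reach internal-only routers; override per site`. The `192.168.1.0/24` default is site-specific, so a deployment on another subnet would get 403 on both routers until it is overridden.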
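Review bot: In the roles/prometheus/tasks/main.yml hunk, `localonly` is the only access control on the Prometheus router, and an IP allowlist matches on the source address as Traefik sees it. If Traefik sits behind another proxy, NAT or Docker's userland proxy, every client can appear to come from one in-range address, so it is worth confirming from a host outside `traefik_localonly` that the router answers 403. The same middleware is defined a second time on the traefik container in roles/traefik/tasks/main.yml; as far as I know the docker provider discards a middleware whose definitions differ between containers, so defining it once there and referencing it here as `localonly@docker` avoids drift if the two roles ever render different values. Since `auth@docker` already exists for the dashboard, `"securehttps@file,localonly@docker,auth@docker"` would give Prometheus a second layer if clients of this router can supply credentials. The `labels:` mapping and its task start outside the hunk.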
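Review bot: On the changed `traefik.http.routers.traefik.middlewares` line in roles/traefik/tasks/main.yml, `localonly` is listed after `auth@docker`, and Traefik applies a router's middlewares in the order they are listed. Clients outside `traefik_localonly` therefore still reach the basic-auth challenge and can tell valid credentials from invalid ones by the 401 versus 403 response. Putting the address check first rejects them before authentication: `traefik.http.routers.traefik.middlewares: "securehttps@file,localonly@docker,auth@docker"`; the explicit `@docker` suffix also matches how `auth` is referenced on the same line. `ipwhitelist` is deprecated in recent Traefik releases in favour of `ipallowlist`; the Traefik version is not visible in this diff, so check before the next upgrade. The `labels:` mapping starts outside the hunk.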