diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 53d28fdddb72365d9796d4172cd1180d38949d6d..f6876d21147130e15c261be2a0299225d0ca74e0 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -84,14 +84,15 @@ services:
         - "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
         # router for internal proxy based access (https)
-        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
-        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-pass-whitelist-cache.ipwhitelist.sourcerange=<insert-proxy-url>"
+        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
+        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist-cache,compress@file,cors@file"
         - "traefik.http.routers.emg-cache-proxy.tls=true"
         - "traefik.http.routers.emg-cache-proxy.tls.certresolver=default"
         - "traefik.http.routers.emg-cache-proxy.entrypoints=https"
         # router for internal proxy based access (http)
-        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
-        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist,redirect@file"
+        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth)`)"
+        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist-cache,redirect@file"
         - "traefik.http.routers.emg-cache-redirect-proxy.entrypoints=http"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"
diff --git a/docker-compose.emg.staging.yml b/docker-compose.emg.staging.yml
index a6c00f003b6f6be0d56c19d9ee49f5efd981e8be..c63a245d2fb04882f15b8d5e168cbfb60f858ee5 100644
--- a/docker-compose.emg.staging.yml
+++ b/docker-compose.emg.staging.yml
@@ -24,7 +24,7 @@ services:
         - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
         - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
         # router for internal proxy based access (https)
-        - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=<insert-proxy-url>"
+        - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=178.248.89.10"
         - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
         - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,compress@file,cors@file"
         - "traefik.http.routers.emg-renderer-proxy.tls=true"
@@ -80,14 +80,15 @@ services:
         - "traefik.http.routers.emg-cache-redirect-shib.middlewares=redirect@file"
         - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
         # router for internal proxy based access (https)
-        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
-        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist,compress@file,cors@file"
+        - "traefik.http.middlewares.emg-pass-whitelist-cache.ipwhitelist.sourcerange=178.248.89.10"
+        - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
+        - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist-cache,compress@file,cors@file"
         - "traefik.http.routers.emg-cache-proxy.tls=true"
         - "traefik.http.routers.emg-cache-proxy.tls.certresolver=default"
         - "traefik.http.routers.emg-cache-proxy.entrypoints=https"
         # router for internal proxy based access (http)
-        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
-        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist,redirect@file"
+        - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
+        - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist-cache,redirect@file"
         - "traefik.http.routers.emg-cache-redirect-proxy.entrypoints=http"
         # router for basic auth based access (https)
         - "traefik.http.routers.emg-cache.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/cache`)"