
Issues with access

Open EBS-DarkD opened this issue 8 months ago • 0 comments

I'm running Portainer BE (2.27.6 LTS) stacks with a stack for the reverse proxy and a stack for each of my apps (I've lots). I was running Authelia but want to try to set up SSO for my various apps, and have been having shits 'n' giggles with OpenLDAP!

traefik 3.4.0 stack

```yaml
  traefik:
    <<: *common-keys-core
    container_name: traefik
    image: traefik:latest
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      ## Logging
      - --log=true
      - --log.level=INFO
      - --accessLog=true
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      ## API
      - --api=true
      - --api.dashboard=true
      - --api.insecure=true
      ## Basic Entry Points
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entryPoints.traefik.address=:8080
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
      ## Basic Providers
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      ## Adv Entry Points
      - --entrypoints.https.http.tls.options=tls-opts@file
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=am-baker.com
      - --entrypoints.https.http.tls.domains[0].sans=*.am-baker.com
      ## Cert Resolution
      #- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=chief@window-lickers.com
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90
      - --serversTransport.insecureSkipVerify=true
      ## Metrics
      - --metrics.prometheus=true
      - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0

    networks:
      t2_proxy:
      socket_proxy:

    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 9079
        protocol: tcp
        mode: host

    volumes:
      - /docker/shared:/shared
      - /docker/logs/cloudserver/traefik:/logs
      - /docker/appdata/traefik2/rules/cloudserver:/rules
      - /docker/appdata/traefik2/acme/acme.json:/acme.json

    environment:
      - TZ=Asia/Qatar
      - CF_API_EMAIL_FILE=/run/secrets/cf_email
      - CF_API_KEY_FILE=/run/secrets/cf_api_key
      - HTPASSWD_FILE=/run/secrets/htpasswd
      - DOMAINNAME_CLOUD_SERVER

    secrets:
      - cf_email
      - cf_api_key
      - htpasswd

    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.buggerit.com`)"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=buggerit.com"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.buggerit.com"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file" # For Authentik
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file"
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-compress@file"
```

This is working ok under Authelia. I've also added a middleware into the traefik

```yaml
middleware-authentik:
  forwardAuth:
    address: "http://window-lickers.com:9000/outpost.goauthentik.io/auth/traefik"
    trustForwardHeader: true
    authResponseHeaders:
```

For authentik, I've got the following set, with a whole list of items in stack.env:

```yaml
  authentik:
    <<: [*common-keys-apps, *common-keys-dep]
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
    container_name: authentik
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
      AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - /opt/docker/appdata/authentik/app/media:/media
      - /opt/docker/appdata/authentik/app/templates:/templates
    env_file:
      - stack.env
    networks:
      t2_proxy:
        ipv4_address: 192.168.92.23
      socket_proxy:
        ipv4_address: 192.168.90.23
    ports:
      - 9000:9000
      - 9443:9443
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authentik-rtr.entrypoints=https"
      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.${DOMAINNAME}`)"
      ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
      - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      ## HTTP Services
      - "traefik.http.routers.authentik-rtr.service=authentik-svc"
      - "traefik.http.services.authentik-svc.loadBalancer.server.port=9443"

  # Worker
  authworker:
    <<: [*common-keys-apps, *common-keys-dep]
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
    command: worker
    container_name: auth-worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
      AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /docker/appdata/authentik/app/media:/media
      - /docker/appdata/authentik/app/certs:/certs
      - /docker/appdata/authentik/app/templates:/templates
    env_file:
      - stack.env
    networks:
      t2_proxy:
      socket_proxy:
```

Having gone through all the steps of your setup (I think), I get to the point where I try to access the authentik interface to log in and administer it. It works on http://window-lickers.com:9000, but I can't access it via https://window-lickers.com:9443.

How have you got your https working?

I went through your catch-all steps using the wizard and got it so I could access one of the running containers, but the login page was http, not https!

Hope you can give me some clues as to what I need to tweak / hit with a baseball bat to get this damn thing working!

EBS-DarkD, May 10 '25 19:05
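Added example, not part of the post above and not the repository's own compose or rules files: a complete Traefik file-provider fragment for the `/rules` directory that pairs the forwardAuth middleware with the authentik UI router, the outpost callback router, and one protected app. It assumes the authentik server container is reachable on the shared Docker network under the service name `authentik` on its plain-HTTP port 9000, that the site domain is `example.com`, and that a `whoami` container stands in for a protected app; all three are placeholders. The `authResponseHeaders` list is the one authentik's Traefik documentation gives; confirm it against the version you deploy.

```yaml
# /rules/authentik.yml  (picked up by --providers.file.directory=/rules with watch=true)
# Placeholders (assumed, not from the post): service name "authentik", domain example.com,
# and a "whoami" container standing in for a protected application.
http:
  middlewares:
    middleware-authentik:
      forwardAuth:
        # Keep the auth round-trip on the Docker network. Pointing this at the public
        # hostname (http://<public-host>:9000/...) sends every auth check out through
        # the host's published port in clear text and depends on DNS hairpinning.
        address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
        # Pass the incoming X-Forwarded-* headers through so authentik sees the original
        # host and URI. Acceptable only because the https entrypoint restricts
        # forwardedHeaders.trustedIPs; otherwise a client could forge them.
        trustForwardHeader: true
        # Identity headers authentik returns on success. Only names listed here are
        # copied onto the request that reaches the upstream app (per authentik's
        # Traefik docs; verify for your version).
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-entitlements
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

  routers:
    # authentik's own UI, served on the https entrypoint with the ACME certificate
    # that the entrypoint's default certresolver obtains.
    authentik-rtr:
      entryPoints: [https]
      rule: "Host(`authentik.example.com`)"
      tls: {}
      service: authentik-svc

    # Outpost callback path on any protected subdomain. Traefik v3 HostRegexp takes a
    # plain Go regexp; the v2 "{subdomain:...}" named-group form is not accepted in v3
    # unless the router is switched to ruleSyntax v2.
    authentik-outpost-rtr:
      entryPoints: [https]
      rule: 'HostRegexp(`^[a-z0-9-]+\.example\.com$`) && PathPrefix(`/outpost.goauthentik.io/`)'
      tls: {}
      service: authentik-svc

    # A protected app: every request is checked by forwardAuth before it is proxied.
    whoami-rtr:
      entryPoints: [https]
      rule: "Host(`whoami.example.com`)"
      tls: {}
      middlewares: [middleware-authentik]
      service: whoami-svc

  services:
    authentik-svc:
      loadBalancer:
        servers:
          # Container port 9000 is plain HTTP; TLS terminates at Traefik, so this hop
          # needs neither the self-signed 9443 listener nor serversTransport.insecureSkipVerify.
          - url: "http://authentik:9000"
    whoami-svc:
      loadBalancer:
        servers:
          - url: "http://whoami:80"
```

Apps defined by Docker labels reference the middleware as `middleware-authentik@file`; the routers here already carry it by its bare name because they live in the same file. Two things to check against the post's static config: the dashboard router's `chain-basic-auth@file` only protects `traefik-rtr`, while `--api.insecure=true` also serves the dashboard unauthenticated on the `traefik` entrypoint (container port 8080, published here as host port 9079), and a router label assigned three times (`traefik.http.routers.traefik-rtr.middlewares=...`) keeps only the last value, so the basic-auth chain and rate limit are silently dropped unless the three are joined into one comma-separated list.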