Unable to use application via proxy provider
I am trying to use an application via a proxy provider. This application won't let me set authentik in front of it. I can log in via Authentik, but then a blank page appears. No errors are found in any log.
Authentik is implemented in Traefik v3.
No errors appear, but there is a blank page after authentication.
Here are my configs:
```yaml
services:
  # Traefik 3 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:3.0
    security_opt:
      - no-new-privileges:true
    restart: $RESTARTPOL
    profiles: ["core", "all"]
    networks:
      - t3_proxy
      - socket_proxy
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http3
      - --entrypoints.traefik.address=:8080
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --api=true
      - --api.dashboard=true
      - --api.insecure=false
      - --serversTransport.insecureSkipVerify=true
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t3_proxy
      # - --providers.swarm.endpoint=tcp://127.0.0.1:2377 # Traefik v3 Swarm
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      - --entrypoints.websecure.http.tls.certresolver=dns-cloudflare
      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME_1
      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME_1
      # - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME_2 # Pulls main cert for second domain
      # - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME_2 # Pulls wildcard cert for second domain
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=ajay.ns.cloudflare.com:53,audrey.ns.cloudflare.com:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # - target: 8080 # need to enable --api.insecure=true
      #   published: 8085
      #   protocol: tcp
      #   mode: host
    volumes:
      - $DOCKERDIR/appdata/traefik3/rules/$HOSTNAME:/rules # Dynamic File Provider directory
      - $DOCKERDIR/appdata/traefik3/acme/acme.json:/acme.json # Certs File
      - $DOCKERDIR/logs/$HOSTNAME/traefik:/logs # Traefik logs
    environment:
      - TZ=$TZ
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
      - DOMAINNAME_1 # Passing the domain name to traefik container to be able to use the variable in rules.
    secrets:
      - cf_dns_api_token
      - basic_auth_credentials
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_1`)"
      # Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authentik-auth@file"
    depends_on:
      - socket-proxy
```
```yaml
http:
  middlewares:
    middlewares-authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```
```yaml
services:
  # Authentik DB
  authentik_db:
    container_name: authentik_db
    image: docker.io/library/postgres:15-alpine
    security_opt:
      - no-new-privileges:true
    restart: $RESTARTPOL
    profiles: ["core", "all"]
    networks:
      - authentik_net
    volumes:
      - $APPDIR/authentik/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: $authentik_DB_PASS
      POSTGRES_USER: $authentik_DB_USER
      POSTGRES_DB: $authentik_DB_NAME
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s

  # Authentik redis
  authentik_redis:
    container_name: authentik_redis
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    security_opt:
      - no-new-privileges:true
    restart: $RESTARTPOL
    profiles: ["core", "all"]
    networks:
      - authentik_net
    volumes:
      - $APPDIR/authentik/redis:/data
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s

  # Authentik Server
  authenik_server:
    container_name: authentik_server
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    command: server
    security_opt:
      - no-new-privileges:true
    restart: $RESTARTPOL
    profiles: ["core", "all"]
    networks:
      - authentik_net
      - t3_proxy
    volumes:
      - $APPDIR/authentik/media:/media
      - $APPDIR/authentik/templates:/templates
    ports:
      - 9080:9000
      - 9443:9443
    environment:
      AUTHENTIK_REDIS__HOST: authentik_redis
      AUTHENTIK_POSTGRESQL__HOST: authentik_db
      AUTHENTIK_POSTGRESQL__USER: $authentik_DB_USER
      AUTHENTIK_POSTGRESQL__NAME: $authentik_DB_NAME
      AUTHENTIK_POSTGRESQL__PASSWORD: $authentik_DB_PASS
      AUTHENTIK_SECRET_KEY: $authentik_SECRET_KEY
      AUTHENTIK_LOG_LEVEL: trace
    env_file:
      - $APPDIR/authentik/.container-vars.env
    labels:
      traefik.enable: true
      # HTTP Routers
      traefik.http.routers.authentik-rtr.entrypoints: websecure
      traefik.http.routers.authentik-rtr.rule: Host(`auth.$DOMAINNAME_1`) || HostRegexp(`{subdomain:[a-z0-9-]+}.$DOMAINNAME_1`) && PathRegexp(`/outpost.goauthentik.io/`)
      traefik.http.routers.authentik-rtr.middlewares: chain-no-auth@file
    depends_on:
      - authentik_db
      - authentik_redis

  # Authentik Worker
  authentik_worker:
    container_name: authentik_worker
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    command: worker
    security_opt:
      - no-new-privileges:true
    restart: $RESTARTPOL
    profiles: ["core", "all"]
    networks:
      - authentik_net
      - t3_proxy
      - socket_proxy
    volumes:
      - $APPDIR/authentik/media:/media
      - $APPDIR/authentik/templates:/templates
    environment:
      AUTHENTIK_REDIS__HOST: authentik_redis
      AUTHENTIK_POSTGRESQL__HOST: authentik_db
      AUTHENTIK_POSTGRESQL__USER: $authentik_DB_USER
      AUTHENTIK_POSTGRESQL__NAME: $authentik_DB_NAME
      AUTHENTIK_POSTGRESQL__PASSWORD: $authentik_DB_PASS
      AUTHENTIK_SECRET_KEY: $authentik_SECRET_KEY
      DOCKER_HOST: tcp://socket-proxy:2375
    env_file:
      - $APPDIR/authentik/.container-vars.env
    depends_on:
      - authentik_db
      - authentik_redis
```
```
trace | event=headers written to forward_auth headers={"Content-Encoding":["gzip"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"],"Vary":["Accept-Encoding"],"X-Authentik-Email":["redacted"],"X-Authentik-Groups":["authentik Admins"],"X-Authentik-Jwt":["redacted"],"X-Authentik-Meta-App":["apc"],"X-Authentik-Meta-Jwks":["https://auth.redacted/application/o/apc/jwks/"],"X-Authentik-Meta-Outpost":["authentik Embedded Outpost"],"X-Authentik-Meta-Provider":["Provider for apc"],"X-Authentik-Meta-Version":["goauthentik.io/outpost/2024.4.2"],"X-Authentik-Name":["redacted"],"X-Authentik-Uid":["e4967ae56e58b71585dd0ce14b9c588e1186598f2a2f4b9234a05fc449d643c0"],"X-Authentik-Username":["redacted"]} logger=authentik.outpost.proxyv2.application name=Provider for apc timestamp=2024-06-17T13:53:47Z
INF | event=/outpost.goauthentik.io/auth/traefik host=redacted logger=authentik.outpost.proxyv2.application method=GET name=Provider for apc remote=redacted runtime=3.786 scheme=http size=0 status=0 timestamp=2024-06-17T13:53:47Z user=redacted user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
```
```
2024-06-17T15:59:31+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 28f4731d318e9f38
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
2024-06-17T15:59:45+02:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f58fab65b05e6296
```
How can I set Authentik in front of my login page?
It should provide 2FA for a Schneider Electric APC UPS Network Management Card 2.
I forgot: The login URL of the APC UPS always changes:
http://redacted/NMC/SKTBGUBR2fjhnjahxD8L5g/logon.htm
This part always changes: SKTBGUBR2fjhnjahxD8L5g
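
A check for one thing visible in the configuration above, as an added example that is not part of the original post: the `authentik-rtr` rule writes `HostRegexp` with the Traefik v2 placeholder form `{subdomain:...}` while the image is `traefik:3.0`, and v3 rule syntax reads matcher arguments as plain Go regular expressions unless v2 syntax is selected (`--core.defaultRuleSyntax=v2` or a per-router `ruleSyntax` label). The script flags such rules; the label values are a constructed sample with `example.com` standing in for `$DOMAINNAME_1`, and the page does not establish whether this is what produces the blank page.

```python
import re

# Constructed sample: router labels shaped like the compose labels above,
# with example.com standing in for $DOMAINNAME_1.
SAMPLE_LABELS = {
    "traefik.http.routers.traefik-rtr.rule": "Host(`traefik.example.com`)",
    "traefik.http.routers.authentik-rtr.rule": (
        "Host(`auth.example.com`) || "
        "HostRegexp(`{subdomain:[a-z0-9-]+}.example.com`) && "
        "PathRegexp(`/outpost.goauthentik.io/`)"
    ),
}

RULE_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.rule$")
# Matchers whose argument is a regular expression (backticks optional here,
# so rules pasted without them are still scanned).
REGEX_MATCHER = re.compile(r"\b(HostRegexp|PathRegexp)\(([^)]*)\)")
# Traefik v2 named placeholder, e.g. {subdomain:[a-z0-9-]+}
V2_PLACEHOLDER = re.compile(r"\{[A-Za-z_]\w*:[^{}]*\}")


def find_v2_placeholders(labels, default_syntax="v3"):
    """Return (router, matcher, placeholder) for every v2-style placeholder
    in a router rule that will be parsed with v3 syntax."""
    findings = []
    for key, rule in labels.items():
        match = RULE_KEY.match(key)
        if not match:
            continue
        router = match.group(1)
        # A per-router ruleSyntax label overrides the static default
        # (--core.defaultRuleSyntax).
        syntax = labels.get(
            f"traefik.http.routers.{router}.ruleSyntax", default_syntax
        )
        if syntax == "v2":
            continue
        for matcher, arg in REGEX_MATCHER.findall(rule):
            for placeholder in V2_PLACEHOLDER.findall(arg):
                findings.append((router, matcher, placeholder))
    return findings


if __name__ == "__main__":
    for router, matcher, placeholder in find_v2_placeholders(SAMPLE_LABELS):
        print(f"{router}: {matcher} contains v2 placeholder {placeholder}")
```

A router flagged here never matches the per-application `/outpost.goauthentik.io/` paths on subdomains as the v2 rule intended, so those requests fall through to whatever other router matches the host.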
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.