Traefik ForwardAuth UnRaid
Hi @steRnbear87 , sorry for the late reply, my notifications don't work reliably.
Before I go into too much detail, do you know these 2 sources?
- https://goauthentik.io/docs/providers/proxy/forward_auth
- And, more importantly, did you read this whole thread? That actually contains my whole setup, or the relevant parts, which were based on the official documentation
This whole issue developed out of the fact that I configured my Forward Auth according to the documentation, but it didn't work as expected. From my view, the most important step was https://github.com/goauthentik/authentik/issues/2180#issuecomment-1027035509 about the priorities.
Since then, my Forward Auth has been running flawlessly, so I expect my original configuration, plus https://github.com/goauthentik/authentik/issues/2180#issuecomment-1027035509, minus the improvements Authentik may have received in the meantime, should do the trick.
If it doesn't and you get stuck, open a new "question" issue and mention me, before this one gets too clogged with off-topic stuff.
Cheers!
Originally posted by @agrimpelhuber in https://github.com/goauthentik/authentik/issues/2180#issuecomment-1118395504
Hey @agrimpelhuber, let me know when you can take a look at my config. I currently have authentik working as a forwardauth for single apps but that's too many configs.
Hi, so am I right in assuming that you are struggling with the domain-wide forward auth? Having the single app version working may be a good start.
So here's my configuration, from back to front. All the pixelated domain names in the screenshots correspond to the example "mydomain.com", so I'm basically using auth.mydomain.com and mydomain.com, as well as other subdomains *.mydomain.com for the apps. I didn't check where I do something different from the documentation, so please compare it yourself.
Outpost
and the configuration (Hashed comments added here, do NOT copy)
log_level: warn # helped me debug at some time
authentik_host: https://auth.mydomain.com
docker_network: common-bridge # I run a separate bridge network - that's the one with traefik
container_image: null
docker_map_ports: false # no need to map ports, because the ports are unique on the bridged network
# the rest is default (?)
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: authentik-outpost-%(name)s
authentik_host_insecure: false
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
Proxy Provider
No Advanced protocol settings
Application
No UI settings
Outpost Container
With this configuration, Authentik pulls up an outpost as a docker container, and registers it with Traefik:
Traefik middleware configuration (docker-compose)
This is the relevant middleware declaration for my docker-based Traefik instance. It provides the "authentik@docker" middleware for all apps.
labels:
- "traefik.enable=true"
[...]
# the host name follows the naming scheme "object_naming_template" from the outpost
- "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-outpost-forward-auth:9000/outpost.goauthentik.io/auth/traefik"
- "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
App container (docker-compose)
Protecting an app under mydomain.com is just as simple as configuring the middleware in the app's docker-compose.yml file:
labels:
- "traefik.enable=true"
- "traefik.http.routers.app.rule=Host(`app.mydomain.com`)"
- "traefik.http.routers.app.entrypoints=websecure"
- "traefik.http.routers.app.tls.certresolver=myresolver"
- "traefik.docker.network=common-bridge"
- "traefik.http.services.kuma.loadbalancer.server.port=8080"
- "traefik.http.routers.app.middlewares=authentik@docker"
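The two label sets above wire Traefik's ForwardAuth middleware to the outpost. The following is an added example, not code from Traefik, authentik or this thread: a small Python model of what the three `forwardauth` settings do (`address`: where the check is sent; `trustForwardHeader`: whether client-supplied X-Forwarded-* headers are kept; `authResponseHeaders`: which outpost headers reach the app). The outpost itself is replaced by a constructed stub; `constructed_outpost`, `sample_request`, the cookie value and the login-flow URL are made up for the demonstration, and the header handling is my reading of Traefik's behaviour, not its source.

```python
# Added example: a minimal model of the Traefik ForwardAuth middleware declared
# in the labels above. Not Traefik's or authentik's code; the outpost is a stub.

# Same list as the "authResponseHeaders" label: only these headers are copied
# from the outpost's answer onto the request that reaches the protected app.
AUTH_RESPONSE_HEADERS = [
    "X-authentik-username", "X-authentik-groups", "X-authentik-email",
    "X-authentik-name", "X-authentik-uid", "X-authentik-jwt",
    "X-authentik-meta-jwks", "X-authentik-meta-outpost",
    "X-authentik-meta-provider", "X-authentik-meta-app", "X-authentik-meta-version",
]


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def drop_header(headers, name):
    """Remove every spelling of `name` from a header dict, in place."""
    for key in [k for k in headers if k.lower() == name.lower()]:
        del headers[key]


def build_auth_request(request, trust_forward_header):
    """Headers the proxy sends to the outpost's /outpost.goauthentik.io/auth/traefik
    endpoint. The original request is described in X-Forwarded-* headers; with
    trustForwardHeader=false any client-supplied values are overwritten, with
    trustForwardHeader=true values already present are kept (assumed model)."""
    headers = dict(request["headers"])
    real_values = {
        "X-Forwarded-Method": request["method"],
        "X-Forwarded-Proto": request["scheme"],
        "X-Forwarded-Host": request["host"],
        "X-Forwarded-Uri": request["uri"],
        "X-Forwarded-For": request["client_ip"],
    }
    for name, value in real_values.items():
        if not trust_forward_header or get_header(headers, name) is None:
            drop_header(headers, name)
            headers[name] = value
    return headers


def forward_auth(request, outpost, trust_forward_header=True):
    """Run the ForwardAuth check. Returns ("allow", upstream_headers) when the
    outpost answers 2xx; otherwise ("deny", status, outpost_headers), and the
    outpost's response (e.g. a 302 to the login flow) goes back to the client."""
    status, outpost_headers = outpost(build_auth_request(request, trust_forward_header))
    if not 200 <= status < 300:
        return ("deny", status, outpost_headers)
    upstream = dict(request["headers"])
    # Each listed header is removed from the client's request first, so a client
    # cannot supply its own X-authentik-* identity; only what the outpost returned
    # is forwarded to the app.
    for name in AUTH_RESPONSE_HEADERS:
        drop_header(upstream, name)
        value = get_header(outpost_headers, name)
        if value is not None:
            upstream[name] = value
    return ("allow", upstream)


def constructed_outpost(headers):
    """Constructed stand-in for the authentik outpost: a request carrying the
    made-up session cookie is authorised and identity headers are returned;
    anything else is redirected to the login flow (URL is a placeholder)."""
    cookie = get_header(headers, "Cookie") or ""
    if "authentik_session=constructed-valid-session" in cookie:
        return 200, {
            "X-authentik-username": "alice",
            "X-authentik-groups": "admins|users",
            "X-authentik-email": "alice@mydomain.com",
        }
    target = "https://%s%s" % (get_header(headers, "X-Forwarded-Host"),
                               get_header(headers, "X-Forwarded-Uri"))
    return 302, {"Location": "https://auth.mydomain.com/LOGIN-FLOW-PLACEHOLDER?rd=" + target}


def sample_request(extra_headers=None):
    """A constructed request for app.mydomain.com, as Traefik would receive it."""
    headers = {"Host": "app.mydomain.com", "User-Agent": "constructed/1.0"}
    headers.update(extra_headers or {})
    return {"method": "GET", "scheme": "https", "host": "app.mydomain.com",
            "uri": "/dashboard", "client_ip": "203.0.113.7", "headers": headers}


if __name__ == "__main__":
    # Anonymous request: denied, client is sent to the login flow.
    print(forward_auth(sample_request(), constructed_outpost))
    # Logged-in request that also tries to set its own identity header: allowed,
    # but the app sees the outpost's "alice", not the client's "mallory".
    print(forward_auth(sample_request({"Cookie": "authentik_session=constructed-valid-session",
                                       "X-authentik-username": "mallory"}), constructed_outpost))
```

Two points worth checking in a real deployment follow from this model: the app should only trust the X-authentik-* headers when every route to it passes through the middleware (a route without `middlewares=authentik@docker` receives whatever the client sends), and `trustForwardHeader=true` means the X-Forwarded-* values the outpost sees can originate from the client, which is fine behind a trusted edge but worth knowing when Traefik is the edge itself.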
Thank you very much @agrimpelhuber for your time and effort to try to explain it all as simply as possible. I'm also trying to get my Authentik (behind Traefik) working. My current state: I still do not see an Outpost middleware in Traefik. Your above post was clear, except for two elements: a) following your first screenshot, I could not select any application. But I fixed that. Apparently I had to create the Proxy Provider first. b) 'Outpost Deployment Info' is something I cannot find anywhere. Could you clarify that? Where do I find that dialog?
Sorry for the late reply, I was away from the computer for a few days. Hope this is still relevant.
Concerning a): Yes, sorry, you are probably right. Couldn't recall the order in which I did it.
Concerning b), I refer to this view - overview of the outposts when I click "Outposts" in the menu
The screenshot that I showed comes from the pop-up that opens when I click on "View Deployment Info" for the forward auth outpost.
When you write "I still do not see ..." - did you configure the middleware as described under the heading "Traefik middleware configuration (docker-compose)" above? To summarize:
- Authentik should provide the docker-based outpost container automatically
- You need to configure a middleware in your basic Traefik instance that connects to this outpost
- You can then use this middleware to protect any docker instance under the domain
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.