Authelia not working with traefik

I am in the process of converting my setup to using file providers. I managed to get the traefik application working but I am unable to get "authelia" to work. Can someone help me try to figure out where I have gone wrong? The only thing I get is a "404" page.

data/configurations/routers.yml

http:
  routers:
    traefik:
      rule: Host(`monitor.domain.tld`)
      entrypoints: https
      tls: true
      service: api@internal
      middlewares: 
        - basic-auth
        - redirect-to-https
        - secure-headers
        - app-rate-limit
    authentication:
      rule: Host(`authelia.domain.tld`)
      entrypoints: https
      tls: true
      service: authelia
      middlewares:
        - redirect-to-https
        - forward-auth
    
    http-catchall:
      entrypoints: http
      service: api@internal
      rule: HostRegexp(`{host:.+}`)
      middlewares: 
        - redirect-to-https

data/configurations/services.yml

http:
    services:
      traefik:
        loadbalancer:
          servers:
            - port: "80"
      authelia:
        loadbalancer:
          servers:
            - port: "9091"

data/configurations/middlewares.yml

http:
  middlewares:
    basic-auth:
      basicAuth:
        realm: "Traefik2 Basic Auth"
        usersFile: "/configurations/.htpasswd"

    app-rate-limit:
      rateLimit:
        average: 30
        burst: 20

    secure-headers:
      headers:
        accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
        accessControlMaxAge: 100
        hostsProxyHeaders: ["X-Forwarded-Host"]
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https:domain.tld" 
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""

    forward-auth:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://authelia.domain.tld"
        trustForwardHeader: true
        authResponseHeaders: ["Remote-User", "Remote-Groups"]


    redirect-to-https:
      redirectScheme:
        scheme: "https"
        permanent: true   

docker-compose.yml (authelia)

version: '3.8'
services:
  authelia:
    image: 'authelia/authelia:4.37'
    networks:
      - t2_proxy
      - dbnet
    ports:
      - '9091:9091'
    volumes:
      - 'authelia-config:/config'
    environment:
      - TZ=Europe/Prague
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
      - AUTHELIA_STORAGE_MYSQL_HOST=mariadb
      - AUTHELIA_STORAGE_MYSQL_PORT=3306
      - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_db_password
      - AUTHELIA_STORAGE_MYSQL_DATABASE=authelia
      - AUTHELIA_STORAGE_MYSQL_USERNAME=authelia
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_notifier_smtp_password
      - authelia_db_password
    deploy:
        
volumes:
  authelia-config:
    driver: local
    driver_opts:
      o: bind
      device: /mnt/data/app-config/authelia
      type: none
networks:
  t2_proxy:
    external: true
  dbnet:
    external: true
secrets:
  authelia_jwt_secret:
    external: true
  authelia_session_secret:
    external: true
  authelia_notifier_smtp_password:
    external: true
  authelia_db_password:
    external: true

traefik.yml

api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs: 
       - xxx.xx.48.0/20
       - xxx.xx.244.0/22
       - xxx.xx.200.0/22
       - xxx.xx.4.0/22
       - xxx.xxx.64.0/18
       - xxx.xx.192.0/18
       - xxx.xx.240.0/20
       - xxx.xxx.96.0/20
       - xxx.xxx.240.0/22
       - xxx.xx.128.0/17
       - xxx.xx.0.0/15
       - xxx.16.0.0/12
       - xxx.64.0.0/13
       - xxx.0.72.0/22

log:
  level: DEBUG

accessLog:
  filePath: "/traefik.log"
  bufferingSize: 100
  filters:
    statusCodes: 
      - "400-499"

providers: 
  file:
    directory: "/data/configurations"
    watch: true

certificatesResolvers:
  dns-cloudflare:
    acme:
      email: "$CLOUDFLARE_EMAIL"
      storage: "/acme.json"
      dnsChallenge:
        provider: 
          - cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
        delayBeforeCheck: 90

What does Traefik debug log and the dashboard tell you?

Where is the domain/IP for your service target coming from? You set the target port, but no url. And there seems to be no provider.docker for Docker Configuration Discovery.

The thing in the log for traefik is this:

traefik_traefik.1.74f19kx2lzao@node-master    | time="2023-02-19T16:09:07Z" level=debug msg="Serving default certificate for request: \"authelia.domain.tld\""

The service is being targeted on the port only which worked fine before I tried to convert to file provider.

You mention that there seems to be provider.docker, I am not sure I needed this because I want to use file providers only. I am using docker swarm also if that information is necessary.

I found some problems with the config but now I get this and I don't know how to debug it:

https://authelia.domain.tld/?rd=https%3A%2F%2Fauthelia.domain.tld%2F%3Frd%3Dhttps%253A%252F%252Fauthelia.domain.tld%252F%253Frd%253Dhttps%25253A%25252F%25252Fauthelia.domain.tld%25252F%25253Frd%25253Dhttps%2525253A%2525252F%2525252Fauthelia.domain.tld%2525252F%2525253Frd%2525253Dhttps%252525253A%252525252F%252525252Fauthelia.domain.tld%252525252F%252525253Frd%252525253Dhttps%25252525253A%25252525252F%25252525252Fauthelia.domain.tld%25252525252F%25252525253Frd%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fauthelia.domain.tld%2525252525252F%2525252525253Frd%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fauthelia.domain.tld%252525252525252F%252525252525253Frd%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fauthelia.domain.tld%25252525252525252F%25252525252525253Frd%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Fauthelia.domain.tld%2525252525252525252F%2525252525252525253Frd%2525252525252525253Dhttps%252525252525252525253A%252525252525252525252F%252525252525252525252Fauthelia.domain.tld%252525252525252525252F%252525252525252525253Frd%252525252525252525253Dhttps%25252525252525252525253A%25252525252525252525252F%25252525252525252525252Fauthelia.domain.tld%25252525252525252525252F%25252525252525252525253Frd%25252525252525252525253Dhttps%2525252525252525252525253A%2525252525252525252525252F%2525252525252525252525252Fauthelia.domain.tld%2525252525252525252525252F%2525252525252525252525253Frd%2525252525252525252525253Dhttps%252525252525252525252525253A%252525252525252525252525252F%252525252525252525252525252Fauthelia.domain.tld%252525252525252525252525252F%252525252525252525252525253Frd%252525252525252525252525253Dhttps%25252525252525252525252525253A%25252525252525252525252525252F%25252525252525252525252525252Fauthelia.domain.tld%25252525252525252525252525252F%25252525252525252525252525253Frd%25252525252525252525252525253Dhttps%2525252525252525252525252525253A%252525252
5252525252525252525252F%2525252525252525252525252525252Fauthelia.domain.tld%2525252525252525252525252525252F%2525252525252525252525252525253Frd%2525252525252525252525252525253Dhttps%252525252525252525252525252525253A%252525252525252525252525252525252F%252525252525252525252525252525252Fauthelia.domain.tld%252525252525252525252525252525252F%25252525252525252525252525252526rm%2525252525252525252525252525253DGET%252525252525252525252525252526rm%25252525252525252525252525253DGET%2525252525252525252525252526rm%252525252525252525252525253DGET%25252525252525252525252526rm%2525252525252525252525253DGET%252525252525252525252526rm%25252525252525252525253DGET%2525252525252525252526rm%252525252525252525253DGET%25252525252525252526rm%2525252525252525253DGET%252525252525252526rm%25252525252525253DGET%2525252525252526rm%252525252525253DGET%25252525252526rm%2525252525253DGET%252525252526rm%25252525253DGET%2525252526rm%252525253DGET%25252526rm%2525253DGET%252526rm%25253DGET%2526rm%253DGET%26rm%3DGET&rm=GET

What do you want to do? Just access Authelia or use it for forward authentication?

Your service is using only https entrypoint, but you have also assigned a redirect middleware. So it's probably in an endless loop.

So I want to be able to access authelia.domain.tld directly for configuration and use it for forward auth for my applications.

What's your status? Still not working?

On authelia you have redirect-to-https middleware assigned, which should not be used on https.

You have a forward-auth middleware assigned, which I can’t find declared.

You have no loadbalancer.server.url in your service. What hostname/IP should requests be forwarded to?

You have the catchall router which seems strange to me, use entrypoint redirect instead.

Still no luck, I removed the catchall and https redirect stuff and I still get the same result. With the multiple requests or redirects in this:

https://authelia.domain.tld/?rd=https%3A%2F%2Fauthelia.domain.tld%2F%3Frd%3Dhttps%253A%252F%252Fauthelia.domain.tld%252F%253Frd%253Dhttps%25253A%25252F%25252Fauthelia.domain.tld%25252F%25253Frd%25253Dhttps%2525253A%2525252F%2525252Fauthelia.domain.tld%2525252F%2525253Frd%2525253Dhttps%252525253A%252525252F%252525252Fauthelia.domain.tld%252525252F%252525253Frd%252525253Dhttps%25252525253A%25252525252F%25252525252Fauthelia.domain.tld%25252525252F%25252525253Frd%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fauthelia.domain.tld%2525252525252F%2525252525253Frd%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fauthelia.domain.tld%252525252525252F%252525252525253Frd%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fauthelia.domain.tld%25252525252525252F%25252525252525253Frd%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Fauthelia.domain.tld%2525252525252525252F%2525252525252525253Frd%2525252525252525253Dhttps%252525252525252525253A%252525252525252525252F%252525252525252525252Fauthelia.domain.tld%252525252525252525252F%252525252525252525253Frd%252525252525252525253Dhttps%25252525252525252525253A%25252525252525252525252F%25252525252525252525252Fauthelia.domain.tld%25252525252525252525252F%25252525252525252525253Frd%25252525252525252525253Dhttps%2525252525252525252525253A%2525252525252525252525252F%2525252525252525252525252Fauthelia.domain.tld%2525252525252525252525252F%2525252525252525252525253Frd%2525252525252525252525253Dhttps%252525252525252525252525253A%252525252525252525252525252F%252525252525252525252525252Fauthelia.domain.tld%252525252525252525252525252F%252525252525252525252525253Frd%252525252525252525252525253Dhttps%25252525252525252525252525253A%25252525252525252525252525252F%25252525252525252525252525252Fauthelia.domain.tld%25252525252525252525252525252F%25252525252525252525252525253Frd%25252525252525252525252525253Dhttps%2525252525252525252525252525253A%252525252
5252525252525252525252F%2525252525252525252525252525252Fauthelia.domain.tld%2525252525252525252525252525252F%2525252525252525252525252525253Frd%2525252525252525252525252525253Dhttps%252525252525252525252525252525253A%252525252525252525252525252525252F%252525252525252525252525252525252Fauthelia.domain.tld%252525252525252525252525252525252F%25252525252525252525252525252526rm%2525252525252525252525252525253DGET%252525252525252525252525252526rm%25252525252525252525252525253DGET%2525252525252525252525252526rm%252525252525252525252525253DGET%25252525252525252525252526rm%2525252525252525252525253DGET%252525252525252525252526rm%25252525252525252525253DGET%2525252525252525252526rm%252525252525252525253DGET%25252525252525252526rm%2525252525252525253DGET%252525252525252526rm%25252525252525253DGET%2525252525252526rm%252525252525253DGET%25252525252526rm%2525252525253DGET%252525252526rm%25252525253DGET%2525252526rm%252525253DGET%25252526rm%2525253DGET%252526rm%25253DGET%2526rm%253DGET%26rm%3DGET&rm=GET

Do I need to declare the network anywhere? I remember when I used labels I needed to do that.

Also the forward-auth is in the middleware and the routers.yml

Update: I stopped the redirection by removing the forward-auth. Now I only get a 500 internal server error.

level=debug msg="'500 Internal Server Error' caused by: unsupported protocol scheme \"\""

I fixed it. I needed to add the docker url to the service. I thought there would be a way for it to dynamically discover the IP address with the port.
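The two failures resolved in this thread (the nested `rd=` redirect loop and the `unsupported protocol scheme` 500) can be caught before deployment with a check over the parsed dynamic configuration. This is an added example, not code from the thread or from Traefik; `lint_dynamic_config`, the `BROKEN`/`FIXED` samples and the `http://authelia:9091` service url are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

def lint_dynamic_config(http):
    """Return (object, problem) findings for a parsed `http:` section."""
    findings = []
    middlewares = http.get("middlewares", {})
    # Check 1: the file provider does no discovery, so each server needs a
    # full url; a bare port gives Traefik an empty scheme and a 500.
    for name, svc in http.get("services", {}).items():
        lb = svc.get("loadBalancer") or svc.get("loadbalancer") or {}
        for server in lb.get("servers", []):
            target = urlsplit(server.get("url", ""))
            if not (target.scheme and target.netloc):
                findings.append((f"service:{name}", "server without url"))
    # Check 2: forwardAuth whose rd= points at the router's own host sends
    # the login portal back to itself, nesting rd= on every hop.
    for name, router in http.get("routers", {}).items():
        hosts = set(re.findall(r"\bHost\(`([^`]+)`\)", router.get("rule", "")))
        for mw in router.get("middlewares", []):
            auth = middlewares.get(mw, {}).get("forwardAuth", {})
            query = parse_qs(urlsplit(auth.get("address", "")).query)
            if any(urlsplit(rd).hostname in hosts for rd in query.get("rd", [])):
                findings.append((f"router:{name}", f"{mw} redirects to self"))
    return findings

# Constructed sample: the thread's authelia router, service and middleware,
# written as the dicts a YAML parser would return.
FORWARD_AUTH = {"forwardAuth": {
    "address": "http://authelia:9091/api/verify?rd=https://authelia.domain.tld"}}
BROKEN = {
    "routers": {"authentication": {
        "rule": "Host(`authelia.domain.tld`)", "service": "authelia",
        "middlewares": ["forward-auth"]}},
    "services": {"authelia": {"loadbalancer": {"servers": [{"port": "9091"}]}}},
    "middlewares": {"forward-auth": FORWARD_AUTH},
}
# Assumed fix: url taken from the forwardAuth address, forward-auth removed
# from the portal's own router (it stays available for other routers).
FIXED = {
    "routers": {"authentication": {
        "rule": "Host(`authelia.domain.tld`)", "service": "authelia"}},
    "services": {"authelia": {"loadbalancer": {
        "servers": [{"url": "http://authelia:9091"}]}}},
    "middlewares": {"forward-auth": FORWARD_AUTH},
}

if __name__ == "__main__":
    for finding in lint_dynamic_config(BROKEN):
        print(finding)
```
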
