Ok so let's start.
When checking the logs of my Immich container, there is nothing related to the connection, which seems to mean that the request never reaches the Immich container. The browser shows a "not found" page coming from Authentik.
There are no related logs in the Traefik container either.
From my Authentik-server container:
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.70.248.49", "request_id": "d6379c6afc174289a4452bec6f7d2fdb", "runtime": 16, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:54.420717", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.68.194.139", "request_id": "bbacb6f87e4c4f2199d352d2046c87a5", "runtime": 27, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:55.123396", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.71.172.68", "request_id": "ef532cac6e764f92a16fe0f075e287df", "runtime": 68, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:55.195530", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
Traefik dynamic file:
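# Traefik dynamic configuration (file provider).
# Indentation reconstructed from the flattened paste above; the nesting follows
# Traefik's http.middlewares / http.routers / http.services schema.
http:
  middlewares:
    # Accept only connections whose direct TCP peer is a Cloudflare edge.
    # No ipStrategy is set, so the peer address (not X-Forwarded-For) is
    # checked -- correct when Cloudflare is the only thing allowed to reach
    # Traefik. Keep this list in sync with Cloudflare's published ranges.
    # NOTE(review): `ipWhiteList` is the Traefik v2 name; v3 calls it
    # `ipAllowList` -- confirm against the Traefik version in use.
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - 173.245.48.0/20
          - 103.21.244.0/22
          - 103.22.200.0/22
          - 103.31.4.0/22
          - 141.101.64.0/18
          - 108.162.192.0/18
          - 190.93.240.0/20
          - 188.114.96.0/20
          - 197.234.240.0/22
          - 198.41.128.0/17
          - 162.158.0.0/15
          - 104.16.0.0/13
          - 104.24.0.0/14
          - 172.64.0.0/13
          - 131.0.72.0/22
          - 2400:cb00::/32
          - 2606:4700::/32
          - 2803:f800::/32
          - 2405:b500::/32
          - 2405:8100::/32
          - 2a06:98c0::/29
          - 2c0f:f248::/32
    # Permanent redirect to https for the routers that reference it.
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    # Chain wrapper around the Cloudflare whitelist.
    # NOTE(review): no router in this file references `secured` or
    # `default-whitelist`, so the IP restriction is not enforced on any of the
    # routers shown; if the entrypoint ports are reachable other than through
    # Cloudflare, rely on the firewall or add the middleware to the routers.
    secured:
      chain:
        middlewares:
          - default-whitelist
    # CrowdSec bouncer decision check; attached at entrypoint level in the
    # static config as crowdsec-bouncer@file.
    crowdsec-bouncer:
      forwardAuth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        # Safe only because the entrypoints' forwardedHeaders.trustedIPs are
        # limited to Cloudflare; otherwise X-Forwarded-* would be spoofable.
        trustForwardHeader: true
    # Authentik embedded-outpost forward auth.
    # https://github.com/goauthentik/authentik/issues/2366
    # NOTE(review): the authentik-server log lines above show exactly this
    # endpoint answering 404 for host immich.domain.tld. The embedded outpost
    # typically answers 404 when no Proxy Provider's external host matches the
    # request's Host header -- confirm that a forward-auth (single application)
    # provider with external host https://immich.domain.tld exists and that it
    # is assigned to the embedded outpost.
    authentik:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        # Identity headers copied from the outpost's response onto the request
        # forwarded upstream; only trust them on routers behind this middleware.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    # Derive the client IP from CDN-specific headers (traefik-get-real-ip
    # plugin, declared in the static config's experimental.plugins).
    # NOTE(review): not referenced by any router in this file.
    my-traefik-get-real-ip:
      plugin:
        traefik-get-real-ip:
          Proxy:
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: cdn1
              realIP: X-Forwarded-For
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: cdn2
              realIP: Client-Ip
            - overwriteXFF: "true"
              proxyHeadername: X-From-Cdn
              proxyHeadervalue: cdn3
              realIP: Cf-Connecting-Ip
            - proxyHeadername: '*'
              realIP: RemoteAddr

  #region routers
  routers:
    # Exposes the embedded outpost's own paths (callback, sign-out, ...).
    # NOTE(review): authentik's Traefik docs, as I recall them, put this
    # router on the protected application's host so that
    # /outpost.goauthentik.io/callback on immich.domain.tld reaches the
    # outpost; as written it only matches authentik.domain.tld. It is also the
    # only router here without `tls: {}` -- confirm it is served over https.
    authentik:
      entryPoints:
        - "https-external"
      rule: "Host(`authentik.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 10
      service: authentik
    secure-webserver:
      entryPoints:
        - "https-external"
      rule: "Host(`www.domain.tld`)"
      middlewares:
        - https-redirectscheme
      tls: {}
      service: secure-webserver
    blogger:
      entryPoints:
        - "https-external"
      rule: "Host(`blogger.domain.tld`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: blogger
    homeassistant:
      entryPoints:
        - "https-external"
      rule: "Host(`haoss.domain.tld`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: homeassistant
    # NOTE(review): this router sits on the plain-http entrypoint
    # (http-external) yet declares `tls: {}`; the entrypoint-level redirection
    # in the static config sends http-external to https-external anyway, so
    # this router may never match -- confirm it is still needed.
    homeassistant-r:
      entryPoints:
        - "http-external"
      rule: "Host(`remote-ha.domain.tld`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: homeassistant-r

  #region services
  services:
    # service Proxmox
    # service web
    # Backend for the outpost router above (embedded outpost inside authentik-server).
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000/outpost.goauthentik.io"
    secure-webserver:
      loadBalancer:
        servers:
          - url: "http://192.168.xxxxxxxx"
        passHostHeader: true
    # Backend over https: with serversTransport.insecureSkipVerify enabled in
    # the static config its certificate is not verified.
    blogger:
      loadBalancer:
        servers:
          - url: "https://192.168.xxxxxx"
        passHostHeader: true
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168.xxxxx:xxxxx"
        passHostHeader: true
    homeassistant-r:
      loadBalancer:
        servers:
          - url: "http://192.168.2xxxx:xxxx"
        passHostHeader: true
    # services servitudes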
Traefik.yml file (static configuration):
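# Traefik static configuration (traefik.yml).
# Indentation reconstructed from the flattened paste above.
global:
  checkNewVersion: true
  sendAnonymousUsage: false

api:
  dashboard: true
  # Dashboard is not served on an unauthenticated entrypoint; it needs an
  # explicit router (none is defined in the dynamic file shown).
  insecure: false
  #debug: false

## enable healthcheck
ping: {}
##

entryPoints:
  http:
    address: ":80"
    forwardedHeaders:
      # Only these peers may set X-Forwarded-* / X-Real-Ip; from anyone else
      # Traefik replaces them with its own values.
      trustedIPs:
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
    http:
      middlewares:
        - crowdsec-bouncer@file
  http-external: # changed
    address: ":1181"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: https-external
          scheme: https
  # Entrypoint used by the immich router and by everything in the dynamic file.
  # NOTE(review): unlike `http`/`https` it has no forwardedHeaders.trustedIPs,
  # so X-Forwarded-For from Cloudflare is replaced by the edge's own address.
  # The `remote` values in the authentik log above (172.70.x, 172.68.x,
  # 172.71.x) fall in Cloudflare's 172.64.0.0/13 range, which is consistent
  # with that. It does not explain the 404, but authentik's audit log and any
  # rate limiting then see Cloudflare addresses instead of the real client --
  # consider adding the same trustedIPs block here.
  https-external:
    address: ":11444"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      middlewares:
        - crowdsec-bouncer@file

# Global default for backend connections.
# NOTE(review): this disables TLS certificate verification for every https
# backend (here `blogger`), not just the self-signed one; a per-service
# `http.serversTransports` entry in the dynamic config would limit the scope.
serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    network: my_net
    # Docker API reached through a socket proxy rather than mounting the socket.
    endpoint: "tcp://t-docker-socket-proxy:2375"
    exposedByDefault: false
  file:
    filename: /dynamic_conf.yml
    watch: true

certificatesResolvers:
  dns-cloudflare:
    acme:
      email: myemail
      # acme.json holds the account and certificate private keys; keep it
      # mode 600 and out of version control.
      storage: ./letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
      caServer: https://acme-v02.api.letsencrypt.org/directory
      #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.

experimental:
  plugins:
    traefik-get-real-ip:
      moduleName: "github.com/Paxxs/traefik-get-real-ip"
      version: "v1.0.3"
    #crowdsec-bouncer-traefik-plugin:
    #  moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
    #  version: "v1.4.1"

log:
  # Raise to DEBUG temporarily to see router/rule parse errors and the
  # forwardAuth round-trip while troubleshooting.
  level: "INFO"
  filePath: "/var/log/crowdsec/traefik.log"

accessLog:
  filePath: "/var/log/crowdsec/access.log"
  bufferingSize: 50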
Immich container Traefik labels:
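# Labels on the Immich compose service, read by Traefik's docker provider.
labels:
  - "traefik.enable=true"
  # increase readingTimeouts for the entrypoint used here
  - "traefik.http.routers.immich.entrypoints=https-external"
  # Host() takes a backtick-quoted literal. NOTE(review): the pasted version
  # read `Host(immich.domain.tld)` with no backticks -- most likely stripped by
  # the forum's markdown (the authentik log shows the forwardAuth call being
  # made, so the running router does match); if they really are missing,
  # Traefik rejects the rule and the router is never created.
  - "traefik.http.routers.immich.rule=Host(`immich.domain.tld`)"
  - "traefik.http.services.immich.loadbalancer.server.port=8080"
  - "traefik.http.routers.immich.tls=true"
  - "traefik.http.routers.immich.tls.certresolver=dns-cloudflare"
  # Every request is first checked by the authentik forwardAuth middleware
  # from the dynamic file; the 404 in the authentik log is that call.
  - "traefik.http.routers.immich.middlewares=authentik@file"
  - "traefik.http.routers.immich.service=immich"
  - "traefik.docker.network=my_net"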