Authentik, immich and Traefik v3

Hello,

I am seeking insights from anyone who has experience with this particular combination. I am encountering an issue where Immich functions seamlessly with Traefik, but it fails to operate correctly when using Authentik (OAuth2).
And I'm not yet able to determine the origin of the problem. I did ask on the Authentik Discord channel, but they aren't very active.

Thx

Thank you for your assistance.

Come on, you posted here before, you know the drill :wink:

Explain what "fails to operate correctly" means, share an error message.

Share your full Traefik static and dynamic config, and Docker compose file(s) if used.

Enable and check Traefik debug log and Traefik access log in JSON format.

Check browser developer tools network tab.

I didn't want to 'pollute' the post too early. :slight_smile:

Ok so let's start.

When checking the logs of my immich container, there is nothing linked to the connection; it seems to mean that the request doesn't reach the immich container. There is a "not found" on the Authentik web page.

There are no logs for the Traefik container.

From my Authentik-server container:

{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.70.248.49", "request_id": "d6379c6afc174289a4452bec6f7d2fdb", "runtime": 16, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:54.420717", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.68.194.139", "request_id": "bbacb6f87e4c4f2199d352d2046c87a5", "runtime": 27, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:55.123396", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.71.172.68", "request_id": "ef532cac6e764f92a16fe0f075e287df", "runtime": 68, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:55.195530", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}

Traefik dynamic file:

http:
  middlewares:
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - 173.245.48.0/20
          - 103.21.244.0/22
          - 103.22.200.0/22
          - 103.31.4.0/22
          - 141.101.64.0/18
          - 108.162.192.0/18
          - 190.93.240.0/20
          - 188.114.96.0/20
          - 197.234.240.0/22
          - 198.41.128.0/17
          - 162.158.0.0/15
          - 104.16.0.0/13
          - 104.24.0.0/14
          - 172.64.0.0/13
          - 131.0.72.0/22
          - 2400:cb00::/32
          - 2606:4700::/32
          - 2803:f800::/32
          - 2405:b500::/32
          - 2405:8100::/32
          - 2a06:98c0::/29
          - 2c0f:f248::/32
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    secured:
      chain:
        middlewares:
          - default-whitelist
    crowdsec-bouncer:
      forwardAuth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
    # https://github.com/goauthentik/authentik/issues/2366
    authentik:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    my-traefik-get-real-ip:
      plugin:
        traefik-get-real-ip:
          Proxy:
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: cdn1
              realIP: X-Forwarded-For
            - proxyHeadername: X-From-Cdn
              proxyHeadervalue: cdn2
              realIP: Client-Ip
            - overwriteXFF: "true"
              proxyHeadername: X-From-Cdn
              proxyHeadervalue: cdn3
              realIP: Cf-Connecting-Ip
            - proxyHeadername: '*'
              realIP: RemoteAddr

#region routers
  routers:
    authentik:
      entryPoints:
        - "https-external"
      rule: "Host(`authentik.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 10
      service: authentik
    secure-webserver:
      entryPoints:
        - "https-external"
      rule: "Host(`www.domain.tld`)"
      middlewares:
        - https-redirectscheme
      tls: {}
      service: secure-webserver
    blogger:
      entryPoints:
        - "https-external"
      rule: "Host(`blogger.domain.tld`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: blogger
    homeassistant:
      entryPoints:
        - "https-external"
      rule: "Host(`haoss.domain.tld`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: homeassistant
    homeassistant-r:
      entryPoints:
        - "http-external"
      rule: "Host(`remote-ha.domain.tld`)"
      middlewares:
        - https-redirectscheme
        #- authentik
      tls: {}
      service: homeassistant-r
#region services
  services:
# service Proxmox
# service web
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000/outpost.goauthentik.io"
    secure-webserver:
      loadBalancer:
        servers:
          - url: "http://192.168.xxxxxxxx"
        passHostHeader: true
    blogger:
      loadBalancer:
        servers:
          - url: "https://192.168.xxxxxx"
        passHostHeader: true
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168.xxxxx:xxxxx"
        passHostHeader: true
    homeassistant-r:
      loadBalancer:
        servers:
          - url: "http://192.168.2xxxx:xxxx"
        passHostHeader: true
# services servitudes

Traefik.yml file:

global:
  checkNewVersion: true
  sendAnonymousUsage: false
api: 
  dashboard: true
  insecure: false
  #debug: false
## enable healthcheck
ping: {}
##
entryPoints:
  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use it
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list
    http:
      middlewares: 
        - crowdsec-bouncer@file
  http-external:  # changed
    address: ":1181"
    http:
      middlewares:
        - crowdsec-bouncer@file
      redirections:
        entryPoint:
          to: https-external
          scheme: https
  https-external:
    address: ":11444"
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      middlewares:
        - crowdsec-bouncer@file
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    network: my_net
    endpoint: "tcp://t-docker-socket-proxy:2375"
    exposedByDefault: false
  file:
    filename: /dynamic_conf.yml
    watch: true
certificatesResolvers:
  dns-cloudflare:
    acme:
      email: myemail
      storage: ./letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting it to true skips waiting for the TXT record to propagate to all authoritative name servers
      caServer: https://acme-v02.api.letsencrypt.org/directory
experimental:
  plugins:
    traefik-get-real-ip:
      moduleName: "github.com/Paxxs/traefik-get-real-ip"
      version: "v1.0.3"
    #crowdsec-bouncer-traefik-plugin:
      #moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      #version: "v1.4.1"
log:
  level: "INFO"
  filePath: "/var/log/crowdsec/traefik.log"
accessLog:
  filePath: "/var/log/crowdsec/access.log"
  bufferingSize: 50  # belongs under accessLog; at top level Traefik does not recognise it

Immich traefik config:

labels:
  - "traefik.enable=true"
  # increase readingTimeouts for the entrypoint used here
  - "traefik.http.routers.immich.entrypoints=https-external"
  - "traefik.http.routers.immich.rule=Host(`immich.domain.tld`)"
  - "traefik.http.services.immich.loadbalancer.server.port=8080"
  - "traefik.http.routers.immich.tls=true"
  - "traefik.http.routers.immich.tls.certresolver=dns-cloudflare"
  - "traefik.http.routers.immich.middlewares=authentik@file"
  - "traefik.http.routers.immich.service=immich"
  - "traefik.docker.network=my_net"
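The ipWhiteList middleware and forwardedHeaders.trustedIPs in the config above both depend on which address Traefik treats as the client. The following is an added Python example, not code from the thread or from Traefik: it checks the "remote" addresses logged by Authentik against the Cloudflare ranges from the config (showing they are CDN edge addresses, so the whitelist is not seeing the real visitor), and implements the usual rule for recovering the client address from X-Forwarded-For only when the peer is a trusted proxy. The sample log lines are constructed; the third address is made up.

```python
import ipaddress
import json

# Constructed sample: the "remote" values from Authentik's log lines in the thread,
# plus one made-up LAN address for contrast.
SAMPLE_LOG_LINES = [
    '{"event": "/outpost.goauthentik.io/auth/traefik", "remote": "172.70.248.49", "status": 404}',
    '{"event": "/outpost.goauthentik.io/auth/traefik", "remote": "172.68.194.139", "status": 404}',
    '{"event": "/outpost.goauthentik.io/auth/traefik", "remote": "192.168.1.20", "status": 404}',
]

# The ranges listed in the ipWhiteList and forwardedHeaders.trustedIPs sections above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22", "2400:cb00::/32",
    "2606:4700::/32", "2803:f800::/32", "2405:b500::/32", "2405:8100::/32",
    "2a06:98c0::/29", "2c0f:f248::/32",
)]

def is_trusted_proxy(addr, trusted=CLOUDFLARE_RANGES):
    """True when addr belongs to one of the trusted proxy (CDN edge) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)

def effective_client_ip(remote_addr, x_forwarded_for, trusted=CLOUDFLARE_RANGES):
    """Address an allow-list should be evaluated against.

    Walk back from the TCP peer through X-Forwarded-For and stop at the first
    hop that is not a trusted proxy; the header is ignored when the peer itself
    is untrusted, since anyone can send it. This shows the principle behind
    forwardedHeaders.trustedIPs and is not Traefik's own implementation.
    """
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            return hop
    return remote_addr  # every hop was a proxy; fall back to the peer

def classify_remotes(log_lines):
    """Map each logged "remote" to "cdn-edge" or "direct"."""
    result = {}
    for line in log_lines:
        remote = json.loads(line)["remote"]
        result[remote] = "cdn-edge" if is_trusted_proxy(remote) else "direct"
    return result
```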

What is not working? What does "fails to operate correctly" mean?

Is there an error message? Are some pages (partially) loading?

Check browser developer tools network tab. Page load errors? CORS errors?

What is not working? What does "fails to operate correctly" mean?

-> The Immich page is not loading; instead I get an Authentik "not found" page.

From the developer tools of my web browser:

Request URL: https://immich.domain.tld/
Request Method: GET
Status Code: 404 Not Found
Remote Address: 172.67.141.133:443
Referrer Policy: same-origin

Response Headers (raw):

alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 925xxxxxxxx85-FRA
connection: keep-alive
content-encoding: zstd
content-type: text/html; charset=utf-8
date: Mon, 24 Mar 2025 14:40:06 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
referrer-policy: same-origin
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9DWGzRuW0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxPSqPRwnM3LX95tOTtVSqZ%2FE%2Ba9zezIjYLcvzs2njJnZmUhwp3kegdXr6kWxmtWMlR9wixnc%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=98829&min_rtt=47141&rtt_var=33933&sent=98&recv=61&lost=0&retrans=1&sent_bytes=64991&recv_bytes=21728&delivery_rate=165065&cwnd=256&unsent_bytes=0&cid=8a7f51da4136443a&ts=516715&x=0"
transfer-encoding: chunked
vary: Accept-Encoding
vary: Cookie
x-authentik-id: 3b6xxxxxxxxxxxxxxxxxxxxfda6c821c80
x-content-type-options: nosniff
x-frame-options: DENY
x-powered-by: authentik

Request Headers (raw):

GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: fr-FR,fr;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie: immich_access_token=k26gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFrzy5xywfuM; immich_auth_type=password; immich_is_authenticated=true
DNT: 1
Host: immich.domain.tld
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Sec-GPC: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Brave";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

And now let's trace it to the Traefik access log in JSON format. What are the values of OriginStatus and DownstreamStatus?

{"ClientAddr":"172.71.172.69:30278","ClientHost":"172.71.172.69","ClientPort":"30278","ClientUsername":"-","DownstreamContentSize":1204,"DownstreamStatus":404,"Duration":306970574,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":306970574,"RequestAddr":"immich.domain.tld","RequestContentSize":0,"RequestCount":146,"RequestHost":"immich.domain.tld","RequestMethod":"GET","RequestPath":"/static/dist/poly-2025.2.2.js","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"immich@docker","SpanId":"0000000000000000","StartLocal":"2025-03-24T17:14:44.641922695+02:00","StartUTC":"2025-03-24T15:14:44.641922695Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"https-external","level":"info","msg":"","time":"2025-03-24T17:14:44+02:00"}

No OriginStatus, so the error status comes from Traefik itself, it seems it doesn’t find any matching router rule.

Do you use Host(`immich.domain.tld`) with backticks?
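An added Python example, not code from the thread or from Traefik, that puts the question above into a small triage over JSON access-log lines: it uses OriginStatus, DownstreamStatus and RouterName to separate a router miss from a response that a middleware (such as forwardAuth) returned before the service was called. The first sample line is trimmed from the access-log entry posted above; the other two are constructed to show the contrasting cases.

```python
import json

# Constructed sample: the first entry is trimmed from the access-log line in the
# thread; the other two are made up to show the contrasting cases.
ACCESS_LOG_LINES = [
    '{"ClientAddr":"172.71.172.69:30278","DownstreamStatus":404,"OriginStatus":0,'
    '"RequestHost":"immich.domain.tld","RequestPath":"/static/dist/poly-2025.2.2.js",'
    '"RouterName":"immich@docker","entryPointName":"https-external"}',
    '{"ClientAddr":"172.71.172.69:30279","DownstreamStatus":200,"OriginStatus":200,'
    '"RequestHost":"immich.domain.tld","RequestPath":"/api/server/ping",'
    '"RouterName":"immich@docker","entryPointName":"https-external"}',
    '{"ClientAddr":"198.51.100.4:4410","DownstreamStatus":404,"OriginStatus":0,'
    '"RequestHost":"unknown.domain.tld","RequestPath":"/",'
    '"RouterName":"","entryPointName":"https-external"}',
]

def triage(entry):
    """Say where the response status came from.

    OriginStatus is the status returned by the backend service and stays 0
    when the service was never called; DownstreamStatus is what Traefik sent
    to the client. RouterName tells whether a rule matched at all.
    """
    origin = entry.get("OriginStatus", 0)
    downstream = entry.get("DownstreamStatus", 0)
    if origin == 0 and not entry.get("RouterName"):
        return "no-router-match"  # Traefik's own 404: no rule matched
    if origin == 0:
        # A router matched but the service was never reached: a middleware
        # (forwardAuth, ipWhiteList, redirect, ...) produced the response.
        return "short-circuited-by-middleware"
    if origin != downstream:
        return "rewritten-by-traefik"  # service answered, status changed on the way out
    return "served-by-origin"

def triage_log(lines):
    """Return (router, path, verdict) for each JSON access-log line."""
    rows = []
    for line in lines:
        entry = json.loads(line)
        rows.append((entry.get("RouterName") or "-", entry["RequestPath"], triage(entry)))
    return rows

def summarize(lines):
    """Count verdicts, handy for spotting a router that is always short-circuited."""
    counts = {}
    for _, _, verdict in triage_log(lines):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Run it over the real access log with one JSON object per line; a router whose requests all end as short-circuited-by-middleware with a 4xx DownstreamStatus points at the middleware chain rather than at the rule or the service.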

Yes, I use it with backticks. It looks like the text was not formatted correctly?

Did you have the time to have a look at these Traefik dashboard screenshots concerning Immich?

Did you check the Authentik Traefik doc?

Did you see something wrong with my config?

No, but I haven’t used ForwardAuth yet.

Ok, thx anyway for your help. I have spent enough time on this pb. I give up.

You can try reddit.com/r/Traefik.

Are there special rules to be able to publish there? I did it three times but it has been removed by the moderation...

Not that I am aware of, it seems all kinds of people ask beginner and advanced questions there.

It seems that I cannot post there...