Hello,
I am seeking insights from anyone who has experience with this particular combination. I am encountering an issue where Immich functions seamlessly with Traefik, but it fails to operate correctly when using Authentik (OAuth2).
And I'm not yet able to determine the origin of the problem. I did ask on the UAhtentik Discord channel, but they aren't very active.
Thx
Thank you for your assistance.
Come one, you posted here before, you know the drill 
Explain what "fails to operate correctly" mean, share an error message.
Share your full Traefik static and dynamic config, and Docker compose file(s) if used.
Enable and check Traefik debug log and Traefik access log in JSON format.
Check browser developer tools network tab.
I didn't want to 'pollute' the post too early. 
Ok so let's start.
When checking the logs of my immich container, there is nothing link to the connection, it seems to mean that the request doesn't reach the immich container. There is a "not found" on the Authentik web page.
There no logs for the traefik comtainer.
From my Authentik-server container:
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.70.248.49", "request_id": "d6379c6afc174289a4452bec6f7d2fdb", "runtime": 16, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:54.420717", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.68.194.139", "request_id": "bbacb6f87e4c4f2199d352d2046c87a5", "runtime": 27, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:55.123396", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "immich.domain.tld", "event": "/outpost.goauthentik.io/auth/traefik", "host": "immich.domain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102802, "remote": "172.71.172.68", "request_id": "ef532cac6e764f92a16fe0f075e287df", "runtime": 68, "schema_name": "public", "scheme": "https", "status": 404, "timestamp": "2025-03-24T07:59:55.195530", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}
Traefik dynamic file:
http:
middlewares:
default-whitelist:
ipWhiteList:
sourceRange:
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
https-redirectscheme:
redirectScheme:
scheme: https
permanent: true
secured:
chain:
middlewares:
- default-whitelist
crowdsec-bouncer:
forwardauth:
address: http://bouncer-traefik:8080/api/v1/forwardAuth
trustForwardHeader: true
# https://github.com/goauthentik/authentik/issues/2366
authentik:
forwardAuth:
address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
my-traefik-get-real-ip:
plugin:
traefik-get-real-ip:
Proxy:
- proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn1
realIP: X-Forwarded-For
- proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn2
realIP: Client-Ip
- overwriteXFF: "true"
proxyHeadername: X-From-Cdn
proxyHeadervalue: cdn3
realIP: Cf-Connecting-Ip
- proxyHeadername: '*'
realIP: RemoteAddr
#region routers
routers:
authentik:
entryPoints:
- "https-external"
rule: "Host(`authentik.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 10
service: authentik
secure-webserver:
entryPoints:
- "https-external"
rule: "Host(`www.domain.tld`)"
middlewares:
- https-redirectscheme
tls: {}
service: secure-webserver
blogger:
entryPoints:
- "https-external"
rule: "Host(`blogger.domain.tld`)"
middlewares:
- https-redirectscheme
#- authentik
tls: {}
service: blogger
homeassistant:
entryPoints:
- "https-external"
rule: "Host(`haoss.domain.tld`)"
middlewares:
- https-redirectscheme
#- authentik
tls: {}
service: homeassistant
homeassistant-r:
entryPoints:
- "http-external"
rule: "Host(`remote-ha.domain.tld`)"
middlewares:
- https-redirectscheme
#- authentik
tls: {}
service: homeassistant-r
#region services
services:
# service Proxmox
# service web
authentik:
loadBalancer:
servers:
- url: "http://authentik-server:9000/outpost.goauthentik.io"
secure-webserver:
loadBalancer:
servers:
- url: "http://192.168.xxxxxxxx"
passHostHeader: true
blogger:
loadBalancer:
servers:
- url: "https://192.168.xxxxxx"
passHostHeader: true
homeassistant:
loadBalancer:
servers:
- url: "http://192.168.xxxxx:xxxxx"
passHostHeader: true
homeassistant-r:
loadBalancer:
servers:
- url: "http://192.168.2xxxx:xxxx"
passHostHeader: true
# services servitudes
Traefik.yml file:
global:
checkNewVersion: true
sendAnonymousUsage: false
api:
dashboard: true
insecure: false
#debug: false
## enable healthcheck
ping: {}
##
entryPoints:
http:
address: ":80"
forwardedHeaders:
trustedIPs:
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
forwardedHeaders:
trustedIPs:
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/13
- 104.24.0.0/14
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
middlewares:
- crowdsec-bouncer@file
http-external: # changement
address: ":1181"
http:
middlewares:
- crowdsec-bouncer@file
redirections:
entrypoint:
to: https-external
scheme: https
https-external:
address: ":11444"
transport:
respondingTimeouts:
readTimeout: 600s
idleTimeout: 600s
writeTimeout: 600s
http:
middlewares:
- crowdsec-bouncer@file
serversTransport:
insecureSkipVerify: true
providers:
docker:
network: my_net
endpoint: "tcp://t-docker-socket-proxy:2375"
exposedByDefault: false
file:
filename: /dynamic_conf.yml
watch: true
certificatesResolvers:
dns-cloudflare:
acme:
email: myemail
storage: ./letsencrypt/acme.json
dnsChallenge:
provider: cloudflare
caServer: https://acme-v02.api.letsencrypt.org/directory
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
experimental:
plugins:
traefik-get-real-ip:
moduleName: "github.com/Paxxs/traefik-get-real-ip"
version: "v1.0.3"
#crowdsec-bouncer-traefik-plugin:
#moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
#version: "v1.4.1"
log:
level: "INFO"
filePath: "/var/log/crowdsec/traefik.log"
accessLog:
filePath: "/var/log/crowdsec/access.log"
bufferingSize: 50
Immich traefik config:
labels:
- "traefik.enable=true"
# increase readingTimeouts for the entrypoint used here
- "traefik.http.routers.immich.entrypoints=https-external"
- "traefik.http.routers.immich.rule=Host(immich.domain.tld)"
- "traefik.http.services.immich.loadbalancer.server.port=8080"
- "traefik.http.routers.immich.tls=true"
- "traefik.http.routers.immich.tls.certresolver=dns-cloudflare"
- "traefik.http.routers.immich.middlewares=authentik@file"
- "traefik.http.routers.immich.service=immich"
- "traefik.docker.network=my_net"
What is not working? What does "fails to operate correctly" mean?
Is there an error message? Are some pages (partially) loading?
Check browser developer tools network tab. Page load errors? CORS errors?
What is not working? What does "fails to operate correctly" mean?
-> the immich page is not loading, I have instead an authentik page "not found"
from the developper tool of my web browser:
Request URL:
https://immich.domain.tld/
Request Method:
GET
Status Code:
404 Not Found
Remote Address:
172.67.141.133:443
Referrer Policy:
same-origin
Response Headers
Raw
alt-svc:
h3=":443"; ma=86400
cf-cache-status:
DYNAMIC
cf-ray:
925xxxxxxxx85-FRA
connection:
keep-alive
content-encoding:
zstd
content-type:
text/html; charset=utf-8
date:
Mon, 24 Mar 2025 14:40:06 GMT
nel:
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
referrer-policy:
same-origin
report-to:
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9DWGzRuW0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxPSqPRwnM3LX95tOTtVSqZ%2FE%2Ba9zezIjYLcvzs2njJnZmUhwp3kegdXr6kWxmtWMlR9wixnc%3D"}],"group":"cf-nel","max_age":604800}
server:
cloudflare
server-timing:
cfL4;desc="?proto=TCP&rtt=98829&min_rtt=47141&rtt_var=33933&sent=98&recv=61&lost=0&retrans=1&sent_bytes=64991&recv_bytes=21728&delivery_rate=165065&cwnd=256&unsent_bytes=0&cid=8a7f51da4136443a&ts=516715&x=0"
transfer-encoding:
chunked
vary:
Accept-Encoding
vary:
Cookie
x-authentik-id:
3b6xxxxxxxxxxxxxxxxxxxxfda6c821c80
x-content-type-options:
nosniff
x-frame-options:
DENY
x-powered-by:
authentik
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: fr-FR,fr;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie: immich_access_token=k26gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFrzy5xywfuM; immich_auth_type=password; immich_is_authenticated=true
DNT: 1
Host: immich.domain.tld
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Sec-GPC: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Brave";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
And now let’s trace it to Traefik
access log in JSON format. What are values of OriginStatus and DownstreamStatus?
{"ClientAddr":"172.71.172.69:30278","ClientHost":"172.71.172.69","ClientPort":"30278","ClientUsername":"-","DownstreamContentSize":1204,"DownstreamStatus":404,"Duration":306970574,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":306970574,"RequestAddr":"immich.domain.tld","RequestContentSize":0,"RequestCount":146,"RequestHost":"immich.domain.tld","RequestMethod":"GET","RequestPath":"/static/dist/poly-2025.2.2.js","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"immich@docker","SpanId":"0000000000000000","StartLocal":"2025-03-24T17:14:44.641922695+02:00","StartUTC":"2025-03-24T15:14:44.641922695Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"https-external","level":"info","msg":"","time":"2025-03-24T17:14:44+02:00"}
No OriginStatus, so the error status comes from Traefik itself, it seems it doesn’t find any matching router rule.
Do you use Host(`immich.domain.tld`) with backticks?
Did you have the time to have a look to these traefik dashboard print screen concerning immish ?
Did you check the Authentik Traefik doc?
did you see something wrong with my config ??
No, but I haven’t used ForwardAuth yet.
Ok thx anyway for your help. I have spend enough time on this pb. I give up.
You can try reddit.com/r/Traefik.
is there special rules to be able to publish there ?? I did it three times but it has been "remove" by the moderation ...
Not that I am aware of, it seems all kinds of people ask beginner and advanced questions there.
it seems that I cannot post there ....
