I have authentic application hosted on docker container with endpoints accessible using traefik docker labels.
I have the forward auth middleware configured which routes the traffic to authentik container before forwarding the request to a service.
I am able to access the application via their URL endpoint, but I am getting authorisation errors for few applications such as Portainer, Nginx Proxy Manager, and Wizarr when I try to login. I am not getting any authorisation errors when I remove the authentik middleware.
Below is my Traefik docker-compose file contents
services:
traffic:
image: traefik:v3.0
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
web:
aliases: # This will create host entries for the IP of the Traefik container in the traefik network
- auth.example.com
ports:
- "80:80"
- "443:443"
- "42112:42112"
- "5432:5432"
env_file:
- ./.env
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/traefik.yml:/traefik.yml:ro
- ./data:/data
- ./data/routes.yml:/routes.yml
- ./logs/:/logs/
command:
- "--accesslog=true"
- "--accesslog.filePath=/logs/access.log"
- '--api=true'
- '--api.dashboard=true'
- '--api.insecure=false'
- '--global.sendAnonymousUsage=false'
- '--global.checkNewVersion=true'
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`s1.example.com`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=test:hash"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`s1.example.com`)"
- "traefik.http.routers.traefik-secure.middlewares=authelia@docker"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=https"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
web:
external: true
Below are the middleware that I have configured:
http:
middleware:
secured-authentik:
chain:
middlewares:
- cors
- ratelimit
- authentik # Everything works fine when this middleware is removes
authentik:
forwardauth:
address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
- authorization
- Authorization
- X-Forwarded-User
cors:
headers:
accessControlAllowMethods: "*"
accessControlAllowHeaders:
- "*"
- "content-type"
- "Authorization"
accessControlAllowOriginListRegex:
- https://(([\w]+.)?(test1.)?s1.|([\w]+.)?test2.|auth.)?example\.com(.*)
accessControlMaxAge: 100
addVaryHeader: true
accessControlAllowCredentials: true
browserXssFilter: true
frameDeny: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsSeconds: 15552000
stsPreload: true
customFrameOptionsValue: SAMEORIGIN
customRequestHeaders:
X-Forwarded-Proto: https
sslProxyHeaders:
X-Forwarded-Proto: "https"
customResponseHeaders:
X-Forwarded-Proto: "https"
referrerPolicy: "same-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
contentTypeNosniff: true
secured-no-authelia:
chain:
middlewares:
- cors
- ratelimit
ratelimit:
rateLimit:
average: 680
period: 1m
burst: 480
Below is my Authentik docker-compose file:
version: "3.4"
services:
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:latest
container_name: authentik_server
restart: unless-stopped
command: server
networks:
- web
environment:
AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_LOG_LEVEL: warning
volumes:
- ./media:/media
- ./custom-templates:/templates
env_file:
- .env
ports:
- "0.0.0.0:${COMPOSE_PORT_HTTP:-9000}:9000"
- "0.0.0.0:${COMPOSE_PORT_HTTPS:-9443}:9443"
labels:
- "traefik.enable=true"
- "traefik.port=9000"
- "traefik.http.routers.authentik-unsecure.entrypoints=http"
- "traefik.http.routers.authentik-unsecure.rule=Host(`auth.example.com`) || Host(`authentik.s1.example.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`) || HostRegexp(`{subdomain:[a-z0-9]+}.{subdomain:[a-z0-9]+}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`) || HostRegexp(`{subdomain:[a-z0-9]+}.{subdomain:[a-z0-9]+}.{subdomain:[a-z0-9]+}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
- "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.authentik-unsecure.middlewares=authentik-https-redirect"
- 'traefik.http.routers.authentik.rule=Host(`auth.example.com`) || Host(`authentik.s1.example.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`) || HostRegexp(`{subdomain:[a-z0-9]+}.{subdomain:[a-z0-9]+}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`) || HostRegexp(`{subdomain:[a-z0-9]+}.{subdomain:[a-z0-9]+}.{subdomain:[a-z0-9]+}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)'
- 'traefik.http.routers.authentik.entrypoints=https'
- 'traefik.http.routers.authentik.tls=true'
- 'traefik.http.routers.authentik.tls.certresolver=http'
- 'traefik.docker.network=web'
- "traefik.http.routers.authentik.middlewares=secured-no-authelia@file"
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:latest
container_name: authentik_worker
restart: unless-stopped
command: worker
networks:
- web
environment:
AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_LOG_LEVEL: warning
AUTHENTIK_INSECURE: ${AUTHENTIK_INSECURE}
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
env_file:
- .env
networks:
web:
external: true
The routes are configured to be accessed by a wildcard sub-host address via Proxy Provider on Authentik with Domain level Forward Auth type and the Intercept header authentication option is disabled.
On Nginx Proxy manager, I am getting the 500 status code on UI for /api/tokens endpoint (the landing page loads fine) with the following log on container
[4/19/2024] [11:12:30 PM] [Express ] ›
warning Existing token contained invalid user data
Traefik Log
{
"ClientAddr": "",
"ClientHost": "",
"ClientPort": "",
"DownstreamContentSize": 0,
"DownstreamStatus": 500,
"Duration": 1103483,
"OriginContentSize": 0,
"OriginDuration": 0,
"OriginStatus": 0,
"Overhead": 1103483,
"RequestAddr": "nginx.example.com",
"RequestContentSize": 0,
"RequestCount": 192,
"RequestHost": "nginx.example.com",
"RequestMethod": "POST",
"RequestPath": "/api/tokens",
"RequestPort": "-",
"RequestProtocol": "HTTP/2.0",
"RequestScheme": "https",
"RetryAttempts": 0,
"RouterName": "nginx-secure@file",
"StartLocal": "2024-04-20T01:39:33.597487046Z",
"StartUTC": "2024-04-20T01:39:33.597487046Z",
"TLSCipher": "TLS_AES_128_GCM_SHA256",
"TLSVersion": "1.3",
"downstream_Access-Control-Allow-Credentials": "true",
"downstream_Access-Control-Allow-Origin": "https://nginx.example.com",
"downstream_Content-Type": "",
"downstream_Referrer-Policy": "same-origin",
"downstream_Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload",
"downstream_Vary": "Origin",
"downstream_X-Content-Type-Options": "nosniff",
"downstream_X-Forwarded-Proto": "https",
"downstream_X-Frame-Options": "SAMEORIGIN",
"downstream_X-Xss-Protection": "1; mode=block",
"entryPointName": "https",
"level": "info",
"msg": "",
"request_Accept": "application/json, text/javascript, */*; q=0.01",
"request_Accept-Encoding": "gzip, deflate, br, zstd",
"request_Accept-Language": "en-GB,en;q=0.8",
"request_Content-Length": "70",
"request_Content-Type": "application/json; charset=UTF-8",
"request_Cookie": "",
"request_Dnt": "1",
"request_Origin": "https://nginx.example.com",
"request_Referer": "https://nginx.example.com/login",
"request_Sec-Ch-Ua": "\"Brave\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\"",
"request_Sec-Ch-Ua-Mobile": "?0",
"request_Sec-Ch-Ua-Platform": "\"macOS\"",
"request_Sec-Fetch-Dest": "empty",
"request_Sec-Fetch-Mode": "cors",
"request_Sec-Fetch-Site": "same-origin",
"request_Sec-Gpc": "1",
"request_User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
"request_X-Forwarded-Host": "nginx.example.com",
"request_X-Forwarded-Port": "443",
"request_X-Forwarded-Proto": "https",
"request_X-Forwarded-Server": "",
"request_X-Real-Ip": "",
"time": "2024-04-20T01:39:33Z"
}
On Portainer, I am getting the below error:
For Wizarr, I am getting the following error:
Traefik Log:
{"ClientAddr":"","ClientHost":"","ClientPort":"","ClientUsername":"-","DownstreamContentSize":385,"DownstreamStatus":500,"Duration":56112667,"OriginContentSize":385,"OriginDuration":54637065,"OriginStatus":500,"Overhead":1475602,"RequestAddr":"wizarr.example.com","RequestContentSize":0,"RequestCount":1525,"RequestHost":"wizarr.example.com","RequestMethod":"GET","RequestPath":"/api/settings","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"","ServiceAddr":"","ServiceName":"","ServiceURL":"","StartLocal":"2024-04-19T23:10:36.559993493Z","StartUTC":"2024-04-19T23:10:36.559993493Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-04-19T23:10:36Z"}
I am able to access the landing page on all these cases. It is just that the authentication part of the application does not work 