Configuring Traefik with Authentik (running into gateway timeouts and 404s galore)

Hello! I’m fairly new to homelabbing, setting up a photo server to share with friends and family. The idea was to use Tailscale for friends and family to access the website via VPN, so if others visit the site, it doesn’t show up. Then, they’d hit an Authentik webpage where they’d log in, and then they’d be redirected to a Homepage.

I set up what I thought would be quite simple, but I feel like I’m only digging myself deeper and deeper in, trying to figure out what’s wrong. I have a single docker-compose.yml:

networks:
  library_net:
  proxy_net:

services:

  #
  # AUTHENTIK
  #

  authentik-outpost:
    image: ghcr.io/goauthentik/proxy:latest
    container_name: authentik-outpost
    env_file:
      - /app/environments/authentik.env
    depends_on:
      - authentik-server
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.rule=Host(`name-of-domain.xyz`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.routers.authentik.tls.certresolver=le"
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
    networks:
      - library_net
      - proxy_net
    restart: unless-stopped


  authentik-postgres:
    image: postgres:16-alpine
    container_name: authentik-postgres
    env_file:
      - /app/environments/authentik.env
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      interval: 30s
      retries: 5
      start_period: 20s
      timeout: 5s
    networks:
      - library_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/postgres:/var/lib/postgresql/data


  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    env_file:
      - /app/environments/authentik.env
    networks:
      - library_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/redis:/data


  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    command: server
    depends_on:
      - authentik-postgres
      - authentik-redis
    env_file:
      - /app/environments/authentik.env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`auth.name-of-domain.xyz`)"
      - "traefik.http.routers.auth.entrypoints=websecure"
      - "traefik.http.routers.auth.tls=true"
      - "traefik.http.routers.auth.tls.certresolver=le"
      - "traefik.http.services.auth.loadbalancer.server.port=9000"
    networks:
      - library_net
      - proxy_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/media:/media
      - /app/services/authentik/templates:/templates


  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    command: worker
    depends_on:
      - authentik-postgres
      - authentik-redis
      - authentik-server
    env_file:
      - /app/environments/authentik.env
    networks:
      - library_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/media:/media
      - /app/services/authentik/templates:/templates


  #
  # HOMEPAGE
  #


  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    env_file:
      - /app/environments/homepage.env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.home.entrypoints=websecure"
      - "traefik.http.routers.home.middlewares=authentik-forward"
      - "traefik.http.routers.home.rule=Host(`home.name-of-domain.xyz`)"
      - "traefik.http.routers.home.tls=true"
      - "traefik.http.routers.home.tls.certresolver=le"
      - "traefik.http.services.home.loadbalancer.server.port=3000"
    networks:
      - library_net
      - proxy_net
    restart: unless-stopped
    volumes:
      - /app/services/homepage/config:/app/config
      - /app/services/homepage/icons:/app/public/icons


  #
  # TAILSCALE
  #


  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    env_file:
      - /app/environments/tailscale.env
    network_mode: service:traefik
    restart: unless-stopped
    volumes:
      - /app/services/tailscale:/var/run/tailscale
      - /app/services/tailscale/state:/var/lib/tailscale
      - /app/services/tailscale/run:/var/run/tailscale
      - /dev/net/tun:/dev/net/tun


  #
  # TRAEFIK
  #


  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    command:
      - "--accesslog=true"
      - "--api.dashboard=true"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=namecheap"
      - "--certificatesresolvers.le.acme.email=email@gmail.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.asDefault=true"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=le"
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=proxy_net"
      - "--serversTransport.forwardingTimeouts.dialTimeout=60s"
      - "--serversTransport.forwardingTimeouts.idleConnTimeout=300s"
      - "--serversTransport.forwardingTimeouts.responseHeaderTimeout=300s"
      - "--serversTransport.insecureSkipVerify=true"
    env_file:
      - /app/environments/traefik.env
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.authentik-forward.forwardauth.address=http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik-forward.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik-forward.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-email,X-authentik-name,X-authentik-groups"
    networks:
      - proxy_net
    restart: unless-stopped
    volumes:
      - /app/services/tailscale/run:/var/run/tailscale
      - /app/services/traefik:/etc/traefik
      - /app/services/traefik/letsencrypt:/letsencrypt
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro


  #
  # REDIRECT
  #

  library-redirect:
    image: traefik/whoami
    container_name: library-redirect
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect-home.redirectregex.permanent=true"
      - "traefik.http.middlewares.redirect-home.redirectregex.regex=^https?://name-of-domain.xyz/?$"
      - "traefik.http.middlewares.redirect-home.redirectregex.replacement=https://home.name-of-domain.xyz"
      - "traefik.http.routers.root.entrypoints=websecure"
      - "traefik.http.routers.root.middlewares=redirect-home"
      - "traefik.http.routers.root.rule=Host(`name-of-domain.xyz`) && Path(`/`)"
      - "traefik.http.routers.root.tls=true"
      - "traefik.http.routers.root.tls.certresolver=le"
      - "traefik.http.routers.root.tls.domains[0].main=name-of-domain.xyz"
      - "traefik.http.services.root.loadbalancer.server.port=80"
    networks:
      - proxy_net
    restart: unless-stopped

So when I go to name-of-domain[.]xyz, it does successfully redirect to home.name-of-domain[.]xyz, but it gives a 500 error. If I go to auth.name-of-domain[.]xyz, it redirects to the right flow for Authentik, being auth.name-of-domain[.]xyz/if/flow/default-authentication-flow/?next=%2F, but it ends up in a gateway timeout. Weirdly, if I remove the redirect logic, the whoami and homepage containers seem to work totally fine, so I’m not exactly sure what’s happening. The logs look relatively clean for Traefik too, so I think it’s just a bad definition or something in my compose file… Regardless, any help would be much, much appreciated! Thanks so much!

If you only have a few users, maybe check authelia for auth, should be a lot less services.

For 500 error check the logs. Use Traefik access log in JSON for more details.

Bad gateway usually comes from using multiple Docker networks. Use docker.network on provider or labels to indicate the right one to use.


Thanks so much for the help! I think you might be right on the network causing the issue; here are the Traefik logs:

2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/authentik-server". Maybe you're missing the project's prefix in the label? container=authentik-server-app-xxxproviderName=docker serviceName=auth
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_library_net" "xxx.xx.x.x" '\x00' "" "xxx"}) for container "/authentik-server". container=authentik-server-app-xxxproviderName=docker serviceName=auth
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/x". Maybe you're missing the project's prefix in the label? container=x-app-xxxproviderName=docker serviceName=x
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_library_net" "xxx.xx.x.x" '\x00' "" "xxx"}) for container "/x". container=x-app-xxxproviderName=docker serviceName=x
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/traefik". Maybe you're missing the project's prefix in the label? container=traefik-app-xxxproviderName=docker serviceName=traefik-app
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_proxy_net" "172.19.0.2" '\x00' "" "xxx"}) for container "/traefik". container=traefik-app-xxxproviderName=docker serviceName=traefik-app
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/homepage". Maybe you're missing the project's prefix in the label? container=homepage-app-xxxproviderName=docker serviceName=home
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_library_net" "xxx.xx.x.x" '\x00' "" "xxx"}) for container "/homepage". container=homepage-app-xxxproviderName=docker serviceName=home
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/library-redirect". Maybe you're missing the project's prefix in the label? container=library-redirect-app-xxxproviderName=docker serviceName=root
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_proxy_net" "xxx.xx.x.x" '\x00' "" "xxx"}) for container "/library-redirect". container=library-redirect-app-xxxproviderName=docker serviceName=root

I did try quickly switching providers.docker.network=proxy_net to providers.docker.network=app_proxy_net, and it may have cleared the logs a bit because now I see this clearly:

2026-02-15T08:52:36-05:00 ERR Error calling http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik error="Get \"http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik\": dial tcp: lookup authentik-outpost on xxx.x.x.xx:53: no such host" middlewareName=authentik-forward@docker middlewareType=ForwardAuth
xxx.x.x.x - - [15/Feb/2026:13:52:36 +0000] "GET / HTTP/2.0" 500 0 "-" "-" 4 "home@docker" "-" 33ms

Honestly I did try Authelia/Caddy at first and could never get it to work! I thought the fact that there was quite a bit of Authentik/Traefik documentation would make it easier… Turns out I still have a lot to learn!

EDIT 1: Oh my gosh! The Authentik page is now coming up okay! Adding the “app” prefix worked for that! The home.name-of-domain[.]xyz is still coming up 500 but this is the first progress I’ve had in days!!

If you don’t provide a dedicated name for services and networks, then compose will prefix them with the project name.

For 500 error status check the Traefik access log in JSON format (doc) and the target container logs.
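The network-name mismatch described above can be read straight out of the Traefik warnings. The following is an added example, not code from any participant in this thread: it pairs the "Could not find network" and "Defaulting to first available network" warnings and lists the containers Traefik would dial on a network it is not attached to. The sample log is constructed from the lines quoted above (addresses and suffixes are placeholders), and it assumes the proxy container is named `traefik` and is attached to a single network.

```python
import re

# Constructed sample modelled on the warnings quoted in the thread; the
# container suffixes and IP addresses are placeholders, not real values.
SAMPLE_LOG = r"""
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/authentik-server". Maybe you're missing the project's prefix in the label? container=authentik-server-app-xxx providerName=docker serviceName=auth
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_library_net" "172.18.0.5" '\x00' "" "xxx"}) for container "/authentik-server". container=authentik-server-app-xxx providerName=docker serviceName=auth
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/traefik". Maybe you're missing the project's prefix in the label? container=traefik-app-xxx providerName=docker serviceName=traefik-app
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_proxy_net" "172.19.0.2" '\x00' "" "xxx"}) for container "/traefik". container=traefik-app-xxx providerName=docker serviceName=traefik-app
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/homepage". Maybe you're missing the project's prefix in the label? container=homepage-app-xxx providerName=docker serviceName=home
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_library_net" "172.18.0.7" '\x00' "" "xxx"}) for container "/homepage". container=homepage-app-xxx providerName=docker serviceName=home
2026-02-15T08:42:45-05:00 WRN Could not find network named "proxy_net" for container "/library-redirect". Maybe you're missing the project's prefix in the label? container=library-redirect-app-xxx providerName=docker serviceName=root
2026-02-15T08:42:45-05:00 WRN Defaulting to first available network (&{"app_proxy_net" "172.19.0.4" '\x00' "" "xxx"}) for container "/library-redirect". container=library-redirect-app-xxx providerName=docker serviceName=root
"""

MISSING = re.compile(r'Could not find network named "([^"]+)" for container "/([^"]+)"')
FALLBACK = re.compile(
    r'Defaulting to first available network \(&\{"([^"]+)"[^)]*\) for container "/([^"]+)"'
)


def diagnose(log_text, proxy_container="traefik"):
    """Summarise which containers Traefik will try to reach on the wrong network.

    Assumption: the proxy container is attached to exactly one network, so the
    network it falls back to is the one it can actually route on.
    """
    configured = set()   # names passed via providers.docker.network / labels
    fallback = {}        # container name -> network Traefik fell back to
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if m:
            configured.add(m.group(1))
            continue
        m = FALLBACK.search(line)
        if m:
            fallback[m.group(2)] = m.group(1)

    proxy_network = fallback.get(proxy_container)
    # A backend resolved on any other network gets an IP the proxy cannot dial,
    # which surfaces to the client as a gateway timeout.
    unreachable = sorted(
        name for name, net in fallback.items()
        if proxy_network and net != proxy_network
    )
    # Compose prefixes unnamed networks with "<project>_", so the real name is
    # a fallback network that ends with "_<configured name>".
    candidates = sorted(
        {net for net in fallback.values() for want in configured
         if net.endswith("_" + want)}
    )
    return {
        "configured": sorted(configured),
        "proxy_network": proxy_network,
        "unreachable": unreachable,
        "candidates": candidates,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("configured name(s):  ", report["configured"])
    print("proxy is attached to:", report["proxy_network"])
    print("dialled on wrong net:", report["unreachable"])
    print("use this name instead:", report["candidates"])
```
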

Okay, I think I’m making some progress (sorry and thank you so much for your help!). Essentially now I’m getting all 404 errors. I tried to really peel everything back to the base level example Authentik gives for the config (Traefik | authentik):

networks:
  library_net:
  proxy_net:

services:

  #
  # AUTHENTIK
  #

  authentik-outpost:
    image: ghcr.io/goauthentik/proxy:latest
    container_name: authentik-outpost
    ports:
      - "9000:9000"
      - "9443:9443"
    env_file:
      - /app/environments/authentik.env
    depends_on:
      - authentik-server
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.rule=Host(`auth.example-domain.xyz`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.routers.authentik.tls.certresolver=le"
    networks:
      - library_net
      - proxy_net
    restart: unless-stopped

  authentik-postgres:
    image: postgres:16-alpine
    container_name: authentik-postgres
    env_file:
      - /app/environments/authentik.env
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      interval: 30s
      retries: 5
      start_period: 20s
      timeout: 5s
    networks:
      - library_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/postgres:/var/lib/postgresql/data

  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    env_file:
      - /app/environments/authentik.env
    networks:
      - library_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/redis:/data

  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    command: server
    depends_on:
      - authentik-postgres
      - authentik-redis
    env_file:
      - /app/environments/authentik.env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.rule=Host(`auth.example-domain.xyz`)"
      - "traefik.http.routers.auth.entrypoints=websecure"
      - "traefik.http.routers.auth.tls=true"
      - "traefik.http.routers.auth.tls.certresolver=le"
      - "traefik.http.services.auth.loadbalancer.server.port=9000"
    networks:
      - library_net
      - proxy_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/media:/media
      - /app/services/authentik/templates:/templates

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    command: worker
    depends_on:
      - authentik-postgres
      - authentik-redis
      - authentik-server
    env_file:
      - /app/environments/authentik.env
    networks:
      - library_net
    restart: unless-stopped
    volumes:
      - /app/services/authentik/media:/media
      - /app/services/authentik/templates:/templates

  #
  # HOMEPAGE
  #

  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    env_file:
      - /app/environments/homepage.env
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.home.entrypoints=websecure"
      - "traefik.http.routers.home.middlewares=authentik@docker"
      - "traefik.http.routers.home.rule=Host(`home.example-domain.xyz`)"
      - "traefik.http.routers.home.tls=true"
      - "traefik.http.routers.home.tls.certresolver=le"
      - "traefik.http.services.home.loadbalancer.server.port=3000"
    networks:
      - library_net
      - proxy_net
    restart: unless-stopped
    volumes:
      - /app/services/homepage/config:/app/config
      - /app/services/homepage/icons:/app/public/icons

  #
  # TAILSCALE
  #

  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    env_file:
      - /app/environments/tailscale.env
    network_mode: service:traefik
    restart: unless-stopped
    volumes:
      - /app/services/tailscale:/var/run/tailscale
      - /app/services/tailscale/state:/var/lib/tailscale
      - /app/services/tailscale/run:/var/run/tailscale
      - /dev/net/tun:/dev/net/tun

  #
  # TRAEFIK
  #

  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    command:
      - "--accesslog=true"
      - "--api.dashboard=true"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=namecheap"
      - "--certificatesresolvers.le.acme.email=myemail@email.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.asDefault=true"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certresolver=le"
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=app_proxy_net"
      - "--serversTransport.forwardingTimeouts.dialTimeout=60s"
      - "--serversTransport.forwardingTimeouts.idleConnTimeout=300s"
      - "--serversTransport.forwardingTimeouts.responseHeaderTimeout=300s"
      - "--serversTransport.insecureSkipVerify=true"
    env_file:
      - /app/environments/traefik.env
    labels:
      - "traefik.enable=true"
    networks:
      - proxy_net
    restart: unless-stopped
    volumes:
      - /app/services/tailscale/run:/var/run/tailscale
      - /app/services/traefik:/etc/traefik
      - /app/services/traefik/letsencrypt:/letsencrypt
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro


  #
  # REDIRECT
  #

  library-redirect:
    image: traefik/whoami
    container_name: library-redirect
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.root.rule=Host(`example-domain.xyz`) && Path(`/`)"
      - "traefik.http.routers.root.tls=true"
      - "traefik.http.routers.root.tls.certresolver=le"
      - "traefik.http.routers.root.tls.domains[0].main=example-domain.xyz"
      - "traefik.http.services.root.loadbalancer.server.port=80"
    networks:
      - proxy_net
    restart: unless-stopped

So auth.example-domain[.]xyz resolves perfectly and Authentik works. But example-domain[.]xyz and home.example-domain[.]xyz don’t (with the middleware– the second I remove it, they’re both fine, meaning that it has to be the middleware that isn’t working). I think the issue may be that the redirect is working, but that the authentik-outpost is not resolving. Sure enough, I try to ping /outpost.goauthentik.io/ and the outpost container is constantly restarting with:

env AUTHENTIK_TOKEN not set!
authentik proxy

Required environment variables:
- AUTHENTIK_HOST: URL to connect to (format "http://authentik.company")
- AUTHENTIK_TOKEN: Token to authenticate with
- AUTHENTIK_INSECURE: Skip SSL Certificate verification

Optionally, you can set these:
- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST
{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2026-02-16T04:19:28Z"}
{"event":"Loaded config from environment","level":"debug","timestamp":"2026-02-16T04:19:28Z"}

Now, I’ve set everything except AUTHENTIK_TOKEN because I’m using an embedded outpost– meaning there isn’t an AUTHENTIK_TOKEN to set. The Authentik docs are really unclear on this; since I’m not sure if this is a Traefik issue (the Traefik logs are fine– the 404 just shows up as happening, no additional info), I totally understand it maybe being beyond the scope of this forum, but y’all have been super helpful so far and I figure others may come across this and need the help too. Thank you so much for your time and help!!

I already wrote twice:

Sorry, I thought since I had accesslog=true in the config that the access log was printing to stdout; I reconfig’d it to add to a log file and it is printing exactly what it was printing to stdout. This is the change to the config:

    command:
      - "--accesslog.bufferingsize=100"
      - "--accesslog.format=json"
      - "--accesslog.filepath=/logs/access.log"

    volumes:
      - /app/services/traefik/logs:/logs

And this is what prints to the access log after visiting those pages that had 404s:

{"ClientAddr":"127.0.0.1:58536","ClientHost":"127.0.0.1","ClientPort":"58536","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":112193,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":112193,"RequestAddr":"name-of-domain.xyz","RequestContentSize":0,"RequestCount":1,"RequestHost":"name-of-domain.xyz","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2026-02-16T02:26:54.488586643-05:00","StartUTC":"2026-02-16T07:26:54.488586643Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2026-02-16T02:26:54-05:00"}
{"ClientAddr":"127.0.0.1:41846","ClientHost":"127.0.0.1","ClientPort":"41846","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":112743,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":112743,"RequestAddr":"home.name-of-domain.xyz","RequestContentSize":0,"RequestCount":2,"RequestHost":"home.name-of-domain.xyz","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"StartLocal":"2026-02-16T02:27:11.862281583-05:00","StartUTC":"2026-02-16T07:27:11.862281583Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2026-02-16T02:27:11-05:00"}

Not sure if I’m missing something else, but this doesn’t appear to be any more than what was printing to the logs in stdout. Am I missing something?

Ok, so

and no RouterName and ServiceName tells us that Traefik found no matching router for the request.

Rule looks okay, is the service/container up and running?

Not sure what this is about, I think the service should not be needed:

  library-redirect:
      - "traefik.http.routers.root.rule=Host(`name-of-domain.xyz`) && Path(`/`)"

Check Traefik debug log (doc, not access log) if the container/service is recognized at all.
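The reading of the JSON access log given above (no RouterName means no router matched) can be applied to a whole log file. The following is an added example, not code from any participant in this thread: it sorts failed requests into "no router matched" versus "router matched". The sample lines are constructed and trimmed to the fields that appear in the entries quoted above, and the `no-backend-response` label for entries with `OriginStatus` 0 is a triage heuristic of this example.

```python
import json

# Constructed sample lines, trimmed to the fields used below.
SAMPLE_LINES = [
    '{"DownstreamStatus":404,"OriginStatus":0,"RequestHost":"name-of-domain.xyz",'
    '"RequestPath":"/","entryPointName":"websecure"}',
    '{"DownstreamStatus":404,"OriginStatus":0,"RequestHost":"home.name-of-domain.xyz",'
    '"RequestPath":"/","entryPointName":"websecure"}',
    '{"DownstreamStatus":500,"OriginStatus":0,"RequestHost":"home.name-of-domain.xyz",'
    '"RequestPath":"/","RouterName":"home@docker","entryPointName":"websecure"}',
    '{"DownstreamStatus":404,"OriginStatus":404,"RequestHost":"home.name-of-domain.xyz",'
    '"RequestPath":"/missing","RouterName":"home@docker","ServiceName":"home@docker"}',
    '{"DownstreamStatus":200,"OriginStatus":200,"RequestHost":"auth.name-of-domain.xyz",'
    '"RequestPath":"/","RouterName":"auth@docker","ServiceName":"auth@docker"}',
    'this line is not JSON',
]


def classify(entry):
    """Return a coarse verdict for one access-log entry."""
    if not entry.get("RouterName"):
        # No router matched: the rule is wrong, or the router was never built
        # (for example because its container is filtered out as not running).
        return "no-router"
    if entry.get("OriginStatus", 0) == 0:
        # Heuristic: a router matched but no backend status was recorded, so
        # the response came from Traefik itself or from a middleware.
        return "no-backend-response"
    return "backend"


def triage(lines):
    """Return ([(host, path, status, verdict), ...], skipped_line_count)."""
    findings, skipped = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(entry, dict):
            skipped += 1
            continue
        status = entry.get("DownstreamStatus", 0)
        if status < 400:
            continue  # only failed requests are of interest here
        findings.append(
            (entry.get("RequestHost", "-"), entry.get("RequestPath", "-"),
             status, classify(entry))
        )
    return findings, skipped


if __name__ == "__main__":
    results, bad = triage(SAMPLE_LINES)
    for host, path, status, verdict in results:
        print(f"{status} {host}{path}: {verdict}")
    print(f"{bad} unparseable line(s) skipped")
```

A protected host that shows up as `no-router` is failing closed: Traefik does not build a router whose middleware is missing, so the request is answered with 404 rather than being served without the auth check.
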

Thanks! I think the issue isn’t the homepage container, but rather the authentik-outpost container.

When running docker logs homepage I get:

Skipping ownership changes for /app/config
Skipping ownership changes for /app/config/logs
/app/.next already owned by correct UID/GID or running as root, skipping chown
   ▲ Next.js 15.5.11
   - Local:        http://[::1]:3000
   - Network:      http://[::]:3000

 ✓ Starting...
 ✓ Ready in 498ms

And it does resolve and go to homepage when I remove the middleware portion. I did remove the library-redirect service, and you’re right– it isn’t needed at all.

But I’m still getting 404 for name-of-domain[.]xyz and home.name-of-domain[.]xyz when I have the middleware rules for authentik@docker active. Via docker ps -a I’m seeing the following for authentik-outpost (where the middleware is defined):

671ec739ae70   ghcr.io/goauthentik/proxy:latest      "/proxy"                 3 minutes ago   Restarting (1) 47 seconds ago                                                                                  authentik-outpost

Indicating that it is doing the constant restarting I mentioned earlier. Investigating the debug log by setting:

- "--log.level=DEBUG"
- "--log.filePath=/logs/traefik.log"

I can see:

2026-02-16T09:00:44-05:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:228 > Filtering unhealthy or starting container container=authentik-outpost-app-xxxproviderName=docker

Followed by:

2026-02-16T09:00:44-05:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:107 > Provider event received {Status:die ID:xxxFrom:ghcr.io/goauthentik/proxy:latest Type:container Action:die Actor:{ID:xxxAttributes:map[com.docker.compose.config-hash:xxxcom.docker.compose.container-number:1 com.docker.compose.depends_on:authentik-server:service_started:false com.docker.compose.image:sha256:xxxcom.docker.compose.oneoff:False com.docker.compose.project:app com.docker.compose.project.config_files:/app/docker-compose.yml com.docker.compose.project.working_dir:/app com.docker.compose.service:authentik-outpost com.docker.compose.version:5.0.2 execDuration:0 exitCode:1 image:ghcr.io/goauthentik/proxy:latest name:authentik-outpost org.opencontainers.image.description:goauthentik.io Proxy outpost image, see https://goauthentik.io for more info. org.opencontainers.image.revision: org.opencontainers.image.source:https://github.com/goauthentik/authentik org.opencontainers.image.url:https://goauthentik.io org.opencontainers.image.version:refs/tags/version/2025.2.4 traefik.enable:true traefik.http.middlewares.authentik.forwardauth.address:http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik traefik.http.middlewares.authentik.forwardauth.authResponseHeaders:X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version traefik.http.middlewares.authentik.forwardauth.trustForwardHeader:true traefik.http.routers.authentik.entrypoints:websecure traefik.http.routers.authentik.rule:Host(`auth.name-of-domain.xyz`) && PathPrefix(`/outpost.goauthentik.io/`) traefik.http.routers.authentik.tls:true traefik.http.routers.authentik.tls.certresolver:le traefik.port:9000]} Scope:local Time:1771250444 TimeNano:1771250444820680200} providerName=docker

And then:

2026-02-16T09:01:15-05:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:223 > Filtering non running container container=authentik-outpost-app-xxx providerName=docker

I think this is because authentik-outpost is constantly restarting for some reason. For homepage, I can see:

2026-02-16T09:00:44-05:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:228 > Filtering unhealthy or starting container container=homepage-app-xxxproviderName=docker

Followed by:

2026-02-16T09:00:52-05:00 DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:107 > Provider event received {Status:health_status: healthy ID:xxxFrom:ghcr.io/gethomepage/homepage:latest Type:container Action:health_status: healthy Actor:{ID:xxxAttributes:map[com.docker.compose.config-hash:xxxcom.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:xxxcom.docker.compose.oneoff:False com.docker.compose.project:app com.docker.compose.project.config_files:/app/docker-compose.yml com.docker.compose.project.working_dir:/app com.docker.compose.service:homepage com.docker.compose.version:5.0.2 image:ghcr.io/gethomepage/homepage:latest name:homepage org.opencontainers.image.created:2026-02-05T15:09:19.715Z org.opencontainers.image.description:A highly customizable homepage (or startpage / application dashboard) with Docker and service API integrations. org.opencontainers.image.documentation:https://github.com/gethomepage/homepage/wiki org.opencontainers.image.licenses:GPL-3.0 org.opencontainers.image.revision:xxxorg.opencontainers.image.source:https://github.com/gethomepage/homepage org.opencontainers.image.title:homepage org.opencontainers.image.url:https://github.com/gethomepage/homepage org.opencontainers.image.version:v1.10.1 traefik.enable:true traefik.http.routers.home.entrypoints:websecure traefik.http.routers.home.middlewares:authentik@docker traefik.http.routers.home.rule:Host(`home.name-of-domain.xyz`) traefik.http.routers.home.tls:true traefik.http.routers.home.tls.certresolver:le traefik.http.services.home.loadbalancer.server.port:3000]} Scope:local Time:1771250448 TimeNano:1771250448254044400} providerName=docker

Which seems to indicate that it gets started without issue.

Overall, in a very brief run of the logs (about 2 minutes of time up, just enough for everything to be initialized, connected, and visiting the webpages), authentik-outpost appears 109 times and homepage appears 17 times, with the former almost always appearing in Filtering non running container container statements.

Well, if Authentik is constantly restarting, it will not be reachable for Traefik. So you need to fix this first.

Or check Authelia Traefik integration (doc), if it's just for home lab and you have a few fixed users.

Understood. Cross-posted at the Authentik Git repo: Authentik Embedded Outpost Stuck in Restart Loop Asking for a Token Where It Doesn't Exist · Issue #20327 · goauthentik/authentik · GitHub, and will follow up there. I think it may be a bug or I’ve configured something wrong with the Authentik Outpost (or both). Very thankful for your help and will post back if I find a solution!

I find that for accessing services behind tailscale, tsbridge is simpler. I'm using traefik for services on my Internet domain, and tsbridge (https://github.com/jtdowney/tsbridge) for service.taileeNNN.ts.net (and sometimes a service is available via both)

Interesting! Honestly the only reason I moved from a Tailscale domain to a Namecheap domain was because they needed different subdomains to prevent collisions in static folders… Does TS Bridge allow you to host Tailnet subdomains?

You run one docker container for tsbridge, and it establishes each container with the tsbridge.enabled docker label as a machine in your Tailnet - so, with its own subdomain