Dashboard Not Found when Authentik configured as root Host

I have Traefik's dashboard router configured with a Host plus PathPrefix rule, and Authentik configured on the same Host at the root. If both rules are enabled, Traefik's dashboard works, but Authentik shows "404 page not found". To make Authentik work I have to comment out Traefik's rule, but then I lose Traefik's dashboard. I do have Portainer configured with PathPrefix (in the same compose file, not included in the code below) and it works without issues. Any idea what I'm missing?

docker-compose.yml

# File-backed Compose secrets. Each one is mounted at /run/secrets/<name> in
# the services that list it. Keep the .secret files out of version control
# and readable only by the account that runs the stack.
secrets:
  cf_dns_api_token:
    file: "${SECRETSDIR}/cf_dns_api_token.secret"
  cf_api_email:
    file: "${SECRETSDIR}/cf_api_email.secret"
    
services:

  # Reverse proxy and TLS terminator; of the services shown here it is the
  # only one that publishes host ports.
  traefik:
    image: "traefik:v2.11.0"
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    volumes:
      # NOTE(review): ":ro" only makes the socket file's mount read-only; it
      # does not limit which Docker API calls can be sent over the socket.
      # A compromise of this internet-facing container therefore still means
      # control of the Docker daemon. Consider a filtering socket proxy.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
      - "./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro"
      # Writable on purpose: traefik.yml stores the ACME data (account and
      # certificate private keys) in /certs/acme.json.
      - "./certs:/certs"
    labels:
      traefik.enable: "true"
    secrets:
      - cf_dns_api_token
      - cf_api_email
    environment:
      # The *_FILE variants point the Cloudflare DNS-challenge provider at the
      # mounted secret files, so the values never appear in the environment.
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_api_token
      CF_API_EMAIL_FILE: /run/secrets/cf_api_email

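  # PostgreSQL database backing authentik.
  # NOTE(review): the PostgreSQL 12 series no longer receives upstream fixes;
  # moving to a supported major needs a dump/restore or pg_upgrade, not just
  # a tag change.
  postgresql:
    image: postgres:12-alpine
    restart: unless-stopped
    container_name: authentik-postgres
    healthcheck:
      # "$$" escapes Compose interpolation, so the variables are expanded by
      # the shell inside the container.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      # ":?" makes Compose abort with this message when PG_PASS is unset or
      # empty, instead of silently substituting an empty password.
      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      # NOTE(review): "proxy" is the external network Traefik routes over, so
      # any other container attached to it can reach the database port.
      # A separate internal network for the database and Redis would narrow
      # that exposure.
      - proxy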
  # Redis instance authentik connects to (AUTHENTIK_REDIS__HOST).
  redis:
    # NOTE(review): floating tag. Pin a specific version or digest so a
    # restart cannot silently pull a different build.
    image: "redis:alpine"
    restart: unless-stopped
    container_name: authentik-redis
    healthcheck:
      test:
        - CMD-SHELL
        - 'redis-cli ping | grep PONG'
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      # NOTE(review): no password is configured here, and "proxy" is shared
      # with every proxied container, so any of them can talk to this Redis
      # unauthenticated. Prefer an internal network for it.
      - proxy
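  # authentik web/API server; the only authentik container Traefik routes to.
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.0}
    restart: unless-stopped
    container_name: authentik-server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      # ":?" makes Compose abort with this message when PG_PASS is unset or
      # empty, instead of starting with an empty database password.
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.authentik.entryPoints=websecure
      # Host-only rule: it matches every path on this host unless a longer
      # rule for the same host takes priority, such as the dashboard router's
      # /api and /dashboard prefixes in dynamic.yml.
      - traefik.http.routers.authentik.rule=Host(`sub.domain.com`)
      - traefik.http.services.authentik.loadbalancer.server.port=9000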
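  # authentik background worker.
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.0}
    restart: unless-stopped
    container_name: authentik-worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      # ":?" makes Compose abort with this message when PG_PASS is unset or
      # empty, instead of starting with an empty database password.
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
    # NOTE(review): root plus the read-write Docker socket below gives this
    # container control of the Docker daemon, which is effectively root on
    # the host. authentik uses the socket to manage outpost containers; if
    # that feature is not used, drop both the socket mount and "user: root".
    user: root
    volumes:
      - ./media:/media
      # NOTE(review): same host directory the traefik service mounts and
      # writes /certs/acme.json into, so the worker can read Traefik's ACME
      # private keys. A separate directory keeps the two apart.
      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    networks:
      - proxy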
  # Periodically refreshes the GeoIP database in the shared "geoip" volume.
  geoipupdate:
    # NOTE(review): ":latest" is a floating tag. Pin a version or digest so
    # the image that runs is the image that was reviewed.
    image: maxmindinc/geoipupdate:latest
    container_name: authentik-geoip
    volumes:
      - geoip:/usr/share/GeoIP
    environment:
      GEOIPUPDATE_EDITION_IDS: GeoLite2-City
      GEOIPUPDATE_FREQUENCY: "8"
    # NOTE(review): env_file passes every variable in .env to this
    # third-party image. If .env also holds PG_PASS or other authentik
    # secrets (presumably it does; verify), give this service its own env
    # file with only the GeoIP credentials.
    env_file:
      - .env
    networks:
      - proxy

# Named volumes managed by Docker.
volumes:
  # PostgreSQL data directory (mounted by the postgresql service).
  database:
    driver: local
  # GeoIP database written by geoipupdate and mounted by server and worker.
  geoip:
    driver: local

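networks:
  # Pre-existing network created outside this file; Compose only attaches to
  # it. "driver" is dropped because the Compose specification allows no
  # attribute other than "name" next to "external: true".
  # NOTE(review): every container from any stack attached to "proxy" can
  # reach every service here that joins it, including the database and Redis.
  proxy:
    external: true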

traefik.yml

# NOTE(review): turns off certificate verification for every HTTPS connection
# Traefik opens to a backend, so a backend's identity is never checked.
# The backends shown here do not need it (authentik is reached over plain
# HTTP on port 9000). If a backend with a self-signed certificate does,
# prefer trusting its CA via rootCAs, or limit the setting to a dedicated
# serversTransport used by that one service.
serversTransport:
  insecureSkipVerify: true

# Enables the dashboard/API as the internal service api@internal.
# "insecure: false" means it is not published directly on its own entry
# point; it is reachable only through a router that targets api@internal,
# and that router is where authentication has to be enforced.
api:
  dashboard: true
  insecure: false

providers:
  # Docker provider: discovers routers/services from container labels.
  docker:
    watch: true
    # Network Traefik uses to connect to the discovered containers.
    network: proxy
    # Only containers labelled traefik.enable=true are exposed.
    exposedByDefault: false
    endpoint: "unix:///var/run/docker.sock"
  # File provider: loads the dashboard router and the forwardAuth middleware.
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true
  # Unit-less duration; presumably read as seconds - confirm.
  providersThrottleDuration: "10"

entryPoints:
  # Plain HTTP: everything is redirected to the websecure entry point.
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      # Default TLS settings for every router attached to this entry point.
      tls:
        certResolver: cloudflare
    forwardedHeaders:
      # Peers in these ranges may supply X-Forwarded-* headers that Traefik
      # keeps instead of overwriting.
      # NOTE(review): the list covers loopback and all RFC 1918 space, which
      # typically includes the Docker bridge networks. Any container or LAN
      # host connecting to :443 can then set the client IP that authentik
      # and the forwardAuth middleware see. Narrow it to the address of the
      # actual upstream proxy, or remove it if there is none.
      trustedIPs:
        - '127.0.0.1/32'
        - '10.0.0.0/8'
        - '192.168.0.0/16'
        - '172.16.0.0/12'

certificatesResolvers:
  # ACME resolver using the Cloudflare DNS-01 challenge.
  cloudflare:
    acme:
      # acme.json holds the ACME account key and the certificate private
      # keys; keep it at mode 600. The compose file bind-mounts ./certs into
      # the authentik worker as well, so that container can read this file.
      storage: /certs/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 10
        # DNS servers queried to confirm the challenge record has propagated.
        resolvers:
          - '1.1.1.1:53'
          - '8.8.8.8:53'

dynamic.yml

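http:
  routers:
    dashboard:
      entryPoints:
        - websecure
      # This rule is longer than the bare Host(`sub.domain.com`) rule on the
      # authentik router, so under Traefik's default length-based priority it
      # takes every /api... and /dashboard... request on the shared host.
      # NOTE(review): authentik serves its own API under /api/ on that host,
      # so those calls likely land on api@internal instead, a probable source
      # of the 404s. A separate hostname for the dashboard avoids the overlap.
      rule: Host(`sub.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      tls: {}
      # NOTE(review): there is no "middlewares" entry, so api@internal
      # (dashboard and API) is served without authentication to anyone who
      # can reach websecure. Attach an auth middleware before exposing it.
      service: api@internal
  middlewares:
    # Defined here but not referenced by any router shown on this page.
    middlewares-authentik:
      forwardAuth:
        # The host part must be a name Docker DNS resolves on the shared
        # network. The compose file names the container "authentik-server"
        # (service "server"); the original "authentik_server" matched neither.
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # NOTE(review): passes the incoming X-Forwarded-* headers on to
        # authentik unchanged. That is only safe when the entry point accepts
        # those headers from trusted proxies alone (forwardedHeaders.trustedIPs).
        trustForwardHeader: true
        # Identity headers copied from the auth response onto the request
        # sent to the backend. Backends must not be reachable except through
        # Traefik, or a client could set these headers itself.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version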

Remove this from the router; TLS with Let's Encrypt is already enabled on the entrypoint:

tls: {}

What URLs are you using? Authentik is using a host with path http://authentik_server:9000/outpost.goauthentik.io and Traefik usually requires /dashboard/ path.

I highly recommend using sub-domains; most web apps don't like being deployed under a path, because they can't use the absolute / path.

Thank you for pointing out the double TLS entry.

As for URLs, I have 2 plus 1 of them:

Traefik:

Host(`<sub.domain.tld>`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

Authentik, based on the guide from GitHub - brokenscripts/authentik_traefik: Authentik behind Traefik :

Host(`<sub.domain.tld>`)
HostRegexp(`{subdomain:[a-z0-9-]+}.<sub.domain.tld>`) && PathPrefix(`/outpost.goauthentik.io/`)

As I mentioned, with both Hosts enabled, Authentik works, but Traefik's dashboard displays this

If I comment out Authentik's Host, Traefik's dashboard works. What am I missing?