To be honest, I can't understand what the authentik docs say. It's like an instruction manual torn in half, missing the usage part. I can deploy it, but not wield it.
I tried to use Authelia, but it gives me an endless loop. I have no idea where it goes wrong. So I turned to authentik, but I can't find any steps after deployment in the docs. So can anybody provide me with details on how to use it? I would appreciate it.
Hi @flyingfish,
Thanks for your interest in Traefik.
Going through Authentik documentation, there is a dedicated section about the integration with Traefik. Did you have a look at it?
If you do not manage to make it work, could you provide your configuration, please? So we can try to reproduce and help you.
Thanks,
Maxence
Yes, I have read it over and over again. And it's not about configuration: I can visit authentik, and there is no malfunction. The problem is that after deploying authentik, I don't know what to do next. I need detailed steps.
Here is what I have done: after deploying authentik, I visited http://192.168.0.130:9080/if/flow/initial-setup/ and created a user, then clicked Admin interface. Created a proxy provider: type Proxy Provider, name app, authorization flow explicit, forward auth (domain level), URL https://subdomain3.duckdns.org, cookie domain duckdns.org. Created an application: name app, slug app, provider app. Then I don't know what to do next.
traefik docker compose

```yaml
version: "3"
services:
  traefik:
    image: traefik:latest           # pin a release tag so an upgrade cannot change behaviour silently
    container_name: traefik
    restart: unless-stopped
    networks:
      - "traefik_proxy"
    ports:
      - 80:80
      - 443:443
    environment:
      - 'DUCKDNS_TOKEN=token'       # DuckDNS API token used by the ACME DNS challenge
    volumes:
      # full Docker API access: whoever controls Traefik controls the host
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - /home/me/docker/traefik:/etc/traefik
      - /home/me/docker/traefik/config.yml:/config.yml
      - /home/me/docker/traefik/logs:/etc/traefik/logs
networks:
  traefik_proxy:
    external: true
```
traefik.yml

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  level: DEBUG                  # very verbose; lower to INFO once the setup works
  filePath: /etc/traefik/logs/traefik.log
accessLog:
  filePath: /etc/traefik/logs/traefik-access.log
api:
  dashboard: true
  debug: true                   # also exposes the /debug endpoints through api@internal
serversTransport:
  insecureSkipVerify: true      # disables TLS verification towards every backend; not needed for the plain-HTTP backends used here
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
certificatesResolvers:
  production:
    acme:
      email: myemail
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: duckdns       # reads DUCKDNS_TOKEN from the environment
providers:
  docker:
    exposedByDefault: false
    network: traefik_proxy
    watch: true
  file:
    # filename and directory are mutually exclusive: when both are set, directory is used
    # and filename is ignored. Every .yml/.yaml/.toml in the directory is parsed as dynamic
    # configuration, so this static file and acme.json should not live in it.
    filename: /config.yml
    directory: /etc/traefik
    watch: true
```
config.yml

```yaml
http:
  routers:
    traefik:
      entryPoints:
        - "web"
      rule: "Host(`subdomain1.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: api@internal
    traefik-secure:
      entryPoints:
        - "websecure"
      rule: "Host(`subdomain1.duckdns.org`)"
      # no middleware: the dashboard and API are open to anyone who can reach this host
      tls:
        certResolver: production
      service: api@internal
    authentik:
      entryPoints:
        - web
      rule: "Host(`subdomain2.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: authentik
    authentik-secure:
      entryPoints:
        - websecure
      rule: "Host(`subdomain2.duckdns.org`)"
      tls:
        certResolver: production
      service: authentik
    app:
      entryPoints:
        - web
      rule: "Host(`subdomain3.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: app
    app-secure:
      entryPoints:
        - websecure
      rule: "Host(`subdomain3.duckdns.org`)"
      middlewares:
        - authentik-auth
      tls:
        certResolver: production
      service: app
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:9080"
    app:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:180"
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    authentik-auth:
      forwardAuth:
        # Must be reachable from inside the Traefik container. The server container is
        # named authentik-server, listens on 9000 internally (9080 is the host mapping)
        # and is not attached to traefik_proxy, so a bare "authentik" hostname does not
        # resolve; use the same host address as the authentik service above.
        address: http://192.168.0.130:9080/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```
postgresql and redis docker compose. I had to change their networks to traefik_proxy manually.

```yaml
version: "3"
services:
  postgres:
    container_name: postgres
    image: postgres:12-alpine
    restart: unless-stopped
    networks:
      - traefik_proxy             # shared network, so authentik can resolve "postgres"
    ports:
      - 5432:5432                 # publishes the database on every host interface; only authentik needs it, drop this
    volumes:
      - /home/me/docker/data:/var/lib/postgresql/data
    environment:
      # no space after "=": the value is taken literally, so "= password" would set the
      # password to " password" and the user to " authentik", which authentik's settings do not match
      - POSTGRES_PASSWORD=password
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik-db
  redis:
    container_name: redis
    image: redis:alpine
    networks:
      - traefik_proxy
    ports:
      - 6379:6379                 # unauthenticated Redis exposed on the host; drop this as well
    restart: unless-stopped
networks:
  traefik_proxy:
    external: true
```
authentik docker compose

```yaml
version: "3"
services:
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
    container_name: authentik-server
    restart: unless-stopped
    command: server
    networks:
      - traefik_proxy             # same network as postgres and redis, so their names resolve
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik-db
      AUTHENTIK_POSTGRESQL__PASSWORD: password
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"   # sends error reports to the authentik project
      AUTHENTIK_SECRET_KEY: secretkey              # signs sessions and cookies: use a long random value, not a word
      # WORKERS: 2
    volumes:
      - /home/me/docker/media:/media
      - /home/me/docker/templates:/templates
    ports:
      - "9080:9000"               # Traefik reaches the UI and the embedded outpost here
      - "9443:9443"
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.6.2}
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    networks:
      - traefik_proxy
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik-db
      AUTHENTIK_POSTGRESQL__PASSWORD: password
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: secretkey
    user: root                    # only needed for the Docker socket below (managed outposts), not for the embedded outpost
    volumes:
      - /home/me/docker/media:/media
      - /home/me/docker/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock   # lets the worker start outpost containers; equivalent to root on the host
      - /home/me/docker/templates:/templates
networks:
  traefik_proxy:
    external: true
```
Hi @flyingfish,
After deploying it on my side: you need to configure an outpost.
So here is my Authentik configuration:
Provider:
- type: Proxy (forward auth)
- authentication URL: http://auth.example.com (Authentik URL accessible from outside)
- cookie domain: example.com
Outpost:
- type: Proxy
- application: app created in Application
- configuration: authentik_host: http://auth.example.com
Be sure to select the right provider and apps in the different configurations.
For the outpost, there are several methods to create them.
The one I used was created by default and is called the embedded outpost. But you can easily create a custom one from the UI, called a managed outpost (don't forget to configure an outpost integration with Docker), or create one manually.
Then you can access the application with the created accounts.
Maxence
Thanks for your work. I'll give it a try. I'm still trying to understand the authentik docs about forward_auth. Here is my understanding after seeing your configuration:
Provider is authentik instead of traefik. So I don't need to create a traefik provider.
The Authentik URL should be a subdomain of the cookie domain, and so should the other apps. But what if I have more than one domain? Should I create another authentik provider using a different domain?
I should put every app that will be authenticated in the embedded outpost, and change authentik_host to the Authentik URL.
I still have some questions about Forward auth | authentik. The standalone traefik config may conflict with the docker-compose config. Docker-compose's forwardAuth is authentik-proxy. And authentik-proxy uses the same ports as authentik, so which ports should authentik use? And authentik-proxy's domain is a path of whoami's domain, so where are authentik's and traefik's parts? Should authentik-proxy's domain be a path of every app? Standalone's forwardAuth is authentik. I believe default-router is whoami and default-router-auth is authentik-proxy. Then why does authentik-proxy's service point to authentik's forwardAuth address? Doesn't it conflict? And I don't know what match means; does it mean rule?
So when I use the embedded outpost, should I use the authentik-auth forwardAuth in the config.yml file? If not, then what?
@moutoum, I failed again. I configured an outpost and put app in it. But when I visit app, Firefox shows:
The page isn’t redirecting properly
An error occurred during a connection to app.mydomain.duckdns.org.
I have changed my configs for easier reading.
config-traefik.yml

```yaml
http:
  routers:
    traefik:
      entryPoints:
        - web
      rule: "Host(`traefik.mydomain.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: api@internal
    traefik-secure:
      entryPoints:
        - websecure
      rule: "Host(`traefik.mydomain.duckdns.org`)"
      # dashboard and API exposed without any authentication middleware
      tls:
        certResolver: production
        # requests a single wildcard certificate; the routers in the other files use
        # `tls: {}` and are served from the same certificate store
        domains:
          - main: "mydomain.duckdns.org"
            sans:
              - "*.mydomain.duckdns.org"
      service: api@internal
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
```
config-authentik.yml

```yaml
http:
  routers:
    authentik:
      entryPoints:
        - web
      rule: "Host(`authentik.mydomain.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: authentik
    authentik-secure:
      entryPoints:
        - websecure
      rule: "Host(`authentik.mydomain.duckdns.org`)"
      # uncommenting this puts the outpost in front of its own login flow
      # middlewares:
      #   - authentik-auth
      tls: {}
      service: authentik
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:9080"
  middlewares:
    authentik-auth:
      forwardAuth:
        address: http://192.168.0.130:9080/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```
config-app.yml

```yaml
http:
  routers:
    app:
      entryPoints:
        - web
      rule: "Host(`app.mydomain.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: app
    app-secure:
      entryPoints:
        - websecure
      rule: "Host(`app.mydomain.duckdns.org`)"
      middlewares:                # the list item needs this key, or the file is not valid YAML
        - authentik-auth
      tls: {}
      service: app
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:180"
```
Here are the configs for authentik:
Provider:
- type: Proxy (forward auth), name: authentik, authentication URL: `https://authentik.mydomain.duckdns.org`, cookie domain: `mydomain.duckdns.org`
- type: Proxy (proxy), name: app, external host: `https://app.mydomain.duckdns.org`, internal: `http://192.168.0.130:180`
Application:
- name: authentik, slug: authentik, provider: authentik
- name: app, slug: app, provider: app
Outpost:
- type: Proxy, application: authentik, app, configuration: `authentik_host: https://authentik.mydomain.duckdns.org`
I can visit https://authentik.mydomain.duckdns.org/outpost.goauthentik.io/callback and get redirected. But after removing the # in config-authentik.yml, this happens:
The page isn’t redirecting properly
An error occurred during a connection to authentik.mydomain.duckdns.org.
I can't visit https://app.mydomain.duckdns.org/outpost.goauthentik.io/callback with or without the #.
Does it mean I need to add a new Host for authentik? Because when I visit app, the URL shows this:
https://app.mydomain.duckdns.org/outpost.goauthentik.io/start?rd=https%3A%2F%2Fapp.mydomain.duckdns.org%2Foutpost.goauthentik.io%2Fauth%2Ftraefik
As far as I know, the path outpost.goauthentik.io belongs to authentik.
So this?

```yaml
http:
  routers:
    authentik-app:
      entryPoints:
        - websecure
      rule: "Host(`app.mydomain.duckdns.org`) && PathPrefix(`/outpost.goauthentik.io`)"
      tls: {}
      service: authentik
```

But from my experience, there must be a middleware, but what type? RedirectRegex? StripPrefixRegex?
Hi @flyingfish,
Why do you have an authentik provider and app? To me, it seems unnecessary.
And yes, if you are using the "Single Provider" proxy provider, you have to create a router to redirect /outpost.goauthentik.io to your outpost (which is authentik if you are using the embedded one).
For the "domain level" proxy provider, it is not necessary, as it redirects to auth.domain.com in all cases.
Maxence
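Putting Maxence's two answers together (the provider and outpost settings from his earlier reply, and the router rule for /outpost.goauthentik.io here) into one Traefik dynamic-configuration file, as an added example that is not part of the thread and not from the authentik or Traefik projects. The hostnames, the LAN address 192.168.0.130 and the ports are taken from flyingfish's posts and are assumptions about the deployment; the authentik-side settings are listed in the header comment so the whole procedure is in one place:

```yaml
# Added example; not a file from this thread, from authentik or from Traefik.
# Hostnames, the LAN address 192.168.0.130 and the ports are assumed from the
# posts above; replace them with your own.
#
# authentik side (admin interface), following Maxence's description:
#   Provider     type Proxy, mode "Forward auth (domain level)",
#                authentication URL https://authentik.mydomain.duckdns.org,
#                cookie domain mydomain.duckdns.org (a domain you control, not
#                the shared duckdns.org suffix that every DuckDNS host is under)
#   Application  name app, slug app, provider = the provider above
#   Outpost      the default embedded outpost, with the application added and
#                authentik_host = https://authentik.mydomain.duckdns.org
# No provider or application is needed for authentik itself.
http:
  routers:
    # authentik's own host. No forwardAuth here: guarding the login flow with
    # the outpost it belongs to is what produces the redirect loop.
    authentik-secure:
      entryPoints:
        - websecure
      rule: "Host(`authentik.mydomain.duckdns.org`)"
      tls:
        certResolver: production
      service: authentik

    # The protected application. With a domain-level provider this is all that
    # is needed: an unauthenticated request is answered with a redirect to
    # https://authentik.mydomain.duckdns.org/outpost.goauthentik.io/start?rd=...
    app-secure:
      entryPoints:
        - websecure
      rule: "Host(`app.mydomain.duckdns.org`)"
      middlewares:
        - authentik-auth
      tls:
        certResolver: production
      service: app

    # Only for a single-application forward-auth provider: there the outpost
    # paths (/outpost.goauthentik.io/start, /callback, ...) live on the app's
    # own host, so that prefix must reach the outpost. The longer rule wins
    # over app-secure under Traefik's default rule-length priority, and no
    # prefix-stripping middleware is needed. Delete this router for domain level.
    app-outpost:
      entryPoints:
        - websecure
      rule: "Host(`app.mydomain.duckdns.org`) && PathPrefix(`/outpost.goauthentik.io/`)"
      tls:
        certResolver: production
      service: authentik

  services:
    # The embedded outpost runs inside authentik-server, so the UI and the
    # forwardAuth endpoint share one address (port 9000 in the container,
    # published as 9080 on the host).
    authentik:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:9080"
    app:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:180"

  middlewares:
    authentik-auth:
      forwardAuth:
        # Must resolve from inside the Traefik container; a container name
        # (http://authentik-server:9000/...) only works on a shared network.
        address: "http://192.168.0.130:9080/outpost.goauthentik.io/auth/traefik"
        # Forwards X-Forwarded-* to the outpost. Leave the entryPoints'
        # forwardedHeaders at their default so clients cannot set them.
        trustForwardHeader: true
        # Copied from the outpost's 200 response into the request to the app.
        # Forward only what the app uses; X-authentik-jwt is a token, not
        # display data.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```

Place the file in the directory the file provider watches (and nothing else in that directory), then test with a browser that has no authentik session: https://app.mydomain.duckdns.org/ should redirect to the authentik host, and after login return to the app with the X-authentik-* headers set. If it loops instead, first confirm the forwardAuth address is reachable from inside the Traefik container (the official image is Alpine-based, so busybox `wget -S` is available via `docker exec traefik`) before changing anything on the authentik side.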
Thank you very much, it finally works, and I finally understand the concept.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.