Forwardauth is never triggered by Traefik

I am having issues with Traefik and Authelia in docker-swarm. I have reached out to the Authelia community for support and they could not figure out a solution to my issue and advised me to reach out to the Traefik community.

The issue I'm having is Traefik is never triggering the Forwardauth and my requests are not redirected to authelia for authentication.

For example, when I point my browser to https://domain.net/whoami/ I go directly to the whoami page instead of being redirected to authelia for authentication.

I have attached files I believe are relevant to this issue.

docker-compose.yml

---
version: "3.8"
services:
  authelia:
    image: authelia/authelia:4.24.0
    ports:
      - "9091:9091"
    networks:
      - public
    volumes:
      - "/opt/docker/authelia/config/configuration.yml:/config/configuration.yml:ro"
      - "/opt/docker/authelia/config:/config"
      - "/opt/docker/authelia/logs:/logs"
      - "/opt/docker/authelia/data:/var/lib/authelia"
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.authelia-https-rtr.rule=Host(`domain.net`) && (PathPrefix(`/authelia`))"
        - "traefik.http.routers.authelia-https-rtr.entrypoints=websecure"
        - "traefik.http.routers.authelia-https-rtr.middlewares=chain-authelia@file"
        - "traefik.http.routers.authelia-https-rtr.tls=true"
        - "traefik.http.routers.authelia-https-rtr.tls.options=default"
        - "traefik.http.routers.authelia-https-rtr.service=authelia-svc"
        - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
  traefik:
    image: qualnet-docker.uncleared-artifactory.qgov.net/traefik:v2.3.3
    networks:
      - public
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/etc/traefik
    command:
      --configFile=/etc/traefik/traefik.yml
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    deploy:
      placement:
        constraints: [node.role==manager]
      labels:
        - traefik.enable=true
        - traefik.docker.lbswarm=true
        - traefik.http.routers.traefik.tls=true
        - traefik.http.routers.traefik.rule=Host(`domain.net`) && (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))
        - traefik.http.routers.traefik.middlewares=chain-authelia@file
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.services.traefik.loadbalancer.server.port=8080

  whoami:
    image: containous/whoami:latest
    networks:
      - public
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.docker.network=public
        - traefik.http.routers.whoami-https-rtr.tls=true
        - traefik.http.routers.whoami-https-rtr.rule=Host(`domain.net`) && (PathPrefix(`/whoami`))
        - traefik.http.routers.whoami-https-rtr.entrypoints=websecure
        - traefik.http.routers.whoami-https-rtr.tls.options=default
        - traefik.http.routers.whoami-https-rtr.service=whoami-svc
        - traefik.http.services.whoami-svc.loadbalancer.server.port=80
        - traefik.http.routers.whoami-https-rtr.middlewares=chain-authelia@file

  agent:
    image: "qualnet-docker.uncleared-artifactory.qgov.net/portainer/agent:linux-amd64-2.0.0-alpine"
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: tasks.agent
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
  portainer:
    image: portainer/portainer-ce:2.0.0-alpine
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    volumes:
      - data:/data
    networks:
      - public
      - agent_network
    ports:
      - "8000:8000"
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=public"
        - "traefik.http.routers.portainer-https-rtr.rule=Host(`domain.net`) && (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))"
        - "traefik.http.routers.portainer-https-rtr.tls=true"
        - "traefik.http.routers.portainer-https-rtr.entrypoints=websecure"
        - "traefik.http.routers.portainer-https-rtr.service=portainer-svc"
        - "traefik.http.routers.portainer-https-rtr.middlewares=chain-portainer@file"
        - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
networks:
  public:
    external: true
  agent_network:
    external: true

volumes:
  data:

Traefik dynamic_config.yml

http:
  middlewares:
    user-auth:
      basicAuth:
        users:
          - "xxx:xxx/" #user/user
    strip-prefix:
      stripprefix:
        prefixes:
        - "/traefik"
        - "/whoami"
        - "/authelia"
    strip-prefix-1:
      redirectRegex:
        regex: "^(https?://[^/]+/[a-z0-9_]+)$"
        replacement: "$1/"
        permanent: true
    strip-prefix-2:
      stripPrefixRegex:
        regex: "/[a-z0-9_]+"
    middlewares-authelia:
      forwardAuth:
          address: "http://authelia:9091/api/verify?rd=https://domain.net/authelia"
          trustForwardHeader: true
          authResponseHeaders:
            - "X-Forward-User"
            - "Remote-User"
            - "Remote-Groups"
            - "Remote-Name"
            - "Remote-Email"
    chain-basic-auth:
      chain:
        middlewares:
          - strip-prefix
          - strip-prefix-2
          - user-auth
    chain-authelia:
      chain:
        middlewares:
          - strip-prefix
          - middlewares-authelia
    chain-portainer:
      chain:
        middlewares:
          - strip-prefix-1
          - strip-prefix-2
tls:
  certificates:
    - certFile: "/etc/traefik/ssl/hostname.crt"
      keyFile: "/etc/traefik/ssl/hostname.key"

Traefik access.log

10.0.0.2 - - [23/Dec/2020:21:35:32 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 1 "traefik@docker" "-" 2ms
10.0.0.2 - - [23/Dec/2020:21:35:37 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 2 "traefik@docker" "-" 3ms
10.0.0.2 - - [23/Dec/2020:21:35:42 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 3 "traefik@docker" "-" 5ms
10.0.0.2 - - [23/Dec/2020:21:35:47 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 4 "traefik@docker" "-" 3ms
10.0.0.2 - - [23/Dec/2020:21:35:52 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 5 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:35:57 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 6 "traefik@docker" "-" 4ms
10.0.0.2 - - [23/Dec/2020:21:36:02 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 7 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:07 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 8 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:12 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 9 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:17 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 10 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:22 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 11 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:27 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 12 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:31 +0000] "GET /whoami/ HTTP/2.0" 200 864 "-" "-" 13 "whoami-https-rtr@docker" "http://10.0.1.221:80" 3ms
10.0.0.2 - - [23/Dec/2020:21:36:32 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 14 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:37 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 15 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:42 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 16 "traefik@docker" "-" 1ms

snippet of traefik log connecting to whoami

time="2020-12-23T23:11:20Z" level=debug msg="Filtering disabled container" providerName=docker container=remote-agent-1kn8ljbhjibs5hog0udcil8cf
time="2020-12-23T23:11:20Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"authelia-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"authelia-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/authelia`))\",\"tls\":{\"options\":\"default\"}},\"portainer-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"chain-portainer@file\"],\"service\":\"portainer-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))\",\"tls\":{}},\"traefik\":{\"middlewares\":[\"chain-authelia@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))\",\"tls\":{}},\"whoami-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"whoami-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/whoami`))\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"authelia-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.252:9091\"}],\"passHostHeader\":true}},\"portainer-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.250:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.253:8080\"}],\"passHostHeader\":true}},\"whoami-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.248:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-12-23T23:11:20Z" level=info msg="Skipping same configuration" providerName=docker
time="2020-12-23T23:11:34Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/whoami\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\"],\"X-Forwarded-Host\":[\"domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"72c0399ddca5\"],\"X-Real-Ip\":[\"10.0.0.2\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.2:51288\",\"RequestURI\":\"/whoami\",\"TLS\":null}"
time="2020-12-23T23:11:34Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/whoami\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\"],\"X-Forwarded-Host\":[\"domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"72c0399ddca5\"],\"X-Real-Ip\":[\"10.0.0.2\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.2:51288\",\"RequestURI\":\"/whoami\",\"TLS\":null}" ForwardURL="http://10.0.1.248:80"
time="2020-12-23T23:11:34Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/whoami\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\"],\"X-Forwarded-Host\":[\"domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"72c0399ddca5\"],\"X-Real-Ip\":[\"10.0.0.2\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.2:51288\",\"RequestURI\":\"/whoami\",\"TLS\":null}"
time="2020-12-23T23:11:35Z" level=debug msg="Filtering disabled container" container=remote-agent-1kn8ljbhjibs5hog0udcil8cf providerName=docker
time="2020-12-23T23:11:35Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"authelia-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"authelia-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/authelia`))\",\"tls\":{\"options\":\"default\"}},\"portainer-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"chain-portainer@file\"],\"service\":\"portainer-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))\",\"tls\":{}},\"traefik\":{\"middlewares\":[\"chain-authelia@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))\",\"tls\":{}},\"whoami-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"whoami-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/whoami`))\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"authelia-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.252:9091\"}],\"passHostHeader\":true}},\"portainer-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.250:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.253:8080\"}],\"passHostHeader\":true}},\"whoami-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.248:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-12-23T23:11:35Z" level=info msg="Skipping same configuration" providerName=docker
time="2020-12-23T23:11:50Z" level=debug msg="Filtering disabled container" providerName=docker container=remote-agent-1kn8ljbhjibs5hog0udcil8cf
time="2020-12-23T23:11:50Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"authelia-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"authelia-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/authelia`))\",\"tls\":{\"options\":\"default\"}},\"portainer-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"chain-portainer@file\"],\"service\":\"portainer-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))\",\"tls\":{}},\"traefik\":{\"middlewares\":[\"chain-authelia@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))\",\"tls\":{}},\"whoami-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"whoami-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/whoami`))\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"authelia-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.252:9091\"}],\"passHostHeader\":true}},\"portainer-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.250:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.253:8080\"}],\"passHostHeader\":true}},\"whoami-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.248:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-12-23T23:11:50Z" level=info msg="Skipping same configuration" providerName=docker

If you need more information please let me know.

Hello @jinro79 and thanks for your interest in Traefik,

I tried to reproduce your issue by simplifying your configuration and making some assumptions about your static configuration but without any success. When I send a request to https://domain.net/whoami/, I see the request to Authelia in the Traefik logs.

Can you share your static configuration?
As your config is complex, maybe it will be easier if you provide a minimal reproducible case?


Hi Kevinpollet,

Sorry about the delay, I have been swamped, and thank you for taking a look at my issue. At the minimum I would like to have authelia and whoami running and be required to authenticate with authelia when trying to reach whoami.

I believe this is the static config you are asking for.

################################################################
# Traefik logs configuration
################################################################
global:
  checkNewVersion: false
  sendAnonymousUsage: false

################################################################
# Traefik logs configuration
################################################################
log:
  # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
  level: INFO
################################################################
# Access logs configuration
################################################################
accessLog:
  filePath: /log/access.log
  bufferingSize: 100
  filters:
    statusCodes:
      - 200
      - 300-302
      - 400-499
    retryAttempts: true
    minDuration: 10ms
################################################################
# API and dashboard configuration
################################################################
api:
  # insecure: true
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
################################################################
# Providers
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # endpoint: "tcp://127.0.0.1:2377"
    exposedByDefault: false
    swarmMode: true
    network: public
  file:
    directory: /configurations/
    watch: true

If you need more information please let me know.
Luke

Hi again,

In your static configuration, you have configured two entrypoints http and https but in the docker label configuration for the authelia, agent and whoami services the configured entrypoint is websecure.

For authelia, the entrypoint config must be:

 traefik.http.routers.authelia-https-rtr.entrypoints=https

For whoami, the entrypoint config must be:

 traefik.http.routers.whoami-https-rtr.entrypoints=https

For agent, the entrypoint config must be:

traefik.http.routers.portainer-https-rtr.entrypoints=https

Hope this helps.

Hi,
Thanks for the help, but I need to apologize. I posted the wrong static file, I was excited to try what you recommended but realized I sent the wrong static file. Here is the correct file I am using.

global:
  checkNewVersion: false
  sendAnonymousUsage: false
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
api:
  insecure: true
  dashboard: true
  debug: true
log:
  level: DEBUG
  format: common
  filePath: /etc/traefik/logs/traefik.log
accessLog:
  filePath: /etc/traefik/logs/traefik-access.log
api:
  insecure: true
  dashboard: true
providers:
  docker:
    watch: true
    swarmmode: true
    network: public
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic_config.yml
    watch: true

As you can see, I am using websecure in the static file. Do you see any other issues?
Thanks
Luke

In your static configuration the api key is duplicated but your issue is not related to that.

I've deployed your stack without the authelia service because I don't have your configuration and everything is working fine on the Traefik side (in the logs I see the call to the forward auth endpoint).

Is it expected to configure the authelia chain middleware on the authelia service?

In the authelia service configuration:

"traefik.http.routers.authelia-https-rtr.middlewares=chain-authelia@file"

Hi again,

I tried to reproduce your issue and here are my findings. To be accurate, as I've already said the forward auth middleware is properly triggered by Traefik with your configuration when a request is made to https://domain.net/whoami.

By using a basic authelia configuration I have spotted some problems in your configuration.

As said in my previous post the middleware configuration on the authelia service: traefik.http.routers.authelia-https-rtr.middlewares=chain-authelia@file creates a redirection loop. Therefore, this configuration should be removed.

It also seems that authelia cannot be deployed under a subpath. This means that the router rule for the authelia container must be something like: traefik.http.routers.authelia-https-rtr.rule=Host(`login.domain.net`). This implies changing the forwardAuth address to something like: http://authelia:9091/api/verify?rd=https://login.domain.net.

By configuring the strip-prefix middleware on the whoami service, the redirection URL is not the right one (the whoami prefix is removed). In order to fix that, the whoami prefix configuration must be removed from the middleware configuration.

Hope this helps!
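The findings in the reply above, together with the entrypoint mismatch raised earlier in the thread, can be checked mechanically before a stack is deployed. The following is an added example, not code from the thread or from the Traefik or Authelia projects: a small lint over router and middleware definitions shaped like the provider configuration Traefik logs at debug level. The finding names, the `lint`/`expand` helpers and the sample data are constructed, and the subpath limitation of authelia is not modelled.

```python
# Added example: lint a Traefik v2 dynamic configuration for the forwardAuth
# problems raised in this thread. Check names and sample data are constructed.

def expand(ref, middlewares, seen=()):
    """Flatten one middleware reference, following chains, into a list of types."""
    name = ref.split("@")[0]                    # drop provider suffix (@file)
    if name in seen or name not in middlewares:
        return ["missing"]
    body = middlewares[name]
    if "chain" in body:
        types = []
        for child in body["chain"].get("middlewares", []):
            types += expand(child, middlewares, seen + (name,))
        return types
    return [next(iter(body), "missing").lower()]  # e.g. "forwardauth"


def lint(routers, middlewares, entrypoints, auth_service):
    """Return (router, finding) pairs; an empty list means no findings."""
    findings = []
    for rname, router in sorted(routers.items()):
        # Entrypoint named in a label but not defined in the static config.
        if any(ep not in entrypoints for ep in router.get("entryPoints", [])):
            findings.append((rname, "unknown-entrypoint"))
        types = []
        for ref in router.get("middlewares", []):
            types += expand(ref, middlewares)
        if "missing" in types:
            findings.append((rname, "missing-middleware"))
        if router.get("service") == auth_service:
            # The auth portal must not sit behind its own forwardAuth check.
            if "forwardauth" in types:
                findings.append((rname, "auth-loop"))
        elif "forwardauth" not in types:
            findings.append((rname, "no-forwardauth"))
        elif any(t.startswith("stripprefix")
                 for t in types[:types.index("forwardauth")]):
            # Path rewritten before the auth request: wrong redirect target.
            findings.append((rname, "strip-before-auth"))
    return findings


# Constructed sample mirroring the configuration posted in the thread.
MIDDLEWARES = {
    "strip-prefix": {"stripprefix": {"prefixes": ["/traefik", "/whoami", "/authelia"]}},
    "middlewares-authelia": {"forwardAuth": {
        "address": "http://authelia:9091/api/verify?rd=https://domain.net/authelia"}},
    "chain-authelia": {"chain": {"middlewares": ["strip-prefix", "middlewares-authelia"]}},
}
ROUTERS = {
    "authelia-https-rtr": {"entryPoints": ["websecure"], "service": "authelia-svc",
                           "middlewares": ["chain-authelia@file"]},
    "whoami-https-rtr": {"entryPoints": ["websecure"], "service": "whoami-svc",
                         "middlewares": ["chain-authelia@file"]},
}
# Same routers after applying the changes suggested in the reply above.
FIXED = {
    "authelia-https-rtr": {"entryPoints": ["websecure"], "service": "authelia-svc"},
    "whoami-https-rtr": {"entryPoints": ["websecure"], "service": "whoami-svc",
                         "middlewares": ["middlewares-authelia@file"]},
}

if __name__ == "__main__":
    for label, routers in (("posted", ROUTERS), ("fixed", FIXED)):
        print(label, lint(routers, MIDDLEWARES, {"web", "websecure"}, "authelia-svc"))
```

Passing the entrypoint names from the first static file that was posted (`http`, `https`) instead of `web`/`websecure` additionally reports `unknown-entrypoint` for both routers.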

Kevin,

Thanks for further support, I was also able to make this work using subdomains. Unfortunately the use case I have will not allow that. I guess I will have to enable security on each application.

Thank you for your time and help!

Luke