I am having issues with Traefik and Authelia in Docker Swarm. I reached out to the Authelia community for support; they could not find a solution to my issue and advised me to reach out to the Traefik community.
The issue I'm having is that Traefik never triggers the forwardAuth middleware, so my requests are not redirected to Authelia for authentication.
For example, when I point my browser to https://domain.net/whoami/ I go directly to the whoami page instead of being redirected to Authelia for authentication.
I have attached files I believe are relevant to this issue.
docker-compose.yml
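---
# docker-compose.yml (Docker Swarm stack).
# The posted listing lost its indentation; the nesting below is reconstructed.
# `labels:` is placed under `deploy:` (service labels) because the Traefik
# debug log on this page shows the docker provider receiving these routers.
# Confirm against the real file.
version: "3.8"

services:
  authelia:
    image: authelia/authelia:4.24.0
    # NOTE(review): publishing 9091 makes Authelia's plain-HTTP listener
    # reachable directly on the swarm nodes, outside Traefik's TLS entrypoint.
    # Traefik already reaches it over the `public` network, so confirm this
    # published port is actually needed.
    ports:
      - "9091:9091"
    networks:
      - public
    volumes:
      # NOTE(review): the first mount is read-only, but the second mounts the
      # whole directory containing that file read-write at /config.
      - "/opt/docker/authelia/config/configuration.yml:/config/configuration.yml:ro"
      - "/opt/docker/authelia/config:/config"
      - "/opt/docker/authelia/logs:/logs"
      - "/opt/docker/authelia/data:/var/lib/authelia"
    deploy:
      placement:
        constraints:
          - "node.role == manager"
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.authelia-https-rtr.rule=Host(`domain.net`) && (PathPrefix(`/authelia`))"
        - "traefik.http.routers.authelia-https-rtr.entrypoints=websecure"
        # NOTE(review): chain-authelia@file includes the forwardAuth
        # middleware, so the login portal is itself placed behind the auth
        # check. Confirm this is intended.
        - "traefik.http.routers.authelia-https-rtr.middlewares=chain-authelia@file"
        - "traefik.http.routers.authelia-https-rtr.tls=true"
        - "traefik.http.routers.authelia-https-rtr.tls.options=default"
        - "traefik.http.routers.authelia-https-rtr.service=authelia-svc"
        - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"

  traefik:
    image: qualnet-docker.uncleared-artifactory.qgov.net/traefik:v2.3.3
    networks:
      - public
    volumes:
      # NOTE(review): `:ro` only protects the socket file; it does not limit
      # what can be requested through the Docker API. Access to this socket
      # on a manager node is equivalent to control of the swarm.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # This bind mount also carries the TLS key referenced in
      # dynamic_config.yml (/etc/traefik/ssl/).
      - "./traefik:/etc/traefik"
    command: "--configFile=/etc/traefik/traefik.yml"
    ports:
      - "80:80"
      - "443:443"
      # NOTE(review): the dashboard/API is already routed through the
      # `traefik` router below, behind chain-authelia@file. If traefik.yml
      # (not shown) enables `api.insecure`, publishing 8080 exposes the API
      # without that middleware chain. Confirm.
      - "8080:8080"
    deploy:
      placement:
        constraints:
          - "node.role==manager"
      labels:
        - "traefik.enable=true"
        - "traefik.docker.lbswarm=true"
        - "traefik.http.routers.traefik.tls=true"
        # The Referer matcher keys on a client-supplied header. It only
        # selects this router; the middleware chain below still applies.
        - "traefik.http.routers.traefik.rule=Host(`domain.net`) && (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))"
        - "traefik.http.routers.traefik.middlewares=chain-authelia@file"
        - "traefik.http.routers.traefik.service=api@internal"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  whoami:
    # NOTE(review): `latest` is a moving tag; pin a specific tag or digest so
    # the deployed image is reproducible.
    image: containous/whoami:latest
    networks:
      - public
    deploy:
      placement:
        constraints:
          - "node.role == manager"
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=public"
        - "traefik.http.routers.whoami-https-rtr.tls=true"
        - "traefik.http.routers.whoami-https-rtr.rule=Host(`domain.net`) && (PathPrefix(`/whoami`))"
        - "traefik.http.routers.whoami-https-rtr.entrypoints=websecure"
        - "traefik.http.routers.whoami-https-rtr.tls.options=default"
        - "traefik.http.routers.whoami-https-rtr.service=whoami-svc"
        - "traefik.http.services.whoami-svc.loadbalancer.server.port=80"
        # NOTE(review): the Traefik debug log on this page lists this router
        # (and authelia-https-rtr) with `middlewares-authelia@file`, not
        # `chain-authelia@file`, so the running stack may not match this file.
        - "traefik.http.routers.whoami-https-rtr.middlewares=chain-authelia@file"

  agent:
    image: "qualnet-docker.uncleared-artifactory.qgov.net/portainer/agent:linux-amd64-2.0.0-alpine"
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: "tasks.agent"
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    volumes:
      # Read-write Docker socket plus the volumes directory: the agent has
      # full control of the host's Docker engine, so agent_network should be
      # reachable only by Portainer.
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/var/lib/docker/volumes:/var/lib/docker/volumes"
    networks:
      - agent_network

  portainer:
    image: portainer/portainer-ce:2.0.0-alpine
    # NOTE(review): --tlsskipverify disables verification of the agent's TLS
    # certificate on the tasks.agent:9001 connection.
    command: "-H tcp://tasks.agent:9001 --tlsskipverify"
    volumes:
      - "data:/data"
    networks:
      - public
      - agent_network
    ports:
      - "8000:8000"
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - "node.role == manager"
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=public"
        - "traefik.http.routers.portainer-https-rtr.rule=Host(`domain.net`) && (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))"
        - "traefik.http.routers.portainer-https-rtr.tls=true"
        - "traefik.http.routers.portainer-https-rtr.entrypoints=websecure"
        - "traefik.http.routers.portainer-https-rtr.service=portainer-svc"
        # chain-portainer@file (see dynamic_config.yml) holds only redirect
        # and strip middlewares, so this route relies on Portainer's own
        # login rather than Authelia.
        - "traefik.http.routers.portainer-https-rtr.middlewares=chain-portainer@file"
        - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

networks:
  public:
    external: true
  agent_network:
    external: true

volumes:
  data: {}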
Traefik dynamic_config.yml
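# Traefik dynamic configuration (file provider).
# The posted listing lost its indentation; the nesting below is reconstructed.
http:
  middlewares:
    user-auth:
      basicAuth:
        # NOTE(review): keep real credential hashes out of shared listings;
        # basicAuth also accepts `usersFile` so they can live outside this
        # file.
        users:
          - "xxx:xxx/"  # user/user

    # Removes the listed path prefixes before the request goes upstream.
    strip-prefix:
      stripprefix:
        prefixes:
          - "/traefik"
          - "/whoami"
          - "/authelia"

    # Despite the name, this is a permanent redirect that appends a trailing
    # slash to single-segment paths.
    strip-prefix-1:
      redirectRegex:
        regex: "^(https?://[^/]+/[a-z0-9_]+)$"
        replacement: "$1/"
        permanent: true

    strip-prefix-2:
      stripPrefixRegex:
        regex: "/[a-z0-9_]+"

    middlewares-authelia:
      forwardAuth:
        # The verify call is plain HTTP to the `authelia` service name.
        address: "http://authelia:9091/api/verify?rd=https://domain.net/authelia"
        # NOTE(review): with trustForwardHeader enabled, X-Forwarded-* values
        # already present on the request are passed on to Authelia. Whether
        # client-supplied values are dropped first depends on the entrypoint
        # forwardedHeaders settings in traefik.yml (not shown). Confirm.
        trustForwardHeader: true
        # Only these headers are copied from Authelia's response onto the
        # upstream request. Routes without this middleware (chain-portainer)
        # get no such handling, so backends there should not trust Remote-*.
        authResponseHeaders:
          # NOTE(review): possibly meant "X-Forwarded-User". Confirm which
          # header Authelia actually returns.
          - "X-Forward-User"
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"

    chain-basic-auth:
      chain:
        middlewares:
          - strip-prefix
          - strip-prefix-2
          - user-auth

    chain-authelia:
      chain:
        # NOTE(review): strip-prefix runs before the forwardAuth middleware,
        # so the verify request is built from the already-stripped path. If
        # Authelia's access rules or post-login redirect depend on the
        # original path (/whoami, /traefik), consider running
        # middlewares-authelia first. Confirm.
        middlewares:
          - strip-prefix
          - middlewares-authelia

    chain-portainer:
      chain:
        # No authentication middleware in this chain.
        middlewares:
          - strip-prefix-1
          - strip-prefix-2

tls:
  certificates:
    # The private key sits in the ./traefik bind mount shown in
    # docker-compose.yml; keep it readable only by the Traefik service
    # account and out of version control.
    - certFile: "/etc/traefik/ssl/hostname.crt"
      keyFile: "/etc/traefik/ssl/hostname.key"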
Traefik access.log
10.0.0.2 - - [23/Dec/2020:21:35:32 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 1 "traefik@docker" "-" 2ms
10.0.0.2 - - [23/Dec/2020:21:35:37 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 2 "traefik@docker" "-" 3ms
10.0.0.2 - - [23/Dec/2020:21:35:42 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 3 "traefik@docker" "-" 5ms
10.0.0.2 - - [23/Dec/2020:21:35:47 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 4 "traefik@docker" "-" 3ms
10.0.0.2 - - [23/Dec/2020:21:35:52 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 5 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:35:57 +0000] "GET /api/overview HTTP/2.0" 500 0 "-" "-" 6 "traefik@docker" "-" 4ms
10.0.0.2 - - [23/Dec/2020:21:36:02 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 7 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:07 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 8 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:12 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 9 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:17 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 10 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:22 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 11 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:27 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 12 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:31 +0000] "GET /whoami/ HTTP/2.0" 200 864 "-" "-" 13 "whoami-https-rtr@docker" "http://10.0.1.221:80" 3ms
10.0.0.2 - - [23/Dec/2020:21:36:32 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 14 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:37 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 15 "traefik@docker" "-" 1ms
10.0.0.2 - - [23/Dec/2020:21:36:42 +0000] "GET /api/overview HTTP/2.0" 200 443 "-" "-" 16 "traefik@docker" "-" 1ms
snippet of traefik log connecting to whoami
time="2020-12-23T23:11:20Z" level=debug msg="Filtering disabled container" providerName=docker container=remote-agent-1kn8ljbhjibs5hog0udcil8cf
time="2020-12-23T23:11:20Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"authelia-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"authelia-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/authelia`))\",\"tls\":{\"options\":\"default\"}},\"portainer-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"chain-portainer@file\"],\"service\":\"portainer-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))\",\"tls\":{}},\"traefik\":{\"middlewares\":[\"chain-authelia@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))\",\"tls\":{}},\"whoami-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"whoami-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/whoami`))\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"authelia-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.252:9091\"}],\"passHostHeader\":true}},\"portainer-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.250:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.253:8080\"}],\"passHostHeader\":true}},\"whoami-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.248:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-12-23T23:11:20Z" level=info msg="Skipping same configuration" providerName=docker
time="2020-12-23T23:11:34Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/whoami\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\"],\"X-Forwarded-Host\":[\"domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"72c0399ddca5\"],\"X-Real-Ip\":[\"10.0.0.2\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.2:51288\",\"RequestURI\":\"/whoami\",\"TLS\":null}"
time="2020-12-23T23:11:34Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/whoami\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\"],\"X-Forwarded-Host\":[\"domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"72c0399ddca5\"],\"X-Real-Ip\":[\"10.0.0.2\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.2:51288\",\"RequestURI\":\"/whoami\",\"TLS\":null}" ForwardURL="http://10.0.1.248:80"
time="2020-12-23T23:11:34Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/whoami\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\"],\"X-Forwarded-Host\":[\"domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"72c0399ddca5\"],\"X-Real-Ip\":[\"10.0.0.2\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.2:51288\",\"RequestURI\":\"/whoami\",\"TLS\":null}"
time="2020-12-23T23:11:35Z" level=debug msg="Filtering disabled container" container=remote-agent-1kn8ljbhjibs5hog0udcil8cf providerName=docker
time="2020-12-23T23:11:35Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"authelia-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"authelia-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/authelia`))\",\"tls\":{\"options\":\"default\"}},\"portainer-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"chain-portainer@file\"],\"service\":\"portainer-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))\",\"tls\":{}},\"traefik\":{\"middlewares\":[\"chain-authelia@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))\",\"tls\":{}},\"whoami-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"whoami-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/whoami`))\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"authelia-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.252:9091\"}],\"passHostHeader\":true}},\"portainer-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.250:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.253:8080\"}],\"passHostHeader\":true}},\"whoami-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.248:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-12-23T23:11:35Z" level=info msg="Skipping same configuration" providerName=docker
time="2020-12-23T23:11:50Z" level=debug msg="Filtering disabled container" providerName=docker container=remote-agent-1kn8ljbhjibs5hog0udcil8cf
time="2020-12-23T23:11:50Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"authelia-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"authelia-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/authelia`))\",\"tls\":{\"options\":\"default\"}},\"portainer-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"chain-portainer@file\"],\"service\":\"portainer-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/portainer`) || PathPrefix(`/portainer/`))\",\"tls\":{}},\"traefik\":{\"middlewares\":[\"chain-authelia@file\"],\"service\":\"api@internal\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/traefik/`) || PathPrefix(`/api`) || Headers(`Referer`, `https://domain.net/traefik/dashboard/`))\",\"tls\":{}},\"whoami-https-rtr\":{\"entryPoints\":[\"websecure\"],\"middlewares\":[\"middlewares-authelia@file\"],\"service\":\"whoami-svc\",\"rule\":\"Host(`domain.net`) \\u0026\\u0026 (PathPrefix(`/whoami`))\",\"tls\":{\"options\":\"default\"}}},\"services\":{\"authelia-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.252:9091\"}],\"passHostHeader\":true}},\"portainer-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.250:9000\"}],\"passHostHeader\":true}},\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.253:8080\"}],\"passHostHeader\":true}},\"whoami-svc\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.1.248:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2020-12-23T23:11:50Z" level=info msg="Skipping same configuration" providerName=docker
If you need more information, please let me know.