Getting 404 page not found for authentik behind traefik

Hello everyone, I recently discovered Traefik and I managed to spin it up, and basically all of my services are proxied behind it. Then I wanted to implement authentik with it. I have been trying for the last two days to no avail. I keep getting 404 page not found or bad gateway error 502 when I try to go to my hostname (auth.mydomain.com), but I can connect via ip:port to the authentik page.
Since my other services work with Traefik, I believe that my traefik and config yml files are working, so I am a bit confused.

What I did was get the docker-compose.yml file from authentik, and created a docker-compose.override.yml for ease of updates.
Below are my yaml files:

#docker-compose.override.yml for authentik
services:
  postgresql:
    container_name: authentik-db
    environment:
      TZ: America/Toronto
    networks:
      - backend
    volumes:
      - ./postgres/database:/var/lib/postgresql/data

  redis:
    container_name: authentik-redis
    environment:
      TZ: America/Toronto
    networks:
      - backend
    volumes:
      - ./redis/redis:/data

  server:
    container_name: authentik-server
    networks:
      - backend
      - frontend
    environment:
      TZ: America/Toronto
      # booleans are quoted so the YAML parser hands them to the container as strings
      AUTHENTIK_DISABLE_STARTUP_ANALYTICS: "true"
      AUTHENTIK_DISABLE_UPDATE_CHECK: "false"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      # AUTHENTIK_ALLOWED_HOSTS: auth.mydomain.com
    ports:
      - 9000:9000
      - 9447:9443
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=web_internal"
      - "traefik.http.routers.authentik.rule=Host(`auth.mydomain.com`)"
      - "traefik.http.routers.authentik-secure.entrypoints=websecure_internal"
      - "traefik.http.routers.authentik-secure.rule=Host(`auth.mydomain.com`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.tls.certresolver=cloudflare"
      # a second .rule for the same router replaces the Host() rule set above
      - "traefik.http.routers.authentik-secure.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.docker.network=frontend"
  worker:
    container_name: authentik-worker
    networks:
      - backend
    environment:
      TZ: America/Toronto

networks:
  frontend:
    external: true
  backend:
    external: true
#my config.yml file for traefik
http:
  middlewares:
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
    ip-allowlist:
      ipAllowList:
        sourceRange:
        # Cloudflare (https://www.cloudflare.com/ips-v4)
          - "173.245.48.0/20"
          - "103.21.244.0/22"
          - "103.22.200.0/22"
          - "103.31.4.0/22"
          - "141.101.64.0/18"
          - "108.162.192.0/18"
          - "190.93.240.0/20"
          - "188.114.96.0/20"
          - "197.234.240.0/22"
          - "198.41.128.0/17"
          - "162.158.0.0/15"
          - "104.16.0.0/13"
          - "104.24.0.0/14"
          - "172.64.0.0/13"
          - "131.0.72.0/22"
        # Local IPs (RFC 1918 ranges; 172.0.0.0/8 as originally written also covers public address space, so use the /12)
          - "172.16.0.0/12"
          - "10.0.0.0/24"
          - "192.168.0.0/16"
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    security-headers:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "noindex,nofollow,none,noarchive,nosnippet,notranslate,noimageindex"
          server: ""
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: https
        referrerPolicy: "strict-origin-when-cross-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
          - "X-Forwarded-Server"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          # these two are added to every proxied request, not only to real WebSocket upgrades
          Connection: Upgrade
          Upgrade: websocket
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
        frameDeny: true
    auth:
      forwardauth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    secured:
      chain:
        middlewares:
        - crowdsec-bouncer
        - ip-allowlist  # must match the middleware name defined above
        - security-headers
        - auth

and finally

#my traefik.yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false

# --> (Optional) Change log level and format here ...
#     - level: [TRACE, DEBUG, INFO, WARN, ERROR, FATAL]
log:
  level: INFO
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"

# --> (Optional) Enable API and Dashboard here, don't do in production
api:
  dashboard: true
  insecure: true


# -- Change EntryPoints here...
entryPoints:
  web_internal:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
        - ip-allowlist@file
        - security-headers@file
        - https-redirectscheme@file
  websecure_internal:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
        - ip-allowlist@file
        - security-headers@file
# -- Configure your CertificateResolver here...
certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@email.com  # <-- Change this to your email
      storage: /var/traefik/certs/cloudflare-acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: cloudflare # <-- (Optional) Change this to your DNS provider
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

# --> (Optional) Disable TLS Cert verification check
serversTransport:
  insecureSkipVerify: true
# <--

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

  file:
    filename: /config.yml

Does anyone have any suggestions on how to get this working? I have the Traefik dashboard enabled and I don't see any errors for the authentik/authentik-secure routers.

You cannot use multiple .rule= labels for the same router (name); they will overwrite each other.

Bad gateway usually happens when using multiple Docker networks but not all of them are shared between Traefik and the target service. Make sure to set docker.network. Be aware that compose might change the name, so use name: if you create the network within compose.

In general I recommend centralizing http-to-https redirection and TLS assignment on the entrypoints. Compare to the simple Traefik example.
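The three points in the reply above (duplicate .rule= labels overwriting each other, traefik.docker.network naming a network the service is not on, and TLS settings that belong on the entrypoint) can be checked mechanically before starting the stack. The following linter is an added example for this thread, not code from Traefik or from the poster. Its sample input is the authentik label list from the opening post, copied verbatim, together with a constructed list of the networks that service is attached to; the OP_LABELS and OP_NETWORKS names and the finding texts are this example's own. It also flags HostRegexp() rules written in the Traefik v2 `{name:regex}` form, which Traefik v3 (the version used here) parses as a plain Go regular expression.

```python
import re
from collections import Counter

# Constructed sample input: the authentik service labels from the opening post,
# plus the networks that service is attached to in the override file.
OP_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.authentik.entrypoints=web_internal",
    "traefik.http.routers.authentik.rule=Host(`auth.mydomain.com`)",
    "traefik.http.routers.authentik-secure.entrypoints=websecure_internal",
    "traefik.http.routers.authentik-secure.rule=Host(`auth.mydomain.com`)",
    "traefik.http.routers.authentik-secure.tls=true",
    "traefik.http.routers.authentik-secure.tls.certresolver=cloudflare",
    "traefik.http.routers.authentik-secure.rule="
    "HostRegexp(`{subdomain:[a-z0-9-]+}.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)",
    "traefik.http.services.authentik.loadbalancer.server.port=9000",
    "traefik.docker.network=frontend",
]
OP_NETWORKS = ["backend", "frontend"]

# Traefik v2 named-capture syntax inside HostRegexp(). In v3 the argument is a Go
# regexp, e.g. HostRegexp(`^[a-z0-9-]+\.mydomain\.com$`), so '{subdomain:...}' no
# longer means what it did in v2.
V2_HOSTREGEXP = re.compile(r"HostRegexp\(`[^`]*\{[A-Za-z]+:[^`]*`\)")
ROUTER_TLS_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.tls(?:\.|$)")


def parse_labels(labels):
    """Split 'key=value' labels into (key, value) pairs, keeping order and duplicates."""
    pairs = []
    for label in labels:
        key, sep, value = label.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def find_overwritten_keys(pairs):
    """Keys set more than once: labels are a map, so only the last value survives."""
    counts = Counter(key for key, _ in pairs)
    return sorted(key for key, n in counts.items() if n > 1)


def find_network_mismatch(pairs, service_networks):
    """traefik.docker.network names a network the service is not attached to (typical 502 cause)."""
    wanted = dict(pairs).get("traefik.docker.network")
    if wanted and wanted not in service_networks:
        return wanted
    return None


def find_v2_hostregexp(pairs):
    """Router rules that still use the Traefik v2 HostRegexp placeholder form."""
    return sorted({key for key, value in pairs
                   if key.endswith(".rule") and V2_HOSTREGEXP.search(value)})


def find_per_router_tls(pairs):
    """Routers carrying their own tls / tls.certresolver labels instead of inheriting from the entrypoint."""
    routers = set()
    for key, _ in pairs:
        match = ROUTER_TLS_KEY.match(key)
        if match:
            routers.add(match.group(1))
    return sorted(routers)


def lint(labels, service_networks):
    """Return one human-readable finding per problem found in the label list."""
    pairs = parse_labels(labels)
    findings = []
    for key in find_overwritten_keys(pairs):
        findings.append(f"{key} is set more than once; only the last value takes effect")
    missing = find_network_mismatch(pairs, service_networks)
    if missing:
        findings.append(f"traefik.docker.network={missing} but the service is not attached to that network")
    for key in find_v2_hostregexp(pairs):
        findings.append(f"{key} uses Traefik v2 HostRegexp syntax; rewrite as a Go regexp for v3")
    for router in find_per_router_tls(pairs):
        findings.append(f"router {router} sets TLS per router; consider moving tls/certresolver to the entrypoint")
    return findings


if __name__ == "__main__":
    for finding in lint(OP_LABELS, OP_NETWORKS):
        print(finding)
```

Run against the opening post's labels it reports the duplicated authentik-secure rule, the v2-style HostRegexp, and the per-router TLS labels; the network check passes because the service really is on frontend, which is why the reply's second point did not apply to this particular config.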

Sorry, I'm a bit new. Can you elaborate on what you mean by "Make sure to set docker.network"? I thought I set it via my "- traefik.docker.network=frontend" label? My frontend network was created externally (well, on Portainer, but I digress).

With respect to the advice of centralizing http-to-https redirection and TLS assignment on the entrypoints, isn't that what I did, at least when I placed my redirection middleware scheme on my web_internal entrypoint?
I think I still need to set labels when I am trying to place a service behind Traefik, right? That's why I did the ones shown, although I am not sure if the http (web_internal) ones are redundant or not, lol.

You start with a very complex setup, loads of middlewares, which all need to work. How about you strip some out and start with a lean setup?

Can you share your Traefik compose file?

What is Traefik dashboard telling you? Are services registered?

Here is my traefik compose file

---
services:
  traefik:
    image: docker.io/library/traefik:v3.2.3
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      # --> (Optional) Enable Dashboard, don't do in production
      - 8085:8080
      # <--
    volumes:
      - /run/docker.sock:/run/docker.sock:ro
      - /container/traefik/config/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - /container/traefik/data/certs/:/var/traefik/certs/:rw
      - /container/traefik/config/config.yml:/config.yml:ro
      - /container/traefik/logs:/var/log/traefik
    environment:
      - CF_DNS_API_TOKEN=apitokenhere # <-- Change this to your Cloudflare API Token
    networks:
      - frontend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web_internal"
      - "traefik.http.routers.traefik.rule=Host(`traefikdb.mydomain.com`)"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      #- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure_internal"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefikdb.mydomain.com`)"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    restart: unless-stopped
networks:
  frontend:
    external: true # <-- (Optional) Change this to false if you want to create a new network

For my authentik override file, I have tried stripping all of the labels and leaving only the entrypoint and hostname (tls and certresolver as well when I do enable the websecure entrypoint) to test, along with stripping all middleware from my traefik.yaml file (leaving only ip-allowlist), to no avail.
Stripping every middleware and labelling the authentik override file with only the following gives me a 404 page not found:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=web_internal"
      - "traefik.http.routers.authentik.rule=Host(`auth.mydomain.com`)"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.docker.network=frontend"

Yes, my dashboard states that there is a service called authentik

Update: I have absolutely no idea why and how, BUT I managed to get to authentik's dashboard with these labels:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=web_internal"
      - "traefik.http.routers.authentik.rule=Host(`auth.mydomain.com`)"
      - "traefik.http.routers.authentik-secure.entrypoints=websecure_internal"
      - "traefik.http.routers.authentik-secure.rule=Host(`auth.mydomain.com`)||HostRegexp(`{subdomain:[a-z0-9-]+}.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.tls.certresolver=cloudflare"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.docker.network=frontend"

I investigated further, slowly applying my middlewares; everything worked until I found that my security-headers middleware broke it, so I discovered that

        customRequestHeaders:
          Upgrade: websocket

Upgrade: websocket broke it completely.
I will admit that I copied this entire security-headers block from a tutorial and I do not understand what the headers mean or do. I will read up on them!
