Help Needed: Traefik with Authelia and Domain Setup - traefik-traefik Error

RareBird15 · January 14, 2025, 6:55am

Hi all,

I'm new to self-hosting, Traefik, Authelia, and YAML. I recently set up a domain, laniesplace.us, purchased from Porkbun, and configured DDNS through Dynu. I've added DNS records for the subdomains I want to use and am trying to configure Traefik to route traffic to my services on subdomains while using Authelia for authentication.

I'm running this setup on a Raspberry Pi 500 (8GB RAM, 512GB SD card) with Stormux (Arch Linux ARM-based). Most services are Docker containers, but some (like Forgejo, Netdata, Filebrowser, and TheLounge) are installed via Pacman.

The Problem

Some subdomains (e.g., traefik.laniesplace.us) won't load. Additionally, I'm seeing this error in Traefik's logs:

2025-01-12T11:55:54Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:457 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [traefik-traefik]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Invalid identifiers requested :: Cannot issue for \"traefik-traefik\": Domain name needs at least one dot" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["traefik-traefik"] providerName=le.acme routerName=websecure-traefik-traefik@docker rule=Host(`traefik-traefik`)

It seems like Traefik is trying to generate certificates for an invalid domain (traefik-traefik). I've reviewed all my configuration files and DNS records and restarted Traefik multiple times, but I can't figure out what's causing this issue.

My Setup

Here are the services I'm hosting:

Homer dashboard
Pi-Hole
Cockpit
Forgejo
Code-Server
Netdata
Uptime Kuma
Linkding
MiniFlux
Watchtower
TheLounge
Filebrowser
Authelia
Portainer
Dokuwiki

I'm also using Tailscale VPN, UFW, and Crowdsec.

Configuration Files

I've uploaded all my relevant configuration files in a ZIP archive. You can download them here:

Download all_configs.zip

The archive contains:

docker-compose.yml for Traefik and other services.
traefik.yml (static configuration).
Dynamic configuration files (middlewares.yml, routers.yml, etc.).
Authelia's configuration.yml.
Other relevant service-specific configurations (e.g., Forgejo, Filebrowser).

Questions

Why might Traefik be generating a domain like traefik-traefik instead of my intended subdomain (traefik.laniesplace.us)?
How can I debug why some subdomains aren't loading?
Are there any common mistakes when setting up Traefik with Authelia that I should check?

Thanks in advance for your help! Let me know if there's anything else I can provide.

bluepuma77 · January 14, 2025, 10:40am

Share your full Traefik static and dynamic config, and docker-compose.yml if used. Use 3 backticks before and after code/config, or select text and press </> button.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Compare your setup to a simple Traefik example, for a Docker service or an external service.

RareBird15 · January 14, 2025, 12:52pm

I included a link to a zip file with all configurations, but I'll put them below as well.
Traefik docker-compose:

networks:
  web:
    external: true

services:
  traefik:
    image: traefik:v3.2.5
    container_name: traefik
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/etc/traefik/acme.json
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./logs:/etc/traefik/logs
    networks:
      - web
    restart: unless-stopped
    labels:
      - "traefik.enable=true"

traefik.yml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log

accessLog:
  filePath: /etc/traefik/logs/access.log

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
    network: web

certificatesResolvers:
  le:
    acme:
      email: "laniegcarmelo@gmail.com"
      storage: "/etc/traefik/acme.json"
      tlsChallenge: {}

traefik middlewares.yml:

http:
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"

Traefik routers.yml:

http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.laniesplace.us`)"
      service: api@internal
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - dashboard-auth

    homer:
      rule: "Host(`laniesplace.us`)"
      service: homer
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    glances:
      rule: "Host(`glances.laniesplace.us`)"
      service: glances
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "glances.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    uptime-kuma:
      rule: "Host(`uptime.laniesplace.us`)"
      service: uptime-kuma
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "uptime.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    miniflux:
      rule: "Host(`rss.laniesplace.us`)"
      service: miniflux
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "rss.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    pihole:
      rule: "Host(`pihole.laniesplace.us`)"
      service: pihole
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
        - pihole-redirect
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "pihole.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    portainer:
      rule: "Host(`portainer.laniesplace.us`)"
      service: portainer
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "portainer.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    linkding:
      rule: "Host(`bookmarks.laniesplace.us`)"
      service: linkding
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "bookmarks.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"
          Remote-User: "{{ .Request.Headers.Remote-User }}"

    filebrowser:
      rule: "Host(`files.laniesplace.us`)"
      service: filebrowser
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "files.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    netdata:
      rule: "Host(`netdata.laniesplace.us`)"
      service: netdata
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "netdata.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    forgejo:
      rule: "Host(`git.laniesplace.us`)"
      service: forgejo
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "git.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    dokuwiki:
      rule: "Host(`wiki.laniesplace.us`)"
      service: dokuwiki
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "wiki.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

    cockpit:
      rule: "Host(`cockpit.laniesplace.us`)"
      service: cockpit
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Host: "cockpit.laniesplace.us"
          X-Forwarded-Uri: "/"
          X-Forwarded-For: "true"

Traefik services.yml:

http:
  services:
    # Docker Services
    homer:
      loadBalancer:
        servers:
          - url: "http://homer:8080"

    glances:
      loadBalancer:
        servers:
          - url: "http://glances:61208"

    uptime-kuma:
      loadBalancer:
        servers:
          - url: "http://uptime-kuma:3001"

    miniflux:
      loadBalancer:
        servers:
          - url: "http://miniflux:8080"

    pihole:
      loadBalancer:
        servers:
          - url: "http://pihole:8088"

    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer:9000"

    linkding:
      loadBalancer:
        servers:
          - url: "http://linkding:9090"

    # Non-Docker Services
    filebrowser:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8085"

    netdata:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:19999"

    forgejo:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"

    dokuwiki:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:81"

    cockpit:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9090"

Logs are too long to paste. That's why I included a zipped folder with all configs and logs in my original post.

bluepuma77 · January 14, 2025, 2:53pm

Remove insecure dashboard, which will automatically create an additional 8080 entrypoint:

Usually those are set by Traefik automatically, so not needed:

I don't think this can work, as Traefik is running inside a container and 127.0.0.1 inside container is not localhost on host, where your "native" apps are listening:

You only need to assign the certresolver once, to entrypoint or router, not twice. So you can remove the TLS from the routers, saves config lines.

This is probably your issue, you enable the Traefik container via labels, but there is no further info for providers.docker, probably uses some defaults then:

If the issue with LetsEncrypt persists, search the log for "err" and/or "acme".

RareBird15 · January 14, 2025, 5:00pm

I fixed all the issues you mentioned. I added additional labels to the Traefik container, got rid of insecure=true, removed the headers, and changed the non-docker services to use host.docker.internal after adding it as an extra host in the Traefik container. I also removed the TLS lines from the routers. I have no more errors, but my service pages still don't load. DNS nameservers have had a couple days to propagate so I don't think it's a DNS issue.

traefik.log

2025-01-14T16:47:08Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["netdata.laniesplace.us"] providerName=le.acme routerName=netdata@file rule=Host(`netdata.laniesplace.us`)
2025-01-14T16:47:08Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["laniesplace.us"] providerName=le.acme routerName=homer@docker rule=Host(`laniesplace.us`)
2025-01-14T16:47:08Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["vscode.laniesplace.us"] providerName=le.acme routerName=code-server@file rule=Host(`vscode.laniesplace.us`)
2025-01-14T16:47:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:112 > Provider event received {Status:health_status: healthy ID:f8836ffc12a8a7079607a13b804510a03d6ba262b376a009725e383a9a6b7964 From:redis:alpine Type:container Action:health_status: healthy Actor:{ID:f8836ffc12a8a7079607a13b804510a03d6ba262b376a009725e383a9a6b7964 Attributes:map[com.docker.compose.config-hash:01bb63be2532a1fedb2958eedd54f29fd4eb36afdc179a93c882495fcb5cc7a4 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:3476e78e24d81d14c06907e3be39f6d0a2d0ad7b2a483491f95428c7426e06f7 com.docker.compose.oneoff:False com.docker.compose.project:authelia com.docker.compose.project.config_files:/opt/docker/authelia/docker-compose.yml com.docker.compose.project.working_dir:/opt/docker/authelia com.docker.compose.service:redis com.docker.compose.version:2.32.1 image:redis:alpine name:authelia_redis]} Scope:local Time:1736873251 TimeNano:1736873251972122070} providerName=docker
2025-01-14T16:47:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=redis-authelia-f8836ffc12a8a7079607a13b804510a03d6ba262b376a009725e383a9a6b7964 providerName=docker
2025-01-14T16:47:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=db-miniflux-6a303f48a1e5008d6eea7ebed041cddaaeea7ba21d9d473ffe68f7810e4a2c02 providerName=docker
2025-01-14T16:47:31Z WRN github.com/traefik/traefik/v3/pkg/provider/docker/config.go:334 > Could not find network named "web" for container "/pihole". Maybe you're missing the project's prefix in the label? container=pihole-infrastructure-services-717c2f11d18a07a6d06f178d03b02a3cd93d3ecaf1d608490be1431caea7f196 providerName=docker serviceName=pihole
2025-01-14T16:47:31Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=watchtower-infrastructure-services-085c3f6da3008daad69d8a44a082c02b205ff7213df66de27a98f6d1272224d5 providerName=docker
2025-01-14T16:47:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"authelia":{"forwardAuth":{"address":"http://authelia:9091/api/verify?rd=https://auth.laniesplace.us","authRequestHeaders":["X-Forwarded-Proto","X-Forwarded-Host"],"authResponseHeaders":["Remote-User","Remote-Groups","Remote-Name","Remote-Email"],"trustForwardHeader":true}},"pihole-redirect":{"redirectRegex":{"permanent":true,"regex":"^https://pihole\\.laniesplace\\.us/?$","replacement":"https://pihole.laniesplace.us/admin"}}},"routers":{"authelia":{"entryPoints":["websecure"],"rule":"Host(`auth.laniesplace.us`)","service":"authelia","tls":{"certResolver":"le"}},"glances":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`glances.laniesplace.us`)","service":"glances","tls":{"certResolver":"le"}},"homer":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`laniesplace.us`)","service":"homer","tls":{"certResolver":"le"}},"linkding":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`bookmarks.laniesplace.us`)","service":"linkding","tls":{"certResolver":"le"}},"miniflux":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`rss.laniesplace.us`)","service":"miniflux","tls":{"certResolver":"le"}},"pihole":{"entryPoints":["websecure"],"middlewares":["authelia@docker","pihole-redirect"],"rule":"Host(`pihole.laniesplace.us`)","service":"pihole","tls":{"certResolver":"le"}},"portainer":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`portainer.laniesplace.us`)","service":"portainer","tls":{"certResolver":"le"}},"traefik":{"entryPoints":["websecure"],"middlewares":["dashboard-auth@file"],"rule":"Host(`traefik.laniesplace.us`)","service":"api@internal"},"uptime-kuma":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`uptime.laniesplace.us`)","service":"uptime-kuma","tls":{"certResolver":"le"}}},"services":{"authelia":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.7:9091"}]}},"glances":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.5:61208"}]}},"homer":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.10:8080"}]}},"linkding":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.9:9090"}]}},"miniflux":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.6:8080"}]}},"pihole":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.17.0.1:8088"}]}},"portainer":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.2:9000"}]}},"traefik":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.8:8080"}]}},"uptime-kuma":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.4:3001"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker
2025-01-14T16:47:31Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:127 > Skipping unchanged configuration providerName=docker

access.log

106.75.132.125 - - [14/Jan/2025:15:07:09 +0000] "GET /favicon.ico HTTP/1.1" 401 124 "-" "-" 745 "cockpit@file" "-" 0ms
106.75.139.250 - - [14/Jan/2025:15:07:11 +0000] "GET /favicon.ico HTTP/1.1" 401 124 "-" "-" 746 "netdata@file" "-" 0ms
106.75.169.16 - - [14/Jan/2025:15:07:15 +0000] "GET /favicon.ico HTTP/1.1" 401 122 "-" "-" 747 "filebrowser@file" "-" 1ms
106.75.137.67 - - [14/Jan/2025:15:09:33 +0000] "GET / HTTP/1.1" 401 110 "-" "-" 748 "dokuwiki@file" "-" 1ms
106.75.137.67 - - [14/Jan/2025:15:09:34 +0000] "GET /favicon.ico HTTP/1.1" 401 121 "-" "-" 749 "dokuwiki@file" "-" 0ms
106.75.175.130 - - [14/Jan/2025:15:09:44 +0000] "GET / HTTP/1.1" 401 110 "-" "-" 750 "dokuwiki@file" "-" 0ms
106.75.175.130 - - [14/Jan/2025:15:09:47 +0000] "GET /favicon.ico HTTP/1.1" 401 121 "-" "-" 751 "dokuwiki@file" "-" 0ms
192.147.66.37 - - [14/Jan/2025:15:18:30 +0000] "GET / HTTP/1.1" 403 13 "-" "-" 752 "homer@file" "-" 1ms
205.169.39.4 - - [14/Jan/2025:15:21:30 +0000] "GET / HTTP/2.0" 401 115 "-" "-" 753 "linkding@file" "-" 1ms
205.169.39.19 - - [14/Jan/2025:15:21:30 +0000] "GET / HTTP/2.0" 401 113 "-" "-" 754 "netdata@file" "-" 1ms

bluepuma77 · January 14, 2025, 6:08pm

Dashboard is loading? If not, use labels from simple Traefik example, remove from dynamic files.

The issue is with authelia? Share the middleware config. authelia@docker indicates it is declared in labels?

RareBird15 · January 14, 2025, 6:50pm

Dashboard doesn't load at all. Authelia config is below:

Authelia docker-compose:

services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      - ./config:/config
      - ./logs:/var/log/authelia
    networks:
      - web
      - authelia_internal
    environment:
      - TZ=America/Chicago
      - AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session_secret
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage_encryption_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=le"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.laniesplace.us"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"

    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - redis
    healthcheck:
      test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

  redis:
    image: redis:alpine
    container_name: authelia_redis
    networks:
      - authelia_internal
    restart: unless-stopped
    volumes:
      - ./redis:/data
    command: redis-server --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 10s
      retries: 3
    security_opt:
      - no-new-privileges:true

networks:
  web:
    external: true
  authelia_internal:
    internal: true

Authelia configuration.yml:

theme: light

server:
  address: 0.0.0.0:9091

log:
  level: debug
  format: text
  file_path: /var/log/authelia/authelia.log

totp:
  issuer: laniesplace.us
  period: 30
  skew: 1

authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4
      salt_length: 16
      key_length: 32

access_control:
  default_policy: deny
  rules:
    # Public Access
    - domain: 
        - "pihole.laniesplace.us"
        - "laniesplace.us"
        - "auth.laniesplace.us"
        - "traefik.laniesplace.us"
      policy: bypass

    # High Security (Two Factor)
    - domain: 
        - "portainer.laniesplace.us"
        - "netdata.laniesplace.us"
        - "cockpit.laniesplace.us"
        - "glances.laniesplace.us"
        - "vscode.laniesplace.us"
      policy: two_factor
      subject:
        - "group:admins"

    # Medium Security (One Factor Admin)
    - domain:
        - "forgejo.laniesplace.us"
        - "files.laniesplace.us"
        - "uptime.laniesplace.us"
      policy: one_factor
      subject:
        - "group:admins"

    # Standard Auth (One Factor)
    - domain:
        - "thelounge.laniesplace.us"
        - "miniflux.laniesplace.us"
        - "linkding.laniesplace.us"
        - "wiki.laniesplace.us"
      policy: one_factor

    - domain: "*.laniesplace.us"
      policy: one_factor

session:
  name: authelia_session
  domain: laniesplace.us
  same_site: lax
  expiration: 3600
  inactivity: 300
  remember_me: 1M

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  smtp:
    address: submission://smtp.gmail.com:587
    username: laniegcarmelo@gmail.com
    password: rcig lqpk cbsg aqcm
    sender: "Authelia <laniegcarmelo@gmail.com>"
    identifier: auth.laniesplace.us
    subject: "[Authelia] {title}"
    startup_check_address: laniegcarmelo@gmail.com
    timeout: 5s

identity_validation:
  reset_password:
    jwt_secret: ${AUTHELIA_JWT_SECRET_FILE}

Traefik middlewares.yml:

http:
middlewares:
dashboard-auth:
basicAuth:
users:
- "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
rate-limit:
rateLimit:
average: 100
burst: 50

In case it helps, updated versions of other files are below:
###Traefik docker-compose.yml:

networks:
web:
external: true

services:
traefik:
extra_hosts:
- "host.docker.internal:host-gateway"
image: traefik:v3.2.5
container_name: traefik
security_opt:
- no-new-privileges:true
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./acme.json:/etc/traefik/acme.json
- ./dynamic:/etc/traefik/dynamic:ro
- ./logs:/etc/traefik/logs
networks:
- web
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(traefik.laniesplace.us)"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
- "traefik.http.routers.traefik.middlewares=dashboard-auth@file"
```

traefik.yml:

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log

accessLog:
  filePath: /etc/traefik/logs/access.log

api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
    network: web

certificatesResolvers:
  le:
    acme:
      email: "laniegcarmelo@gmail.com"
      storage: "/etc/traefik/acme.json"
      tlsChallenge: {}

dynamic/routers.yml:

http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.laniesplace.us`)"
      service: api@internal
      entryPoints:
        - websecure
      middlewares:
        - dashboard-auth

    homer:
      rule: "Host(`laniesplace.us`)"
      service: homer
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    glances:
      rule: "Host(`glances.laniesplace.us`)"
      service: glances
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    uptime-kuma:
      rule: "Host(`uptime.laniesplace.us`)"
      service: uptime-kuma
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    miniflux:
      rule: "Host(`rss.laniesplace.us`)"
      service: miniflux
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    pihole:
      rule: "Host(`pihole.laniesplace.us`)"
      service: pihole
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker
        - pihole-redirect

    portainer:
      rule: "Host(`portainer.laniesplace.us`)"
      service: portainer
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    linkding:
      rule: "Host(`bookmarks.laniesplace.us`)"
      service: linkding
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    filebrowser:
      rule: "Host(`files.laniesplace.us`)"
      service: filebrowser
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    netdata:
      rule: "Host(`netdata.laniesplace.us`)"
      service: netdata
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    forgejo:
      rule: "Host(`git.laniesplace.us`)"
      service: forgejo
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    dokuwiki:
      rule: "Host(`wiki.laniesplace.us`)"
      service: dokuwiki
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    cockpit:
      rule: "Host(`cockpit.laniesplace.us`)"
      service: cockpit
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    code-server:
      rule: "Host(`vscode.laniesplace.us`)"
      service: code-server
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

dynamic/services.yml:

http:
  services:
    # Docker Services
    homer:
      loadBalancer:
        servers:
          - url: "http://homer"

    glances:
      loadBalancer:
        servers:
          - url: "http://glances"

    uptime-kuma:
      loadBalancer:
        servers:
          - url: "http://uptime-kuma"

    miniflux:
      loadBalancer:
        servers:
          - url: "http://miniflux"

    pihole:
      loadBalancer:
        servers:
          - url: "http://pihole"

    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer"

    linkding:
      loadBalancer:
        servers:
          - url: "http://linkding"

    # Non-Docker Services
    filebrowser:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:8085"

    netdata:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:19999"

    forgejo:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:3000"

    dokuwiki:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:81"

    cockpit:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:9090"
          
    code-server:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:8081"
          ```

RareBird15 · January 15, 2025, 8:18pm

Still can't get things working. I've gone over my config several times but still have no idea what the problem is. None of my configured subdomains will load. All files will be below.

### Traefik docker-compose.yml:

```
networks:
  web:
    external: true

services:
  traefik:
    extra_hosts:
      - "host.docker.internal:host-gateway"
    image: traefik:v3.2.5
    container_name: traefik
    platform: linux/arm64
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/etc/traefik/acme.json
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./logs:/etc/traefik/logs
    networks:
      - web
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.laniesplace.us`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.routers.traefik.middlewares=dashboard-auth@file"
```

### traefik.yml

```
global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log

accessLog:
  filePath: /etc/traefik/logs/access.log

api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
    network: web

certificatesResolvers:
  le:
    acme:
      email: "laniegcarmelo@gmail.com"
      storage: "/etc/traefik/acme.json"
      tlsChallenge: {}
```

### dynamic/middlewares.yml:

```
http:
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
    rate-limit:
      rateLimit:
        average: 100
        burst: 50

http:
  middlewares:
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.laniesplace.us"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"
```

### dynamic/routers.yml:

```
http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.laniesplace.us`)"
      service: api@internal
      entryPoints:
        - websecure

    homer:
      rule: "Host(`laniesplace.us`)"
      service: homer
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    glances:
      rule: "Host(`glances.laniesplace.us`)"
      service: glances
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    uptime-kuma:
      rule: "Host(`uptime.laniesplace.us`)"
      service: uptime-kuma
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    miniflux:
      rule: "Host(`rss.laniesplace.us`)"
      service: miniflux
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    pihole:
      rule: "Host(`pihole.laniesplace.us`)"
      service: pihole
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker
        - pihole-redirect

    portainer:
      rule: "Host(`portainer.laniesplace.us`)"
      service: portainer
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    linkding:
      rule: "Host(`bookmarks.laniesplace.us`)"
      service: linkding
      entryPoints:
        - websecure
      middlewares:
        - authelia@docker

    filebrowser:
      rule: "Host(`files.laniesplace.us`)"
      service: filebrowser
      entryPoints:
        - websecure
      middlewares:
        - authelia@file

    netdata:
      rule: "Host(`netdata.laniesplace.us`)"
      service: netdata
      entryPoints:
        - websecure
      middlewares:
        - authelia@file

    forgejo:
      rule: "Host(`git.laniesplace.us`)"
      service: forgejo
      entryPoints:
        - websecure
      middlewares:
        - authelia@file

    dokuwiki:
      rule: "Host(`wiki.laniesplace.us`)"
      service: dokuwiki
      entryPoints:
        - websecure
      middlewares:
        - authelia@file

    cockpit:
      rule: "Host(`cockpit.laniesplace.us`)"
      service: cockpit
      entryPoints:
        - websecure
      middlewares:
        - authelia@file

    code-server:
      rule: "Host(`vscode.laniesplace.us`)"
      service: code-server
      entryPoints:
        - websecure
      middlewares:
        - authelia@file
```

### dynamic/services.yml:

```
http:
  services:
    # Docker Services
    homer:
      loadBalancer:
        servers:
          - url: "http://homer"

    glances:
      loadBalancer:
        servers:
          - url: "http://glances"

    uptime-kuma:
      loadBalancer:
        servers:
          - url: "http://uptime-kuma"

    miniflux:
      loadBalancer:
        servers:
          - url: "http://miniflux"

    pihole:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8088"

    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer"

    linkding:
      loadBalancer:
        servers:
          - url: "http://linkding"

    # Non-Docker Services
    filebrowser:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:8085"

    netdata:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:19999"

    forgejo:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:3000"

    dokuwiki:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:81"

    cockpit:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:9090"
          
    code-server:
      loadBalancer:
        servers:
          - url: "http://host.docker.internal:8081"
          ```

### authelia docker-compose.yml:

```
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      - ./config:/config
      - ./logs:/var/log/authelia
    networks:
      - web
      - authelia_internal
    environment:
      - TZ=America/Chicago
      - AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session_secret
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage_encryption_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=le"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.laniesplace.us"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"

    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - redis
    healthcheck:
      test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

  redis:
    image: redis:alpine
    container_name: authelia_redis
    networks:
      - authelia_internal
    restart: unless-stopped
    volumes:
      - ./redis:/data
    command: redis-server --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 10s
      retries: 3
    security_opt:
      - no-new-privileges:true

networks:
  web:
    external: true
  authelia_internal:
    internal: true
```

### Authelia configuration.yml:

```
theme: light

server:
  address: 0.0.0.0:9091

log:
  level: debug
  format: text
  file_path: /var/log/authelia/authelia.log

totp:
  issuer: laniesplace.us
  period: 30
  skew: 1

authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4
      salt_length: 16
      key_length: 32

access_control:
  default_policy: deny
  rules:
    # Public Access
    - domain: 
        - "laniesplace.us"
        - "auth.laniesplace.us"
        - "traefik.laniesplace.us"
      policy: bypass

    # Pi-hole specific rule
    - domain: "pihole.laniesplace.us"
      resources:
        - "^/api/.*$"
      policy: bypass

    - domain: "pihole.laniesplace.us"
      policy: two_factor
      subject:
        - "group:admins"

    # High Security (Two Factor)
    - domain: 
        - "portainer.laniesplace.us"
        - "netdata.laniesplace.us"
        - "cockpit.laniesplace.us"
        - "glances.laniesplace.us"
        - "vscode.laniesplace.us"
      policy: two_factor
      subject:
        - "group:admins"

    # Medium Security (One Factor Admin)
    - domain:
        - "forgejo.laniesplace.us"
        - "files.laniesplace.us"
        - "uptime.laniesplace.us"
      policy: one_factor
      subject:
        - "group:admins"

    # Standard Auth (One Factor)
    - domain:
        - "thelounge.laniesplace.us"
        - "miniflux.laniesplace.us"
        - "linkding.laniesplace.us"
        - "wiki.laniesplace.us"
      policy: one_factor

    - domain: "*.laniesplace.us"
      policy: one_factor

session:
  name: authelia_session
  domain: laniesplace.us
  same_site: lax
  expiration: 3600
  inactivity: 300
  remember_me: 1M

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  smtp:
    address: submission://smtp.gmail.com:587
    username: laniegcarmelo@gmail.com
    password: rcig lqpk cbsg aqcm
    sender: "Authelia <laniegcarmelo@gmail.com>"
    identifier: auth.laniesplace.us
    subject: "[Authelia] {title}"
    startup_check_address: laniegcarmelo@gmail.com
    timeout: 5s

identity_validation:
  reset_password:
    jwt_secret: ${AUTHELIA_JWT_SECRET_FILE}
```

### infrastructure services docker-compose:

```
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: ${PIHOLE_PASSWORD}
      WEB_PORT: 8088
      DNSMASQ_LISTENING: "all"
      FTLCONF_LOCAL_IPV4: '192.168.1.137'
      FTLCONF_REPLY_ADDR4: '192.168.1.137'
      DNS1: '1.1.1.1'
      DNS2: '1.0.0.1'
      PIHOLE_DNS_: '1.1.1.1;1.0.0.1'
      VIRTUAL_HOST: 'pihole.laniesplace.us'
      PROXY_LOCATION: 'pihole'
    network_mode: host
    volumes:
      - pihole_data:/etc/pihole
      - pihole_dnsmasq:/etc/dnsmasq.d
    dns:
      - 1.1.1.1
      - 1.0.0.1
    healthcheck:
      test: ["CMD", "dig", "@127.0.0.1", "pi.hole", "&&", "nslookup", "google.com", "127.0.0.1"]
      interval: 30s
      timeout: 10s
      retries: 3

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - portainer_data:/data
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.laniesplace.us`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls.certresolver=le"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer.middlewares=authelia@docker"

  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    healthcheck:
      test: ["CMD", "/watchtower", "--help"]
      interval: 30s
      timeout: 10s
      retries: 3
    command:
      - --interval
      - "86400"
    networks:
      - web

volumes:
  pihole_data:
  pihole_dnsmasq:
  portainer_data:

networks:
  web:
    external: true
```

### MiniFlux docker-compose:

```
services:
  db:
    image: postgres:15
    container_name: miniflux-db
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USER}
      POSTGRES_DB: miniflux
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "${DB_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - miniflux-net

  miniflux:
    image: miniflux/miniflux:latest
    container_name: miniflux
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    environment:
      - DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=${ADMIN_USERNAME}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD}
    healthcheck:
      test: ["CMD", "wget", "--spider", "--quiet", "http://localhost:8080/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - web
      - miniflux-net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.miniflux.rule=Host(`rss.laniesplace.us`)"
      - "traefik.http.routers.miniflux.entrypoints=websecure"
      - "traefik.http.routers.miniflux.tls.certresolver=le"
      - "traefik.http.services.miniflux.loadbalancer.server.port=8080"
      - "traefik.http.routers.miniflux.middlewares=authelia@docker"

volumes:
  postgres_data:

networks:
  miniflux-net:
    internal: true
  web:
    external: true
```

### Monitoring services docker-compose:
```
services:
  glances:
    image: nicolargo/glances:latest-full
    container_name: glances
    restart: unless-stopped
    ports:
      - "61208:61208"
    environment:
      - GLANCES_OPT=-w
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    healthcheck:
      test: ["CMD", "curl", "--fail", "http://0.0.0.0:61208"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.glances.rule=Host(`glances.laniesplace.us`)"
      - "traefik.http.routers.glances.entrypoints=websecure"
      - "traefik.http.routers.glances.tls.certresolver=le"
      - "traefik.http.routers.glances.middlewares=authelia@docker"
      - "traefik.http.services.glances.loadbalancer.server.port=61208"

  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: unless-stopped
    ports:
      - "3001:3001"
    volumes:
      - uptime_kuma_data:/app/data
    healthcheck:
      test: ["CMD", "curl", "--fail", "http://localhost:3001"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.uptime-kuma.rule=Host(`uptime.laniesplace.us`)"
      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
      - "traefik.http.routers.uptime-kuma.tls.certresolver=le"
      - "traefik.http.routers.uptime-kuma.middlewares=authelia@docker"
      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"

volumes:
  uptime_kuma_data:

networks:
  web:
    external: true
```

### Web services docker-compose:

```
services:
  homer:
    image: b4bz/homer:latest
    container_name: homer
    volumes:
      - homer_data:/www/assets
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homer.rule=Host(`laniesplace.us`)"
      - "traefik.http.routers.homer.entrypoints=websecure"
      - "traefik.http.routers.homer.tls.certresolver=le"
      - "traefik.http.services.homer.loadbalancer.server.port=8080"
      - "traefik.http.routers.homer.middlewares=authelia@docker"
  linkding:
    image: sissbruecker/linkding:latest-plus
    container_name: linkding
    environment:
      LD_ENABLE_AUTH_PROXY: "true"
      LD_AUTH_PROXY_HEADER: "Remote-User"
      LD_AUTH_PROXY_AUTO_LOGIN: "true"
      LD_AUTH_PROXY_LOGOUT_URL: "https://auth.laniesplace.us/logout"
    volumes:
      - linkding_data:/etc/linkding/data
    healthcheck:
      test: ["CMD", "node", "-e", "const http = require('http'); const options = {host: 'localhost', port: 9090, path: '/', timeout: 2000}; const request = http.request(options, (res) => { process.exit([200, 302].includes(res.statusCode) ? 0 : 1)}); request.on('error', () => process.exit(1)); request.end()"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.linkding.rule=Host(`bookmarks.laniesplace.us`)"
      - "traefik.http.routers.linkding.entrypoints=websecure"
      - "traefik.http.routers.linkding.tls.certresolver=le"
      - "traefik.http.services.linkding.loadbalancer.server.port=9090"
      - "traefik.http.routers.linkding.middlewares=authelia@docker"

volumes:
  homer_data:
  linkding_data:

networks:
  web:
    external: true
```

### Note:
Services not mentioned in docker-compose.yml files are installed as packages.

### Logs

```
[lanie@stormux traefik] $ sudo tail ../authelia/logs/authelia.log

time="2025-01-15T13:30:29-06:00" level=info msg="Startup complete"

time="2025-01-15T13:30:29-06:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server

time="2025-01-15T13:56:31-06:00" level=debug msg="Shutdown initiated due to process signal" signal=terminated

time="2025-01-15T13:56:31-06:00" level=info msg="Shutdown initiated"

time="2025-01-15T13:56:31-06:00" level=info msg="Shutdown complete"

time="2025-01-15T13:56:34-06:00" level=info msg="Storage schema is being checked for updates"

time="2025-01-15T13:56:34-06:00" level=info msg="Storage schema is already up to date"

time="2025-01-15T13:56:35-06:00" level=debug msg="Create Server Service (metrics) skipped"

time="2025-01-15T13:56:35-06:00" level=info msg="Startup complete"

time="2025-01-15T13:56:35-06:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server

[lanie@stormux traefik] $ sudo tail ../traefik/logs/traefik.log

2025-01-15T19:56:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["bookmarks.laniesplace.us"] providerName=le.acme routerName=linkding@docker rule=Host(`bookmarks.laniesplace.us`)

2025-01-15T19:56:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["portainer.laniesplace.us"] providerName=le.acme routerName=portainer@docker rule=Host(`portainer.laniesplace.us`)

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/pdocker.go:112 > Provider event received {Status:health_status: healthy ID:570df8e63e49d136b710c1a4497c1d3884aeb2076c1cde303bce36313ec63d48 From:redis:alpine Type:container Action:health_status: healthy Actor:{ID:570df8e63e49d136b710c1a4497c1d3884aeb2076c1cde303bce36313ec63d48 Attributes:map[com.docker.compose.config-hash:01bb63be2532a1fedb2958eedd54f29fd4eb36afdc179a93c882495fcb5cc7a4 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:3476e78e24d81d14c06907e3be39f6d0a2d0ad7b2a483491f95428c7426e06f7 com.docker.compose.oneoff:False com.docker.compose.project:authelia com.docker.compose.project.config_files:/opt/docker/authelia/docker-compose.yml com.docker.compose.project.working_dir:/opt/docker/authelia com.docker.compose.service:redis com.docker.compose.version:2.32.1 image:redis:alpine name:authelia_redis]} Scope:local Time:1736971024 TimeNano:1736971024190761829} providerName=docker

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=redis-authelia-570df8e63e49d136b710c1a4497c1d3884aeb2076c1cde303bce36313ec63d48 providerName=docker

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=pihole-infrastructure-services-14dac25a456b543d5e5037ac14b6ac4a54e4693a6017d0063d74f032940a7570 providerName=docker

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=watchtower-infrastructure-services-a7c10b7d9efbb9859c0d5a8fe5dd08e21ae59a5dc9575e4bc73c185a3ed54d63 providerName=docker

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/provider/docker/config.go:185 > Filtering disabled container container=db-miniflux-79fe72104545723c902d03759b1f90b6d0ea8b78ba80a51ebc7b9e7258a47723 providerName=docker

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"authelia":{"forwardAuth":{"address":"http://authelia:9091/api/verify?rd=https://auth.laniesplace.us","authRequestHeaders":["X-Forwarded-Proto","X-Forwarded-Host"],"authResponseHeaders":["Remote-User","Remote-Groups","Remote-Name","Remote-Email"],"trustForwardHeader":true}}},"routers":{"authelia":{"entryPoints":["websecure"],"rule":"Host(`auth.laniesplace.us`)","service":"authelia","tls":{"certResolver":"le"}},"glances":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`glances.laniesplace.us`)","service":"glances","tls":{"certResolver":"le"}},"homer":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`laniesplace.us`)","service":"homer","tls":{"certResolver":"le"}},"linkding":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`bookmarks.laniesplace.us`)","service":"linkding","tls":{"certResolver":"le"}},"miniflux":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`rss.laniesplace.us`)","service":"miniflux","tls":{"certResolver":"le"}},"portainer":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`portainer.laniesplace.us`)","service":"portainer","tls":{"certResolver":"le"}},"traefik":{"entryPoints":["websecure"],"middlewares":["dashboard-auth@file"],"rule":"Host(`traefik.laniesplace.us`)","service":"api@internal"},"uptime-kuma":{"entryPoints":["websecure"],"middlewares":["authelia@docker"],"rule":"Host(`uptime.laniesplace.us`)","service":"uptime-kuma","tls":{"certResolver":"le"}}},"services":{"authelia":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.7:9091"}]}},"glances":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.3:61208"}]}},"homer":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.9:8080"}]}},"linkding":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.10:9090"}]}},"miniflux":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.6:8080"}]}},"portainer":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.4:9000"}]}},"traefik":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.8:8080"}]}},"uptime-kuma":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://172.23.0.5:3001"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=docker

2025-01-15T19:57:04Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:127 > Skipping unchanged configuration providerName=docker

2025-01-15T20:05:35Z WRN github.com/traefik/traefik/v3/pkg/version/version.go:103 > A new release of Traefik has been found: 3.3.2. Please consider updating.

[lanie@stormux traefik] $ sudo tail ../traefik/logs/access.log

106.75.132.125 - - [14/Jan/2025:15:07:09 +0000] "GET /favicon.ico HTTP/1.1" 401 124 "-" "-" 745 "cockpit@file" "-" 0ms

106.75.139.250 - - [14/Jan/2025:15:07:11 +0000] "GET /favicon.ico HTTP/1.1" 401 124 "-" "-" 746 "netdata@file" "-" 0ms

106.75.169.16 - - [14/Jan/2025:15:07:15 +0000] "GET /favicon.ico HTTP/1.1" 401 122 "-" "-" 747 "filebrowser@file" "-" 1ms

106.75.137.67 - - [14/Jan/2025:15:09:33 +0000] "GET / HTTP/1.1" 401 110 "-" "-" 748 "dokuwiki@file" "-" 1ms

106.75.137.67 - - [14/Jan/2025:15:09:34 +0000] "GET /favicon.ico HTTP/1.1" 401 121 "-" "-" 749 "dokuwiki@file" "-" 0ms

106.75.175.130 - - [14/Jan/2025:15:09:44 +0000] "GET / HTTP/1.1" 401 110 "-" "-" 750 "dokuwiki@file" "-" 0ms

106.75.175.130 - - [14/Jan/2025:15:09:47 +0000] "GET /favicon.ico HTTP/1.1" 401 121 "-" "-" 751 "dokuwiki@file" "-" 0ms

192.147.66.37 - - [14/Jan/2025:15:18:30 +0000] "GET / HTTP/1.1" 403 13 "-" "-" 752 "homer@file" "-" 1ms

205.169.39.4 - - [14/Jan/2025:15:21:30 +0000] "GET / HTTP/2.0" 401 115 "-" "-" 753 "linkding@file" "-" 1ms

205.169.39.19 - - [14/Jan/2025:15:21:30 +0000] "GET / HTTP/2.0" 401 113 "-" "-" 754 "netdata@file" "-" 1ms

[lanie@stormux traefik] $
```

bluepuma77 · January 15, 2025, 9:00pm

Can you be more specific what is not working? What’s the error, what are Traefik debug log, access log and dashboard telling you?

I don’t understand why you don’t break down you config to a single non-working service, that would make debugging probably a bit easier.

RareBird15 · January 15, 2025, 10:44pm

I provided logs in the post above. The issue is that my domain and subdomains won't load. Edge just says network error. I'll try to create one single config. I thought having separate config files for things would make it easier, but it hasn't.

RareBird15 · January 15, 2025, 11:40pm

Okay, I combined all dynamic configuration into one file and made a few other updates.

docker-compose.yml

networks:
  web:
    external: true

services:
  traefik:
    extra_hosts:
      - "host.docker.internal:host-gateway"
    image: traefik:v3.2.5
    container_name: traefik
    platform: linux/arm64
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/etc/traefik/acme.json
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./logs:/etc/traefik/logs
    networks:
      - web
    restart: unless-stopped

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log

accessLog:
  filePath: /etc/traefik/logs/access.log

api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le

providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
    network: web

certificatesResolvers:
  le:
    acme:
      email: "laniegcarmelo@gmail.com"
      storage: "/etc/traefik/acme.json"
      tlsChallenge: {}

dynamic.yml

http:
  routers:
    traefik-dashboard:
      rule: "Host(`traefik.laniesplace.us`)"
      service: api@internal
      entryPoints:
        - websecure
      middlewares:
        - dashboard-auth
        - rate-limit

    homer:
      rule: "Host(`laniesplace.us`)"
      service: homer
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    glances:
      rule: "Host(`glances.laniesplace.us`)"
      service: glances
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    uptime-kuma:
      rule: "Host(`uptime.laniesplace.us`)"
      service: uptime-kuma
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    miniflux:
      rule: "Host(`rss.laniesplace.us`)"
      service: miniflux
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    pihole:
      rule: "Host(`pihole.laniesplace.us`)"
      service: pihole
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit
        - pihole-redirect

    portainer:
      rule: "Host(`portainer.laniesplace.us`)"
      service: portainer
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    linkding:
      rule: "Host(`bookmarks.laniesplace.us`)"
      service: linkding
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    filebrowser:
      rule: "Host(`files.laniesplace.us`)"
      service: filebrowser
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    netdata:
      rule: "Host(`netdata.laniesplace.us`)"
      service: netdata
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    forgejo:
      rule: "Host(`git.laniesplace.us`)"
      service: forgejo
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    dokuwiki:
      rule: "Host(`wiki.laniesplace.us`)"
      service: dokuwiki
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    cockpit:
      rule: "Host(`cockpit.laniesplace.us`)"
      service: cockpit
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

    code-server:
      rule: "Host(`vscode.laniesplace.us`)"
      service: code-server
      entryPoints:
        - websecure
      middlewares:
        - authelia
        - rate-limit

  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
    
    rate-limit:
      rateLimit:
        average: 100
        burst: 50
    
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.laniesplace.us"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"
    
    pihole-redirect:
      redirectRegex:
        regex: "^https://pihole\\.laniesplace\\.us/admin/(.*)$"
        replacement: "https://pihole.laniesplace.us/admin/index.php?{1}"

  services:
    homer:
      loadBalancer:
        servers:
          - url: "http://homer"

    glances:
      loadBalancer:
        servers:
          - url: "http://glances"

    uptime-kuma:
      loadBalancer:
        servers:
          - url: "http://uptime-kuma"

    miniflux:
      loadBalancer:
        servers:
          - url: "http://miniflux"

    pihole:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:8088"

    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer"

    linkding:
      loadBalancer:
        servers:
          - url: "http://linkding"

    filebrowser:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:8085"

    netdata:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:19999"

    forgejo:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:3000"

    dokuwiki:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:81"

    cockpit:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:9090"

    code-server:
      loadBalancer:
        servers:
          - url: "http://172.17.0.1:8081"

logs

[lanie@stormux traefik] $ tail logs/traefik.log 
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:445 > Trying to challenge certificate for domain [wiki.laniesplace.us] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=dokuwiki@file rule=Host(`wiki.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:915 > Looking for provided certificate(s) to validate ["portainer.laniesplace.us"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=portainer@docker rule=Host(`portainer.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["portainer.laniesplace.us"] providerName=le.acme routerName=portainer@docker rule=Host(`portainer.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:445 > Trying to challenge certificate for domain [uptime.laniesplace.us] found in HostSNI rule ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=uptime-kuma@docker rule=Host(`uptime.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:915 > Looking for provided certificate(s) to validate ["glances.laniesplace.us"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=glances@file rule=Host(`glances.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:915 > Looking for provided certificate(s) to validate ["uptime.laniesplace.us"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=uptime-kuma@docker rule=Host(`uptime.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["glances.laniesplace.us"] providerName=le.acme routerName=glances@file rule=Host(`glances.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:915 > Looking for provided certificate(s) to validate ["wiki.laniesplace.us"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=le.acme routerName=dokuwiki@file rule=Host(`wiki.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["uptime.laniesplace.us"] providerName=le.acme routerName=uptime-kuma@docker rule=Host(`uptime.laniesplace.us`)
2025-01-15T23:36:50Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["wiki.laniesplace.us"] providerName=le.acme routerName=dokuwiki@file rule=Host(`wiki.laniesplace.us`)
[lanie@stormux traefik] $ tail logs/access.log 
106.75.132.125 - - [14/Jan/2025:15:07:09 +0000] "GET /favicon.ico HTTP/1.1" 401 124 "-" "-" 745 "cockpit@file" "-" 0ms
106.75.139.250 - - [14/Jan/2025:15:07:11 +0000] "GET /favicon.ico HTTP/1.1" 401 124 "-" "-" 746 "netdata@file" "-" 0ms
106.75.169.16 - - [14/Jan/2025:15:07:15 +0000] "GET /favicon.ico HTTP/1.1" 401 122 "-" "-" 747 "filebrowser@file" "-" 1ms
106.75.137.67 - - [14/Jan/2025:15:09:33 +0000] "GET / HTTP/1.1" 401 110 "-" "-" 748 "dokuwiki@file" "-" 1ms
106.75.137.67 - - [14/Jan/2025:15:09:34 +0000] "GET /favicon.ico HTTP/1.1" 401 121 "-" "-" 749 "dokuwiki@file" "-" 0ms
106.75.175.130 - - [14/Jan/2025:15:09:44 +0000] "GET / HTTP/1.1" 401 110 "-" "-" 750 "dokuwiki@file" "-" 0ms
106.75.175.130 - - [14/Jan/2025:15:09:47 +0000] "GET /favicon.ico HTTP/1.1" 401 121 "-" "-" 751 "dokuwiki@file" "-" 0ms
192.147.66.37 - - [14/Jan/2025:15:18:30 +0000] "GET / HTTP/1.1" 403 13 "-" "-" 752 "homer@file" "-" 1ms
205.169.39.4 - - [14/Jan/2025:15:21:30 +0000] "GET / HTTP/2.0" 401 115 "-" "-" 753 "linkding@file" "-" 1ms
205.169.39.19 - - [14/Jan/2025:15:21:30 +0000] "GET / HTTP/2.0" 401 113 "-" "-" 754 "netdata@file" "-" 1ms
[lanie@stormux traefik] $ sudo tail ../authelia/logs/authelia.log 
time="2025-01-15T14:41:15-06:00" level=info msg="Startup complete"
time="2025-01-15T14:41:15-06:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2025-01-15T17:25:21-06:00" level=debug msg="Shutdown initiated due to process signal" signal=terminated
time="2025-01-15T17:25:21-06:00" level=info msg="Shutdown initiated"
time="2025-01-15T17:25:21-06:00" level=info msg="Shutdown complete"
time="2025-01-15T17:25:24-06:00" level=info msg="Storage schema is being checked for updates"
time="2025-01-15T17:25:24-06:00" level=info msg="Storage schema is already up to date"
time="2025-01-15T17:25:25-06:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2025-01-15T17:25:25-06:00" level=debug msg="Create Server Service (metrics) skipped"
time="2025-01-15T17:25:25-06:00" level=info msg="Startup complete"
[lanie@stormux traefik] $

                                                                                                                                                                       Subdomains still don't load. I'm not including my authelia config since it hasn't changed.

bluepuma77 · January 16, 2025, 6:07am

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Enable JSON format for more details. Status 401 means unauthorized, what does your ForwardAuth service log tell you?

Is auth.laniesplace.us accessible?

My question was why you have 13 routers and not start with a single one until it works.

Topic		Replies	Views
First Traefik config PART 2 - Domain name needs at least one dot Traefik v2 docker-swarm , letsencrypt-acme	3	4321	May 7, 2020
Traefik + letsencrypt using example fails to generate ceritifcate Traefik v2 docker , letsencrypt-acme	3	1202	June 5, 2021
Traefik error 400: DNS problem while deploying portainer with wildcard subdomain Traefik v2 docker , letsencrypt-acme	1	1837	April 6, 2022
Traefik V2 ACME Error: "Domain name needs at least one dot" Traefik v2 docker , letsencrypt-acme	1	8743	April 8, 2020
Traefik cert resolver error Traefik v3 (latest) docker	6	112	November 22, 2024

Help Needed: Traefik with Authelia and Domain Setup - traefik-traefik Error

The Problem

My Setup

Configuration Files

Questions

traefik.log

access.log

Authelia docker-compose:

Authelia configuration.yml:

Traefik middlewares.yml:

traefik.yml:

dynamic/routers.yml:

dynamic/services.yml:

docker-compose.yml

traefik.yml

dynamic.yml

logs

Related topics