Help setting up ForwardAuth using Keycloak and traefik-forward-auth

Hi there, I'm new to Traefik so excuse me if I'm asking something obvious. Also if you spot something weird and/or redundant in my config please let me know :smiley:

I'm trying to set up forward-auth together with Keycloak to provide authentication for (now just one of) my services. Just like @Benjvfr here.
I have the feeling I'm close to getting it working, but I'm getting the following log error:
forward-auth | level=fatal msg="Get https://sso.mydomain.net/realms/myrealm/.well-known/openid-configuration: dial tcp <public_ip>:443: connect: connection refused"

I can access the sso URL from my personal machine over the internet, so I'm not entirely sure what is wrong.
When accessing auth.mydomain.net, i get a 500 server error and nothing loads.

Traefik also picks up this error:
proxy_traefik | level=debug msg="Error calling http://forward-auth:4181. Cause: Get \"http://forward-auth:4181\": dial tcp: lookup forward-auth on 127.0.0.11:53: no such host" middlewareName=forward-auth@file middlewareType=ForwardedAuthType

So it fails to find the forward-auth container locally and keycloak publically....
Any help would be much appreciated!


My traefik compose file:

version: "3.9"
services:
  traefik:
    container_name: proxy_traefik
    image: traefik:v2.6.6
    restart: always
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    networks:
      # Create before (docker network create routing-network)
      - routing-network
    volumes:
      # So that Traefik can listen to the Docker events
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Store certificates
      - "./letsencrypt:/letsencrypt"
      # Config with middlewares
      - "./config:/etc/traefik/conf:ro"
    command:
      # Enable Docker in Traefik so it reads labels from Docker services
      - "--providers.docker=true"
      # Don't want all services exposed
      - "--providers.docker.exposedByDefault=false"
      # One network to rule them all
      - "--providers.docker.network=routing-network"
      # Don't share info
      - "--global.sendAnonymousUsage=false"

      # Config for shared middlewarez, directory is recommended
      - "--providers.file.directory=/etc/traefik/conf"

      # HTTP
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      # Redirect to HTTPS
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"

      # TLS
      - "--certificatesresolvers.acme-resolver.acme.email=<REDACTED>"
      - "--certificatesresolvers.acme-resolver.acme.tlschallenge=true"
      - "--certificatesresolvers.acme-resolver.acme.storage=/letsencrypt/acme.json"

      # Use when debugging
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      #- "--certificatesresolvers.acme-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"

networks:
  routing-network:
    external: true

My config file:

http:
  middlewares:
    forward-auth:
      forwardauth:
        address: "http://forward-auth:4181"
        trustForwardHeader: true
        authResponseHeaders: "X-Forwarded-User"

my Keycloak compose file:

version: "3.9"
services:
  keycloak:
    container_name: sso_keycloak
    #image: quay.io/keycloak/keycloak:18.0.0
    build:
      context: ./keycloak
    environment:
      - KC_HOSTNAME=sso.mydomain.net
      # Enables communication through HTTP between the proxy and Keycloak.
      - KC_PROXY=edge
      - KC_DB=postgres
      - KC_DB_USERNAME=${DB_USER}
      - KC_DB_PASSWORD=${DB_PASSWORD}
      - KC_DB_URL_HOST=database_postgresql
      - KEYCLOAK_ADMIN=${KC_USER}
      - KEYCLOAK_ADMIN_PASSWORD=${KC_PASSWORD}
    networks:
      - database-network
      - routing-network
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=routing-network"

      # Routing
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.rule=Host(`sso.mydomain.net`)"

      # Uncomment this for /admin access
      #- "traefik.http.routers.keycloak.rule=PathPrefix(`/js/`, `/realms/`, `/resources/`) || Path(`/robots.txt`)"

      # TLS
      - "traefik.http.routers.keycloak.tls=true"
      - "traefik.http.routers.keycloak.tls.certresolver=acme-resolver"

networks:
  database-network:
    external: true
  routing-network:
    external: true

My traefik-forward-auth compose:

version: "3.9"
services:
  forward-auth:
    container_name: forward-auth
    image: thomseddon/traefik-forward-auth:2
    networks:
      - routing-network
    environment:
      - AUTH_HOST=${AUTH_HOST}
      - COOKIE_DOMAIN=${COOKIE_DOMAIN}
      - SECRET=${SECRET}
      #- URL_PATH=/_oauth
      - PORT=4181
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=${OIDC_ISSUER}
      - PROVIDERS_OIDC_CLIENT_ID=${CLIENT_ID}
      - PROVIDERS_OIDC_CLIENT_SECRET=${CLIENT_SECRET}
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=routing-network"

      # Routing
      - "traefik.http.services.auth.loadbalancer.server.port=4181"
      - "traefik.http.routers.auth.entrypoints=websecure"
      - "traefik.http.routers.auth.rule=Host(`auth.mydomain.net`)"

      # TLS
      - "traefik.http.routers.auth.tls=true"
      - "traefik.http.routers.auth.tls.certresolver=acme-resolver"

      # Auth
      - "traefik.http.routers.auth.middlewares=forward-auth@file"


networks:
  routing-network:
    external: true

The service in question has the following labels:

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=routing-network"

      # Routing
      - "traefik.http.routers.hedgedoc.entrypoints=websecure"
      - "traefik.http.routers.hedgedoc.rule=Host(`app.mydomain.net`)"

      # TLS
      - "traefik.http.routers.hedgedoc.tls=true"
      - "traefik.http.routers.hedgedoc.tls.certresolver=acme-resolver"

      # Auth
      - "traefik.http.routers.auth.middlewares=forward-auth@file"

My partial, redacted .env

# traefik-forward-auth
CLIENT_ID=traefik-forward-auth # set this in Keycloak
CLIENT_SECRET=<generated by keycloak>
SECRET=<nope>
AUTH_HOST=auth.mydomain.net
COOKIE_DOMAIN=mydomain.net
OIDC_ISSUER=https://sso.mydomain.net/realms/myrealm