Hi there, I'm new to Traefik so excuse me if I'm asking something obvious. Also if you spot something weird and/or redundant in my config please let me know 
I'm trying to set up forward-auth together with Keycloak to provide authentication for (now just one of) my services. Just like @Benjvfr here.
I have the feeling I'm close to getting it working, but I'm getting the following log error:
forward-auth | level=fatal msg="Get https://sso.mydomain.net/realms/myrealm/.well-known/openid-configuration: dial tcp <public_ip>:443: connect: connection refused"
I can access the sso URL from my personal machine over the internet, so I'm not entirely sure what is wrong.
When accessing auth.mydomain.net, i get a 500 server error and nothing loads.
Traefik also picks up this error:
proxy_traefik | level=debug msg="Error calling http://forward-auth:4181. Cause: Get \"http://forward-auth:4181\": dial tcp: lookup forward-auth on 127.0.0.11:53: no such host" middlewareName=forward-auth@file middlewareType=ForwardedAuthType
So it fails to find the forward-auth container locally and keycloak publically....
Any help would be much appreciated!
My traefik compose file:
version: "3.9"
services:
traefik:
container_name: proxy_traefik
image: traefik:v2.6.6
restart: always
ports:
# The HTTP port
- "80:80"
# The HTTPS port
- "443:443"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
networks:
# Create before (docker network create routing-network)
- routing-network
volumes:
# So that Traefik can listen to the Docker events
- "/var/run/docker.sock:/var/run/docker.sock:ro"
# Store certificates
- "./letsencrypt:/letsencrypt"
# Config with middlewares
- "./config:/etc/traefik/conf:ro"
command:
# Enable Docker in Traefik so it reads labels from Docker services
- "--providers.docker=true"
# Don't want all services exposed
- "--providers.docker.exposedByDefault=false"
# One network to rule them all
- "--providers.docker.network=routing-network"
# Don't share info
- "--global.sendAnonymousUsage=false"
# Config for shared middlewarez, directory is recommended
- "--providers.file.directory=/etc/traefik/conf"
# HTTP
- "--entryPoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
# Redirect to HTTPS
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
# TLS
- "--certificatesresolvers.acme-resolver.acme.email=<REDACTED>"
- "--certificatesresolvers.acme-resolver.acme.tlschallenge=true"
- "--certificatesresolvers.acme-resolver.acme.storage=/letsencrypt/acme.json"
# Use when debugging
- "--log.level=DEBUG"
- "--api.insecure=true"
#- "--certificatesresolvers.acme-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
networks:
routing-network:
external: true
My config file:
http:
middlewares:
forward-auth:
forwardauth:
address: "http://forward-auth:4181"
trustForwardHeader: true
authResponseHeaders: "X-Forwarded-User"
my Keycloak compose file:
version: "3.9"
services:
keycloak:
container_name: sso_keycloak
#image: quay.io/keycloak/keycloak:18.0.0
build:
context: ./keycloak
environment:
- KC_HOSTNAME=sso.mydomain.net
# Enables communication through HTTP between the proxy and Keycloak.
- KC_PROXY=edge
- KC_DB=postgres
- KC_DB_USERNAME=${DB_USER}
- KC_DB_PASSWORD=${DB_PASSWORD}
- KC_DB_URL_HOST=database_postgresql
- KEYCLOAK_ADMIN=${KC_USER}
- KEYCLOAK_ADMIN_PASSWORD=${KC_PASSWORD}
networks:
- database-network
- routing-network
restart: always
labels:
- "traefik.enable=true"
- "traefik.docker.network=routing-network"
# Routing
- "traefik.http.routers.keycloak.entrypoints=websecure"
- "traefik.http.routers.keycloak.rule=Host(`sso.mydomain.net`)"
# Uncomment this for /admin access
#- "traefik.http.routers.keycloak.rule=PathPrefix(`/js/`, `/realms/`, `/resources/`) || Path(`/robots.txt`)"
# TLS
- "traefik.http.routers.keycloak.tls=true"
- "traefik.http.routers.keycloak.tls.certresolver=acme-resolver"
networks:
database-network:
external: true
routing-network:
external: true
My traefik-forward-auth compose:
version: "3.9"
services:
forward-auth:
container_name: forward-auth
image: thomseddon/traefik-forward-auth:2
networks:
- routing-network
environment:
- AUTH_HOST=${AUTH_HOST}
- COOKIE_DOMAIN=${COOKIE_DOMAIN}
- SECRET=${SECRET}
#- URL_PATH=/_oauth
- PORT=4181
- DEFAULT_PROVIDER=oidc
- PROVIDERS_OIDC_ISSUER_URL=${OIDC_ISSUER}
- PROVIDERS_OIDC_CLIENT_ID=${CLIENT_ID}
- PROVIDERS_OIDC_CLIENT_SECRET=${CLIENT_SECRET}
labels:
- "traefik.enable=true"
- "traefik.docker.network=routing-network"
# Routing
- "traefik.http.services.auth.loadbalancer.server.port=4181"
- "traefik.http.routers.auth.entrypoints=websecure"
- "traefik.http.routers.auth.rule=Host(`auth.mydomain.net`)"
# TLS
- "traefik.http.routers.auth.tls=true"
- "traefik.http.routers.auth.tls.certresolver=acme-resolver"
# Auth
- "traefik.http.routers.auth.middlewares=forward-auth@file"
networks:
routing-network:
external: true
The service in question has the following labels:
labels:
- "traefik.enable=true"
- "traefik.docker.network=routing-network"
# Routing
- "traefik.http.routers.hedgedoc.entrypoints=websecure"
- "traefik.http.routers.hedgedoc.rule=Host(`app.mydomain.net`)"
# TLS
- "traefik.http.routers.hedgedoc.tls=true"
- "traefik.http.routers.hedgedoc.tls.certresolver=acme-resolver"
# Auth
- "traefik.http.routers.auth.middlewares=forward-auth@file"
My partial, redacted .env
# traefik-forward-auth
CLIENT_ID=traefik-forward-auth # set this in Keycloak
CLIENT_SECRET=<generated by keycloak>
SECRET=<nope>
AUTH_HOST=auth.mydomain.net
COOKIE_DOMAIN=mydomain.net
OIDC_ISSUER=https://sso.mydomain.net/realms/myrealm