How to map ports with Traefik for internal access?

I am trying to setup traefik-forward-auth with dex.

Here is an example setup that works - GitHub - genert/traefik_with_dex

If you visit the website, it redirects to the wrong url e.g http://dex.testing.internal:5556/auth?client_id=forward-auth&redirect_uri=http%3A%2F%2Ftesting.internal%2F_oauth&response_type=code&scope=openid+profile+email&state=6d8953aad28c968addbe6c208e00fd6d%3Aoidc%3Ahttp%3A%2F%2Ftesting.internal%2F

The URL is wrong because it contains 5556 port. Removing the port from the URL makes it work.

I tried it without ports in both dex issuer conf and changing PROVIDERS_OIDC_ISSUER_URL without port.

However, then the following error happens when booting the containers:

traefik_with_dex-traefik-forward-auth-1 | time="2023-01-11T15:05:45Z" level=fatal msg="Get http://dex.testing.internal/.well-known/openid-configuration: dial tcp 172.20.0.3:80: connect: connection refused"

Which means the dex is not accessible from the forward auth even though it open in the browser.

I added the following network alias for the dex container:
networks:
testing:
aliases:
- dex.testing.internal

However, it did not solve the issue.

Does Traefik work differently for internal container connection?

Any ideas how to fix it?

If you see port 5556 and it is wrong, how about checking your config files? Little hint: dex-config.yml, line with http :slight_smile:

There are two ports in play: the internal for the dex service (connected by Traefik) and the external the browser is redirected to (by dex itself).