Hi everyone,
I'm trying to set up Traefik 2.0 with Authelia using the ForwardAuth middleware, but I'm running into the following issue:
- I go to the URL heimdall.example
- Traefik redirects me to the Authelia login page
- I enter the credentials and log in successfully (according to the logs, posted below)
- I'm redirected again to the login page
I'm in an infinite loop and I don't know what may be causing the issue.
Here are the logs from Authelia and my Traefik configuration:
- Redirection after first going to heimdall.example:
```text
method='GET', path='/api/state' requestId='c753f9f8-601e-4140-a99c-0aefd6c5976c' sessionId='XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz' ip='192.168.1.138' message='Session XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz has no authentication information. Its internal id is: XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz its current cookie is: {"originalMaxAge":3600000,"expires":"2019-10-28T21:32:48.435Z","secure":true,"httpOnly":true,"domain":"example","path":"/"}',
method='GET', path='/api/state' requestId='c753f9f8-601e-4140-a99c-0aefd6c5976c' sessionId='XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz' ip='192.168.1.138' message='Authentication session XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz was undefined. Resetting... If it's unexpected, make sure you are visiting the expected domain.',
method='GET', path='/api/state' requestId='c753f9f8-601e-4140-a99c-0aefd6c5976c' sessionId='XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz' ip='192.168.1.138' message='Headers = {"host":"login.example","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0","accept":"*/*","accept-encoding":"gzip, deflate, br","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","cache-control":"max-age=0","dnt":"1","if-none-match":"W/\"1a-WDeCm39gGM0/ubzz9lBRjjvLOdo\"","referer":"https://login.example/","te":"trailers","x-forwarded-for":"192.168.1.138","x-forwarded-host":"login.example","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"22c63bf60994","x-real-ip":"192.168.1.138"}'
```
- After login, it returns again to the login page, despite having the redirect URL there:
```text
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Headers = {"host":"login.example","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0","content-length":"60","accept":"application/json","accept-encoding":"gzip, deflate, br","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","content-type":"application/json","dnt":"1","origin":"https://login.example","referer":"https://login.example/","te":"trailers","x-forwarded-for":"192.168.1.138","x-forwarded-host":"login.example","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"22c63bf60994","x-real-ip":"192.168.1.138","x-target-url":"https://heimdall.example/"}',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Session IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp has no authentication information. Its internal id is: IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp its current cookie is: {"originalMaxAge":3600000,"expires":"2019-10-28T21:40:07.387Z","secure":true,"httpOnly":true,"domain":"example","path":"/"}',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Authentication session IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp was undefined. Resetting... If it's unexpected, make sure you are visiting the expected domain.',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Starting authentication of user "john"',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='No regulation applied.',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Mark successful authentication to regulator.',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Found protected domain: example in url extracted domain: heimdall.example at index: 9',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Extracted domain heimdall.example from url https://heimdall.example/',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Header x-target-url is set to https://heimdall.example/',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='protected domain size: 8 url extracted domain size: 17',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='domain match url extracted: true',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='https://heimdall.example/ was found to be in domain example',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='calculated authorization level: 1 from resObject: {"domain":"heimdall.example","resource":"/"} subject: {"user":"john","groups":["admins"]} and ip: 192.168.1.138',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='Backend lookup successful. Retrieved information about user john are {"emails":["test@test.com"],"groups":["admins"]}',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='sending redirect to: https://heimdall.example/',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Headers = {"host":"authelia:9091","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","accept-encoding":"gzip, deflate, br","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","dnt":"1","referer":"https://login.example/","upgrade-insecure-requests":"1","x-forwarded-for":"192.168.1.138","x-forwarded-host":"heimdall.example","x-forwarded-method":"GET","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"22c63bf60994","x-forwarded-uri":"/","x-real-ip":"192.168.1.138"}',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Session y4nKc_XvuopnnOVN-znlJiQKhYesCi0O has no authentication information. Its internal id is: y4nKc_XvuopnnOVN-znlJiQKhYesCi0O its current cookie is: {"originalMaxAge":3600000,"expires":"2019-10-28T21:40:08.020Z","secure":true,"httpOnly":true,"domain":"example","path":"/"}',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Authentication session y4nKc_XvuopnnOVN-znlJiQKhYesCi0O was undefined. Resetting... If it's unexpected, make sure you are visiting the expected domain.',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Header x-forwarded-host is set to heimdall.example',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Checking session cookie',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Header x-forwarded-proto is set to https',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Header x-forwarded-uri is set to /',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='domain=heimdall.example, path=/, user=unknown, groups=unknown, ip=192.168.1.138',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Error: User 'unknown' is not sufficiently authorized to access heimdall.example/.',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Redirecting to https://login.example/#/?rd=https://heimdall.example/',
method='GET', path='/api/state' requestId='fbc593c3-17e3-4835-b6be-adcdce4ffadd' sessionId='eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ' ip='192.168.1.138' message='Headers = {"host":"login.example","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0","accept":"*/*","accept-encoding":"gzip, deflate, br","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","dnt":"1","if-none-match":"W/\"1a-WDeCm39gGM0/ubzz9lBRjjvLOdo\"","referer":"https://login.example/","te":"trailers","x-forwarded-for":"192.168.1.138","x-forwarded-host":"login.example","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"22c63bf60994","x-real-ip":"192.168.1.138"}',
method='GET', path='/api/state' requestId='fbc593c3-17e3-4835-b6be-adcdce4ffadd' sessionId='eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ' ip='192.168.1.138' message='Session eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ has no authentication information. Its internal id is: eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ its current cookie is: {"originalMaxAge":3600000,"expires":"2019-10-28T21:40:08.172Z","secure":true,"httpOnly":true,"domain":"example","path":"/"}',
method='GET', path='/api/state' requestId='fbc593c3-17e3-4835-b6be-adcdce4ffadd' sessionId='eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ' ip='192.168.1.138' message='Authentication session eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ was undefined. Resetting... If it's unexpected, make sure you are visiting the expected domain.'
```
I saw that authelia successfully tries to redirect to the heimdall page, which is expected. But after that, it again goes to the login page.
Maybe it's a Traefik 2 configuration issue (I'm pretty new to this). My configuration is currently:
```yaml
version: "3.6"
services:
  traefik:
    image: traefik:v2.0.2
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    command:
      - --api.insecure=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --log.filePath=/etc/traefik/logs/log.log
      - --accessLog.filePath=/etc/traefik/logs/log.log
      - --certificatesResolvers.mycertresolver.acme.httpChallenge.entryPoint=web
      - --certificatesResolvers.mycertresolver.acme.storage=/letsencrypt/acme.json
    volumes:
      - ${USERDIR}/docker/traefik/logs:/etc/traefik/logs
      - ${USERDIR}/docker/traefik/letsencrypt:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: always
  authelia:
    image: clems4ever/authelia:v3.16.1
    container_name: authelia
    volumes:
      - ${USERDIR}/docker/authelia/config.yml:/etc/authelia/config.yml:ro
      - ${USERDIR}/docker/authelia/store:/var/lib/authelia/store
      - ${USERDIR}/docker/authelia/users.yml:/etc/authelia/users_database.yml
    environment:
      - NODE_TLS_REJECT_UNAUTHORIZED=0
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia_router.rule=Host(`login.example`)"
      - "traefik.http.routers.authelia_router.entrypoints=websecure"
      - "traefik.http.routers.authelia_router.tls=true"
      - "traefik.http.routers.authelia_router.tls.certresolver=mycertresolver"
    restart: always
  heimdall:
    image: linuxserver/heimdall
    container_name: heimdall
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    volumes:
      - ${USERDIR}/docker/heimdall:/config
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.heimdall_router.rule=Host(`heimdall.example`)"
      - "traefik.http.routers.heimdall_router.entrypoints=websecure"
      - "traefik.http.routers.heimdall_router.tls=true"
      - "traefik.http.routers.heimdall_router.tls.certresolver=mycertresolver"
      - "traefik.http.routers.heimdall_router.middlewares=login"
      - "traefik.http.middlewares.login.forwardauth.authResponseHeaders=X-Forwarded-User,X-Forwarded-Group,X-Forwarded-Uri,X-Forwarded-For,X-Original-URL"
      - "traefik.http.middlewares.login.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example/%23/"
      # The next rules are global for all the services.
      # It is just used to redirect all requests to HTTPS.
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    restart: always
```
Any help would be highly appreciated.
Regards.
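As an added diagnostic (not code from the post, from Authelia or from Traefik), a parser for the Authelia log lines above that checks whether any request ever presents a session it was given earlier, whether the `/api/verify` call that follows a successful first factor carries the login's session, and which `domain` the issued session cookie has. The sample lines are copied from the post, with the long `Headers` dumps omitted.

```python
import json
import re

# Constructed sample: five lines copied from the Authelia log in the post above,
# with the long Headers dumps left out; the request and session ids are the post's.
SAMPLE_LOG = """\
method='GET', path='/api/state' requestId='c753f9f8-601e-4140-a99c-0aefd6c5976c' sessionId='XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz' ip='192.168.1.138' message='Session XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz has no authentication information. Its internal id is: XefyZb7EhZNo-H2AQLYI1x1MNR7URnjz its current cookie is: {"originalMaxAge":3600000,"expires":"2019-10-28T21:32:48.435Z","secure":true,"httpOnly":true,"domain":"example","path":"/"}',
method='POST', path='/api/firstfactor' requestId='490c86cf-73a9-4021-a3a1-3b3ff6baf492' sessionId='IUs2O69oXxhSw2x3XcJntvmOdAKZ1Ekp' ip='192.168.1.138' message='sending redirect to: https://heimdall.example/',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Session y4nKc_XvuopnnOVN-znlJiQKhYesCi0O has no authentication information. Its internal id is: y4nKc_XvuopnnOVN-znlJiQKhYesCi0O its current cookie is: {"originalMaxAge":3600000,"expires":"2019-10-28T21:40:08.020Z","secure":true,"httpOnly":true,"domain":"example","path":"/"}',
method='GET', path='/api/verify' requestId='83d6841c-25c6-450f-b8c7-9519a2f16aa3' sessionId='y4nKc_XvuopnnOVN-znlJiQKhYesCi0O' ip='192.168.1.138' message='Error: User 'unknown' is not sufficiently authorized to access heimdall.example/.',
method='GET', path='/api/state' requestId='fbc593c3-17e3-4835-b6be-adcdce4ffadd' sessionId='eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ' ip='192.168.1.138' message='Authentication session eqBs44XH_e7dxcaj15bOI69GwyXhmGbQ was undefined. Resetting... If it's unexpected, make sure you are visiting the expected domain.'
"""

# One log line: fixed quoted fields, then a message that may itself contain quotes,
# so the message is taken up to the last quote (plus an optional trailing comma).
LINE_RE = re.compile(
    r"method='(?P<method>[A-Z]+)', path='(?P<path>[^']+)' requestId='(?P<request>[^']+)' "
    r"sessionId='(?P<session>[^']+)' ip='(?P<ip>[^']+)' message='(?P<message>.*?)',?$"
)
COOKIE_RE = re.compile(r"its current cookie is: (\{.*\})$")

def parse_log(text):
    """Parse every well-formed line into a dict; lines that do not match are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def session_churn(events):
    """(distinct requestIds, distinct sessionIds). Equal counts mean no session was
    ever presented twice, i.e. the browser is not returning the cookie it was set."""
    return (len({e["request"] for e in events}), len({e["session"] for e in events}))

def cookie_domains(events):
    """Domain attribute of every session cookie Authelia reports issuing."""
    domains = set()
    for e in events:
        m = COOKIE_RE.search(e["message"])
        if m:
            domains.add(json.loads(m.group(1))["domain"])
    return domains

def verify_reuses_login_session(events):
    """After firstfactor logs 'sending redirect to:', does the next /api/verify
    arrive with the same sessionId? Returns None if the log has no such pair."""
    login_session = None
    for e in events:
        if e["path"] == "/api/firstfactor" and e["message"].startswith("sending redirect to:"):
            login_session = e["session"]
        elif login_session and e["path"] == "/api/verify":
            return e["session"] == login_session
    return None
```

On the sample, four requests arrive with four different session ids and the `/api/verify` after login does not carry the login's session, which pins the loop on the cookie round trip rather than on the ForwardAuth rules.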