Problem getting o

Hi!
Trying to make a setup with oauth2-proxy as a gatekeeper for secure sites.
But have 2 problems that I can’t solve.
First, when I got to a secure page without have an active session. I only get Unauthorized and are not redirected to the log in flow.

I also try to limit so that only emails in the authenticated-emails.txt have access. But seems that any one with an google account still can log in.

My setup below:

#traefik/docker-compose.yml
services:
  
  traefik:
    image: traefik:v3.5
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
    command:
      # === Logging & Dashboard ===
      - "--log.level=DEBUG" #INFO/DEBUG
      - "--api.dashboard=true"
      - "--api.insecure=false"

      # === Entrypoints ===
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

      # === Providers ===
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"

      # === ACME / Let's Encrypt ===
      - "--certificatesresolvers.lencrypt.acme.email=example@example.com"
      - "--certificatesresolvers.lencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.lencrypt.acme.httpchallenge.entrypoint=web"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/trae/traefik/letsencrypt:/letsencrypt

    labels:
      # === ForwardAuth middleware (oauth2-proxy) ===
      - traefik.http.middlewares.oauth2-auth.forwardauth.address=http://oauth2-proxy:4180/
      - traefik.http.middlewares.oauth2-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth2-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,Authorization,Set-Cookie
    networks:
      - traefik

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 #latest
    container_name: oauth2-proxy
    restart: unless-stopped
    environment:
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_CLIENT_ID=${GOOGLE_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${COOKIE_SECRET}
      - OAUTH2_PROXY_REDIRECT_URL=https://auth.mydomain.com/oauth2/callback
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE=/etc/oauth2-proxy/authenticated-emails.txt
      - OAUTH2_PROXY_UPSTREAMS=static://202     #file:///dev/null
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_COOKIE_DOMAINS=.mydomain.com
      - OAUTH2_PROXY_ALLOWED_DOMAINS=.mydomain.com
      - OAUTH2_PROXY_COOKIE_SECURE=true
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_PING_PATH=/healthz
      #- OAUTH2_PROXY_COOKIE_SAMESITE=lax
    volumes:
      - /home/trae/traefik/authenticated-emails.txt:/etc/oauth2-proxy/authenticated-emails.txt:ro

    labels:
      - traefik.enable=true
      - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
      - traefik.http.routers.oauth.rule=Host(`auth.mydomain.com`)
      - traefik.http.routers.oauth.entrypoints=websecure
      - traefik.http.routers.oauth.tls.certresolver=lencrypt
      - traefik.http.middlewares.oauth2-auth.forwardauth.address=http://oauth2-proxy:4180/oauth2/auth
      - traefik.http.middlewares.oauth2-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth2-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,Authorization,Set-Cookie

    networks:
      - traefik

networks:
  traefik:
    external: true

#web/docker-compose.yml
services:
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - traefik.enable=true
      # === Routing ===
      - traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=lencrypt
      # === Auth via oauth2-proxy ===
      - traefik.http.routers.whoami.middlewares=oauth2-auth@docker
      
      - traefik.http.services.whoami.loadbalancer.server.port=80
    networks:
      - traefik

  web:
    image: nginx:alpine
    container_name: web
    volumes:
      - ./html:/usr/share/nginx/html:ro
    labels:
      - traefik.enable=true
      # === Routing ===
      - traefik.http.routers.web.rule=Host(`mydomain.com`)
      - traefik.http.routers.web.entrypoints=websecure
      - traefik.http.routers.web.tls.certresolver=lencrypt
      
      - traefik.http.services.web.loadbalancer.server.port=80
    networks:
      - traefik

networks:
  traefik:
    external: true

Solved it!
See my updated traefik/docker-compose.yml below.
Also needed to have a delay before started the web containers to make sure the middleware existed before they start.

#traefik/docker-compose.yml
services:
  
  traefik:
    image: traefik:v3.5
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
    command:
      # === Logging & Dashboard ===
      - "--log.level=DEBUG" #INFO/DEBUG
      - "--api.dashboard=true"
      - "--api.insecure=false"

      # === Entrypoints ===
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

      # === Providers ===
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"

      # === ACME / Let's Encrypt ===
      - "--certificatesresolvers.lencrypt.acme.email=example@example.com"
      - "--certificatesresolvers.lencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.lencrypt.acme.httpchallenge.entrypoint=web"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/trae/traefik/letsencrypt:/letsencrypt

    networks:
      - traefik

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 #latest
    container_name: oauth2-proxy
    restart: unless-stopped
    environment:
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_CLIENT_ID=${GOOGLE_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${COOKIE_SECRET}
      - OAUTH2_PROXY_REDIRECT_URL=https://auth.mydomain.com/oauth2/callback
      - OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE=/etc/oauth2-proxy/authenticated-emails.txt
      - OAUTH2_PROXY_UPSTREAMS=static://202     #file:///dev/null
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_WHITELIST_DOMAINS=.mydomain.com
      - OAUTH2_PROXY_COOKIE_DOMAINS=.mydomain.com
      - OAUTH2_PROXY_ALLOWED_DOMAINS=.mydomain.com
      - OAUTH2_PROXY_DEFAULT_ALLOWED_REQUEST_DOMAINS=.mydomain.com
      - OAUTH2_PROXY_DEFAULT_ALLOWED_REDIRECT_URI=https://*.mydomain.com/*
      - OAUTH2_PROXY_COOKIE_SECURE=true
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_PING_PATH=/healthz
      - OAUTH2_PROXY_COOKIE_SAMESITE=lax
    volumes:
      - /home/trae/traefik/authenticated-emails.txt:/etc/oauth2-proxy/authenticated-emails.txt:ro

    labels:
      - traefik.enable=true
      - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
      - traefik.http.routers.oauth.rule=Host(`auth.mydomain.com`)
      - traefik.http.routers.oauth.entrypoints=websecure
      - traefik.http.routers.oauth.tls.certresolver=lencrypt
      - traefik.http.middlewares.oauth2-auth.forwardauth.address=http://oauth2-proxy:4180/oauth2?rd={url}
      - traefik.http.middlewares.oauth2-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth2-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,Authorization,Set-Cookie

    networks:
      - traefik

networks:
  traefik:
    external: true

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.