Struggling to exclude a path from Authentik middleware

Traefik Traefik v3 (latest)
1

Hi,

I'm using Uptime-Kuma for some monitoring, and I'm using Authentik to put some authentication in front of it. I've got it all working fine for normal flows. But now I'd like to be able to exclude a specific path from authentication (a status page which I would like to make public). The path is:

https://monitor.domain.tld/status/main

I've set up the docker labels as follows:

labels:
      # Reverse proxy config
      traefik.enable: "true"
      traefik.http.routers.uptime-kuma.rule: "Host(`monitor.${PUBLIC_DOMAIN_NAME}`) && !PathPrefix(`/status/`)"
      traefik.http.routers.uptime-kuma.entrypoints: "websecure"
      traefik.http.routers.uptime-kuma.priority: "1"
      traefik.http.routers.uptime-kuma.tls: "true"
      traefik.http.services.uptime-kuma.loadbalancer.server.port: "${UPTIME_KUMA_PORT:?[uptime-kuma] Port missing}"
      traefik.http.routers.uptime-kuma.middlewares: "authentik@file"
----> # Config below added to exclude path
      # Router for /status/main (this excludes authentik middleware)
      traefik.http.routers.uptime-kuma-status.rule: "Host(`monitor.${PUBLIC_DOMAIN_NAME}`) && PathPrefix(`/status/`)"
      traefik.http.routers.uptime-kuma-status.entrypoints: "websecure"
      traefik.http.routers.uptime-kuma-status.priority: "99"
      traefik.http.routers.uptime-kuma-status.tls: "true"
      traefik.http.routers.uptime-kuma-status.middlewares: ""  # I've also tried removing this line completely

However, when I try to access the URL with /status/main, I get a blank white page. In the Chrome dev tools> Network tab I see some calls to my Authentik URL (they fail with a CORS error, but they are attempting to load).

Any advice on how I can update my config to remove the middleware correctly?

Thanks!

2

Not sure if middlewares: "" is valid, I would remove it.

You don’t set the port for the second router, Traefik might use the first from Dockerfile EXPOSE, which might be wrong, or not exist.

Enable and check Traefik debug log and Traefik access log in JSON format.

3

Hi, thanks for the reply. :slight_smile:

Yeah, I wasn't sure about the middlewares line either. For the record, I tested both with and without it.

I did add the port back in, but I'm getting a weird conflict error. I add this line (similar to the line I use to define the port for the main 'uptime-kuma' service):

traefik.http.services.uptime-kuma-status.loadbalancer.server.port: "${UPTIME_KUMA_PORT:?[uptime-kuma] Port missing}"

But then I get this error in the Traefik logs:

2024-11-17T10:08:35Z ERR github.com/traefik/traefik/v3/pkg/provider/configuration.go:497 > Router uptime-kuma-status cannot be linked automatically with multiple Services: ["uptime-kuma-status" "uptime-kuma"] providerName=docker routerName=uptime-kuma-status
2024-11-17T10:08:35Z ERR github.com/traefik/traefik/v3/pkg/provider/configuration.go:497 > Router uptime-kuma cannot be linked automatically with multiple Services: ["uptime-kuma-status" "uptime-kuma"] providerName=docker routerName=uptime-kuma

I try to specify the services explicitly by adding:

traefik.http.routers.uptime-kuma.service: "uptime-kuma"
traefik.http.routers.uptime-kuma-status.service: "uptime-kuma-status"

This removes the errors in the logs, but doesn't fix the /status/main link, which still has the original issue.

Updating with the current labels, after consolidating the services and reusing the main one (still failing as in the OP):

labels:
      # Reverse proxy config
      traefik.enable: "true"
      traefik.http.routers.uptime-kuma.rule: "Host(`monitor.${PUBLIC_DOMAIN_NAME}`) && !PathPrefix(`/status/`)"
      traefik.http.routers.uptime-kuma.entrypoints: "websecure"
      traefik.http.routers.uptime-kuma.priority: "1"
      traefik.http.routers.uptime-kuma.tls: "true"
      traefik.http.routers.uptime-kuma.middlewares: "authentik@file"
      traefik.http.routers.uptime-kuma.service: "uptime-kuma"
      traefik.http.services.uptime-kuma.loadbalancer.server.port: "${UPTIME_KUMA_PORT:?[uptime-kuma] Port missing}"
      # Router for /status/main (this excludes authentik middleware)
      traefik.http.routers.uptime-kuma-status.rule: "Host(`monitor.${PUBLIC_DOMAIN_NAME}`) && PathPrefix(`/status/`)"
      traefik.http.routers.uptime-kuma-status.entrypoints: "websecure"
      traefik.http.routers.uptime-kuma-status.priority: "99"
      traefik.http.routers.uptime-kuma-status.tls: "true"
      traefik.http.routers.uptime-kuma-status.service: "uptime-kuma"
4

You are right, you can use one service and assign it to both routers.

Enable and check Traefik debug log and Traefik access log in JSON format.

5

Ok, just to confirm, I added this this to enable access logging to STDOUT

accessLog:
  format: json

Link to the log after I made the request:

It looks like it goes straight to Authentik, but perhaps I'm missing something.